Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 25, 2023, 8:05 a.m.	April 25, 2023, 8:07 a.m.

Size	469.0B
Type	DOS batch file, ASCII text
MD5	`e02fd6b5f8ceca4c582c54cd177bcb3a`
SHA256	`04ede962e341e05f6f0ceea4838ba7aef489d859e43d8c0eb67ffd3ce8671c1d`
CRC32	`BE9E3A46`
ssdeep	`12:FEXhsS88072EOdLdzdWx7dVYEdm3WdHfV+EVT1:FEXhe3qZhWxJjlHf9Z`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "gxjInGipOc" C:\Users\test22\AppData\Local\Temp\bruh.bat
840
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\bruh.bat
  2052
  - powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://136.244.84.50:8022/bruh.png', 'C:\Users\test22\AppData\Local\Temp\bruh.png')"
    2140
  - reg.exe REG ADD "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\test22\AppData\Local\Temp\bruh.png" /f
    2288
  - reg.exe REG ADD "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 10 /f
    2332
  - reg.exe REG ADD "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d 0 /f
    2376
  - rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    2420

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
136.244.84.50	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 25, 2023, 8:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 25, 2023, 8:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 25, 2023, 8:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 25, 2023, 8:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 25, 2023, 8:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 25, 2023, 8:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 25, 2023, 8:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 25, 2023, 8:05 a.m.			0	0
IsDebuggerPresent April 25, 2023, 8:05 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 25, 2023, 8:05 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW April 25, 2023, 8:05 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW April 25, 2023, 8:05 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW April 25, 2023, 8:05 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e9da0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e9ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e9ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e9ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e96e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e96e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e96e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e96e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e96e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e96e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e9ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e9ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e9ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 25, 2023, 8:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ea2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 25, 2023, 8:05 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 139 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02861000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02862000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02589000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04984000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04985000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04986000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04987000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04988000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04989000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0498a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0498b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0498c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0498d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0498e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0498f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 25, 2023, 8:05 a.m.	process_identifier: 2140 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://136.244.84.50:8022/bruh.png', 'C:\Users\test22\AppData\Local\Temp\bruh.png')"

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 25, 2023, 8:05 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (4 events)

Data received	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.9.2 Date: Mon, 24 Apr 2023 23:05:42 GMT Content-type: image/png Content-Length: 20955 Last-Modified: Sun, 23 Apr 2023 15:39:18 GMT
Data received	íy/3ÉËüöêäô +¨©KI×Fª´EüâéTþøíÔÉéöO&O¡ 2j×½D¥õ~VUO¨Ó704&O¡.2 }JWë¯¿è¬ªP'§o`hLB]d,I÷Z³³³4¼s~~^VÛßßOª¨§Ccòê"ca`ºýFçççVUÚ¥ßÝÝ%@UÔSAiÿ0h* jQ2¶e rÓé´½î¬F···iIß>@µÁA1Õ)ÛÈ20wwwûûûùyÿöÇ5húíTËSQP±,rww···ùïG)ßÜÜ4ñËËËüöªå©(¨NÉØFaioDýÐÉÉIÖ 6zoÀp<¤md÷OS.¦ÓiV 6zoÀp<¤md¨étÚ}ôÏÉÉb @ÕôÞá0y ÕqQ@¥ÔSá0y ÕqQ@¥ÔSðw~jä¢J©§áïüÔÈEUROÂßù©QIÚF¨0þÎOJÒ6²@%tà!xxx(ÒÝÝÝ %oY :pÀ\^^AéééiBÐ{mp<'@%ÔS!Øßß/ãÒ»»» ÷ÎÎÎJÞ^\\$@%ÔSê=??Aéh4N§BïÇãº P õ z777ePzttôÞËËKÉÛ¨z P½£££2.½¹¹Izïîî®äíááaBÔC=¨Ût:Fe\úüü(ô^;òùùyBÔC=¨[ûGþ½½½ ÇÇÇ%uýúõPOêvzzZ¥B]vwwKê>==%@=ÔSºµÒ ÷LFP;õ bÉÄ vê)@ÅÚ=OOO vê)@ÅÊ ÔÔÅd´µSOjÕÎ@1^__ìììì5-@¥ÔSZÝÞÞ©(¨NIÝF¨P«öëëë %uY 6zr@¦Óéh4#ÒçççD¡%uY 6zr@îïïËptoo/!¨GÉÞF¨P¥óóó2õ¸YjT²·ej£'Ti<áèÃÃCBP&iKö6iµQOêóôôT£;;;Óé4Q¨ÄÙÙYIà¨z P«««2=99IêÑ^]õøøµQOêsxxX£··· A%¦ÓiÉÞÑhROóúúZ£æßB%&IÉÞýýý¨z PÛÛÛ2=<<LêqwwWøøø8!¤Tæää¤G¯®®z´³ÿ jê)@eÚ¹<z´÷¹¹¹I ©§)cÑF¡ílÊ P! &///e,:ªìîîn9!¤Ô¤}6ÊÁÁABPKõ &÷÷÷e8êÙ(ÔÈÃC=¨Iû°ä³³³ 0ê)@M.//Ëp´ùGBPKõ &í³fooozxX2À`¨§59>>.ÃÑûûû 0ê)@MÊpt2$xyyF%=, vê)@MvvvG©ÔùùyÉ^÷õ e8º³³T¢{qÊÝÝ]¢TK=¨FûpÓÓÓ .Nõ Í@´H=Üº¸8`xÔS:4#Ò2m¼¾¾& 5pq Àð¨§u¸½½-#Ò »»»%{]0ê)@NNNÊôòò2!¨Ád2)©ke!QOêÐ>)ùññ1!¨ÁõõuIÝããã¨z POJ¦^ÇÇÇ%{¯¯¯ ~ê)@<)zµVM&¨z POJ¦^%uY`tï¾ó¤dêÕNFÛHAÐ½úÎ©Ôt:m/:<<LAPOúÎ©T;ïÏh4zzzJAPOúÎ©ÔîînIÝ««« õ ×ÚÉSF£QBPº,0 :y@¯Ýßßéþþ~BPº,0 :y@¯]__éééiBPº,0 :y@¯éõõuBPº,0 :y@¯µ½¿¿OQR·eD'èµÑhTF¤/// A%Jê6²ÀèäýõôôT£;;; A=Jö6²ÀèäýuwwW£GGG A%nnnJö6`@tòþºººÃÑóóó ãñ¸dïÉÉIBz Ð_ÇÇÇeDzssÔàõõµ¤îÎÎÎt:MQOúkoo¯J'IBPÇÇÇº 0,ê)@OM§Ó2"mø?ui'O9;;KaQOzj2éÞÞ^BPóóó½××× 0,ê)@Oýúõ«HJì½¿¿OaQOzªýÿÕÕUBPÑhT²·ùw¢z ÐSí_øïîî´¥Àýýýõ §vvvÊ ôéé)!è½îÅ)J¦ôQ;íÎÎNBP§l õ ®¯¯Ë Ôd´Ôeww·¤®SM=è£ããã2(õ¸YêRò¶eJè£vòÉdÔ äm#ËÐ;&O¡^%uY` tøÞ1y õ*©ÛÈ2¥ÃôÉS¨WIÝF(> wLB½Jê6²À@éðýbòªV²·eJè§P/Õ@í¡ôÉS¨j ÀöPOúÅä)ÔK5`{¨§=âv ª¦°=ÔSq»õzxx(Ù«° ÔSq»õº¼¼,Ù{zzÃ¥ôÛ%¨×þþ~ÉÞÛÛÛ.õ /LB½^^^Jö6^__`¸ÔS¾0y õº½½-Ù{pp¦ôÉS¨×ÉÉIÉÞËËË4õ /LB½Úì}\|\|LASOzÁä)Tdo#ËÐ&O¡j%{Y`èôü^0y U+ÙÛÈ2C§çôÉS¨ZÉÞF:=?`óLBíJ7²ÀÐéùgòj7Jg¡Óó6Ïä)Tíõõµ$ðh4J¡SO6Ïä)Tíññ±$ðþþ~Bz °ae,:ªÜÜÜ>99I¡SO6ììì¬E/..ª¾ººJ¡SO6lww·Eª¾»»K¡SO6ÉÍ>@[\|zzJ¡SO6ÉÍ>Ôîåå¥äðÎÎNBlõ`ÜìCíîîîJ&ÀPO6ÆÍ>ÀÕÕUIãóóóØê)ÀÆ¸Ù8>>.il2Z¢l}6`¨§áf@l-õ`3ÜìÃHc¥lÆx<.Q7ûP/i°µÔS x}}-£Ð 6///Ò`k©§ðøøX¢ AmîîîJ&
Data received	ÀÖPO6àææ¦DÏÎÎÚ\^^4>??O¡l@3þ,Ñëëë 6ÇÇÇ%ýú[C=Ø£££2½¿¿Oj³³³SÒøéé)!¶z °»»»e úòòÔ¦äp#Ël½@`Ý<Üa(iÜÈ2ÛD/X7÷aJ7²À6ÑÖÍÃ}ÆØ&zÀºy¸Ð¦ñþþ~Blõ`Ý<ÜhçT¾»»Km¢¬ûP»Ããñ8!¶z °VÏÏÏe êá>Ôëìì¬¤ñÅÅEBlõ`nooË@ôøø8!¨Íx<.iüøø[F=X«ÓÓÓ25-z}}-9ì+m¦¬UûýÉdTåññ±äðÁÁABlõ`}LÂÜÜÜ4>;;Kí£¬O;5y õ:??/iì5m¦¬Ïññ±(µ;::i\|ÛG=X25y õjÓøåå%!¶z °&É¤BMB½JÇãØJê)À\__¨ÉS¨×ÙÙYIãØJê)À<ØÝÝ-iüøø[I=X§P;7ûÐROÖÁ@p³-õ`D7ûÐROÖÁ@Ú¹Æ .õ`åD×XÐ¥¬(à+ºÔS3¥v®±àê)Àj2®±àê)Àj2®±àê)ÀjR;×Xðz °B¢k¬xO=X!Q`<4v-õ`ÜìCí^^^Jïìì$ê)Àê¸Ù¸»»+i\|xx¨§«ãfàòò²¤ñùùyB ¬}ãããÆ¿~ýJÔSq³ðòò2J&?==% ê)À¸Ù8??/i¼¿¿ü¦¬}¨]÷â»»»Dà7õ`ùÜìÃ¸8/¨§Ëçfjçâ¾¦,ßÞÞ^ºÙJ¹8¯©§ËW¢,CU\À_íKÖEË@Ôä)TÊÅ)üz °dÉ¤EzL§ÓÃ.Nà3ê)ÀÝßß±èññqBPÛÛÛÀ.°àê)ÀµÃÑ³³³ %¯®®wÔS%»¼¼,ÃÑæ A%Ú»ÕF£ÑËËK¢ðz °dgggeDz{{T¢ÖÝj\|M=X²f ZF¤÷÷÷ A º3ÑÊ^¾¦,Y;ýÄd2Ij`&Z¾O=X²ÝÝÝ2(5ýu1-ß§,ÓËËKîìì$50-sQOéîî®JMçI]ÌDÀ\ÔSåx\|\|<<<ÇePú_ÿõ_iÞL&£Ñ¨¤®høõ`9ö÷÷Ëp´kooïð·Ë¼6m:¶Ù{pp(\|I=XËËË2"W)¸ËýýýÃÃÃÓÓSÞV¬MÝÑh$ñø&õ`iþßÿûe\ú?ÿçÿlòCÍû5ÞÇÇÇ\|,CûDõàûÔS¥¹¾¾.ãÒÓÓÓyzzú}sÏÃÍÍÍï«O.ONNÊ)í vaÇÇÇÍ{6ïÿúúZ>æÒ>ÖÇ©z °4ÇÇÇehz{{Ð7Ëýý}·à²Àå-ãñ¸Ù«««æÝòÖð7mÐc}z °4í%'É$¡+Õ_¿~]^^^\\k[ÚG±\|áàààüü¼yáóósÞÞi××× À7¨§ËñòòRÆ¥k»oâééé×¯_¥Èòueww·Y§LÂÒ¼ÄýAÝÇ$/±À6POãîî®KZ¯f<\|ssszzº··W¶ä¯ö÷÷½¸¸(w y¶ËVñd~B=XËÙCgÏÏÏÚ×××2!Ë7oêÚÛÛ;::W²xÐµë1É,@=Xv_¿~%ÔÉäáááúúºB7Ûy8çÓööö\Æ2<ÀO¨§ËÑN+74úððÐ§Ë$,ß¿Q¨Ñ¬\|ü§5ßßß7xsseÖ«9jå8Çã`ê)À¬2ÚÕyzz÷ \|ÿ±ÍÍ°üðð°yÕíím3VÏ{}âùù¹ÜÔü7!Öèõõµ½êââ"Qz °v¥»e<¿¼¼ä]:Ê:¦A]¿ûûû²ÿ¦È`1ê)À´S{öa2ÚõxúöÓ»Æãñÿþßÿ;ók÷òòÒ=XÇÇÇi9©§KÐçÉh×c2,pPñÅ,,W³Ë>ßÝÝ½½½Mæ§,AÑ®ÚÝÝÝþþ~Ù-ß7ÏÎÎþ:x\|\|l/NiN¢°õà§^__ËÕìª_kÆóeG5þó?ÿ3ÿúÄîî®V¨ÙmÕÏ´5üz ðSm`?!ÞN§íåGGGþö+YÜôÍÎooÂÚÝÝµø9õà§nnnÊHõää$!Þ¹ºº*{i4=??'úÎd29??Çeå/4ë4{>/ãKggge§5;ßÀ,z ðSíWWW ñN{³É7÷Ò\Ó¯uåm½¯q}}(üz ðSGGGe°jÏÏ<<<]4§Ói¢óøfyewwWa¥ë¥óäÓÓÓDàÇÔSjoNùâ6-×ÞorqqÐÏL§ÓÓÓÓòsÙ¶»Ú'yïïï/VÉ©§?UÆ«îóöfMÞñýYWËËË¼rÐîïïóW¶çØZê)À<??ñêÞÞ^B¼Õ½Ù'¡·°ÒÕ¼jH÷ M§Óv?¸Ó¥SO~¤-üñ`ZK¿ÙgaÓé´ìæ»»»·õòò²\|H`éÔS¹½½-£Ö³³³xkÕ7ûÌe®Wê½båéé©Ö3}XõàGÚ«<,ùCë¼Ùç¾¸W¨º+VÊ7ÿHJ=øöb_¿~%DGnöù¦ï_À2îë£®®®ÊF£§§§D`©ÔS9<<,cWÏOyïåå¥½ë¤ÆýS®Xi¿ÂúvOP÷N×L°:ê)À´·òó½óóó²sö÷÷ªP{¹Ç7möº¶ÀçNVJ=øöZ,3Ó½8åîî.Ñ¡øÎmAë/¬4W>ºÙóîô`¥Å½¾¾áëîînBÌãâ¿úbÛ?¬º¼2NÛG)¹ÓUSO÷üü\¯Ã.,`Ø§\|á¯×èÖ°ëëëò²5PO×>øðð0!~ÛS¾ðEae4-ýúîÅ)[UÀ`SÔSÅýúõ«`sBlñÅ)_N§ÇÇÇeË½ýÇÅ)¬z °¸vúÏpqÊçîîîÚJS±Û\Àú©§»¼¼,XÓ¶í¿öþéË£Ñèüüü'U§°~ê)ÀâÚ 2nooÚzwwweÇãxçýí??Te¿¼É¯_¿SO×Úzí>¹¼¼LOÜÝÝµ¥bÛÚÖîîî
Data received	t:MVL=XÜÁÁAÊN&¶[w&ÚçççDùÒUyoÿiðúú:!X=õ`qãñ¸e>¥è0´yxô\¾ýg2´ë»8uROÔ_Û¡lB[¯½ÎÂ2xûÏ_ïj«0ççç ÀZ¨§zzzCÙfÐvsÄRüQUÇÝþóüü\Öiv¸+¤X3õ`Aí< ÇÇÇ m·fØ_vÈééiB,d:Y>T¥Ýá''' Àº¨§jç ¹¸¸Hh»íììâiG?7NÛ§q·FIU^:SÿõSOtvvVF³777 m±²7ÆãqB,ÃûIUÍNþ?ÿçÿ»< POÔÞárF[]rµÎ\|XU)¦fûûûñoª{¬z ° ööS6vwwËÞx\|\|L¥úð ÿñ?þGI¿ñìÑÝ¿>~N=XP¯ÿ8¸ÙgÚç(}¡fVÄ@XPF®ê)nöY¯?ýó¡Ñhµ`5eäªâf5jÒ=noo?T¥ÀjèqÊ°uë®nöYétº··Wööx+ °zÀ2lÝú«}ÖæúúºìêÝÝÝétèoÌVÛ4Àj¨§ÊÈu»ë)Í0ÞÍ>kÓîêÛÛÛ`CÔSm#Ë[é×¯_e'ìíí%Äj´õÙÙÙI6G=XPÜ6²¼ËN¸¾¾NÕhoö9>>N6G=XPÜ6²¼}ÊF///²ÇÇÇeo+]Ðê)ÀÊà¶åíÓ>Sæää$!Vfgg§ìíÉdlz ° 2¸mdyËtg¢}xxHÕ0y }£,¨oYÞ2íL´ãñ8!VÆä)ôz ° 2¾mdyË´3Ñ^]]%ÄÊ½mòzB=XPß6²¼MÌD»Neo7L@O¨§Êw+ë)íL´n?Yµn1åèè(QØ4õ`Aãn_=e:¶Ï¹¿¿Oø£Òìù4À¦©§Ê0wûê)íÜ¨{{{ ±)ôz ° t·¯²··W¾¸¹QWçææ¦ìäb =¤,(Ý-«§ÜÝÝo½»»k¿:Íî-ûY1~ROT»,ofx_¾õÅÅEB,ÛÃÃCÙÉãñX1~ROTF¼,oÉdR¾²Ç$¯ÔÙÙYÙÏVôz ° 2âmdy¯ÜøbÙF£QÙÏ@Ï¨§#ÞFîåå¥çO&DYªçççvæD ÔSAo#ËC×>¾÷øø8!j:¼»»ëúL=XP÷6²<tíuwww ±TííT£ÑÈ>ôz ° 2ômdyÐºOI¥º¹¹){¸Ñü;Qè+õ`AûnG=ÅgV½üÇ\¿TA=XPý6²<híhß}(«Ð½üg:& =¦,¨Y.7û¬Ë¨z ° 2ndy¸öWêéé©}µË¨z ° 2ndy¸Üì³Rí3$½§,¨Y¨ÇÇÇò5Ýì³ íc}F£ÑÓÓS¢Ð{ê)ÀÊ0¸åº¼¼,_Ósgîåå¥½ÓçêêQ¨z ° 2ndy ö÷÷Ë×¼¿¿O%9??/û¶ÙÉ @%ÔSp#ËCôüü\¾ãh4òßåz\|\|l/N¹»»K¡,¨Y¢ëëëòb^__ÇãqÙ·.N Fê)ÀÊ`¸å!:<<,ßñöö6!áøø¸ìXÓÐP)õ`Ae<ÜÈòà¼¾¾¶7¤¼¼¼$ÊµSü6ª¨z ° [OùõëWù ñcÝbÊééi¢Põ`A·ÒöËô(ßeéSLñ@½ÔSeX<ÐzJ3ÔßÙÙ)_ÐKÑ-¦)¦P5õ`A´r_¾Ýx<NPL``ÔSep<ÐzJ{³ÏÅÅEB,J1áQOññë)Ý}e!)z ° XOq³Ï²(¦0Tê)ÀF£Q'???'4gggå«¹Ùç'S0õ`Ae¨\|{{ÐPìîî¯æf)¦0lê)ÀÚóééiBðððP¾}¦Àà©§jÝÁÍ>?¤À6POÔ3hÖ´ãñ¸\|)7û,@1-¡,.ãæÕSË7ÚÙÙIoSL`{¨§ËÐy@õ»»»òâ{SØ*ê)Àâ2zP=åüü¼\|£ËËËøÅ¶Ëÿ÷ÿ[j0]IEND®B`

Poweshell is sending data to a remote host (1 event)

Data sent

GET /bruh.png HTTP/1.1 Host: 136.244.84.50:8022 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 25, 2023, 8:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	REG ADD "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d 0 /f
cmdline	REG ADD "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\test22\AppData\Local\Temp\bruh.png" /f
cmdline	REG ADD "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 10 /f

Communicates with host for which no DNS query was performed (1 event)

host

136.244.84.50

Attempts to modify desktop wallpaper (2 events)

registry	HKEY_CURRENT_USER\Control Panel\Desktop\WallpaperStyle
registry	HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send April 25, 2023, 8:05 a.m.	buffer: GET /bruh.png HTTP/1.1 Host: 136.244.84.50:8022 Connection: Keep-Alive socket: 1424 sent: 76	1	76	0

Creates a suspicious Powershell process (1 event)

value

Uses powershell to execute a file download from the command line

bruh.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All