Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 18, 2023, 9:45 a.m.	April 18, 2023, 9:47 a.m.

Size	2.8MB
Type	ASCII text, with very long lines, with no line terminators
MD5	`5051d5610215e59183b9f6651d01d6d1`
SHA256	`1e80b0f71178f8e69f9575ba0ed5875b170977a763131e2c8cb224aa68034b2f`
CRC32	`B2D360A7`
ssdeep	`49152:7WdHTfkNvi7tAa6S6DnEQ7ltE/xX2OhwyDgtkAx8Y:b`
Yara	NPKI_Zero - File included NPKI

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\rt.php.ps1
3012

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 37623 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: Unexpected token 'function' in expression or statement. console_handle: 0x0000001b	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\rt.php.ps1:1 char:2969321 console_handle: 0x00000027	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: + $0i157d2foha94cj = "fvFjdmh1NWx2d29sIZjUJiN2MXhyd295YYvt7CCLhZs7jf5zYQJqc2h+N console_handle: 0x00000033	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: WxyPzsyNTZYREYxeSCeTQIBdS/dq1tIfEtrn6l861EOFMGaFI800xaE4V5x8iH3J/Q7v6OLUHNDHKSG console_handle: 0x0000003f	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: Vqkb5hI155ev7KE4jtBgHD7GwSK3W8Or438Z2l5Tp+MnQGFdvzRXdkMwPM8IDuBlVPxDiqHIvOnyP06 console_handle: 0x0000004b	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: XW7oN2MTjup21hRW6DJvR0In/rPb+F3B7yxjvFlVogtMLWJZpstPbMtTWU9WNm9ffpjHEiMXkLHVXIJ console_handle: 0x00000057	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: TegOOuyBmEIr+c2haN1CuOshiuOsY9CNCNtOv54MPZSgSD512CoyDr5RD8qNnYDpACvCm9gEuO34bjn console_handle: 0x00000063	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: XH3w7d3DlKWCaVgS5+my3cJgb0HL7U4wg0Oi8tfFNnI1dcWlvZT0f+mpooV+R/H+1GNZOtV0tiUy3hd console_handle: 0x0000006f	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: 6QnLNac9bRIuvRsKbvlECB33P7DQqrzbrlGvB0JpMkbe07sbcyP8JRvGQvWTxkKNSWiAlpluhOu4wFh console_handle: 0x0000007b	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: MuxF25RNvVbTp/0NnZdkF+SAUlcjO8GFYUXRmhSD+KI3OlnNUwkeK+AZa89kD+EKuetvfUYHoopGkbT console_handle: 0x00000087	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: njt/uctYpZHFVrq9dDR7jtQoLxCPRwDmzf+RsWxE5XHHAqGnWo7t73NhQaweKyylIyDYf2umyQqlhrX console_handle: 0x00000093	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: xqNNJPSRBTFR5COnd4kS1HUqYxPM9naqlf26JKPzx/x01TbdAMi/QCYY9VE+5RHPFQaH2N/GWD7XFIt console_handle: 0x0000009f	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: yT/v6Bceq79mxnr4LOebOdtDB+CgFEgM7HePBTcZtN/C0t8I//ubVEoJ7wxSy7gHNwIRcVhQwNCgGsZ console_handle: 0x000000ab	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: io83ndr+W44Sl4YcAgWdkT4W/PUeVAA2x5ubi1xH1lk/8Z5LrqhHaLUujvV4Q5pyL/XOvb3rwxS4AW1 console_handle: 0x000000b7	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: XlMmo4yNRM4f5SWh5Q3Qd+vk1Yw4yXkRSBFyxjcYCuF2cDUSlwygi53BwuoER1vZLHOK0expY7hcnlE console_handle: 0x000000c3	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: sdIjl50hv/Ou5SiFM0mszv/RMq+ovxBnR0nPAlmpfYm7HbjuFTPMMOs6TtLgDbJ1B76c5s3rO1JPnRR console_handle: 0x000000cf	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: 9ZTVqVGO1pbzrJ/lPtUNiCGDFwhx5eS+yApAQR/vZVKLvQIYZrpL6qgMb9rffnXTnLlgQGYJQH/8d7t console_handle: 0x000000db	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: vzX8PYCXI6YxhiUEGilNi3fkm8aGU3WlDr1fzTGUHouv3J910YfmKBn8Vu/6O0kdVTsrqMoDHvGCih/ console_handle: 0x000000e7	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: nyeIScb+KmZhA/iX/vd3Il2rY13JZN6VgNjmnG4ZNC7lCY1VHMWt0PS5M+KwROar3IYDOnLBBhP9Wdm console_handle: 0x000000f3	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: xkLwxTOtg/OMQQ9BF5tZfqHZ4M7Q3Pfg43q8BNi2fP6WU/gWTe2COY62mEP5yLuftdvKftv31v4daL6 console_handle: 0x000000ff	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: p3bM4A74+nfSLtqhM8AOqnPiff0X3mOgEeRhUZYg+u3HEaEQpySEMmi0LOWDHgSe5jRbvv6ZsXZAwWU console_handle: 0x0000010b	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: yTQ82HRJramSyEegjNYFyobfUSzQJPxf/cOuzFW8ouc0KvQePud6arykobWLLwwtuh/wkh72KiFAf0s console_handle: 0x00000117	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: F1wSu0pnBoIhX81PvnGiIgCY5VhLXz0pTspvgte51QSaywvjpjlg8QKiE2LojwyFgNiCoL6lkxCr0AQ console_handle: 0x00000123	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: nR7Nk+bgQTVeUN+S0FvVoinoD17rKH12Lje7l9mDRpKNJK6L7ry0ZhKjUxXnOsagi+z5TNdgiE7n+Yi console_handle: 0x0000012f	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: vPdCfJWBUEbODSiZbc0yHsh90io6QcMopQhctrb18sDqBry9bZ+tX44vRZYDM0uiBDpD/BjoSKYF+00 console_handle: 0x0000013b	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: ijxtTHJOIPqXuVDOSofCQsenSt5K7FqvEsyUqZzIJzSkEQJUxvfY+OuRP7m7Apnbj8tzLbYZRhh49yT console_handle: 0x00000147	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: gOb2KY/Dga+M6hm+O512HhdZZRlIf+7dv0RyGMsP/mWCEj3wf5hJE8/4s66Rs5i/1Rp3CXFKlpNbxXy console_handle: 0x00000153	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: V2hfxPo8ie8XHQoJ4QSBd2zcjTUfmAIwFA9zZhjvrfsJ/ocVooOQBWwyDvjb8X+jmy41qyeTUCpKueL console_handle: 0x0000015f	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: JUxmFA8HXfSeFY/0GaO7SvmZ16AFyKfgzEZpnTAAPiMDEKFUOpctYcH6nje2pjFgGpF4Yh/BIjQdWqv console_handle: 0x0000016b	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: wsCRORGtzoRSH8Zk/NZJ8vXigDEA38R2kdpN+9zIY2h+0Bvze3/pbrz04AN4jmvnojtJ2xjcSFjcvp8 console_handle: 0x00000177	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: of0FZY84YvrCjt0Ss1RFCBQxkMQlUIHKw/EUn6D4EdEhZYkyT1/QvbIzVXO+vuy9XpHJS3D0m5+Hmwx console_handle: 0x00000183	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: xaI9VWD+HaS1ADQWdnpYsqAW1B10mSqP6wJyaRli9jOMJDLcrJ1J4JwM1K51CxnPOHR/uwzlMuZdIS3 console_handle: 0x0000018f	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: UnfNKHavEntlLqtNFp92h1zwCWIKUQKHxafJ/4WiAo8LV7OCSGYOBmYIb6qSPUjlZTBYFYZuOFin5Py console_handle: 0x0000019b	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: 9aZ2AsyO+v9OhL9fpy8hMHnwl4TZjbenKPKZ7KWdVwhpfkpiAvSeE53XOxQdxBbYhc2AhYyH5tv5XjS console_handle: 0x000001a7	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: Fsr1szIoOGsO4Z4K5OGJ7VPoNPoQcGcfl6SBWlKNVMsk+XrGB8ihlYMwAlrnq0eGdq09LQ4mcQt1nUL console_handle: 0x000001b3	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: 1TAfsJnWZSKF1y6+atoKQb4UoQhw4YJ3NK10cS6WE3HMXaYGsuTc7i6bsTica7tX9PAWp3VvK+nzt22 console_handle: 0x000001bf	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: IjQIZj/iMUc32y9+rPS917b6ru2dST5bsct0IK9ItrnBI0s0GnAB4DTzY7q91n97gHI8Kg54L/l8Lbg console_handle: 0x000001cb	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: esEpVn4rRqHcRGytCpvRRXXIlNvbrsqO8NMRVmjh3TiU/D8MJO6AmlRO6xN4V7n5pclun36WhaeLpTj console_handle: 0x000001d7	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: yqkGENNPojmwIbaRDYIXCSkx6PHulsaFmoWKuJ5FWF/W4qqTm6pK+SWo1lgEbR2FLfbK0pYncFtSUh/ console_handle: 0x000001e3	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: fWEei9dDqequ720JEE2gmaTPOwvUQJSQxBwLYDDc0ByuWA3hytzjjGWGl8rGoyw0tIPOENNeIXQE5yX console_handle: 0x000001ef	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: oStk17d8jUoYToaUc4IewvaHImfmvOI3/cx+ZOHlz1h+ufCvM82O4xLkFVyLSZ8gKENnLBV72y+UeuJ console_handle: 0x000001fb	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: JJ1LOXEh2s5Fz7gTDW0oGRk8x4TIdkdMBtgP4zR8GLGrNNDjLNIwZDbSqECx/GRO7ZiOEhmGMdrNrIg console_handle: 0x00000207	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: fuxvsaOkzLWJl/EeJKAi0peMuA/SvchUHRzukSmNeqr7N5pN3qXYHzSrcB942DdT+JCvr3nsBojcs8p console_handle: 0x00000213	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: rvCmE5LKmr9UmgUz8uqYavOnt1lef98mmTUpFvPK2WTMJoxdlCsjhvjY/icLJjOCTwtSE0457Jppho5 console_handle: 0x0000021f	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: TEGT3O3axgb991MDa1/1g6dHxosvBSeKfOKVZIOKrJZWfDc6MiKZB7r+pvwDiCvI8ES+s8I+rLiXvkZ console_handle: 0x0000022b	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: Ixivh9mkNQvpZ8xyg+e5F/Sli4BPhOWqP6ls7YqrgJQYh1KiIp/hD1mOUqV1ct5c/0prKQmPfZ6DNjz console_handle: 0x00000237	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: FGeZV01+TaGlGFjzqXHC/OyNRBE2cGjxD9gFPlJc2S45Hfxi774Rfm0l8QF/LlJRPupxHLhGJ/IC6AN console_handle: 0x00000243	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: toA2M8EH9KHTaE2BCCZ22j4OYBnH8eo+ZUm1ZeeqU7xCmSeQck4FWb9Xe3bKVac/2EsRP7I9yZPEzOf console_handle: 0x0000024f	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: oRFyUC98BE7BwCoCTvN4OH79UFOMIMBVMdG2e2EjmqaB3sFDjRHtKZNQdSJ1W1yYNoorzEMqPWSnH0F console_handle: 0x0000025b	1	1
WriteConsoleW April 18, 2023, 9:45 a.m.	buffer: C7Uw0R6gUU4CaJ67DNwg7nqFZgxeqgSHskrnLruGRyRYLYZObDeKZTjRYlKesucyMsPj4gy0jRU+yAv console_handle: 0x00000267	1	1

Uses Windows APIs to generate a cryptographic key (4 events)

Time & API	Arguments	Status	Return
CryptExportKey April 18, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005067a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005067a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048f250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0048f250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 18, 2023, 9:45 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 9:45 a.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

rt.php.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All