Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 27, 2023, 7:36 a.m.	June 27, 2023, 7:38 a.m.

Size	3.0MB
Type	ASCII text, with very long lines, with no line terminators
MD5	`45d5e30ed69d3ef0e2a5d558afee3c6b`
SHA256	`daab8414c732f29a4909fb72d61d2e92fc6b958c91dc270b040ca700a25d68a7`
CRC32	`C056A881`
ssdeep	`49152:VY1wOeTfeinwRg0Yd0YtWdR2++BqkPiblNmBZOqsHtL3rdyW6JKHINYMpnkq/3+W:3`
Yara	Win_Trojan_Formbook_Zero - Used Formbook hide_executable_file - Hide executable file

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\LATH.ps1
1268

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 39232 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: GAC Version Location console_handle: 0x0000001b	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: False v4.0.30319 console_handle: 0x00000023	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: Exception calling "Main" with "0" argument(s): "The type initializer for 'QJAMs console_handle: 0x0000001b	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: rpfhk.HH' threw an exception." console_handle: 0x00000027	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\LATH.ps1:1 char:3098726 console_handle: 0x00000033	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: + $me='TVqQAAMAAAAEAAAA/ /8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA console_handle: 0x0000003f	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG console_handle: 0x0000004b	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: 1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAOUnh2QAAAAAAAAAAOAAAiELAQsAAG4jAAAGAAAAAAAALo0jA console_handle: 0x00000057	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAgAAAAoCMAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADgIwAAAgAAAAAAAAMAQIUAABAAABAA console_handle: 0x00000063	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOCMIwBLAAAAAKAjALACAAAAAAAAAAAAAAAAAAAAAAAAAMA console_handle: 0x0000006f	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: jAAwAAACoiyMAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACA console_handle: 0x0000007b	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAANG0jAAAgAAAAbiMAAAIAAAAAAAAAAAAAA console_handle: 0x00000087	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAAACAAAGAucnNyYwAAALACAAAAoCMAAAQAAABwIwAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAA console_handle: 0x00000093	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AMAjAAACAAAAdCMAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAQjSMAAAAAAEgAAAACAAU console_handle: 0x0000009f	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AuCQAAPBmIwADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA console_handle: 0x000000ab	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAAAAAABMwBgA/AAAAAQAAEQB+BwAABCgFAAAGCnIBAABwKAUAAAoABigGAAAKchkAAHBvBwAACnKJA console_handle: 0x000000b7	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: ABwIAABAAAUFH4KAAAEbwgAAAomKvZywQAAcIAFAAAEch6lIXCABgAABH4FAAAEctNXI3AoCAAABoAH console_handle: 0x000000c3	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAAEfgYAAARy01cjcCgIAAAGgAgAAAQqAAAAEzADADUAAAACAAARfggAAAQoBQAABoAJAAAEGY0BAAA console_handle: 0x000000cf	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: BCgYWcjVYI3CiBhd+CQAACqIGGH4JAAAEogaACgAABCoeAigKAAAKKgAAABMwAQAMAAAAAQAAEQACKA console_handle: 0x000000db	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: sAAAoKKwAGKh4CKAoAAAoqGzAEADcBAAADAAARACgJAAAGCigJAAAGCygMAAAKAm8NAAAKDAMGIOgDA console_handle: 0x000000e7	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: ABzDgAACg0ACR8gbw8AAAoTBHMQAAAKEwUAEQUgAAEAAG8RAAAKABEFF28SAAAKABEFGG8TAAAKABEF console_handle: 0x000000f3	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: EQQHbxQAAAoTBgBzFQAAChMHABEHEQYXcxYAAAoTCAARCAgWCI5pbxcAAAoAEQhvGAAACgAGEwkRCQc console_handle: 0x000000ff	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: oAQAAKygCAAArEwkRCREHbxsAAAooAQAAKygCAAArEwkRB28cAAAKABEIbxwAAAoAEQkoHQAAChMK3m console_handle: 0x0000010b	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: IRCBT+ARMLEQstCBEIbx4AAAoA3BEHFP4BEwsRCy0IEQdvHgAACgDcEQYU/gETCxELLQgRBm8eAAAKA console_handle: 0x00000117	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: NwRBRT+ARMLEQstCBEFbx4AAAoA3AkU/gETCxELLQcJbx4AAAoA3AARCioAAUAAAAIAeQBY0QAUAAAA console_handle: 0x00000123	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAIAbAB55QAUAAAAAAIAZACV+QAUAAAAAAIAOADVDQEUAAAAAAIAJgD7IQESAAAAABswBABNAQAABAA console_handle: 0x0000012f	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AEQACKAsAAAoKBh8gKAMAACsoAgAAKwsGHyAoBAAAKx8gKAMAACsoAgAAKwwGH0AoBAAAKwaOaR9AWS console_handle: 0x0000013b	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: gDAAArKAIAACsNAwcg6AMAAHMOAAAKEwQAEQQfIG8PAAAKEwVzEAAAChMGABEGIAABAABvEQAACgARB console_handle: 0x00000147	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: hdvEgAACgARBhhvEwAACgARBhEFCG8hAAAKEwcACXMiAAAKEwgAEQgRBxZzFgAAChMJAAmOaY0dAAAB console_handle: 0x00000153	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: EwoRCREKFhEKjmlvIwAAChMLEQhvHAAACgARCW8cAAAKACgMAAAKEQoWEQtvJAAAChMM3mQRCRT+ARM console_handle: 0x0000015f	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: NEQ0tCBEJbx4AAAoA3BEIFP4BEw0RDS0IEQhvHgAACgDcEQcU/gETDRENLQgRB28eAAAKANwRBhT+AR console_handle: 0x0000016b	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: MNEQ0tCBEGbx4AAAoA3BEEFP4BEw0RDS0IEQRvHgAACgDcABEMKgAAAAFAAAACAKcAPuUAFAAAAAACA console_handle: 0x00000177	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: JoAX/kAFAAAAAACAJEAfA0BFAAAAAACAGUAvCEBFAAAAAACAFIA4zUBFAAAAAAbMAIAMgAAAAUAABEA console_handle: 0x00000183	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: HyCNHQAAAQpzJQAACgsABwZvJgAACgAA3hAHFP4BDQktBwdvHgAACgDcAAYMKwAIKgAAARAAAAIADwA console_handle: 0x0000018f	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: MGwAQAAAAAEJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAALQDAAAjfgAAIAQAADgIAA console_handle: 0x0000019b	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AjU3RyaW5ncwAAAABYDAAAqFgjACNVUwAAZSMAEAAAACNHVUlEAAAAEGUjAOABAAAjQmxvYgAAAAAAA console_handle: 0x000001a7	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AACAAABVx0CAAkIAAAA+iUzABYAAAEAAAAfAAAABQAAAAwAAAAJAAAABQAAACYAAAAGAAAABAAAAAUA console_handle: 0x000001b3	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAABAAAAAgAAAAQAAAAAAAoAAQAAAAAABgDWAM8ABgD2BOMECwAKBQAABgA5BRkFBgBZBRkFBgCCBc8 console_handle: 0x000001bf	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: ABgCVBc8ABgC5BacFBgDHBc8ABgDUBacFBgDhBacFBgD8Bc8ABgAJBs8ABgAuBiIGBgBmBkkGBgB5Bk console_handle: 0x000001cb	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: kGBgCFBkkGBgCVBkkGBgC2BkkGBgDKBkkGBgDiBkkGBgANBwMHBgAaB0kGBgAnBwMHBgAuB0kGCgBtB console_handle: 0x000001d7	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: 2EHBgCTB3gHBgDFB88ABgDzB88ABgAHCEkGBgAgCEkGAAAAAAEAAAAAAAEAAQCBARAAGQAcAAUAAQAB console_handle: 0x000001e3	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAEAEAAnAC0ABQAJAAMAAQAQADkAQQAFAAsABQCBARAATACJAAUACwAHAFaA3QAKAFaAGgEKAFaAVwE console_handle: 0x000001ef	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: KAFaAlAEKABYA0QEKABYADgIKABYASwIKABYAiAIKABYAygJ1ABYAzgJ5AFGA8gKHAFGALwOHAFAgAA console_handle: 0x000001fb	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AAAJYAxQJxAAEAmyAAAAAAkRj1BXEAAQAdIQAAAACGGNYCfQABANwgAAAAAJEY9QVxAAEAKCEAAAAAl console_handle: 0x00000207	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: gDcAoEAAQBAIQAAAACGGNYCfQACAEghAAAAAJYAbAOUAAIAzCIAAAAAlgCpA5QABABoJAAAAACRAOYD console_handle: 0x00000213	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: mgAGAAAAAQAjBAAAAQAsBAAAAgBpBAAAAQCmBAAAAgBpBBEA1gKfACEA1gKlACkA1gJ9ADEA1gJ9ADk console_handle: 0x0000021f	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AnQWvAEEAwgW0AEEAzAW7AEkA6AXBAGEAAwYKAAkA1gJ9AGkAEQaBAHEANwbXAHEAQAbcAHkA1gLiAI console_handle: 0x0000022b	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: EAQAbqAIkA1gJ9AJEAqAalAJEAwQbwAJEA1gb2AJEA8wb8ALEA1gJ9ALkA1gIFAcEAPwcPAbkARQd9A console_handle: 0x00000237	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: NEAoQcXAdEAqAcxAbEAqAc+AcEAsAd9AGkAtgdDAeEA0Qd9ANEA2QdiAdEA3gdiAZEA4wf8ALEA1gJz console_handle: 0x00000243	1	1
WriteConsoleW June 27, 2023, 7:36 a.m.	buffer: AcEA+Ad5AXEA/QeBAfEA1gJ9APkAQAZzAQ4ABAANAA4ACAAmAA4ADAA/AA4AEABYAAgALACKAAgAMAC console_handle: 0x0000024f	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey June 27, 2023, 7:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e98948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2023, 7:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e98948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2023, 7:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e98948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2023, 7:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e98948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2023, 7:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e98948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 27, 2023, 7:36 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x04e98948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 27, 2023, 7:36 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (17 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02922000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02923000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02951000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02952000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02953000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02954000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05341000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02924000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 27, 2023, 7:36 a.m.	process_identifier: 1268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02925000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

ESET-NOD32

a variant of MSIL/Kryptik.AGQQ

LATH.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All