Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 31, 2023, 9:29 a.m.	Oct. 31, 2023, 9:31 a.m.

Size	1.9KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`e2de940fab2b14c512499006bbe5cd0a`
SHA256	`9465750d2ddfcbfc68cd92da0bbad34a36a1eeac8c82a1c8ed086465b6c0cccf`
CRC32	`05126E17`
ssdeep	`48:zZ+onhYxPxRrlb3XAw0JThCipAg6n0vfv1UnNzkrTPJ3:zZ+Ec5RNCF`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\hash.ps1
2560

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 526 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: Get-Content : A parameter cannot be found that matches parameter name 'Raw'. console_handle: 0x00000023	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hash.ps1:18 char:59 console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + $Jxxxe = (Get-Content -Path "C:\Users\Public\msg.txt" -Raw <<<< ) -replace "% console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: ","0" -replace "!","1" -replace "@","A" console_handle: 0x00000047	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Get-Content], ParameterBin console_handle: 0x00000053	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: dingException console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Comm console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: ands.GetContentCommand console_handle: 0x00000077	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: Get-Content : A parameter cannot be found that matches parameter name 'Raw'. console_handle: 0x00000097	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hash.ps1:21 char:62 console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + $geGWHZ = (Get-Content -Path "C:\Users\Public\runpe.txt" -Raw <<<< ) -replace console_handle: 0x000000af	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: "%","0" -replace "!","1" -replace "@","A" console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + CategoryInfo : InvalidArgument: (:) [Get-Content], ParameterBin console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: dingException console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Comm console_handle: 0x000000df	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: ands.GetContentCommand console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: Method invocation failed because [System.Collections.Generic.List`1[[System.Byt console_handle: 0x0000010b	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: e, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089] console_handle: 0x00000117	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: ]] doesn't contain a method named 'new'. console_handle: 0x00000123	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hash.ps1:2 char:55 console_handle: 0x0000012f	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + $JS = [System.Collections.Generic.List[Byte]]::new <<<< () console_handle: 0x0000013b	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x00000147	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: ion console_handle: 0x00000153	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x0000015f	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hash.ps1:4 char:16 console_handle: 0x0000001b	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + $JS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x00000033	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000043	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: ion console_handle: 0x0000004f	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000005b	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000007b	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hash.ps1:4 char:16 console_handle: 0x00000087	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + $JS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x00000093	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x0000009f	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: ion console_handle: 0x000000ab	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000b7	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000d7	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hash.ps1:4 char:16 console_handle: 0x000000e3	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + $JS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x000000ef	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x000000fb	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: ion console_handle: 0x00000107	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000113	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000133	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hash.ps1:4 char:16 console_handle: 0x0000013f	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + $JS.Add <<<< ([Convert]::ToByte($Jxxxe.Substring($i, 8), 2)) console_handle: 0x0000014b	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + CategoryInfo : InvalidOperation: (Add:String) [], RuntimeExcept console_handle: 0x00000157	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: ion console_handle: 0x00000167	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000173	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000193	1	1
WriteConsoleW Oct. 31, 2023, 9:29 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\hash.ps1:4 char:16 console_handle: 0x0000019f	1	1

Uses Windows APIs to generate a cryptographic key (10 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 31, 2023, 9:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0502c3d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 31, 2023, 9:29 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (22 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06360000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06401000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06403000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06404000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06405000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05561000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0640a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0641b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0641c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 31, 2023, 9:29 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

ALYac	Trojan.PowerShell.Agent
ESET-NOD32	PowerShell/Agent.BET
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
Ikarus	Win32.Outbreak
Google	Detected
Xcitium	Malware@#gjmwe060moew
ZoneAlarm	HEUR:Trojan.PowerShell.Kryptik.gen
AVG	Script:SNH-gen [Trj]

hash.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All