Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 22, 2024, 11:16 a.m.	July 22, 2024, 11:26 a.m.

Size	175.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`36b6376a1763c4751be6f698b6bf2ce9`
SHA256	`9ef5b8d0b70e6d0f8cc59fbf81950825c77bee1703d0cf33a708a8ba14a10e2e`
CRC32	`5AB303B1`
ssdeep	`1536:kW212KdV0/OPcgz3Xa06RqNqGMC9SoXxuke8DMcbYp2Q29KKURg69Y9jZG/NQH0L:kCqNqymB`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\AnyClesk.ps1
2540
- csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\pzy8xxob.cmdline"
  2700
  - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESF86A.tmp" "c:\Users\test22\AppData\Local\Temp\CSCF85A.tmp"
    2744

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (33 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: False console_handle: 0x00000013	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: Exception calling "Copy" with "4" argument(s): "Value cannot be null. console_handle: 0x00000027	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: Parameter name: destination" console_handle: 0x00000033	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: At line:27 char:50 console_handle: 0x0000003f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + [System.Runtime.InteropServices.Marshal]::"CO`pY" <<<< (${x`Rivf}, 0, ${p`iBb console_handle: 0x0000004b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: `Xu}, 6) console_handle: 0x00000057	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000063	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000006f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: Multiple ambiguous overloads found for "GetMethod" and the argument count: "2". console_handle: 0x00000023	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\AnyClesk.ps1:75 char:1014 console_handle: 0x0000002f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + $wfThfgKjklZsexKDLIWmtBEOqBrKypHcOBrbWIQzNeJPYRMfNCpqJgRpFgYzaGerirKzxsJeLLYO console_handle: 0x0000003b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: ZVQPLwQrfwBujlgCXgMZrdTwLaYfyFZAuEFmhLRluTPcELfdmWEtEWIobBGBkmICAtAnrDFOfHmhTVj console_handle: 0x00000047	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: DDFAasxFRquTljZddBnEfoUOtVIizIpzqdxhVhveIFvlNuCIrlBzcNrNyMOENxjNnNWjwrkufRjMjdS console_handle: 0x00000053	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: TdxztGHTGSHSSlKrpQnLpwdoNfgMJOoxMJssmzAErDLSPiYsYHLghOhcPBRIPbWtRMLYyPDaWeIqnmi console_handle: 0x0000005f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: YgxwIokGXwcoAJFtSaXtwlFjYXhPqLDRIILnbJckiHGTGzuDMnrJYBcBTIcVfuZulIogeBWwQmxIjBt console_handle: 0x0000006b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: LWKCtauTliOmTwIuSzJsJSAfUlzJifIpGiERoVHjGpwVaBzQxwsKurFEZnKEyVttaOUHUsArAEWGJfJ console_handle: 0x00000077	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: DCQHLeQSwGOBMiFOkWQauARUkqrh = $ctTkPpbZvIDVyqQKlRHRWOMKYCujqquxGdLrLiYzJkXZhro console_handle: 0x00000083	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: kaZDktrmoLkCNGoDaQLvUaMJMVqTMZWBiIxNsosIvBbqTghFZwWFhVaejFjlSDwHOeeWmcIegfHvyWy console_handle: 0x0000008f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: fXDAmuPlnqWNOjcsjFZJDiUNScTvDOcAkMLJEXZtdKZndCartSXVcXTqojXluDDMzzhHPCJWiFsKKVm console_handle: 0x0000009b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: RCNKgkzVsRjgrqUANRlsgfVFgnFForARKsEdZsneGxTzaypxfsabujLiKslWXmBbcvThcXOhUIJqhQb console_handle: 0x000000a7	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: mTtHIdHdSzuLzczqFqQnryDRGamWwoAJpsDmJyDiRxwouQtIVUhhTAsLGQpcxOtXiXFDKJTiDVAKAIf console_handle: 0x000000b3	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: NSLpbKsNFjZsPjFaOPSYKWAbwbeRVqHWoiueAIUMZMHvemDtvgHlofCZgSpmWNqFfCXWmidVRfXVyDu console_handle: 0x000000bf	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: pEVtJYRfWTYqlMmOclKGgmdmKpAtjvBbszJXZMfecrEyHfXCmEVQITrYs.GetMethod <<<< ($dzYF console_handle: 0x000000cb	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: nxlIFTImgcgoeVpdBtGovBZZXSyKwVrHPmXCdKlmjciHgkfXpGRUsmXVHcnULBZqIdRCQlQkyxUcMFR console_handle: 0x000000d7	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: kFziInfxsLlgimdFyBlXsMucCDEMQUaYRSbYxlNTkSBUbfYzEoJyzPWuSlRiPNDfKRJIOOruQBbnLmF console_handle: 0x000000e3	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: QrtkRrIxCZkgvxJUAFUACMyenJarVrHLiIFcdIRZdHaLsNZMNaJTsOlQsmcugIMLBiDloLidpaTLcNT console_handle: 0x000000ef	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: YNkTlFCSOHAdgqKlGVTeqZVNTAEbUVmUdrPsjArKGZBSsDuxTvSXbYuDrTrEvfooDduXHyVkgdsKfeS console_handle: 0x000000fb	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: qiXBnwMcwLcFEFGcCEgfdaTZQXbIMcGAPcztawDDAcezqJvkOrMzEmxrAUfCfYuokjgmmpqoGtOAzoY console_handle: 0x00000107	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: fTZkQKkNEQdQLggFnbcRKbBEtBdJpkHyNxELkXIQTizGIdeMyvLGfpJqsgGqNvGBQTPIOQeSDDXNtTi console_handle: 0x00000113	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: CtRrtboTGkxnRGtWSWWix, [System.Reflection.BindingFlags]::Public -bor [System.Re console_handle: 0x0000011f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: flection.BindingFlags]::Static) console_handle: 0x0000012b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodException console_handle: 0x00000137	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + FullyQualifiedErrorId : MethodCountCouldNotFindBest console_handle: 0x00000143	1	1

Uses Windows APIs to generate a cryptographic key (50 events)

Time & API	Arguments	Status	Return
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b1c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b1c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b1c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b1c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b1c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b1c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029eb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029eb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002af710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ac7c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002addf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029eb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029eb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029eb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029eb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0029eb28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1428 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2024, 11:16 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (31 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05478000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02932000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 5 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000 process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x073e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07511000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07513000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a69000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07514000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2700 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0

Creates executable files on the filesystem (1 event)

file	c:\Users\test22\AppData\Local\Temp\pzy8xxob.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\pzy8xxob.dll

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\pzy8xxob.cmdline"

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: d64778a1cff856670d3af63c2f785b149c48b55e
buffer	Buffer with sha1: 4fa446a189889074ae2a1200f8d4aac26d2ac1f7

Deletes executed files from disk (2 events)

file	c:\Users\test22\AppData\Local\Temp\CSCF85A.tmp
file	C:\Users\test22\AppData\Local\Temp\RESF86A.tmp

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

MicroWorld-eScan	Heur.BZC.PZQ.Pantera.140.F85FF0C4
VIPRE	Heur.BZC.PZQ.Pantera.140.F85FF0C4
Avast	Script:SNH-gen [Drp]
BitDefender	Heur.BZC.PZQ.Pantera.140.F85FF0C4
Rising	Trojan.Injector/PS!1.D2AD (CLASSIC)
Emsisoft	Heur.BZC.PZQ.Pantera.140.F85FF0C4 (B)
FireEye	Heur.BZC.PZQ.Pantera.140.F85FF0C4
Arcabit	Heur.BZC.PZQ.Pantera.140.F85FF0C4
GData	Heur.BZC.PZQ.Pantera.140.F85FF0C4
MAX	malware (ai score=84)
AVG	Script:SNH-gen [Drp]

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\pzy8xxob.cmdline"

AnyClesk.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All