Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 22, 2024, 11:16 a.m.	July 22, 2024, 11:19 a.m.

Size	534.9KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`0427dd4115ad876e9f188d808022d190`
SHA256	`9e926ae5240b086187838d49c47061a96fe29f517147079403fe9467f08271ab`
CRC32	`55DE142F`
ssdeep	`1536:kV2cOvVjOFf4ueS65Gb1Gby5m2i4upGbz5m/ZdXTU:6`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\arch.ps1
2564
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyClesk.vbs"
  2764
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\AnyClesk.ps1"
    2848
    - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\kdcxyvbi.cmdline"
      2936
      - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES22E5.tmp" "c:\Users\test22\AppData\Local\Temp\CSC22D5.tmp"
        2980

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 22, 2024, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2024, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2024, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2024, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 22, 2024, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 22, 2024, 11:16 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 22, 2024, 11:16 a.m.			0	0

Command line console output was observed (33 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: False console_handle: 0x00000013	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: Exception calling "Copy" with "4" argument(s): "Value cannot be null. console_handle: 0x00000027	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: Parameter name: destination" console_handle: 0x00000033	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: At line:27 char:50 console_handle: 0x0000003f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + [System.Runtime.InteropServices.Marshal]::"CO`pY" <<<< (${x`Rivf}, 0, ${p`iBb console_handle: 0x0000004b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: `Xu}, 6) console_handle: 0x00000057	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000063	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000006f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: Multiple ambiguous overloads found for "GetMethod" and the argument count: "2". console_handle: 0x00000023	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: At C:\Users\test22\AppData\Roaming\AnyClesk.ps1:75 char:1014 console_handle: 0x0000002f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + $wfThfgKjklZsexKDLIWmtBEOqBrKypHcOBrbWIQzNeJPYRMfNCpqJgRpFgYzaGerirKzxsJeLLYO console_handle: 0x0000003b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: ZVQPLwQrfwBujlgCXgMZrdTwLaYfyFZAuEFmhLRluTPcELfdmWEtEWIobBGBkmICAtAnrDFOfHmhTVj console_handle: 0x00000047	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: DDFAasxFRquTljZddBnEfoUOtVIizIpzqdxhVhveIFvlNuCIrlBzcNrNyMOENxjNnNWjwrkufRjMjdS console_handle: 0x00000053	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: TdxztGHTGSHSSlKrpQnLpwdoNfgMJOoxMJssmzAErDLSPiYsYHLghOhcPBRIPbWtRMLYyPDaWeIqnmi console_handle: 0x0000005f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: YgxwIokGXwcoAJFtSaXtwlFjYXhPqLDRIILnbJckiHGTGzuDMnrJYBcBTIcVfuZulIogeBWwQmxIjBt console_handle: 0x0000006b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: LWKCtauTliOmTwIuSzJsJSAfUlzJifIpGiERoVHjGpwVaBzQxwsKurFEZnKEyVttaOUHUsArAEWGJfJ console_handle: 0x00000077	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: DCQHLeQSwGOBMiFOkWQauARUkqrh = $ctTkPpbZvIDVyqQKlRHRWOMKYCujqquxGdLrLiYzJkXZhro console_handle: 0x00000083	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: kaZDktrmoLkCNGoDaQLvUaMJMVqTMZWBiIxNsosIvBbqTghFZwWFhVaejFjlSDwHOeeWmcIegfHvyWy console_handle: 0x0000008f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: fXDAmuPlnqWNOjcsjFZJDiUNScTvDOcAkMLJEXZtdKZndCartSXVcXTqojXluDDMzzhHPCJWiFsKKVm console_handle: 0x0000009b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: RCNKgkzVsRjgrqUANRlsgfVFgnFForARKsEdZsneGxTzaypxfsabujLiKslWXmBbcvThcXOhUIJqhQb console_handle: 0x000000a7	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: mTtHIdHdSzuLzczqFqQnryDRGamWwoAJpsDmJyDiRxwouQtIVUhhTAsLGQpcxOtXiXFDKJTiDVAKAIf console_handle: 0x000000b3	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: NSLpbKsNFjZsPjFaOPSYKWAbwbeRVqHWoiueAIUMZMHvemDtvgHlofCZgSpmWNqFfCXWmidVRfXVyDu console_handle: 0x000000bf	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: pEVtJYRfWTYqlMmOclKGgmdmKpAtjvBbszJXZMfecrEyHfXCmEVQITrYs.GetMethod <<<< ($dzYF console_handle: 0x000000cb	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: nxlIFTImgcgoeVpdBtGovBZZXSyKwVrHPmXCdKlmjciHgkfXpGRUsmXVHcnULBZqIdRCQlQkyxUcMFR console_handle: 0x000000d7	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: kFziInfxsLlgimdFyBlXsMucCDEMQUaYRSbYxlNTkSBUbfYzEoJyzPWuSlRiPNDfKRJIOOruQBbnLmF console_handle: 0x000000e3	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: QrtkRrIxCZkgvxJUAFUACMyenJarVrHLiIFcdIRZdHaLsNZMNaJTsOlQsmcugIMLBiDloLidpaTLcNT console_handle: 0x000000ef	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: YNkTlFCSOHAdgqKlGVTeqZVNTAEbUVmUdrPsjArKGZBSsDuxTvSXbYuDrTrEvfooDduXHyVkgdsKfeS console_handle: 0x000000fb	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: qiXBnwMcwLcFEFGcCEgfdaTZQXbIMcGAPcztawDDAcezqJvkOrMzEmxrAUfCfYuokjgmmpqoGtOAzoY console_handle: 0x00000107	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: fTZkQKkNEQdQLggFnbcRKbBEtBdJpkHyNxELkXIQTizGIdeMyvLGfpJqsgGqNvGBQTPIOQeSDDXNtTi console_handle: 0x00000113	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: CtRrtboTGkxnRGtWSWWix, [System.Reflection.BindingFlags]::Public -bor [System.Re console_handle: 0x0000011f	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: flection.BindingFlags]::Static) console_handle: 0x0000012b	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodException console_handle: 0x00000137	1	1
WriteConsoleW July 22, 2024, 11:16 a.m.	buffer: + FullyQualifiedErrorId : MethodCountCouldNotFindBest console_handle: 0x00000143	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 90 events)

Time & API	Arguments	Status	Return
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6170 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d69b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d65f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d61b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d66b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d6430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ee7a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ee7a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 22, 2024, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fa870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 22, 2024, 11:16 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 163 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02639000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2764 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73662000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72521000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0283a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72522000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02832000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02843000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02844000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0287b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02877000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0283b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02862000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02875000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02845000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02846000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0287c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02863000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02864000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02865000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02866000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02867000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02868000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02869000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 22, 2024, 11:16 a.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	c:\Users\test22\AppData\Local\Temp\kdcxyvbi.dll
file	c:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyClesk.vbs
file	c:\Users\test22\AppData\Roaming\AnyClesk.ps1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\AnyClesk.ps1"
cmdline	powershell.exe -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\AnyClesk.ps1"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\kdcxyvbi.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 22, 2024, 11:16 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\AnyClesk.ps1" filepath: powershell.exe	1	1	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Sangfor	Trojan.Win32-PS.Save.WScriptShell
Avast	Other:Malware-gen [Trj]
AVG	Other:Malware-gen [Trj]

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 22, 2024, 11:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\kdcxyvbi.cmdline"

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: d64778a1cff856670d3af63c2f785b149c48b55e
buffer	Buffer with sha1: 4fa446a189889074ae2a1200f8d4aac26d2ac1f7

Installs itself for autorun at Windows startup (1 event)

file	c:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyClesk.vbs

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\kdcxyvbi.cmdline

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyClesk.vbs

One or more non-whitelisted processes were created (5 events)

parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\kdcxyvbi.cmdline"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyClesk.vbs
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AnyClesk.vbs"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\AnyClesk.ps1"
parent_process	wscript.exe	martian_process	powershell.exe -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\AnyClesk.ps1"

Creates a suspicious Powershell process (2 events)

option	-executionpolicy bypass				value	Attempts to bypass execution policy
option	-executionpolicy bypass				value	Attempts to bypass execution policy

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

arch.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All