Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 1, 2021, 9:11 a.m.	Aug. 1, 2021, 9:13 a.m.

Size	44.2KB
Type	ASCII text
MD5	`9f63005e964ad4c6663d2052dee07826`
SHA256	`d4b1c1f948dac9c782f87d22379bde504901fe53701183de12fbd81fff5c1eba`
CRC32	`5B061C39`
ssdeep	`384:PYHMaCbMj0YQMTz5XiMVc35AMugM7Me3MbMoo8s:gWYXVc3TM`
Yara	Antivirus - Contains references to security software

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\link.jpg.ps1
660
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\Chrome.vbs"
  1784
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1
    1808
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\vb.vbs"
      264
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\test.ps1
        2220
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\alosh.ps1
        2408
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\LocalLow\Microsoft\Google\OneDrive.vbs"
  672
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\windows.ps1
    1716

Name	Response	Post-Analysis Lookup
bit.ly	A 67.199.248.11 A 67.199.248.10	67.199.248.10

IP Address	Status	Action
164.124.101.2	Active	Moloch
67.199.248.10	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49172 -> 67.199.248.10:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 67.199.248.10:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (23 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2021, 9:11 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 1, 2021, 9:11 a.m.			0	0
IsDebuggerPresent Aug. 1, 2021, 9:11 a.m.			0	0
IsDebuggerPresent Aug. 1, 2021, 9:11 a.m.			0	0
IsDebuggerPresent Aug. 1, 2021, 9:11 a.m.			0	0

Command line console output was observed (50 out of 294 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x0000001b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: d---- 2021-08-01 오전 9:11 Google console_handle: 0x00000023	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: Remove-Item : Cannot find path 'C:\Users\Public\OneDrive.vbs' because it does n console_handle: 0x00000023	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: ot exist. console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\link.jpg.ps1:248 char:14 console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: + Remove-Item <<<< -Path C:\Users\Public\OneDrive.vbs -Force console_handle: 0x00000047	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\Public\OneDrive.vbs:St console_handle: 0x00000053	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: ring) [Remove-Item], ItemNotFoundException console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.Remov console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: eItemCommand console_handle: 0x00000077	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: Directory: C:\Users\Public console_handle: 0x00000097	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x000000a3	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: -a--- 2021-08-01 오전 9:11 0 alosh.ps1 console_handle: 0x000000ab	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: Windows Registry Editor Version 5.00 console_handle: 0x00000013	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maint console_handle: 0x00000017	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: enance\Checks] console_handle: 0x00000017	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maint console_handle: 0x0000000f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: enance\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100] console_handle: 0x0000000f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: "CheckSetting"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb, console_handle: 0x00000017	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 01,00,00,00,c5,b3,6a,e4,0c,03,21,45,ac,98,0c,b7,4e,27,27,e1,00,00,00,00,02,\ console_handle: 0x0000001b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 00,00,00,00,00,10,66,00,00,00,01,00,00,20,00,00,00,72,95,d4,76,21,15,a1,34,\ console_handle: 0x0000001f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: a9,81,1e,14,d6,bd,b3,91,0b,23,5c,74,61,4a,e3,08,58,8a,0d,46,c5,57,0d,b4,00,\ console_handle: 0x00000023	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 00,00,00,0e,80,00,00,00,02,00,00,20,00,00,00,23,8f,17,7c,83,ae,0c,12,38,b9,\ console_handle: 0x00000027	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 93,b7,cf,05,50,6d,3e,e1,2b,ef,50,06,5c,85,61,04,6e,56,32,43,f0,72,30,00,00,\ console_handle: 0x0000002b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 00,71,47,f8,00,73,33,f6,8f,5a,e6,09,3d,96,1a,c9,f5,52,ae,c3,db,52,45,f4,ed,\ console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 34,b3,2e,a4,30,00,ae,d3,b3,8f,f2,9d,c5,59,ac,b1,18,76,e1,e8,79,5b,bf,32,40,\ console_handle: 0x00000033	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 00,00,00,10,3f,ef,37,f4,d9,cb,74,f6,17,ab,cb,21,4f,31,99,d2,c9,14,be,cb,ce,\ console_handle: 0x00000037	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 19,75,40,8e,0f,bb,fd,1f,af,29,e9,e5,92,40,35,30,ac,01,11,f8,f2,06,9d,af,30,\ console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: bd,7f,42,c3,d6,15,f3,d6,a2,65,17,e9,1f,2a,15,1e,ad console_handle: 0x0000003f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maint console_handle: 0x00000043	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: enance\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.101] console_handle: 0x00000043	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maint console_handle: 0x00000047	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: enance\Checks\{088E8DFB-2464-4C21-BAD2-F0AA6DB5D4BC}.check.0] console_handle: 0x00000047	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: "CheckSetting"=hex:23,00,41,00,43,00,42,00,6c,00,6f,00,62,00,00,00,00,00,00,00, console_handle: 0x0000004b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 01,00,00,00,80,00,00,00,61,70,70,6c,26,ca,50,b3,15,dc,d0,01,01,00,00,00,7b,\ console_handle: 0x0000004f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 00,30,00,38,00,38,00,45,00,38,00,44,00,46,00,42,00,2d,00,32,00,34,00,36,00,\ console_handle: 0x00000053	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 34,00,2d,00,34,00,43,00,32,00,31,00,2d,00,42,00,41,00,44,00,32,00,2d,00,46,\ console_handle: 0x00000057	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 00,30,00,41,00,41,00,36,00,44,00,42,00,35,00,44,00,34,00,42,00,43,00,7d,00,\ console_handle: 0x0000005b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 2e,00,6e,00,6f,00,74,00,69,00,66,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,\ console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 00,2e,00,31,00,00,00,73,68,3a,6e,61,6d,65,3e,40,73,68 console_handle: 0x00000063	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maint console_handle: 0x00000067	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: enance\Checks\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78}.check.101] console_handle: 0x00000067	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Security and Maint console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: enance\Checks\{134EA407-755D-4A93-B8A6-F290CD155023}.check.8001] console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: "CheckSetting"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb, console_handle: 0x0000006f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 01,00,00,00,c5,b3,6a,e4,0c,03,21,45,ac,98,0c,b7,4e,27,27,e1,00,00,00,00,02,\ console_handle: 0x00000073	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 00,00,00,00,00,10,66,00,00,00,01,00,00,20,00,00,00,20,c1,9f,91,55,f3,43,a3,\ console_handle: 0x00000077	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 4e,1b,3b,9a,91,ec,fa,19,17,cb,45,43,f9,15,4b,ce,6a,c6,aa,b4,63,63,5f,36,00,\ console_handle: 0x0000007b	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 00,00,00,0e,80,00,00,00,02,00,00,20,00,00,00,84,22,14,42,cb,c8,72,1f,61,57,\ console_handle: 0x0000007f	1	1
WriteConsoleW Aug. 1, 2021, 9:11 a.m.	buffer: 06,0c,34,d9,7e,b9,89,19,34,ab,b6,b9,ee,86,0e,5c,a1,6c,ae,14,08,48,30,00,00,\ console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 159 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00371ea0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00665c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006666d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2021, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00666798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 1, 2021, 9:11 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 478 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02389000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05171000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0238d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05186000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05df9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05172000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05173000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dfd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dfe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05e41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06600000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0675a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0676b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0676c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0676d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05dff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0238e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 1808 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2021, 9:11 a.m.	process_identifier: 1808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Users\Public\test.ps1
file	C:\Users\Public\OneDrive.vbs
file	C:\Users\Public\alosh.ps1
file	C:\Users\Public\Chrome.vbs
file	C:\Users\Public\run.ps1
file	C:\Users\Public\vb.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (8 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\test.ps1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\alosh.ps1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\windows.ps1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1
cmdline	powershell.exe -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\alosh.ps1
cmdline	powershell.exe -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\windows.ps1
cmdline	powershell.exe -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1
cmdline	powershell.exe -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\test.ps1

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 1, 2021, 9:11 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1 filepath: powershell.exe	1	1
ShellExecuteExW Aug. 1, 2021, 9:11 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\test.ps1 filepath: powershell.exe	1	1
ShellExecuteExW Aug. 1, 2021, 9:11 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\alosh.ps1 filepath: powershell.exe	1	1
ShellExecuteExW Aug. 1, 2021, 9:11 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\windows.ps1 filepath: powershell.exe	1	1

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Symantec	ISB.Downloader!gen281
DrWeb	Trojan.MulDrop18.8207
Qihoo-360	virus.powershell.qexvmc.1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 1, 2021, 9:11 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (2 events)

Data sent	ieaæ¸¦bäLB6¤àÿ*B?îHý}u5I!Ç/5 ÀÀÀ À 28$ÿ bit.ly
Data sent	ieaæ¸pÜrrèÕÝJM&¦úð=TâîWKÉ%Ñ/5 ÀÀÀ À 28$ÿ bit.ly

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 1, 2021, 9:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 1, 2021, 9:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 1, 2021, 9:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 1, 2021, 9:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Attempts to identify installed AV products by installation directory (4 events)

file	C:\Program Files\Avast Software\Avast\AvastUI.exe
file	C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
file	C:\Program Files\AVG\Antivirus\AVGUI.exe
file	C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe

Deletes executed files from disk (1 event)

file	C:\Users\Public\windows.ps1

Drops a binary and executes it (2 events)

file	C:\Users\Public\Chrome.vbs
file	C:\Users\Public\vb.vbs

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send Aug. 1, 2021, 9:11 a.m.	buffer: ieaæ¸¦bäLB6¤àÿ*B?îHý}u5I!Ç/5 ÀÀÀ À 28$ÿ bit.ly socket: 1452 sent: 110	1	110	0
send Aug. 1, 2021, 9:11 a.m.	buffer: ieaæ¸pÜrrèÕÝJM&¦úð=TâîWKÉ%Ñ/5 ÀÀÀ À 28$ÿ bit.ly socket: 1452 sent: 110	1	110	0

One or more non-whitelisted processes were created (15 events)

parent_process	wscript.exe	martian_process	powershell.exe -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\windows.ps1
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\windows.ps1
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\Public\vb.vbs"
parent_process	powershell.exe	martian_process	C:\Users\Public\vb.vbs
parent_process	wscript.exe	martian_process	powershell.exe -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\run.ps1
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\LocalLow\Microsoft\Google\OneDrive.vbs
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\LocalLow\Microsoft\Google\OneDrive.vbs"
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\LocalLtow\Microsoft\Google\OneDrive.vbs
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\Public\Chrome.vbs"
parent_process	powershell.exe	martian_process	C:\Users\Public\Chrome.vbs
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\test.ps1
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\alosh.ps1
parent_process	wscript.exe	martian_process	powershell.exe -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\alosh.ps1
parent_process	wscript.exe	martian_process	powershell.exe -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\test.ps1

Creates a suspicious Powershell process (16 events)

option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-nologo	value	Hides the copyright banner when PowerShell launches

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

link.jpg.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All