Summary | ZeroBOX

am.exe

Gen1, Generic Malware, Obsidium protector, .NET framework(MSIL), UPX, Antivirus, Malicious Library, Anti_VM, PE File, PNG Format, OS Processor Check, PE32
Category Machine Started Completed
FILE s1_win7_x6401 June 17, 2024, 4:53 p.m. June 17, 2024, 4:55 p.m.
Size 8.6MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
CRC32 3CFA5796
ssdeep 98304:kHRNlpNpt3gSuDdFeznbkRBLwX1Pgedmv72Im/xAgDXMnw4bmVKAHNAXqcMHKYsN:uRrptYDdF8komd8xAUXMwIwHNvcMmN
PDB Path D:\BUILD\work\00\9602260c9c68f601\bin\Release\Win32\Speccy.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Antivirus - Contains references to security software
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • IsPE32 - (no description)
  • Obsidium_Zero - Obsidium protector file
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

IP Address Status Action
146.75.92.193 Active Moloch
164.124.101.2 Active Moloch
172.67.197.250 Active Moloch
45.152.112.146 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49161 -> 146.75.92.193:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49170 -> 172.67.197.250:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 172.67.197.250:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49169 -> 45.152.112.146:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49161 -> 146.75.92.193:443
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA CN=*.imgur.com 39:5b:e1:0d:4a:fc:a4:c7:f3:71:de:c4:5c:12:69:f9:5f:58:9f:42
TLSv1 192.168.56.101:49170 -> 172.67.197.250:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=recipeupdates.rest 56:1f:99:81:f8:1f:9b:4e:f8:64:b7:17:28:16:1b:e1:fd:f8:cb:cf
TLSv1 192.168.56.101:49172 -> 172.67.197.250:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1P5 CN=recipeupdates.rest 56:1f:99:81:f8:1f:9b:4e:f8:64:b7:17:28:16:1b:e1:fd:f8:cb:cf

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Get-ChildItem : A parameter cannot be found that matches parameter name 'Direct
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: ory'.
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At line:33 char:51
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + $S3t4u = Get-ChildItem -Path $P1q2r -Directory <<<<
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidArgument: (:) [Get-ChildItem], ParameterB
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: indingException
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Comm
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: ands.GetChildItemCommand
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: Cannot find an overload for "Combine" and the argument count: "3".
console_handle: 0x00000097
1 1 0

WriteConsoleW

buffer: At line:36 char:47
console_handle: 0x000000a3
1 1 0

WriteConsoleW

buffer: + $B9c0d = [System.IO.Path]::Combine <<<< ($V5w6x.FullName, 'Local
console_handle: 0x000000af
1 1 0

WriteConsoleW

buffer: Extension Settings', $Y7z8a)
console_handle: 0x000000bb
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodException
console_handle: 0x000000c7
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : MethodCountCouldNotFindBest
console_handle: 0x000000d3
1 1 0

WriteConsoleW

buffer: Test-Path : Cannot bind argument to parameter 'Path' because it is null.
console_handle: 0x000000f3
1 1 0

WriteConsoleW

buffer: At line:37 char:26
console_handle: 0x000000ff
1 1 0

WriteConsoleW

buffer: + if (Test-Path <<<< $B9c0d) {
console_handle: 0x0000010b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidData: (:) [Test-Path], ParameterBindingVa
console_handle: 0x00000117
1 1 0

WriteConsoleW

buffer: lidationException
console_handle: 0x00000123
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M
console_handle: 0x0000012f
1 1 0

WriteConsoleW

buffer: icrosoft.PowerShell.Commands.TestPathCommand
console_handle: 0x0000013b
1 1 0

WriteConsoleW

buffer: Cannot find an overload for "Combine" and the argument count: "3".
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: At line:36 char:47
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: + $B9c0d = [System.IO.Path]::Combine <<<< ($V5w6x.FullName, 'Local
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: Extension Settings', $Y7z8a)
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodException
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : MethodCountCouldNotFindBest
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: Test-Path : Cannot bind argument to parameter 'Path' because it is null.
console_handle: 0x0000007f
1 1 0

WriteConsoleW

buffer: At line:37 char:26
console_handle: 0x0000008b
1 1 0

WriteConsoleW

buffer: + if (Test-Path <<<< $B9c0d) {
console_handle: 0x00000097
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidData: (:) [Test-Path], ParameterBindingVa
console_handle: 0x000000a3
1 1 0

WriteConsoleW

buffer: lidationException
console_handle: 0x000000af
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M
console_handle: 0x000000bb
1 1 0

WriteConsoleW

buffer: icrosoft.PowerShell.Commands.TestPathCommand
console_handle: 0x000000c7
1 1 0

WriteConsoleW

buffer: Cannot find an overload for "Combine" and the argument count: "3".
console_handle: 0x000000e7
1 1 0

WriteConsoleW

buffer: At line:36 char:47
console_handle: 0x000000f3
1 1 0

WriteConsoleW

buffer: + $B9c0d = [System.IO.Path]::Combine <<<< ($V5w6x.FullName, 'Local
console_handle: 0x000000ff
1 1 0

WriteConsoleW

buffer: Extension Settings', $Y7z8a)
console_handle: 0x0000010b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodException
console_handle: 0x00000117
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : MethodCountCouldNotFindBest
console_handle: 0x00000123
1 1 0

WriteConsoleW

buffer: Test-Path : Cannot bind argument to parameter 'Path' because it is null.
console_handle: 0x00000143
1 1 0

WriteConsoleW

buffer: At line:37 char:26
console_handle: 0x0000014f
1 1 0

WriteConsoleW

buffer: + if (Test-Path <<<< $B9c0d) {
console_handle: 0x0000015b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidData: (:) [Test-Path], ParameterBindingVa
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: lidationException
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,M
console_handle: 0x0000017f
1 1 0

WriteConsoleW

buffer: icrosoft.PowerShell.Commands.TestPathCommand
console_handle: 0x0000018b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242ab8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00243038
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00243038
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00243038
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242bb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242bb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242bb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242bb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242bb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242bb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242678
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00242f38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002427b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00243438
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00243438
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d4c88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d4c88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d4c88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d4c88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d4c88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d4c88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d4c88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06174798
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06174798
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x06174798
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path D:\BUILD\work\00\9602260c9c68f601\bin\Release\Win32\Speccy.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .gfids
resource name AFX_DIALOG_LAYOUT
resource name BRANDING
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://proresupdate.com/h9fmdW5/index.php
suspicious_features GET method with no useragent header suspicious_request GET https://i.imgur.com/yximuB4.png
suspicious_features GET method with no useragent header suspicious_request GET https://contur2fa.recipeupdates.rest/__hh/files/run
suspicious_features GET method with no useragent header suspicious_request GET https://contur2fa.recipeupdates.rest/__hh/files/run_search
request POST http://proresupdate.com/h9fmdW5/index.php
request GET https://i.imgur.com/yximuB4.png
request GET https://contur2fa.recipeupdates.rest/__hh/files/run
request GET https://contur2fa.recipeupdates.rest/__hh/files/run_search
request POST http://proresupdate.com/h9fmdW5/index.php
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00407000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ab2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2564
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 73728
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72801000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003ef0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02730000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x722a1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x722a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02732000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0275a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02733000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02734000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0276b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02767000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02752000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02765000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02735000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0275c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ae0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02736000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0276c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02753000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02754000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02755000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02756000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02757000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02758000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02759000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05036000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05037000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05038000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05039000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0503f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2456
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05040000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Temp\1000003041\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline Powershell.exe -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000003041\run.ps1"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000003041\run.ps1"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2700
thread_handle: 0x00000464
process_identifier: 2696
current_directory:
filepath:
track: 1
command_line: C:\Windows\SysWOW64\ftp.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000468
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: Powershell.exe
parameters: -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\1000003041\run.ps1"
filepath: Powershell.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received [
Data received WfoëÆ(Æ´]èÖYjÊrg|»ƒ§{DOWNGRD @\o]ހô)‡þætJK‘XuÜÀbÊgIù,"1Àÿ 
Data received †
Data received K
Data received GAˆ ¨õÿbW¹‘º•O‘€¬n¿à<0\Ýé™Dòk‡Ù¾ñg0¯foñV¹×D­úˆ;à§%t£ùö•¤Šš)xS™ûTåŸãiÉ·æ'6håÓ}§Üø’˜4båÎbúAyŠ ¼ÃËçkŠ–lz7_ª4þÇßëò…ÚÛa¾ bP Ò¶_xLO#2ºº:¸âÕns’Ù¥|'ßQŽõŸÞoÍÌC‚†‚¦4ÖÄÊÍû2Œ¡Eý3m=ghãñ”ÊØúq…6;)eÔ “IQ×¥E†ÚT—ËqŒQ¶|KƒøøÓ q0³ŸýäY{c;ìüÝ™¿{R Sœ°±U^cÔD'³Š®µžÄº¶¿‡¸ÓûAPp‡«Ù¥b12ΐèw2*/ÊŇ½&v»
Data received 
Data received 
Data received 
Data received 
Data received 0
Data received óÁüî}Jldp1ûªVÙëqæ;â°ˆyæ1W’¥p(ƒŸ$‰@» ‚™oc¨
Data received p
Time & API | Arguments | Status | Return | Repeated
LookupPrivilegeValueW | system_name: ; privilege_name: SeDebugPrivilege | 1 | 1 | 0
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Time & API | Arguments | Status | Return | Repeated
InternetConnectA | username: ; service: 3; hostname: proresupdate.com; internet_handle: 0x00cc0004; flags: 0; password: ; port: 80 | 1 | 13369352 | 0
HttpOpenRequestA | connect_handle: 0x00cc0008; http_version: ; flags: 0; http_method: POST; referer: ; path: /h9fmdW5/index.php | 1 | 13369356 | 0
InternetConnectA | username: ; service: 3; hostname: proresupdate.com; internet_handle: 0x00cc0004; flags: 0; password: ; port: 80 | 1 | 13369352 | 0
HttpOpenRequestA | connect_handle: 0x00cc0008; http_version: ; flags: 0; http_method: POST; referer: ; path: /h9fmdW5/index.php | 1 | 13369356 | 0
InternetConnectA | username: ; service: 3; hostname: proresupdate.com; internet_handle: 0x00cc0004; flags: 0; password: ; port: 80 | 1 | 13369352 | 0
HttpOpenRequestA | connect_handle: 0x00cc0008; http_version: ; flags: 0; http_method: POST; referer: ; path: /h9fmdW5/index.php | 1 | 13369356 | 0
Time & API | Arguments | Status | Return | Repeated
send | buffer: {foë¶vB% ´Z¸D¸?»¸ú‘©÷ÿrëq¨,®jv^/5 ÀÀÀ À 28:ÿ!contur2fa.recipeupdates.rest ; socket: 1320; sent: 132 | 1 | 132 | 0
send | buffer: FBA «w¾º»—³?ΆCÅŴ¼’5Ya'ƒÎ4ŠÛê·¸:PU‰‘ÿ°‹:»`ûµFB§ÞT/"ƒ0×”Ѫ‘D“RMäÏ@—Š;JK£ uéÞ§ÜMšT§Âž¾:ÜS Æ ¼àûë~e’; socket: 1320; sent: 134 | 1 | 134 | 0
send | buffer: €ûãÑf.Q¿®•´)^ªXê ‡¶£³u°´ÒyÇ^6|ՉL$ ï/4‰N¯æoù#L•±  ú<wO)Pšuªª+>X† ‰â3—?ϧ>+c"3ê~Aô³dhY°­U¹ý ôŽkɨŠÙˆU?ëØÍ9èŒ$H.Ÿ xþ; socket: 1320; sent: 133 | 1 | 133 | 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Lionic Trojan.Win32.Penguish.4!c
ALYac Trojan.GenericKD.73119104
Cylance Unsafe
VIPRE Trojan.GenericKD.73119104
Sangfor Trojan.Win32.Penguish.Vcxb
BitDefender Trojan.GenericKD.73119104
Cybereason malicious.ce9ca4
Arcabit Trojan.Generic.D45BB580
Symantec Trojan.Gen.MBT
ESET-NOD32 Win32/TrojanDownloader.Rugmi.AAN
Avast Win32:Malware-gen
Kaspersky HEUR:Trojan.Win32.Penguish.gen
MicroWorld-eScan Trojan.GenericKD.73119104
Rising Trojan.Generic!8.C3 (C64:YzY0OkAwxJ5TJ1ob)
Emsisoft Trojan.GenericKD.73119104 (B)
F-Secure Trojan.TR/AD.Maldldr.rddne
TrendMicro TrojanSpy.Win32.LUMMASTEALER.YXEFLZ
McAfeeD ti!376E1802B979
FireEye Trojan.GenericKD.73119104
Sophos Mal/Generic-S
Ikarus Trojan.Maldldr
Google Detected
Avira TR/AD.Maldldr.rddne
MAX malware (ai score=81)
Gridinsoft Trojan.Win32.Gen.ca
Microsoft Trojan:Win32/Penguish!MTB
ZoneAlarm HEUR:Trojan.Win32.Penguish.gen
GData Trojan.GenericKD.73119104
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Penguish
Panda Trj/Chgt.AD
TrendMicro-HouseCall TrojanSpy.Win32.LUMMASTEALER.YXEFLZ
MaxSecure Win.MxResIcn.Heur.Gen
Fortinet W32/PossibleThreat
AVG Win32:Malware-gen
Paloalto generic.ml
CrowdStrike win/malicious_confidence_100% (W)