popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

up.ps1

GIF Format Lnk Format
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 25, 2023, 4:47 p.m. Oct. 25, 2023, 4:50 p.m.
Size 21.6KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 21440931518ff0df59af9b94e52a7c84
SHA256 111107b822f0edf5e02a42a0f908d1a28df8bc2417e76fe416100d200fef115f
CRC32 E97AF0A3
ssdeep 384:QnhcamjWyW+ud7/HLHajbwHcGlftuLGuIwywNhODLMVqVGGGMrGMbGba0Ni0a10G:QnhcamjWyW+ud7/r6jbw8GlftuLGuIwY
Yara None matched

Name Response Post-Analysis Lookup
www.dropbox.com
CNAME www-env.dropbox-dns.com
A 162.125.84.18
162.125.84.18
ambjulio.com
A 62.72.22.30
62.72.22.30
IP Address Status Action
162.125.84.18 Active Moloch
164.124.101.2 Active Moloch
62.72.22.30 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Method invocation failed because [System.Object[]] doesn't contain a method nam
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: ed 'ToUpper'.
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\up.ps1:38 char:116
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + ${__||||||_||||||_|//////\\\\\________________} = Get-Random -InputObject ${_
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: |||||||||||||________________}.ToUpper <<<< () -Count 1
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (ToUpper:String) [], RuntimeEx
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: ception
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : MethodNotFound
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: Directory: C:\
console_handle: 0x00000097
1 1 0

WriteConsoleW

 buffer: Mode LastWriteTime Length Name
console_handle: 0x000000a3
1 1 0

WriteConsoleW

 buffer: d---- 2023-10-25 오후 4:47 _bxkevs9_
console_handle: 0x000000ab
1 1 0

WriteConsoleW

 buffer: New-Item : Illegal characters in path.
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\up.ps1:133 char:9
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: + New-Item <<<< ${TESTE} -ItemType Directory
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidArgument: (\\?\C:\Windows \System32\:Stri
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: ng) [New-Item], ArgumentException
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : ItemExistsArgumentError,Microsoft.PowerShell.Com
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: mands.NewItemCommand
console_handle: 0x00000107
1 1 0

WriteConsoleW

 buffer: Copy-Item : Cannot find path 'C:\Windows\System32\fodhelper.exe' because it doe
console_handle: 0x00000127
1 1 0

WriteConsoleW

 buffer: s not exist.
console_handle: 0x00000133
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\up.ps1:134 char:10
console_handle: 0x0000013f
1 1 0

WriteConsoleW

 buffer: + Copy-Item <<<< -Path "${_fiv_}" -Destination "${TESTE}${_six_}" -Recurse
console_handle: 0x0000014b
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (C:\Windows\System32\fodhelper.e
console_handle: 0x00000157
1 1 0

WriteConsoleW

 buffer: xe:String) [Copy-Item], ItemNotFoundException
console_handle: 0x00000163
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyI
console_handle: 0x0000016f
1 1 0

WriteConsoleW

 buffer: temCommand
console_handle: 0x0000017b
1 1 0

WriteConsoleW

 buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti
console_handle: 0x000001a3
1 1 0

WriteConsoleW

 buffer: on was closed: An unexpected error occurred on a send."
console_handle: 0x000001af
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\up.ps1:240 char:40
console_handle: 0x000001bb
1 1 0

WriteConsoleW

 buffer: + ${_\\\///////\\\\\\\\\\/_}.DownloadFile <<<< (${_/|\_/|////\__|//\\\\\\\\/|_}
console_handle: 0x000001c7
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000001eb
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x000001f7
1 1 0

WriteConsoleW

 buffer: Rename-Item : Cannot rename because item at 'C:\_bxkevs9_\_bxkevs9_._bxkevs9_'
console_handle: 0x00000217
1 1 0

WriteConsoleW

 buffer: does not exist.
console_handle: 0x00000223
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\up.ps1:241 char:12
console_handle: 0x0000022f
1 1 0

WriteConsoleW

 buffer: + Rename-Item <<<< -NewName ("${_\\///////////////////////_}${_\\\\\\/|\_/|/\\
console_handle: 0x0000023b
1 1 0

WriteConsoleW

 buffer: \___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.zip") -Path ("${_\\////////////////
console_handle: 0x00000247
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (:) [Rename-Item], PSInvalidOp
console_handle: 0x0000026b
1 1 0

WriteConsoleW

 buffer: erationException
console_handle: 0x00000277
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.R
console_handle: 0x00000283
1 1 0

WriteConsoleW

 buffer: enameItemCommand
console_handle: 0x0000028f
1 1 0

WriteConsoleW

 buffer: The term 'Expand-Archive' is not recognized as the name of a cmdlet, function,
console_handle: 0x000002af
1 1 0

WriteConsoleW

 buffer: script file, or operable program. Check the spelling of the name, or if a path
console_handle: 0x000002bb
1 1 0

WriteConsoleW

 buffer: was included, verify that the path is correct and try again.
console_handle: 0x000002c7
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\up.ps1:242 char:15
console_handle: 0x000002d3
1 1 0

WriteConsoleW

 buffer: + Expand-Archive <<<< -Path "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\
console_handle: 0x000002df
1 1 0

WriteConsoleW

 buffer: \|_}" -DestinationPath "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\
console_handle: 0x000002f7
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : ObjectNotFound: (Expand-Archive:String) [], Comm
console_handle: 0x0000030f
1 1 0

WriteConsoleW

 buffer: andNotFoundException
console_handle: 0x0000031b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x00000327
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3818
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3bd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3bd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3bd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x04fd3d58
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0269b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ef000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02679000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06230000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06280000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06281000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06282000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06283000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06284000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05561000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0267d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05576000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056d9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05562000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056dd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056de000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056df000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x056f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06285000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06286000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0628a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0629b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0629c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0629d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0629e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06590000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0267e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0629f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06591000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_AT.lnk
file C:\Users\Public\TEST22-PC_bxkevs9_y.cmd
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_EX.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_y.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_AA.lnk
file C:\Users\Public\TEST22-PC_bxkevs9_.cmd
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_AT.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_EX.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_y.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_AA.lnk
domain www.dropbox.com
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received 
Data received F
Data sent rne8Çû‚Ar ×t£¬®‰]z»F¼žnJßļ ‚ŸÚ/5 ÀÀÀ À 28-ÿwww.dropbox.com  
Data sent rne8Çû5Ó&+_7«n#U<bú\i@¾ ÝI™ÃðÀºZÂ/5 ÀÀÀ À 28-ÿwww.dropbox.com  
cmdline "C:\Windows\system32\shutdown.exe" /r /t 10
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_EX.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_AT.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_y.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_AA.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bxkevs9_.lnk
ClamAV Win.Trojan.PowerMacro-5942596-0
Avast PwrSh:Downloader-BH [Trj]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.Script.Generic
F-Secure Trojan.TR/PShell.Dldr.VPJ
DrWeb PowerShell.DownLoader.1802
Ikarus Trojan-Downloader.PowerShell.Agent
Avira TR/PShell.Dldr.VPJ
ZoneAlarm HEUR:Trojan.Script.Generic
Google Detected
Rising Downloader.Agent/PS!8.1250D (TOPIS:E0:bpJ3L8PUGuT)
AVG PwrSh:Downloader-BH [Trj]
Time & API Arguments Status Return Repeated

send

 buffer: rne8Çû‚Ar ×t£¬®‰]z»F¼žnJßļ ‚ŸÚ/5 ÀÀÀ À 28-ÿwww.dropbox.com  
socket: 1600
sent: 119
1 119 0

send

 buffer: rne8Çû5Ó&+_7«n#U<bú\i@¾ ÝI™ÃðÀºZÂ/5 ÀÀÀ À 28-ÿwww.dropbox.com  
socket: 1600
sent: 119
1 119 0
parent_process powershell.exe martian_process "C:\Windows\system32\shutdown.exe" /r /t 10
file C:\_bxkevs9_\_bxkevs9_.exe
file C:\_bxkevs9_\_bxkevs9_i7.exe
file C:\Windows\System32\shutdown.exe