Summary | ZeroBOX

settings.md.ps1

Category  Machine        Started                  Completed
FILE      s1_win7_x6402  Nov. 1, 2023, 9:45 a.m.  Nov. 1, 2023, 9:48 a.m.
Size 21.4KB
Type ASCII text, with very long lines
MD5 d4a8463332d11c465c311485626a089e
SHA256 dff3d7a15b8ff7fada4397088a658bc79d47c0d387ee9a3c710490d73983395a
CRC32 BE37BC89
ssdeep 384:QcyvJh/drDCNrr2YyHEHaeizHlf2GkxUtJNFw5ARMthKqsvvvhUvhkvkNp8mpdFm:QcyvJh/drDCNrr2Yyk6eizFf2GkxUtJb
Yara None matched

IP Address Status Action
154.56.63.216 Active Moloch
162.125.84.18 Active Moloch
164.124.101.2 Active Moloch

Time & API        Arguments                 Status  Return  Repeated
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
Time & API: WriteConsoleW, 50 calls, each with Status 1, Return 1, Repeated 0. The buffers are the PowerShell host's console output (the `<<<<` error-position marker is the PowerShell 2.0 host's format); the console wraps long lines, so one error record spans several calls and is split mid-word. Read down the buffer column to recover each message. Note the space after `Windows` in `\\?\C:\Windows \System32\`, the directory the script tried to create before copying fodhelper.exe into it.

console_handle  buffer
0x00000023      Method invocation failed because [System.Object[]] doesn't contain a method nam
0x0000002f      ed 'ToUpper'.
0x0000003b      At C:\Users\test22\AppData\Local\Temp\settings.md.ps1:39 char:116
0x00000047      + ${__||||||_||||||_|//////\\\\\________________} = Get-Random -InputObject ${_
0x00000053      |||||||||||||________________}.ToUpper <<<< () -Count 1
0x0000005f      + CategoryInfo : InvalidOperation: (ToUpper:String) [], RuntimeEx
0x0000006b      ception
0x00000077      + FullyQualifiedErrorId : MethodNotFound
0x00000097      Directory: C:\
0x000000a3      Mode LastWriteTime Length Name
0x000000ab      d---- 2023-11-01 9:45 AM _bwnasf7_
0x000000bf      New-Item : Illegal characters in path.
0x000000cb      At C:\Users\test22\AppData\Local\Temp\settings.md.ps1:134 char:9
0x000000d7      + New-Item <<<< ${TESTE} -ItemType Directory
0x000000e3      + CategoryInfo : InvalidArgument: (\\?\C:\Windows \System32\:Stri
0x000000ef      ng) [New-Item], ArgumentException
0x000000fb      + FullyQualifiedErrorId : ItemExistsArgumentError,Microsoft.PowerShell.Com
0x00000107      mands.NewItemCommand
0x00000127      Copy-Item : Cannot find path 'C:\Windows\System32\fodhelper.exe' because it doe
0x00000133      s not exist.
0x0000013f      At C:\Users\test22\AppData\Local\Temp\settings.md.ps1:135 char:10
0x0000014b      + Copy-Item <<<< -Path "${_fiv_}" -Destination "${TESTE}${_six_}" -Recurse
0x00000157      + CategoryInfo : ObjectNotFound: (C:\Windows\System32\fodhelper.e
0x00000163      xe:String) [Copy-Item], ItemNotFoundException
0x0000016f      + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.CopyI
0x0000017b      temCommand
0x000001a3      Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti
0x000001af      on was closed: An unexpected error occurred on a send."
0x000001bb      At C:\Users\test22\AppData\Local\Temp\settings.md.ps1:241 char:40
0x000001c7      + ${_\\\///////\\\\\\\\\\/_}.DownloadFile <<<< (${_/|\_/|////\__|//\\\\\\\\/|_}
0x000001eb      + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
0x000001f7      + FullyQualifiedErrorId : DotNetMethodException
0x00000217      Rename-Item : Cannot rename because item at 'C:\_bwnasf7_\_bwnasf7_._bwnasf7_'
0x00000223      does not exist.
0x0000022f      At C:\Users\test22\AppData\Local\Temp\settings.md.ps1:242 char:12
0x0000023b      + Rename-Item <<<< -NewName ("${_\\///////////////////////_}${_\\\\\\/|\_/|/\\
0x00000247      \___\\\\/|_}\${_\\\\\\/|\_/|/\\\___\\\\/|_}.zip") -Path ("${_\\////////////////
0x0000026b      + CategoryInfo : InvalidOperation: (:) [Rename-Item], PSInvalidOp
0x00000277      erationException
0x00000283      + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.R
0x0000028f      enameItemCommand
0x000002af      The term 'Expand-Archive' is not recognized as the name of a cmdlet, function,
0x000002bb      script file, or operable program. Check the spelling of the name, or if a path
0x000002c7      was included, verify that the path is correct and try again.
0x000002d3      At C:\Users\test22\AppData\Local\Temp\settings.md.ps1:243 char:15
0x000002df      + Expand-Archive <<<< -Path "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\
0x000002f7      \|_}" -DestinationPath "${_\\///////////////////////_}${_\\\\\\/|\_/|/\\\___\\\
0x0000030f      + CategoryInfo : ObjectNotFound: (Expand-Archive:String) [], Comm
0x0000031b      andNotFoundException
0x00000327      + FullyQualifiedErrorId : CommandNotFoundException
Time & API: CryptExportKey, 16 calls, each with buffer <INVALID POINTER>, flags 0, crypto_export_handle 0x00000000, blob_type 6 (PUBLICKEYBLOB); Status 1, Return 1, Repeated 0. A NULL output buffer with no export key is the size-query form of the call for an unencrypted public-key blob.

crypto_handle  calls
0x006c3550     9
0x006c3910     3
0x006c3a90     4
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API           Arguments  Status  Return  Repeated
GlobalMemoryStatusEx (none)     1       1       0
Time & API: NtAllocateVirtualMemory, 50 calls. Common to every call: process_identifier 3024, process_handle 0xffffffff (the pseudo-handle for the calling process, so these are self-allocations, not writes into another process), stack_dep_bypass 0, stack_pivoted 0, protection 64 (PAGE_EXECUTE_READWRITE); Status 1, Return 0, Repeated 0. Page-sized PAGE_EXECUTE_READWRITE commits inside powershell.exe are consistent with the .NET runtime's JIT code heaps, so this section on its own is not evidence of injected shellcode.

base_address  region_size  allocation_type                     heap_dep_bypass
0x01edb000    4096         4096 (MEM_COMMIT)                   1
0x01f6f000    4096         4096 (MEM_COMMIT)                   1
0x01e69000    4096         4096 (MEM_COMMIT)                   1
0x06070000    4096         4096 (MEM_COMMIT)                   1
0x06370000    1966080      8192 (MEM_RESERVE)                  0
0x06510000    4096         4096 (MEM_COMMIT)                   1
0x06511000    4096         4096 (MEM_COMMIT)                   1
0x06512000    4096         4096 (MEM_COMMIT)                   1
0x06513000    4096         4096 (MEM_COMMIT)                   1
0x06514000    4096         4096 (MEM_COMMIT)                   1
0x06071000    4096         4096 (MEM_COMMIT)                   1
0x06072000    4096         4096 (MEM_COMMIT)                   1
0x06073000    4096         4096 (MEM_COMMIT)                   1
0x06074000    4096         4096 (MEM_COMMIT)                   1
0x06075000    4096         4096 (MEM_COMMIT)                   1
0x06076000    4096         4096 (MEM_COMMIT)                   1
0x05431000    4096         4096 (MEM_COMMIT)                   1
0x06077000    4096         4096 (MEM_COMMIT)                   1
0x01e6d000    4096         4096 (MEM_COMMIT)                   1
0x05486000    4096         4096 (MEM_COMMIT)                   1
0x06078000    4096         4096 (MEM_COMMIT)                   1
0x06120000    4096         4096 (MEM_COMMIT)                   1
0x06079000    4096         4096 (MEM_COMMIT)                   1
0x05432000    4096         4096 (MEM_COMMIT)                   1
0x0607a000    4096         4096 (MEM_COMMIT)                   1
0x01f69000    4096         4096 (MEM_COMMIT)                   1
0x0607b000    4096         4096 (MEM_COMMIT)                   1
0x0607c000    4096         4096 (MEM_COMMIT)                   1
0x0607d000    4096         4096 (MEM_COMMIT)                   1
0x0607e000    4096         4096 (MEM_COMMIT)                   1
0x7ef40000    327680       1056768 (MEM_RESERVE|MEM_TOP_DOWN)  0
0x7ef40000    4096         4096 (MEM_COMMIT)                   1
0x7ef40000    4096         4096 (MEM_COMMIT)                   1
0x7ef30000    65536        1056768 (MEM_RESERVE|MEM_TOP_DOWN)  0
0x7ef30000    4096         4096 (MEM_COMMIT)                   1
0x0607f000    4096         4096 (MEM_COMMIT)                   1
0x06121000    4096         4096 (MEM_COMMIT)                   1
0x02922000    4096         4096 (MEM_COMMIT)                   1
0x02923000    4096         4096 (MEM_COMMIT)                   1
0x06515000    4096         4096 (MEM_COMMIT)                   1
0x06516000    16384        4096 (MEM_COMMIT)                   1
0x0651a000    69632        4096 (MEM_COMMIT)                   1
0x0652b000    4096         4096 (MEM_COMMIT)                   1
0x0652c000    4096         4096 (MEM_COMMIT)                   1
0x0652d000    4096         4096 (MEM_COMMIT)                   1
0x0652e000    4096         4096 (MEM_COMMIT)                   1
0x066e0000    4096         4096 (MEM_COMMIT)                   1
0x01e6e000    4096         4096 (MEM_COMMIT)                   1
0x0652f000    4096         4096 (MEM_COMMIT)                   1
0x066e1000    4096         4096 (MEM_COMMIT)                   1
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_AT.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_EX.lnk
file C:\Users\Public\TEST22-PC_bwnasf7_.cmd
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_AA.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_y.lnk
file C:\Users\Public\TEST22-PC_bwnasf7_y.cmd
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_AT.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_EX.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agent.pyw - 바로 가기.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_AA.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_y.lnk
domain www.dropbox.com
Time & API            Arguments             Status  Return                                          Repeated
GetAdaptersAddresses  flags: 15, family: 0          111 (ERROR_BUFFER_OVERFLOW, the sizing call)    0

Data received  (empty)
Data received  F
Data sent      119-byte TLS ClientHello to www.dropbox.com (binary; the cipher-suite list and the SNI extension naming www.dropbox.com are the readable parts, mis-decoded as text in the original report)
Data sent      119-byte TLS ClientHello to www.dropbox.com (second attempt, different client random)
cmdline "C:\Windows\system32\shutdown.exe" /r /t 10
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_AT.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_EX.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_y.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_AA.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_bwnasf7_.lnk
DrWeb PowerShell.DownLoader.1782
ClamAV Win.Trojan.PowerMacro-5942596-0
McAfee PS/Downloader.ic
Avast PwrSh:Downloader-BH [Trj]
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan.Script.Generic
F-Secure Trojan.TR/PShell.Dldr.VPJ
Google Detected
Avira TR/PShell.Dldr.VPJ
ZoneAlarm HEUR:Trojan.Script.Generic
Microsoft Trojan:Script/Wacatac.B!ml
Varist PSH/Agent.LF
Tencent Script.Trojan.Generic.Kmnw
Ikarus Trojan-Downloader.PowerShell.Agent
AVG PwrSh:Downloader-BH [Trj]
Time & API  Arguments                                                                  Status  Return  Repeated
send        buffer: TLS ClientHello, SNI www.dropbox.com (binary); socket: 1660; sent: 119  1       119     0
send        buffer: TLS ClientHello, SNI www.dropbox.com (binary); socket: 1660; sent: 119  1       119     0
parent_process powershell.exe martian_process "C:\Windows\system32\shutdown.exe" /r /t 10
file C:\_bwnasf7_\_bwnasf7_.exe
file C:\_bwnasf7_\_bwnasf7_i7.exe
file C:\Windows\System32\shutdown.exe
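Triage example added by the editor; it is not part of the ZeroBOX report and not code from settings.md.ps1. The report shows three host artifacts worth checking on a suspected victim: `_bwnasf7_*.lnk` shortcuts in the user's Startup folder, `<COMPUTERNAME>_bwnasf7_*.cmd` launchers in C:\Users\Public together with executables under C:\_bwnasf7_\, and an attempted `New-Item` of `\\?\C:\Windows \System32\` (the space after Windows makes it a directory beside the real C:\Windows, reachable only through the `\\?\` prefix) as the destination for a copy of fodhelper.exe. The script then runs `shutdown.exe /r /t 10`, so the Startup entries fire on the forced reboot. The PowerShell below enumerates Startup shortcuts and resolves their targets and arguments, flags drive-root directories with trailing whitespace or underscore-wrapped names, and lists script launchers under the Public profile. It needs Windows PowerShell 3.0 or later. The `_bwnasf7_` naming heuristic, the allow-list of standard root directories and the launcher extensions are the editor's assumptions, not indicators taken from the report.

```powershell
# Editor-added triage script for the artifacts in this report. Not from the ZeroBOX
# report and not from settings.md.ps1. Requires Windows PowerShell 3.0 or later.
# Assumptions: the '_bwnasf7_' style name, the allow-list of standard root
# directories, and the launcher extensions are the editor's choices.

function Get-StartupShortcutTargets {
    # Resolve every .lnk in the per-user and all-users Startup folders
    # (the report shows _bwnasf7_*.lnk written to the per-user one).
    $dirs = @([Environment]::GetFolderPath('Startup'),
              [Environment]::GetFolderPath('CommonStartup'))
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
    }
}

function Test-SuspiciousLaunch {
    # Looks at target and arguments together, since a launcher may point at
    # cmd.exe or powershell.exe and carry the real payload as arguments.
    # True for launches like C:\Users\Public\TEST22-PC_bwnasf7_.cmd or
    # C:\_bwnasf7_\_bwnasf7_.exe: script files, anything under the Public
    # profile, and any path whose first directory below the drive root is
    # not a standard one ("Windows " with a trailing space is not "Windows").
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    $standardRoots = 'Windows', 'Program Files', 'Program Files (x86)', 'ProgramData', 'Users'
    if ($CommandLine -match '\.(cmd|bat|ps1|vbs|js)(\s|"|$)') { return $true }
    if ($CommandLine -match '[A-Za-z]:\\Users\\Public\\') { return $true }
    foreach ($m in [regex]::Matches($CommandLine, '[A-Za-z]:\\([^\\"]+)\\')) {
        if ($standardRoots -notcontains $m.Groups[1].Value) { return $true }
    }
    return $false
}

function Get-RootDirectoryAnomalies {
    # Directories directly under the drive root that a dropper would create:
    # a name ending in whitespace (the "Windows " of \\?\C:\Windows \System32\
    # in the console output), an underscore-wrapped name such as _bwnasf7_,
    # or anything outside the usual set.
    param([string]$Drive = 'C:\')
    $known = 'Windows', 'Program Files', 'Program Files (x86)', 'Users', 'ProgramData',
             'PerfLogs', '$Recycle.Bin', 'System Volume Information', 'Recovery',
             'Documents and Settings'
    Get-ChildItem -LiteralPath $Drive -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $reason = $null
            if     ($_.Name -match '\s$')         { $reason = 'name ends in whitespace' }
            elseif ($_.Name -match '^_.+_$')      { $reason = 'underscore-wrapped name' }
            elseif ($known -notcontains $_.Name)  { $reason = 'non-standard root directory' }
            if ($reason) { [pscustomobject]@{ Path = $_.FullName; Reason = $reason } }
        }
}

function Get-PublicLaunchers {
    # Script launchers anywhere under C:\Users\Public, where the report shows
    # TEST22-PC_bwnasf7_.cmd and TEST22-PC_bwnasf7_y.cmd being written.
    Get-ChildItem -LiteralPath $env:PUBLIC -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (@('.cmd', '.bat', '.ps1') -contains $_.Extension) }
}

function Invoke-Triage {
    @(
        Get-StartupShortcutTargets |
            Where-Object { Test-SuspiciousLaunch "$($_.Target) $($_.Arguments)" } |
            ForEach-Object {
                [pscustomobject]@{ Type = 'StartupShortcut'; Path = $_.Shortcut; Detail = "$($_.Target) $($_.Arguments)".Trim() }
            }
        Get-RootDirectoryAnomalies | ForEach-Object {
            [pscustomobject]@{ Type = 'RootDirectory'; Path = $_.Path; Detail = $_.Reason }
        }
        Get-PublicLaunchers | ForEach-Object {
            [pscustomobject]@{ Type = 'PublicLauncher'; Path = $_.FullName; Detail = "written $($_.LastWriteTime)" }
        }
    )
}

Invoke-Triage | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the suspect host; if the reboot the script schedules is still pending, run `shutdown /a` first so the Startup entries are collected before they execute. Two caveats when reading the report itself: `agent.pyw - 바로 가기.lnk` in the Startup listing is the sandbox guest agent's own shortcut, not something the sample dropped; and the run is incomplete, because the Windows 7 guest has no fodhelper.exe (it ships with Windows 10), its PowerShell 2.0 has no Expand-Archive (added in 5.0), and the TLS connection to www.dropbox.com failed before anything was downloaded, so the rename and extraction at script lines 242 and 243 never ran against a real payload.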