popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Systray.ps1

Generic Malware Antivirus .NET DLL PE File DLL PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us July 22, 2024, 11:16 a.m. July 22, 2024, 11:20 a.m.
Size 261.3KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 628dd8d3aef4624a70735ca05cd4d2ed
SHA256 7a44ba69d3629f62f26c783a52ae0788700ba8cc307a718a6bd452ac516ffc2e
CRC32 124AA6B4
ssdeep 1536:Ygjfke3ZQztDbM3f2694RVDqCuvnShvk85x0Vaw3oJP5vZ9x5VwYJWjTxZbv4Qjl:z/31MN4
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: False
console_handle: 0x00000013
1 1 0

WriteConsoleW

 buffer: Exception calling "Copy" with "4" argument(s): "Value cannot be null.
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: Parameter name: destination"
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: At line:27 char:50
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + [System.Runtime.InteropServices.Marshal]::"CO`PY" <<<< (${XrI`VF}, 0, ${P`iBb
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: xu}, 6)
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: Multiple ambiguous overloads found for "GetMethod" and the argument count: "2".
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: At C:\Users\test22\AppData\Local\Temp\Systray.ps1:75 char:1014
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: + $ILnEDbDyFVGRIvsFPFdXexNDBRltaVEAjyQsnUMuMtjGuRBgKzyDyAEpHALETDjDFRDXMqAkHNrP
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: IglWJUQzjHJuQlaCUraGNdOlObZYDZpIhDGfDbRNDFRRkkUSUGwNNjORBaCNbLXKzcTZiPcBzEdhPir
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: sDbkaaTleEhxmjjWwLeuUgHwBAQuzOMWAUsWNkqPpkDEUhoCRnqhmdVIWCfpznltiahrrerfmuRTyHb
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: FhdqDoMMlXBCPRcVDPYxPeQvZOQLApHsyvTyCItRxKOxsyjRoamBHBhnUpswLgCHMoojqLSHkPEXGfw
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: CgpAqpGSFeCbUoaIzZsQmuUWUluDzfmpYUDsbUrYfEJuLkBybpzsShtvdtuqrplklCxaOPtQzEQhEbJ
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: RxpUbKhZOhxmsodRzHXnxHtZuZhIQYRqStbTbomONiGpXuUsYYYAncxTKFJJAygftEewtrdDTSXSVOY
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: WrJIKTMTyooYiVeGjRgfYtegXbBx = $hAueYlqPOhPPLvaTACodpiskusmyCmnYRADLtwqMePlphcA
console_handle: 0x00000083
1 1 0

WriteConsoleW

 buffer: DhPDDNwdFOZqgpHVIiLrSoRfixjoBklRALqexrrSoNlzkTsIUaHANQHSWtXhOrZrNMmlHLZcBiqsUiC
console_handle: 0x0000008f
1 1 0

WriteConsoleW

 buffer: MUjCtjKJhVSZjRltePGfgAjyWZgLQXGWJAurAWOMOQWkVbQfMqHzTTEvuqiVQVJKSmuPIRmkpEFcKSV
console_handle: 0x0000009b
1 1 0

WriteConsoleW

 buffer: DRuZJupWEkdOJkCmLPowtzWjLuAKEzmFWKlMwzIrJhAmvJOojqYfSSxrYpZAbGYZMfyahSUHawDFHEg
console_handle: 0x000000a7
1 1 0

WriteConsoleW

 buffer: VCXgtpBRkTOZrgbfGgtDBRFfsoVydjpfuJbzXZunPANcyrhGVXaQnxMQvOFMmmrwfEoxsfiVFxknFRO
console_handle: 0x000000b3
1 1 0

WriteConsoleW

 buffer: MfnlgGLFggfoSKTxhYaKMKvPnvliuuWsWLVwIacCozxEpdgaDYrOkiBSAOLMgGDcHeUGdrnYjFzvToS
console_handle: 0x000000bf
1 1 0

WriteConsoleW

 buffer: TJeGtThncTJsdgZrbmtjVsOtXprMWfnNFNZwjLhXvFcBSbcuoTOXNAiug.GetMethod <<<< ($ZiBk
console_handle: 0x000000cb
1 1 0

WriteConsoleW

 buffer: QQHEXofrEVEELBdaXVEleqhrHfkxHIqKGYYELVOmqxPGxPrxfKGGjbWpIsKxTkSLkpGfireUWovGXaN
console_handle: 0x000000d7
1 1 0

WriteConsoleW

 buffer: QIBpTNsXXpbNsTVkgEExjxqblFknyGTsAStSZzpmWElkevasdljPITyOAOdUarPOICqnmEolGJiWJUw
console_handle: 0x000000e3
1 1 0

WriteConsoleW

 buffer: ieQuRYpdqTeDCLYUQhkAfIFNdWgyRkuCYrpFbjfueLcSLRDIsaWjydcpiUbIWUNZPVGDAymBhsZaKID
console_handle: 0x000000ef
1 1 0

WriteConsoleW

 buffer: fuZTVqnouoTnZhYwwrwysSfysXAWNHueSZcccJdjtmjrQKKfPfmqyojSpmTndtqtLifWnhROCzlZNgJ
console_handle: 0x000000fb
1 1 0

WriteConsoleW

 buffer: oAdWBALfXUaTbMSvFSZEOthRevJDYAyDXeFReNTBHrvJBkqbXZRdhFPrUOCCfllYUhqFXpasTABWWem
console_handle: 0x00000107
1 1 0

WriteConsoleW

 buffer: VkjgNiiMKJJxqubcLefaxoEZTAPGNHztzyFypEjKfOihUBGabgKuNvUwZAbjQBMNsdvDJPoNQgrTfeu
console_handle: 0x00000113
1 1 0

WriteConsoleW

 buffer: ZSNMVzQYYRANkBiXCiRhy, [System.Reflection.BindingFlags]::Public -bor [System.Re
console_handle: 0x0000011f
1 1 0

WriteConsoleW

 buffer: flection.BindingFlags]::Static)
console_handle: 0x0000012b
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodException
console_handle: 0x00000137
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : MethodCountCouldNotFindBest
console_handle: 0x00000143
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00566098
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00566098
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00565f98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00565f98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00565f98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00565f98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004aece8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004aece8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c9500
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c9540
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c9580
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x004c94c0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0254b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0255f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02469000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05256000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05257000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05258000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0246a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x048c2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 516
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 5
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05241000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02710000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02711000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02712000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02713000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0246d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02700000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026c9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 516
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02714000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2112
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00620000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2112
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file c:\Users\test22\AppData\Local\Temp\h9sgxbz3.dll
file C:\Users\test22\AppData\Local\Temp\h9sgxbz3.dll
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\h9sgxbz3.cmdline"
buffer Buffer with sha1: 4fa446a189889074ae2a1200f8d4aac26d2ac1f7
buffer Buffer with sha1: b8b890fa22bc5a5249d69770dd0b5d98aa697584
file c:\Users\test22\AppData\Local\Temp\CSCC8AA.tmp
file C:\Users\test22\AppData\Local\Temp\RESC8CA.tmp
VIPRE Heur.BZC.PZQ.Pantera.140.0331BE8F
Arcabit Heur.BZC.PZQ.Pantera.140.0331BE8F
Avast Script:SNH-gen [Drp]
BitDefender Heur.BZC.PZQ.Pantera.140.0331BE8F
MicroWorld-eScan Heur.BZC.PZQ.Pantera.140.0331BE8F
Rising Trojan.Injector/PS!1.D2AD (CLASSIC)
Emsisoft Heur.BZC.PZQ.Pantera.140.0331BE8F (B)
FireEye Heur.BZC.PZQ.Pantera.140.0331BE8F
Microsoft Trojan:Script/Wacatac.B!ml
GData Heur.BZC.PZQ.Pantera.140.0331BE8F
MAX malware (ai score=82)
AVG Script:SNH-gen [Drp]
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\h9sgxbz3.cmdline"