Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 7, 2022, 11:33 a.m.	Dec. 7, 2022, 11:35 a.m.

Size	1.2MB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`fafde8664fa8689a4a001724caaa0b9a`
SHA256	`2904774e634f704f9126ba2046faec40f513aae8fa5591fcca159bf1717e5065`
CRC32	`1E2615B2`
ssdeep	`12288:rjx24c7RmYLQoSlhO5vLIyEDlzvOLHCKzR6VpPXncijT9L:reRm6QoSlhOXqrOLHCn4ijT5`
Yara	anti_vm_detect - Possibly employs anti-virtualization techniques hide_executable_file - Hide executable file PowerShell_Script_Include_2_Zero - PowerShell Script Include [Zero]

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\3.txt.ps1
3020
- schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn MainChrome /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OneDriveUpdate.js"
  2252
- schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 143 /tn ChromeUAC /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OutlookUpdate.js"
  2220
- schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 132 /tn Driversed /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\Drivers.js"
  1112

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 7, 2022, 11:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 11:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 11:34 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (41 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: Directory: C:\ProgramData console_handle: 0x00000023	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: d---- 2022-12-07 오전 11:33 MegamindCypher console_handle: 0x00000037	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: Invoke-Expression : Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: At line:4 char:25 console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: + (Cum(Cum(Cum $AMI))) \| . <<<< ('{1}{0}'-f'eX','I') console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: + CategoryInfo : ParserError: ((:String) [Invoke-Expression], Par console_handle: 0x00000047	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: seException console_handle: 0x00000053	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: vokeExpressionCommand console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000023	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: At line:22 char:18 console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + $o = $h.GetMethod <<<< ($k) console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + CategoryInfo : InvalidOperation: (GetMethod:String) [], Runtime console_handle: 0x00000047	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: Exception console_handle: 0x00000053	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000007f	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: At line:29 char:10 console_handle: 0x0000008b	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + $o.Invoke <<<< ($hh, ($V4,$Ripple)) console_handle: 0x00000097	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000a3	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: eption console_handle: 0x000000af	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000bb	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000db	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: At line:30 char:10 console_handle: 0x000000e7	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + $o.Invoke <<<< ($hh, ($V2,$Ripple)) console_handle: 0x000000f3	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000ff	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: eption console_handle: 0x0000010b	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000117	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000137	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: At line:31 char:10 console_handle: 0x00000143	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + $o.Invoke <<<< ($hh, ($V3,$Ripple)) console_handle: 0x0000014f	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x0000015b	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: eption console_handle: 0x00000167	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000173	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MegamindCypher\CypherDeptography.~+~ Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CypherDeptography.~+~". console_handle: 0x0000001b	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MegamindCypher\Drivers.js Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.js". console_handle: 0x00000027	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MegamindCypher\OneDriveUpdate.js Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveUpdate.js". console_handle: 0x00000033	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MegamindCypher\OutlookUpdate.js Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OutlookUpdate.js". console_handle: 0x0000003f	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: SUCCESS: The scheduled task "MainChrome" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 7, 2022, 11:33 a.m.	buffer: SUCCESS: The scheduled task "ChromeUAC" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Dec. 7, 2022, 11:34 a.m.	buffer: SUCCESS: The scheduled task "Driversed" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (11 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006425e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006425e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006425e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006425e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006425e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00642ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00642ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00642ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00642ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00642ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 11:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00642ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 7, 2022, 11:33 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (36 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05571000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a830000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a984000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a985000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:33 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:34 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:34 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a986000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:34 a.m.	process_identifier: 3020 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a987000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:34 a.m.	process_identifier: 3020 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a98b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:34 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a99c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:34 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0a99d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:34 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:34 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 11:34 a.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\ProgramData\MegamindCypher\OutlookUpdate.js
file	C:\ProgramData\MegamindCypher\Drivers.js
file	C:\ProgramData\MegamindCypher\OneDriveUpdate.js

Creates a suspicious process (3 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn MainChrome /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OneDriveUpdate.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 132 /tn Driversed /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\Drivers.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 143 /tn ChromeUAC /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OutlookUpdate.js"

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Symantec	ML.Attribute.HighConfidence
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
ZoneAlarm	HEUR:Trojan.PowerShell.Kryptik.gen
AVG	Script:SNH-gen [Trj]

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn MainChrome /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OneDriveUpdate.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 132 /tn Driversed /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\Drivers.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 143 /tn ChromeUAC /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OutlookUpdate.js"

Installs itself for autorun at Windows startup (3 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn MainChrome /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OneDriveUpdate.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 132 /tn Driversed /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\Drivers.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 143 /tn ChromeUAC /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OutlookUpdate.js"

A potential heapspray has been detected. 191 megabytes was sprayed onto the heap of the powershell.exe process (2 events)

count

934

name

heapspray

process

powershell.exe

total_mb

length

77824

protection

PAGE_READWRITE

count

1965

name

heapspray

process

powershell.exe

total_mb

122

length

65536

protection

PAGE_READWRITE

One or more non-whitelisted processes were created (3 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn MainChrome /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OneDriveUpdate.js"
parent_process	powershell.exe	martian_process	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 132 /tn Driversed /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\Drivers.js"
parent_process	powershell.exe	martian_process	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 143 /tn ChromeUAC /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MegamindCypher\\OutlookUpdate.js"

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\schtasks.exe

3.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All