Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 16, 2022, 9:43 a.m.	Dec. 16, 2022, 9:46 a.m.

Size	174.7KB
Type	C source, ASCII text, with very long lines, with CRLF line terminators
MD5	`39e3fa050d14b95af5226a1eb4d2afab`
SHA256	`2d9c3b8a1a489a72956198c5857a8cbbc45d695a51000a0e857c0d32ab871138`
CRC32	`7A0C471F`
ssdeep	`1536:oYrP7b2WPgkSqZkjEHcFJXiKTClpXcclUXdCXxEbr7IlWMQvVhB8LCZsHXGwrAfY:o32`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\bb.png.ps1
2996
- taskkill.exe "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
  1776
- taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
  2352
- taskkill.exe "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
  2464
- taskkill.exe "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
  2244
- taskkill.exe "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F
  776
- taskkill.exe "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
  1716
- taskkill.exe "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
  2536
- taskkill.exe "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
  2568
- taskkill.exe "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
  2808
- schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn WD /f
  2904
- wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\office.vbs"
  1944
  - cmd.exe cmd /c ""C:\Users\Public\office.bat" "
    2760
    - powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\office.ps1'"
      2380

Name	Response	Post-Analysis Lookup
d1x3x.linkpc.net	A 45.138.16.150	45.138.16.150

IP Address	Status	Action
164.124.101.2	Active	Moloch
45.138.16.150	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2034458	ET INFO Observed DNS Query to DynDNS Domain (linkpc .net)	Potentially Bad Traffic
TCP 45.138.16.150:6666 -> 192.168.56.102:49184	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	Domain Observed Used for C2 Detected
TCP 45.138.16.150:6666 -> 192.168.56.102:49184	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49184 45.138.16.150:6666	CN=AsyncRAT Server	CN=AsyncRAT Server	c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 16, 2022, 9:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 16, 2022, 9:44 a.m.			0	0

Command line console output was observed (32 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: Directory: C:\ProgramData console_handle: 0x00000023	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: d---- 2022-12-16 오전 9:44 WindowsHost console_handle: 0x00000037	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: The process "CCleanerBrowser.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: The process "aspnet_regbrowsers.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: The process "aspnet_compiler.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: The process "AppLaunch.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: The process "InstallUtil.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: The process "jsc.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: The process "MSBuild.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: The process "RegAsm.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: The process "cvtres.exe" not found. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: The system cannot find the file specified. console_handle: 0x0000000b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: PowerShell console_handle: 0x00000007	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\office.ps1'" console_handle: 0x00000007	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: The term 'catch' is not recognized as the name of a cmdlet, function, script fi console_handle: 0x00000023	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: le, or operable program. Check the spelling of the name, or if a path was inclu console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ded, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: At C:\Users\Public\office.ps1:1 char:6 console_handle: 0x00000047	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: + catch <<<< {} console_handle: 0x00000053	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: + CategoryInfo : ObjectNotFound: (catch:String) [], CommandNotFou console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ndException console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: Unable to find type [PoH]: make sure that the assembly containing this type is console_handle: 0x00000097	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: loaded. console_handle: 0x000000a3	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: At C:\Users\Public\office.ps1:4 char:6 console_handle: 0x000000af	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: + [PoH] <<<< ::main(); console_handle: 0x000000bb	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: + CategoryInfo : InvalidOperation: (PoH:String) [], RuntimeExcept console_handle: 0x000000c7	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: ion console_handle: 0x000000d3	1	1
WriteConsoleW Dec. 16, 2022, 9:44 a.m.	buffer: + FullyQualifiedErrorId : TypeNotFound console_handle: 0x000000df	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 56 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0501e1f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0501e1f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0501e3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0501e3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0501e3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3678 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d38f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d38f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d38f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d38f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d38f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d38f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d34b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d34b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d34b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d2c38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3278 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d39b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 16, 2022, 9:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007d3578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 16, 2022, 9:44 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

d1x3x.linkpc.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 174 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05813000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05814000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05815000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05816000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05817000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02679000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2996 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05818000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0280b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02807000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02805000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0280c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 2380 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\Public\office.ps1
file	C:\Users\Public\office.bat
file	C:\ProgramData\WindowsHost\office.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\schtasks.exe" /delete /tn WD /f
cmdline	PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\office.ps1'"

Executes one or more WMI queries (9 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cvtres.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RegAsm.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "aspnet_regbrowsers.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MSBuild.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "aspnet_compiler.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AppLaunch.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CCleanerBrowser.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "InstallUtil.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "jsc.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Dec. 16, 2022, 9:44 a.m.	show_type: 0 filepath_r: C:\Users\Public\office.bat parameters: filepath: C:\Users\Public\office.bat	1	1	0

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Sangfor	Malware.Generic-LNK.Save.6d95409f
ESET-NOD32	PowerShell/TrojanDropper.Agent.UM
Avast	Script:SNH-gen [Trj]
Cynet	Malicious (score: 99)
Tencent	Win32.Trojan.Psrunner.Uwhl
F-Secure	Malware.LNK/PSRunner.VPAU
Avira	LNK/PSRunner.VPAU
Microsoft	Trojan:Script/Wacatac.B!ml
AVG	Script:SNH-gen [Trj]

Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 16, 2022, 9:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (12 events)

description	Run a KeyLogger	rule	KeyLogger
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Dec. 16, 2022, 9:44 a.m.	status_code: 0xffffffff process_identifier: 1692 process_handle: 0x00000348		0	0
NtTerminateProcess Dec. 16, 2022, 9:44 a.m.	status_code: 0xffffffff process_identifier: 1692 process_handle: 0x00000348	1	0	0

Uses Windows utilities for basic Windows functionality (11 events)

cmdline	"C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
cmdline	"C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
cmdline	"C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
cmdline	"C:\Windows\system32\schtasks.exe" /delete /tn WD /f
cmdline	"C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
cmdline	C:\Users\Public\office.bat
cmdline	"C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
cmdline	"C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
cmdline	"C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
cmdline	"C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
cmdline	"C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 1692 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000368		3221225496	0
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 1700 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000340	1	0	0

Drops a binary and executes it (2 events)

file	C:\ProgramData\WindowsHost\office.vbs
file	C:\Users\Public\office.bat

Manipulates memory of a non-child process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2380 manipulating memory of non-child process 1692
Process injection	Process 2380 manipulating memory of non-child process 1700
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 1692 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000368		3221225496	0
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 1700 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000340	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2380 injected into non-child 1700
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELZecàì Î @ `@K ÿ@ H.textÔë ì `.rsrcÿ î@@.reloc@ö@B base_address: 0x00400000 process_identifier: 1700 process_handle: 0x00000340	1	1	0
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: P8h Ìl#Ì4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x00412000 process_identifier: 1700 process_handle: 0x00000340	1	1	0
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: Ð; base_address: 0x00414000 process_identifier: 1700 process_handle: 0x00000340	1	1	0
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1700 process_handle: 0x00000340	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2380 injected into non-child 1700
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELZecàì Î @ `@K ÿ@ H.textÔë ì `.rsrcÿ î@@.reloc@ö@B base_address: 0x00400000 process_identifier: 1700 process_handle: 0x00000340	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2380 called NtSetContextThread to modify thread in remote process 1700
NtSetContextThread Dec. 16, 2022, 9:44 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4262862 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000348 process_identifier: 1700	1	0	0

One or more non-whitelisted processes were created (15 events)

parent_process	powershell.exe	martian_process	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
parent_process	wscript.exe	martian_process	"C:\Users\Public\office.bat"
parent_process	wscript.exe	martian_process	C:\Users\Public\office.bat
parent_process	powershell.exe	martian_process	"C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F
parent_process	powershell.exe	martian_process	"C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F
parent_process	powershell.exe	martian_process	"C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F
parent_process	powershell.exe	martian_process	"C:\Windows\system32\schtasks.exe" /delete /tn WD /f
parent_process	powershell.exe	martian_process	"C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F
parent_process	powershell.exe	martian_process	C:\ProgramData\WindowsHost\office.vbs
parent_process	powershell.exe	martian_process	"C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F
parent_process	powershell.exe	martian_process	"C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F
parent_process	powershell.exe	martian_process	"C:\Windows\system32\taskkill.exe" /IM jsc.exe /F
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\office.vbs"
parent_process	powershell.exe	martian_process	"C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F
parent_process	powershell.exe	martian_process	"C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2380 resumed a thread in remote process 1700
NtResumeThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 1700	1	0	0

Creates a suspicious Powershell process (2 events)

option	-executionpolicy bypass				value	Attempts to bypass execution policy
option	-noprofile				value	Does not load current user profile

The processes powershell.exe, wscript.exe wrote an executable file to disk (3 events)

file	C:\Windows\System32\taskkill.exe
file	C:\Windows\System32\schtasks.exe
file	C:\Windows\SysWOW64\wscript.exe

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 1376 thread_handle: 0x00000500 process_identifier: 1776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\taskkill.exe" /IM CCleanerBrowser.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000041c	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 2372 thread_handle: 0x0000041c process_identifier: 2352 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\taskkill.exe" /IM aspnet_regbrowsers.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000500	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 2472 thread_handle: 0x00000500 process_identifier: 2464 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\taskkill.exe" /IM aspnet_compiler.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000041c	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 1596 thread_handle: 0x0000041c process_identifier: 2244 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\taskkill.exe" /IM AppLaunch.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000500	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 2524 thread_handle: 0x00000500 process_identifier: 776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\taskkill.exe" /IM InstallUtil.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000041c	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 568 thread_handle: 0x0000041c process_identifier: 1716 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\taskkill.exe" /IM jsc.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000500	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 2124 thread_handle: 0x00000500 process_identifier: 2536 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\taskkill.exe" /IM MSBuild.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000041c	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 2564 thread_handle: 0x0000041c process_identifier: 2568 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\taskkill.exe" /IM RegAsm.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000500	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 2816 thread_handle: 0x00000500 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\taskkill.exe" /IM cvtres.exe /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x0000041c	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 2908 thread_handle: 0x0000041c process_identifier: 2904 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\system32\schtasks.exe" /delete /tn WD /f filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000500	1	1
NtResumeThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 2996	1	0
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 260 thread_handle: 0x00000390 process_identifier: 1944 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\wscript.exe track: 1 command_line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\WindowsHost\office.vbs" filepath_r: C:\Windows\System32\WScript.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000038c	1	1
NtResumeThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 2996	1	0
NtResumeThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2904	1	0
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 2252 thread_handle: 0x000002d8 process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\Public\office.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002dc	1	1
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 2408 thread_handle: 0x00000088 process_identifier: 2380 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\office.ps1'" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
NtResumeThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2380	1	0
NtResumeThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2380	1	0
NtResumeThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2380	1	0
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 1880 thread_handle: 0x000003d8 process_identifier: 1692 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000368	1	1
NtGetContextThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x000003d8	1	0
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 1692 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000368		3221225496
CreateProcessInternalW Dec. 16, 2022, 9:44 a.m.	thread_identifier: 1020 thread_handle: 0x00000348 process_identifier: 1700 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000340	1	1
NtGetContextThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x00000348	1	0
NtAllocateVirtualMemory Dec. 16, 2022, 9:44 a.m.	process_identifier: 1700 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000340	1	0
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELZecàì Î @ `@K ÿ@ H.textÔë ì `.rsrcÿ î@@.reloc@ö@B base_address: 0x00400000 process_identifier: 1700 process_handle: 0x00000340	1	1
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: base_address: 0x00402000 process_identifier: 1700 process_handle: 0x00000340	1	1
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: P8h Ìl#Ì4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°,StringFileInfo000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.02 InternalNameStub.exe&LegalCopyrightLegalTrademarks: OriginalFilenameStub.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly> base_address: 0x00412000 process_identifier: 1700 process_handle: 0x00000340	1	1
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: Ð; base_address: 0x00414000 process_identifier: 1700 process_handle: 0x00000340	1	1
WriteProcessMemory Dec. 16, 2022, 9:44 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1700 process_handle: 0x00000340	1	1
NtSetContextThread Dec. 16, 2022, 9:44 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4262862 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000348 process_identifier: 1700	1	0
NtResumeThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x00000348 suspend_count: 1 process_identifier: 1700	1	0
NtResumeThread Dec. 16, 2022, 9:44 a.m.	thread_handle: 0x000003c0 suspend_count: 1 process_identifier: 2380	1	0

bb.png.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All