Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 8, 2023, 5:30 p.m.	March 8, 2023, 5:32 p.m.

Size	475.4KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`54846ba2f55540444b2f62d30ef9cdbc`
SHA256	`4746941996305743c9d0bcb96ed4b2b930355cd8782098aa5600b42131314308`
CRC32	`2B731E60`
ssdeep	`3072:xuH98N3m23iI8+8jlHl0k5T2POkCmoHv0ZH82X3AQr1E9:xuHuN3m2398xHl0k5T2POkCmu2X3AQ2`
Yara	anti_vm_detect - Possibly employs anti-virtualization techniques hide_executable_file - Hide executable file PowerShell_Script_Include_2_Zero - PowerShell Script Include [Zero] PowerShell_Script_MZ_Zero - PowerShell Script MZ [Zero]

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\73cceb_69fbb28af79141d4b6bec17ff2cf1850.txt.ps1
3012
- schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"
  1188
- schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
  1632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 8, 2023, 5:30 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 8, 2023, 5:31 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (48 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: Directory: C:\ProgramData console_handle: 0x00000023	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x0000002f	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: d---- 2023-03-08 오후 5:30 MEMEMAN console_handle: 0x00000037	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: The term '£££' is not recognized as the name of a cmdlet, function, script file console_handle: 0x00000023	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: , or operable program. Check the spelling of the name, or if a path was include console_handle: 0x0000002f	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: d, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: At line:5 char:5 console_handle: 0x00000047	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: + (£££ <<<< (£££(£££ $AMI))) \| .('{x}{9}'.replace('9','0').replace('x','1')-f' console_handle: 0x00000053	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: Pussy','%%').replace('%%','I').replace('Pussy','EX') console_handle: 0x0000005f	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: + CategoryInfo : ObjectNotFound: (£££:String) [], CommandNotFound console_handle: 0x0000006b	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: Exception console_handle: 0x00000077	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000023	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: At line:15 char:18 console_handle: 0x0000002f	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + $o = $h.GetMethod <<<< ($k) console_handle: 0x0000003b	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + CategoryInfo : InvalidOperation: (GetMethod:String) [], Runtime console_handle: 0x00000047	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: Exception console_handle: 0x00000053	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000005f	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000007f	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: At line:22 char:10 console_handle: 0x0000008b	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + $o.Invoke <<<< ($hh, ($V4,$Ripple)) console_handle: 0x00000097	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000a3	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: eption console_handle: 0x000000af	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000bb	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000db	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: At line:23 char:10 console_handle: 0x000000e7	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + $o.Invoke <<<< ($hh, ($V2,$Ripple)) console_handle: 0x000000f3	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000ff	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: eption console_handle: 0x0000010b	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000117	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000137	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: At line:24 char:10 console_handle: 0x00000143	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + $o.Invoke <<<< ($hh, ($V3,$Ripple)) console_handle: 0x0000014f	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x0000015b	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: eption console_handle: 0x00000167	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000173	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: Exception calling "WriteAllText" with "2" argument(s): "The UNC path should be console_handle: 0x00000023	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: of the form \\server\share." console_handle: 0x0000002f	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: At C:\Users\test22\AppData\Local\Temp\73cceb_69fbb28af79141d4b6bec17ff2cf1850.t console_handle: 0x0000003b	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: xt.ps1:73 char:24 console_handle: 0x00000047	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + [IO.File]::WriteAllText <<<< ("$ZeeNEWsTV\\UpdateEscan.js", $sexi) console_handle: 0x00000053	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000005f	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000006b	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MEMEMAN\CypherDeptography.~+~ Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CypherDeptography.~+~". console_handle: 0x00000083	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MEMEMAN\REALENGINEUPDATE.js Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\REALENGINEUPDATE.js". console_handle: 0x0000008f	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: VERBOSE: Performing operation "Copy File" on Target "Item: C:\ProgramData\MEMEMAN\WindowsDEFENDERUPDATE.js Destination: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDEFENDERUPDATE.js". console_handle: 0x0000009b	1	1
WriteConsoleW March 8, 2023, 5:30 p.m.	buffer: SUCCESS: The scheduled task "EscansUpdate" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2023, 5:31 p.m.	buffer: SUCCESS: The scheduled task "EscanDissldo" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (13 events)

Time & API	Arguments	Status	Return
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:30 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e1738 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e18f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2023, 5:31 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x055e18f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 8, 2023, 5:30 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06321000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06322000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06323000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:30 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06324000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06325000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06326000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06327000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06328000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0632a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0632e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0633f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2023, 5:31 p.m.	process_identifier: 3012 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x061fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\MEMEMAN\REALENGINEUPDATE.js
file	C:\ProgramData\MEMEMAN\WindowsDEFENDERUPDATE.js

Creates a suspicious process (2 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Kaspersky	HEUR:Trojan.PowerShell.Kryptik.gen
Google	Detected
AhnLab-V3	Trojan/PowerShell.Agent.SC185668
Ikarus	Trojan-Dropper.VBS.Agent

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"

Installs itself for autorun at Windows startup (2 events)

cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
cmdline	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 200 /tn EscanDissldo /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\UpdateEscan.js"
parent_process	powershell.exe				martian_process	"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 120 /tn EscansUpdate /F /tr "wscript.exe //b //e:jscript C:\\ProgramData\\MEMEMAN\\WindowsDEFENDERUPDATE.js"

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\schtasks.exe

73cceb_69fbb28af79141d4b6bec17ff2cf1850.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All