Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 7, 2023, 9:37 a.m.	June 7, 2023, 9:39 a.m.

Size	11.1KB
Type	C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5	`aeba5b78f9353aba278c46c9c820265c`
SHA256	`5052a400b1a6583d1264a906bff7360dcc414c59e051d82c7c2c4901a1c03a7e`
CRC32	`1F1ACF52`
ssdeep	`192:nr0z+PeAd6Mi3v9ugS73pBz2NWkFHzpU0xgVfYfl3scpiPQ4+zN/K9o:nrqfFSyFHzpU0xgNYycpiPQZr`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\d35u6pvfsr5oqz.cloudfront.net_fav.ico.ps1
3044
- csc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\qm0gul_y.cmdline"
  1780

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (46 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: Add-Type : c:\Users\test22\AppData\Local\Temp\qm0gul_y.0.cs(4) : The type or na console_handle: 0x00000023	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: mespace name 'Linq' does not exist in the namespace 'System' (are you missing a console_handle: 0x0000002f	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: n assembly reference?) console_handle: 0x0000003b	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: c:\Users\test22\AppData\Local\Temp\qm0gul_y.0.cs(3) : using System.Collections. console_handle: 0x0000004b	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: Generic; console_handle: 0x00000057	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: c:\Users\test22\AppData\Local\Temp\qm0gul_y.0.cs(4) : >>> using System.Linq.Exp console_handle: 0x00000067	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: ressions; console_handle: 0x00000073	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: c:\Users\test22\AppData\Local\Temp\qm0gul_y.0.cs(5) : using System.Linq; console_handle: 0x00000083	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\d35u6pvfsr5oqz.cloudfront.net_fav.ico.ps1 console_handle: 0x00000093	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: :280 char:9 console_handle: 0x0000009f	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + Add-Type <<<< -TypeDefinition $HardwareBreakpoint console_handle: 0x000000ab	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + CategoryInfo : InvalidData: (c:\Users\test22...bly reference?): console_handle: 0x000000b7	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: CompilerError) [Add-Type], Exception console_handle: 0x000000c3	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands. console_handle: 0x000000cf	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: AddTypeCommand console_handle: 0x000000db	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: Add-Type : c:\Users\test22\AppData\Local\Temp\qm0gul_y.0.cs(5) : The type or na console_handle: 0x000000fb	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: mespace name 'Linq' does not exist in the namespace 'System' (are you missing a console_handle: 0x00000107	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: n assembly reference?) console_handle: 0x00000113	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: c:\Users\test22\AppData\Local\Temp\qm0gul_y.0.cs(4) : using System.Linq.Express console_handle: 0x00000123	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: ions; console_handle: 0x0000012f	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: c:\Users\test22\AppData\Local\Temp\qm0gul_y.0.cs(5) : >>> using System.Linq; console_handle: 0x0000013f	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: c:\Users\test22\AppData\Local\Temp\qm0gul_y.0.cs(6) : using System.Runtime.Comp console_handle: 0x0000014f	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: ilerServices; console_handle: 0x0000015b	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\d35u6pvfsr5oqz.cloudfront.net_fav.ico.ps1 console_handle: 0x0000016b	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: :280 char:9 console_handle: 0x00000177	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + Add-Type <<<< -TypeDefinition $HardwareBreakpoint console_handle: 0x00000183	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + CategoryInfo : InvalidData: (c:\Users\test22...bly reference?): console_handle: 0x0000018f	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: CompilerError) [Add-Type], Exception console_handle: 0x0000019b	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + FullyQualifiedErrorId : SOURCE_CODE_ERROR,Microsoft.PowerShell.Commands. console_handle: 0x000001a7	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: AddTypeCommand console_handle: 0x000001b3	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: Add-Type : Cannot add type. There were compilation errors. console_handle: 0x000001d3	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\d35u6pvfsr5oqz.cloudfront.net_fav.ico.ps1 console_handle: 0x000001df	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: :280 char:9 console_handle: 0x000001eb	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + Add-Type <<<< -TypeDefinition $HardwareBreakpoint console_handle: 0x000001f7	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + CategoryInfo : InvalidData: (:) [Add-Type], InvalidOperationExc console_handle: 0x00000203	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: eption console_handle: 0x0000020f	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + FullyQualifiedErrorId : COMPILER_ERRORS,Microsoft.PowerShell.Commands.Ad console_handle: 0x0000021b	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: dTypeCommand console_handle: 0x00000227	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: Unable to find type [Test.Program]: make sure that the assembly containing this console_handle: 0x00000247	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: type is loaded. console_handle: 0x00000253	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\d35u6pvfsr5oqz.cloudfront.net_fav.ico.ps1 console_handle: 0x0000025f	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: :282 char:15 console_handle: 0x0000026b	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + [Test.Program] <<<< ::SetupBypass() console_handle: 0x00000277	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + CategoryInfo : InvalidOperation: (Test.Program:String) [], Runt console_handle: 0x00000283	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: imeException console_handle: 0x0000028f	1	1
WriteConsoleW June 7, 2023, 9:37 a.m.	buffer: + FullyQualifiedErrorId : TypeNotFound console_handle: 0x0000029b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 55 events)

Time & API	Arguments	Status	Return
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x065611a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005e1500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9dc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005f9d08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05ff0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05ff1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05ff2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05ff3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05ff4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06380000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05ff5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05448000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 1780 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:37 a.m.	process_identifier: 1780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)

Symantec

ISB.Heuristic!gen97

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\qm0gul_y.cmdline"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\qm0gul_y.cmdline

Creates a slightly modified copy of itself (1 event)

description

Possibly a polymorphic version of itself

file

{u'yara': [], u'sha1': u'a70084ddb5632f5e419d3f8e17cee7c38657dab2', u'name': u'b67cc52b1ad281c4_qm0gul_y.0.cs', u'filepath': u'C:\\Users\\test22\\AppData\\Local\\Temp\\qm0gul_y.0.cs', u'sha512': u'9029fa581437ecf6ee50f4df3575e9687bffaac46fdcea82d24ad484e580dd79a08afe9d6aa208d955cad0cad8790d29c6fee0e18322457208fd6353d57239ec', u'urls': [], u'crc32': u'3D1F5978', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/42007/files/b67cc52b1ad281c4_qm0gul_y.0.cs', u'ssdeep': u'192:K0z+PeAd6Mi3v9ugS73pBz2NWkFHzpU0xgVfYfl3scpiPQ4+p:KqfFSyFHzpU0xgNYycpiPQ7', u'sha256': u'b67cc52b1ad281c426d9558b55b826d0a179e2f4dbe0fc96b7d905d08f43d9f8', u'type': u'C++ source, UTF-8 Unicode (with BOM) text, with CRLF line terminators', u'pids': [3044], u'md5': u'1f258089663100f4f2c25842fa5ac16f', u'size': 10697}

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\test22\AppData\Local\Temp\qm0gul_y.cmdline"

d35u6pvfsr5oqz.cloudfront.net_fav.ico.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All