Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 24, 2023, 9:20 a.m.	Aug. 24, 2023, 9:22 a.m.

Size	6.6MB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`10c83f5b34882b38cfcde8064af6c34b`
SHA256	`0b9f41f810ef6352e7ecb6441af26f60a43d98a49aeee939a5935fda03380296`
CRC32	`00195223`
ssdeep	`384:0WnPZ/WxrZtbKH8iUumsWn/3sIy/UvIa7pUO820QkeXFfcRK63CPjTOkKJ3wjWv0:tV+pU7nS`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\d9e1c3_337d702a7383407ea927e15f24052b8b.txt.ps1
2676
- schtasks.exe "C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 187 /tn clomepe /F /tr "wscript //nologo C:\\ProgramData\\TUKHAMTASSER\\kilng.vbs"
  2632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 24, 2023, 9:22 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (45 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: Directory: C:\ProgramData console_handle: 0x00000023	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: d---- 2023-08-24 오전 9:20 TUKHAMTASSER console_handle: 0x00000037	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: Invoke-Expression : Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: At line:10 char:30 console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: + Decode-BinaryToText $AMI \| . <<<< ('{x}{9}'.replace('9','0').replace('x','1' console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: )-f'Pussy','%%').replace('%%','I').replace('Pussy','EX') console_handle: 0x00000047	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: + CategoryInfo : ParserError: ((:String) [Invoke-Expression], Par console_handle: 0x00000053	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: seException console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 24, 2023, 9:20 a.m.	buffer: vokeExpressionCommand console_handle: 0x00000077	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000023	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: At line:32 char:36 console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + $invokeMethod = $type.GetMethod <<<< ($method) console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + CategoryInfo : InvalidOperation: (GetMethod:String) [], Runtime console_handle: 0x00000047	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: Exception console_handle: 0x00000053	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x0000007f	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: At line:39 char:25 console_handle: 0x0000008b	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + $invokeMethod.Invoke <<<< ($nullArray, ($v4Path, $data2)) console_handle: 0x00000097	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000a3	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: eption console_handle: 0x000000af	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000bb	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x000000db	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: At line:40 char:25 console_handle: 0x000000e7	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + $invokeMethod.Invoke <<<< ($nullArray, ($v2Path, $data2)) console_handle: 0x000000f3	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000ff	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: eption console_handle: 0x0000010b	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000117	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000137	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: At line:41 char:25 console_handle: 0x00000143	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + $invokeMethod.Invoke <<<< ($nullArray, ($v3Path, $data2)) console_handle: 0x0000014f	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x0000015b	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: eption console_handle: 0x00000167	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x00000173	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: Remove-Item : Cannot find path 'C:\Users\test22\AppData\Local\Temp\d9e1c3_337d7 console_handle: 0x00000023	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: 02a7383407ea927e15f24052b8b.txt.ps1' because it does not exist. console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\d9e1c3_337d702a7383407ea927e15f24052b8b.t console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: xt.ps1:59 char:12 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + Remove-Item <<<< $scriptPath -Force console_handle: 0x00000053	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\test22...4052b8b.txt.p console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: s1:String) [Remove-Item], ItemNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.Remov console_handle: 0x00000077	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: eItemCommand console_handle: 0x00000083	1	1
WriteConsoleW Aug. 24, 2023, 9:22 a.m.	buffer: SUCCESS: The scheduled task "clomepe" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (10 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 24, 2023, 9:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:20 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:22 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 24, 2023, 9:20 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (36 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0204b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0205f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02029000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06491000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06493000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06494000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0202d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:20 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:21 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06496000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0649b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x064ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029fd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02059000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:22 a.m.	process_identifier: 2676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029fe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\TUKHAMTASSER\kilng.vbs

Creates a suspicious process (1 event)

cmdline

"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 187 /tn clomepe /F /tr "wscript //nologo C:\\ProgramData\\TUKHAMTASSER\\kilng.vbs"

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Ikarus	Trojan.PS.Agent
Fortinet	JS/Agent.C34B!tr

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 187 /tn clomepe /F /tr "wscript //nologo C:\\ProgramData\\TUKHAMTASSER\\kilng.vbs"

Installs itself for autorun at Windows startup (1 event)

cmdline

"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 187 /tn clomepe /F /tr "wscript //nologo C:\\ProgramData\\TUKHAMTASSER\\kilng.vbs"

A potential heapspray has been detected. 115 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

1853

name

heapspray

process

powershell.exe

total_mb

115

length

65536

protection

PAGE_READWRITE

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Windows\system32\schtasks.exe" /create /sc MINUTE /mo 187 /tn clomepe /F /tr "wscript //nologo C:\\ProgramData\\TUKHAMTASSER\\kilng.vbs"

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Windows\System32\schtasks.exe

d9e1c3_337d702a7383407ea927e15f24052b8b.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All