Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 18, 2024, 10:05 a.m.	Oct. 18, 2024, 10:09 a.m.

Size	1.7KB
Type	ASCII text, with CRLF line terminators
MD5	`546d10b7c0a8cacd843e1a51014d01ef`
SHA256	`7c433806233a74bcf338ab947c3950979d9845019fbfd94784268ab6c5a6e7a2`
CRC32	`79688790`
ssdeep	`24:4fY2PNwo1dRSBA1PLVpB+df8UVjNXekTH5RQHwYMFAhRjV5L5k3px3SewCTtTnPB:uVTNLVpGUUVhukTZOQ1AhRjX9E5rOFYX`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\paste.ps1
800
- cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /f /im dsm.exe
  2096
  - taskkill.exe taskkill /f /im dsm.exe
    2160
- cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /f /im userinit.exe
  2268
  - taskkill.exe taskkill /f /im userinit.exe
    2324
- cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /f /im dom.exe
  2388
  - taskkill.exe taskkill /f /im dom.exe
    2432
- cmd.exe "C:\Windows\system32\cmd.exe" /c del /f /q C:\Windows\System32\config\systemprofile\dom\*
  2496
- cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /f /im WindowsUpdate.exe
  2540
  - taskkill.exe taskkill /f /im WindowsUpdate.exe
    2584
- cmd.exe "C:\Windows\system32\cmd.exe" /c del /f /q C:\Windows\temp\WindowsUpdate.exe
  2648
- cmd.exe "C:\Windows\system32\cmd.exe" /c attrib -s -h -r %tmp%\config.json
  2696
  - attrib.exe attrib -s -h -r C:\Users\test22\AppData\Local\Temp\config.json
    2780
- cmd.exe "C:\Windows\system32\cmd.exe" /c attrib -s -h -r C:\Windows\temp\config.json
  2840
  - attrib.exe attrib -s -h -r C:\Windows\temp\config.json
    2884
- cmd.exe "C:\Windows\system32\cmd.exe" /c rd /s /q %tmp%\config.json
  2928
- cmd.exe "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Windows\temp\config.json
  2972
- cmd.exe "C:\Windows\system32\cmd.exe" /c attrib +R +S +H %tmp%\config.json
  2628
  - attrib.exe attrib +R +S +H C:\Users\test22\AppData\Local\Temp\config.json
    2652
- cmd.exe "C:\Windows\system32\cmd.exe" /c attrib +R +S +H C:\Windows\temp\config.json
  2816
  - attrib.exe attrib +R +S +H C:\Windows\temp\config.json
    2872
- cmd.exe "C:\Windows\system32\cmd.exe" /c taskkill /f /im shella.exe
  2940
  - taskkill.exe taskkill /f /im shella.exe
    3012

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
112.217.207.130	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 18, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 18, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (50 out of 75 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Get-Process : Cannot find a process with the name "javas". Verify the process n console_handle: 0x00000023	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: ame and call the cmdlet again. console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\paste.ps1:20 char:19 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + $javas=Get-Process <<<< -Name javas \|select-object CPU console_handle: 0x00000047	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + CategoryInfo : ObjectNotFound: (javas:String) [Get-Process], Pr console_handle: 0x00000053	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: ocessCommandException console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell. console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Commands.GetProcessCommand console_handle: 0x00000077	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Get-Process : Cannot find a process with the name "javas". Verify the process n console_handle: 0x00000097	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: ame and call the cmdlet again. console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\paste.ps1:25 char:12 console_handle: 0x000000af	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + Get-Process <<<< -Name javas \| Stop-Process console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + CategoryInfo : ObjectNotFound: (javas:String) [Get-Process], Pr console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: ocessCommandException console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell. console_handle: 0x000000df	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Commands.GetProcessCommand console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Get-Process : Cannot find a process with the name "javas". Verify the process n console_handle: 0x00000023	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: ame and call the cmdlet again. console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\paste.ps1:10 char:16 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + Get-Process <<<< -Name $proc_name \| Stop-Process console_handle: 0x00000047	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + CategoryInfo : ObjectNotFound: (javas:String) [Get-Process], Pr console_handle: 0x00000053	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: ocessCommandException console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell. console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Commands.GetProcessCommand console_handle: 0x00000077	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Remove-Item : Cannot find path 'C:\Users\test22\AppData\Local\Temp\javas.exe' b console_handle: 0x00000097	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: ecause it does not exist. console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\paste.ps1:11 char:16 console_handle: 0x000000af	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + Remove-Item <<<< $path console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\test22...\Temp\javas.e console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: xe:String) [Remove-Item], ItemNotFoundException console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.Remov console_handle: 0x000000df	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: eItemCommand console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: donwload with backurl console_handle: 0x000000fb	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Get-Process : Cannot find a process with the name "config.json". Verify the pro console_handle: 0x0000010f	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: cess name and call the cmdlet again. console_handle: 0x0000011b	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\paste.ps1:10 char:16 console_handle: 0x00000127	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + Get-Process <<<< -Name $proc_name \| Stop-Process console_handle: 0x00000133	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + CategoryInfo : ObjectNotFound: (config.json:String) [Get-Proces console_handle: 0x0000013f	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: s], ProcessCommandException console_handle: 0x0000014b	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + FullyQualifiedErrorId : NoProcessFoundForGivenName,Microsoft.PowerShell. console_handle: 0x00000157	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Commands.GetProcessCommand console_handle: 0x00000163	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: Remove-Item : Cannot find path 'C:\Users\test22\AppData\Local\Temp\config.json' console_handle: 0x00000183	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: because it does not exist. console_handle: 0x0000018f	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\paste.ps1:11 char:16 console_handle: 0x0000019b	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + Remove-Item <<<< $path console_handle: 0x000001a7	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\test22...emp\config.js console_handle: 0x000001b3	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: on:String) [Remove-Item], ItemNotFoundException console_handle: 0x000001bf	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.Remov console_handle: 0x000001cb	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: eItemCommand console_handle: 0x000001d7	1	1
WriteConsoleW Oct. 18, 2024, 10:05 a.m.	buffer: donwload with backurl console_handle: 0x000001e7	1	1

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004279c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004279c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004279c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004279c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004279c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004279c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004279c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004279c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004279c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00427e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00427e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00427e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00427e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00427e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 18, 2024, 10:05 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00427e48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 18, 2024, 10:05 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0255f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05531000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05532000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05533000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05534000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05535000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ed000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05241000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05538000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02559000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02703000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05541000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05256000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05539000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 18, 2024, 10:05 a.m.	process_identifier: 800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0553a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a suspicious process (13 events)

cmdline	"C:\Windows\system32\cmd.exe" /c attrib +R +S +H %tmp%\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im dsm.exe
cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q %tmp%\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c attrib +R +S +H C:\Windows\temp\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im dom.exe
cmdline	"C:\Windows\system32\cmd.exe" /c attrib -s -h -r C:\Windows\temp\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im WindowsUpdate.exe
cmdline	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Windows\temp\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c del /f /q C:\Windows\System32\config\systemprofile\dom\*
cmdline	"C:\Windows\system32\cmd.exe" /c attrib -s -h -r %tmp%\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im shella.exe
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im userinit.exe
cmdline	"C:\Windows\system32\cmd.exe" /c del /f /q C:\Windows\temp\WindowsUpdate.exe

Executes one or more WMI queries (5 events)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "userinit.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dom.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "dsm.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WindowsUpdate.exe")
wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "shella.exe")

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 18, 2024, 10:05 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\javas.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\javas.exe		0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 18, 2024, 10:05 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (5 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 18, 2024, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 18, 2024, 10:05 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (20 events)

cmdline	"C:\Windows\system32\cmd.exe" /c attrib +R +S +H %tmp%\config.json
cmdline	attrib +R +S +H C:\Users\test22\AppData\Local\Temp\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im dsm.exe
cmdline	"C:\Windows\system32\cmd.exe" /c attrib +R +S +H C:\Windows\temp\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im dom.exe
cmdline	"C:\Windows\system32\cmd.exe" /c attrib -s -h -r C:\Windows\temp\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im WindowsUpdate.exe
cmdline	taskkill /f /im dom.exe
cmdline	attrib -s -h -r C:\Windows\temp\config.json
cmdline	attrib -s -h -r C:\Users\test22\AppData\Local\Temp\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c del /f /q C:\Windows\System32\config\systemprofile\dom\*
cmdline	attrib +R +S +H C:\Windows\temp\config.json
cmdline	"C:\Windows\system32\cmd.exe" /c attrib -s -h -r %tmp%\config.json
cmdline	taskkill /f /im dsm.exe
cmdline	taskkill /f /im userinit.exe
cmdline	taskkill /f /im shella.exe
cmdline	taskkill /f /im WindowsUpdate.exe
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im shella.exe
cmdline	"C:\Windows\system32\cmd.exe" /c taskkill /f /im userinit.exe
cmdline	"C:\Windows\system32\cmd.exe" /c del /f /q C:\Windows\temp\WindowsUpdate.exe

Communicates with host for which no DNS query was performed (1 event)

host

112.217.207.130

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\javas.exe

One or more non-whitelisted processes were created (14 events)

parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c attrib +R +S +H %tmp%\config.json
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c attrib +R +S +H C:\Windows\temp\config.json
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c rd /s /q %tmp%\config.json
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c taskkill /f /im dom.exe
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c del /f /q C:\Windows\System32\config\systemprofile\dom\*
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Local\Temp\javas.exe
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c attrib -s -h -r C:\Windows\temp\config.json
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c taskkill /f /im WindowsUpdate.exe
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c attrib -s -h -r %tmp%\config.json
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Windows\temp\config.json
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c taskkill /f /im dsm.exe
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c taskkill /f /im userinit.exe
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c del /f /q C:\Windows\temp\WindowsUpdate.exe
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c taskkill /f /im shella.exe

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

Cynet	Malicious (score: 99)
CTX	powershell.miner.pwsh
Skyhigh	Artemis!Trojan
ALYac	Generic.PWSH.Miner.D.8697786F
VIPRE	Generic.PWSH.Miner.D.8697786F
Arcabit	Generic.PWSH.Miner.D.D84B7BAF
Symantec	Scr.Malcode!gen
ESET-NOD32	PowerShell/CoinMiner.BW
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	Generic.PWSH.Miner.D.8697786F
MicroWorld-eScan	Generic.PWSH.Miner.D.8697786F
Emsisoft	Generic.PWSH.Miner.D.8697786F (B)
F-Secure	Trojan.TR/PShell.Miner.G
DrWeb	PowerShell.DownLoader.1760
Ikarus	Trojan.PowerShell.Coinminer
FireEye	Generic.PWSH.Miner.D.8697786F
Google	Detected
Avira	TR/PShell.Miner.G
Kingsoft	Script.Trojan.Generic.a
Microsoft	Trojan:Script/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Script.Generic
GData	Generic.PWSH.Miner.D.8697786F
AhnLab-V3	Downloader/PowerShell.Miner.SC197176
Tencent	Script.Trojan.Generic.Ztjl
AVG	Script:SNH-gen [Trj]

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

112.217.207.130:80

The process powershell.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\Windows\System32\cmd.exe
file	C:\Users\test22\AppData\Local\Temp\javas.exe

paste.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All