HIGH 'Script Engine Activity - 2431936258' along with 232 other issues
RESOLVED SECURITY TESTING
ID: #3 | Created: 2025-12-30 16:28:28
233 Alerts | 1 Hosts | 10 Files | 0 Network
Incident Overview
'Script Engine Activity - 2431936258' along with 232 other issues generated by XDR Agent detected on host book-r0be6s1nc3 involving 2 users
Alerts: 233 | Last updated: 2026-01-01 05:34 | Assignee: Unassigned | Source: XDR Agent | Category: Malware
Affected Hosts & Users
Host: book-r0be6s1nc3
Users: system, ubuntu
MITRE ATT&CK Mapping
File Artifacts
10
| File Name | Path | SHA256 | Signature | Verdict |
|---|---|---|---|---|
| UltimateXdrGenerator.exe | - | dc6ef9db16f6c3af583ab0e1f123ff0d29f5c2c6cc9bb7635cd52a03583efcd8 | SIGNATURE_UNSIGNED | UNKNOWN |
| splunkd.exe | - | 21a82bc892ffbe9e9351528ca53dde9b4c05c3d35a8696b15c5ff2a311533e6f | SIGNATURE_UNSIGNED | UNKNOWN |
| powershell.exe | - | 0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46 | SIGNATURE_SIGNED | UNKNOWN |
| conhost.exe | - | 6651a3beb0df1e66363a950c37dc9305f185d161fb03761e172ccfa0a4ab4f89 | SIGNATURE_SIGNED | UNKNOWN |
| pwsh.exe | - | a7ad362b22e0e289772cccf78c7af3b99e32f3084e675392e4a9ffddf380bf05 | SIGNATURE_SIGNED | UNKNOWN |
| OpenConsole.exe | - | 6b2915a9a91c0738346a6c6a7b3ee2b74e26582b0c92b1b16066e72570dddd68 | SIGNATURE_SIGNED | UNKNOWN |
| WindowsTerminal.exe | - | aba55eb3398b290ebd93ae83b34a9e51d6b5763ac8c0172b39e8a4b6f53b9f8d | SIGNATURE_SIGNED | UNKNOWN |
| HOSTNAME.EXE | - | 8ff283fb7a282a9b2b30235016669dfe795665bcbb254fd17ac31fa9308d89d9 | SIGNATURE_SIGNED | UNKNOWN |
| mmc.exe | - | 48ec341bf3efd9a78141a01f15cd3548f10cd6c56793a9d3705b884d06bb956e | SIGNATURE_SIGNED | UNKNOWN |
| regsvr32.exe | - | f379c637eb2250f0cdae05918035a37f3fdf89d6b2ad897da235c5f603fe2a1e | SIGNATURE_SIGNED | UNKNOWN |
Network Artifacts
0
No network artifacts found for this incident
Process Artifacts
232
| Process | Command Line | Parent Process | User |
|---|---|---|---|
| splunkd.exe | "C:\Users\Public\splunkd.exe" -server http://localhost:8888 -group red | WindowsTerminal.exe | N/A |
| WindowsTerminal.exe | "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.23.13503.0_x64__8wekyb... | WindowsTerminal.exe | ubuntu |
| WindowsTerminal.exe | "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.23.13503.0_x64__8wekyb... | WindowsTerminal.exe | ubuntu |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoL... | - | ubuntu |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
| powershell.exe | "powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRed... | powershell.exe | SYSTEM |
Registry Artifacts
0
No registry artifacts found for this incident
Analyst Verdict: HIGH
- Isolate affected endpoints
- Investigate all related alerts
- Document findings
Summary
233 Alerts | 1 Hosts | 10 Files | 0 Network
Alert Categories: Malware
Timeline
| Time | Event | Detail |
|---|---|---|
| 01-01 05:34:57 | Incident Modified | Status or details updated |
| 01-01 05:34:57 | Incident Resolved | resolved security testing |
| 01-01 04:10:43 | WildFire Malware | high - Prevented (Post Detected) |
| 01-01 01:46:25 | Script Engine Activity - 2325564505 | high - Prevented (Blocked) |
| 01-01 01:45:24 | Script Engine Activity - 2325564505 | high - Prevented (Blocked) |
| 01-01 01:38:19 | Script Engine Activity - 2325564505 | high - Prevented (Blocked) |
| 01-01 01:33:19 | Script Engine Activity - 2325564505 | high - Prevented (Blocked) |
| 01-01 01:28:19 | Script Engine Activity - 2325564505 | high - Prevented (Blocked) |
| 01-01 01:23:19 | Script Engine Activity - 2431936258 | high - Detected (Reported) |
| 01-01 01:23:19 | Script Engine Activity - 2325564505 | high - Detected (Reported) |
| 01-01 01:18:19 | Script Engine Activity - 2325564505 | high - Detected (Reported) |
| 01-01 01:18:19 | Script Engine Activity - 2431936258 | high - Detected (Reported) |
| 01-01 01:17:28 | Suspicious Process Creation | medium - Prevented (Blocked) |
| 01-01 01:13:19 | Script Engine Activity - 2325564505 | high - Detected (Reported) |
| 01-01 01:13:19 | Script Engine Activity - 2431936258 | high - Detected (Reported) |
| 01-01 01:08:19 | Script Engine Activity - 2325564505 | high - Prevented (Blocked) |
| 01-01 01:08:19 | Script Engine Activity - 2431936258 | high - Detected (Reported) |
| 01-01 01:05:12 | Script Engine Activity - 2431936258 | high - Detected (Reported) |
| 01-01 01:05:12 | Script Engine Activity - 2325564505 | high - Prevented (Blocked) |
| 12-31 23:38:20 | Script Engine Activity - 2325564505 | high - Detected (Reported) |
| 12-31 23:38:20 | Script Engine Activity - 2431936258 | high - Detected (Reported) |
| 12-31 23:33:20 | Script Engine Activity - 2325564505 | high - Detected (Reported) |
| 12-31 23:33:20 | Script Engine Activity - 2431936258 | high - Detected (Reported) |
| 12-31 23:28:20 | Script Engine Activity - 2325564505 | high - Detected (Reported) |
| 12-31 23:28:20 | Script Engine Activity - 2431936258 | high - Detected (Reported) |