don.vbs

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET https://paste.ee/d/y2sCr

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Symantec	ISB.Downloader!gen40
Avast	Script:SNH-gen [Trj]
Kaspersky	HEUR:Trojan.VBS.SAgent.gen
ZoneAlarm	HEUR:Trojan.VBS.SAgent.gen
AVG	Script:SNH-gen [Trj]

Wscript.exe initiated network communications indicative of a script based payload download (3 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 27, 2023, 10:51 a.m.	buffer:  k g e;¶¥Ë¡š®òHОAú ٍ¾YBBáãm”ƒ/5 ÀÀÀ À 28 &ÿ paste.ee  socket: 972		0	0
WSASend Oct. 27, 2023, 10:51 a.m.	buffer:  FBAƒ‘WQó’#!©ŸPë_sn`–”è²¾ìÙÉt 1zG§ aG䁵 ó*!7ú'ª;ðF++º­ÅXùNoÓÒ  0‹‘Ðu¯7FÚ£èÁéËéd §xÄô¾øâoŒ—‘«ì_«|lH]˜{Õ©„Š socket: 972		0	0
WSASend Oct. 27, 2023, 10:51 a.m.	buffer:  Àšádz)“Ð;¿ÛQ[ÀûdÅ$tvËÀl‡wË =½”<9ߑ¯¿Jæ~2ú¥‹X¿9_„ÞÍÏâNb´½©«û1ÈùÇ:E‹ˆ:KšÆð3JÍxÒòÐÖè8>ج`–‰Ë³’OòFŽÆԑoôᝆ¯? àà0^)ágù«ßK=V¨™Xr»+¡/>¬+4’õÁ€Å§ÅϦ%Òù(„ ê|aý£ ÚÉÝåµAB(C÷Žaz:“ socket: 972		0	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 27, 2023, 10:51 a.m.	buffer:  k g e;¶¥Ë¡š®òHОAú ٍ¾YBBáãm”ƒ/5 ÀÀÀ À 28 &ÿ paste.ee  socket: 972		0	0
WSASend Oct. 27, 2023, 10:51 a.m.	buffer:  FBAƒ‘WQó’#!©ŸPë_sn`–”è²¾ìÙÉt 1zG§ aG䁵 ó*!7ú'ª;ðF++º­ÅXùNoÓÒ  0‹‘Ðu¯7FÚ£èÁéËéd §xÄô¾øâoŒ—‘«ì_«|lH]˜{Õ©„Š socket: 972		0	0
WSASend Oct. 27, 2023, 10:51 a.m.	buffer:  Àšádz)“Ð;¿ÛQ[ÀûdÅ$tvËÀl‡wË =½”<9ߑ¯¿Jæ~2ú¥‹X¿9_„ÞÍÏâNb´½©«û1ÈùÇ:E‹ˆ:KšÆð3JÍxÒòÐÖè8>ج`–‰Ë³’OòFŽÆԑoôᝆ¯? àà0^)ágù«ßK=V¨™Xr»+¡/>¬+4’õÁ€Å§ÅϦ%Òù(„ ê|aý£ ÚÉÝåµAB(C÷Žaz:“ socket: 972		0	0