IEbrowserUpdates.vbs

Performs some HTTP requests (2 events)

request	GET http://paste.ee/d/ywRmc
request	GET https://paste.ee/d/ywRmc

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Skyhigh	BehavesLike.VBS.Dropper.nv
Symantec	ISB.Downloader!gen40
Kaspersky	HEUR:Trojan.VBS.SAgent.gen

Wscript.exe initiated network communications indicative of a script based payload download (4 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Jan. 23, 2024, 2:09 p.m.	buffer: GET /d/ywRmc HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: paste.ee socket: 540		0	0
WSASend Jan. 23, 2024, 2:09 p.m.	buffer:  k g e¯J#ÀÔj§ãx^@`§ ÿP ñ5Â’º‹Ï‹u¶Í/5 ÀÀÀ À 28 &ÿ paste.ee  socket: 540		0	0
WSASend Jan. 23, 2024, 2:09 p.m.	buffer: à¾X(zBAüHnÀs“ëõAUuӈ8/lÊ%ߔüÒé:Ÿ_(“ÂQ·«¯zmè«zC˜O#ý§ßÛ!å,KBŸ:–  0¼OÀóD_©“B†Ôz÷]–’;å„aën÷Ÿ^•c$ƒYnìbó®*ó­ÆDËâëÌj socket: 540		0	0
WSASend Jan. 23, 2024, 2:09 p.m.	buffer:  ° ²]l3Óñìñpb°Õx²¶<óÁ^Ëx¬(‚µ¡èx€ÉÏyÇNÑ»MQý-ýí_¼«ÉgÈ ¤Ý՝W³X ìFô›úXâg¾{‚%û–ÞZÊ£æ.;ôƒ”eê÷쨎'_j.yÓ%ÆÕ`ßl8ƒµ°D jiӟ÷{¶ÕáV¸1èm÷>¤Üt¶;Ÿ äÑü™›YWÅôgZ@àÈd˓Hε¡ÜJ¹!z socket: 540		0	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (4 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Jan. 23, 2024, 2:09 p.m.	buffer: GET /d/ywRmc HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: paste.ee socket: 540		0	0
WSASend Jan. 23, 2024, 2:09 p.m.	buffer:  k g e¯J#ÀÔj§ãx^@`§ ÿP ñ5Â’º‹Ï‹u¶Í/5 ÀÀÀ À 28 &ÿ paste.ee  socket: 540		0	0
WSASend Jan. 23, 2024, 2:09 p.m.	buffer: à¾X(zBAüHnÀs“ëõAUuӈ8/lÊ%ߔüÒé:Ÿ_(“ÂQ·«¯zmè«zC˜O#ý§ßÛ!å,KBŸ:–  0¼OÀóD_©“B†Ôz÷]–’;å„aën÷Ÿ^•c$ƒYnìbó®*ó­ÆDËâëÌj socket: 540		0	0
WSASend Jan. 23, 2024, 2:09 p.m.	buffer:  ° ²]l3Óñìñpb°Õx²¶<óÁ^Ëx¬(‚µ¡èx€ÉÏyÇNÑ»MQý-ýí_¼«ÉgÈ ¤Ý՝W³X ìFô›úXâg¾{‚%û–ÞZÊ£æ.;ôƒ”eê÷쨎'_j.yÓ%ÆÕ`ßl8ƒµ°D jiӟ÷{¶ÕáV¸1èm÷>¤Üt¶;Ÿ äÑü™›YWÅôgZ@àÈd˓Hε¡ÜJ¹!z socket: 540		0	0